
dotDefender Web Application Security

Web Application Security 101
Web Application Security 101

As the Internet has evolved over the years, it has become an integral part of virtually every aspect of the business process cycle. In the early days of the Web a company’s online presence consisted of a static Website that promoted products and provided visitors with company information. The emergence of technologies like AJAX, PHP, and Document Object Models gave businesses the ability to move from placing nothing short of a company brochure on the Web to deploying dynamic, feature-rich applications that drive sales through e-commerce; provide online services to their employees; establish open-ended communication between themselves and their customers; and allow for collaboration among employees, partners, suppliers, and clients.

In addition to providing employees and customers with a more dynamic experience, Web applications have become a way for businesses to save money. By turning to Software as a Service and cloud-based solutions, organizations have found that they are able to trim their budgets by:

- Spending less on resources such as servers and networking infrastructure
- Reducing power consumption and related costs
- Avoiding capital expenditures associated with IT
- Using technology that is flexible and scalable

Of course, as the usefulness and complexity of the Internet grew through increased use of Web applications, the security risks involved also grew proportionately. To combat the threats that these applications face, many organizations look towards traditional network security solutions. Assuming that deploying a network firewall, intrusion detection system, or intrusion prevention system protects the network perimeter from attack at the application layer (OSI Layer-7) can be a huge mistake. The traditional approach to network security aims to protect resources such as servers, workstations, printers, internal databases, and other network resources.
The tools used to secure these resources work by preventing access to certain ports or services, creating allow or deny rules for network packets. Blocking port scans, worms, viruses, and other attacks aimed at networking protocols prevents intrusion at OSI Layer-3, but does nothing to prevent the sophisticated attacks that take place at the application layer, because this simple approach does not work in an environment where each application differs from another.

Many IPS systems cannot even look into simple SSL encryption, and are, therefore, relegated to blindly forwarding SSL traffic without inspection.
Figure 1. Traditional firewalls keep out malicious network traffic, but malicious Web traffic passes through freely.

Web application security relies on the ability to inspect HTTP packets to handle threats at Layer-7 of the OSI model. Attackers are all too familiar with the fact that traditional perimeter security methods do not stop attacks against Web applications, which are, by nature, designed to allow visitors to access the data that drives the Website. By exploiting simple vulnerabilities in Web applications, an attacker can pass through perimeter security undetected, accessing data and even the network that your traditional firewall and IDS systems are in place to protect.

According to a Gartner study, 75% of all attacks on Web sites target the application level and not the infrastructure.

Understanding the Risks

To help IT professionals better understand the security risks that surround Web applications, a community of concerned individuals created the Open Web Application Security Project, or OWASP for short. In addition to a collection of open source tools, training and projects, OWASP publishes a list of the Top Ten Risks to Web Application Security. Among the most prevalent threats to Web applications are:

- Injection attacks (1)
- Cross-site scripting (2)
- Security misconfiguration (6)
- Failure to restrict URL access (7)
Injection attacks are the result of a Web application sending untrusted data to the server. The most common attack occurs when malicious code is inserted into a string that is passed along to a SQL server for execution. This attack, known as SQL Injection, allows the attacker access to data which can be stolen or manipulated. Other types of injection attacks include Code Injection and Carriage Return/Line Feed (CRLF) Injection.

Cross-Site Scripting, or XSS, is the most prevalent security flaw that Web applications are vulnerable to. In an XSS attack, the attacker is able to insert malicious code into a Website. When this code is executed in a visitor’s browser it can manipulate the browser to do whatever the attacker wants. Typical attacks include installing malware, hijacking the user’s session, or redirecting the user to another site.

Security Misconfiguration is the result of poor administration of the Web server or application server and often leads to path traversal vulnerabilities. Allowing unauthorized or unprotected access to files, directories, or accounts can lead to an attacker completely compromising a vulnerable system.

Failure to restrict URL access is another flaw that allows attackers to exploit a path traversal vulnerability. In this case, the attacker simply amends the URL to see if he is granted access to a private page or directory within the Website.

Statistical Data

Just how many Websites are vulnerable to the different attacks? According to the Web Application Security Consortium’s most recent Web Application Security Statistics Project, the probability of detecting a vulnerability classified as either urgent or critical in a Web application is 96% when white box testing is used.
So practically every Website that runs an application is vulnerable to some type of attack. Finding it is simply a matter of determination on the part of the attacker.

Figure 1 - The most widespread vulnerabilities found in Web Applications (source: WASC Web Application Security Statistics Project).
According to these numbers, 39% of all vulnerable Web applications are susceptible to Cross-Site Scripting attacks. SQL Injection, on the other hand, is found in only 7% of all vulnerable Web applications. So why are injection attacks at the top of the OWASP Top Ten list? For two reasons:

1) Several types of injection attack are included in the category.
2) The Top Ten list reflects the risks associated with each vulnerability, not only its prevalence. Injection attacks are much more dangerous because, especially with SQL Injection, they allow the attacker direct access to data. Whether it be authentication data, health records, card holder data, or any other confidential information, the attacker’s ability to access this data makes injection attacks the most dangerous risk to Web applications.

The most widespread vulnerabilities found in this report can be easily aligned to the OWASP Top Ten risks we just discussed.

WASC                                      OWASP
Cross-Site Scripting                      Cross-site scripting
SQL Injection                             Injection attacks
Insufficient Transport Layer Protection   Failure to restrict URL access, Injection attacks
Fingerprinting                            Security Misconfiguration
Information Leakage                       Security Misconfiguration
HTTP Response Splitting                   Injection attacks, Cross-Site Scripting

Table 1: Aligning WASC to OWASP.

More interesting may be the percentage of Web applications that are vulnerable to the different types of attacks. In the following chart, the data shows the probability, by percentage, that each of the most widespread vulnerabilities will be found on a Website.
Figure 2 - The most widespread vulnerabilities and the probability that a Website contains each of them.

Clearly, the numbers total much more than 100%, showing that many Websites are vulnerable to multiple exploits.

Automated Attacks

Based on the sheer number of vulnerable sites, attackers have taken a different approach towards attacking them. Unlike the tedious hours spent hacking a network’s perimeter, attacks against Web applications can be easily automated, and with the help of a botnet, large-scale, coordinated attacks against multiple sites can net the cyber criminal millions of dollars with a minimal amount of work or skill.

By visiting any number of hacker forums, the attacker can locate specific code strings found in vulnerable Websites. Performing an automated search for such a string can collect lists of Websites that contain a specific vulnerability (this is the fingerprinting process mentioned earlier).

Once the attacker has accumulated a list of potential victims, they can download a tool to use in launching the attack. Again, a botnet can be used to increase the pool of targets since the attack is automated. The attacker simply collects the information he or she is looking for and moves on to the next attack.

The Aftermath of a Successful Attack

According to the Computer Security Institute’s Annual Computer Crime and Security Survey, the average cost per incident is $300,000. Don’t be fooled into thinking that this number represents only the largest organizations. Close to a quarter of all those surveyed in this report were organizations that have
between 1 and 99 employees. To a large company, losing $300,000 can put a dent in the bottom line, but to a small business this loss can be devastating.

Web applications are used to process data and make it accessible to users across the Internet. Whether the application is used to process credit cards, manage employees, or increase collaboration between partners, failing to protect these applications can have serious ramifications.

Compliance Issues - To ensure that organizations do what is necessary to protect confidential information, governments and industries alike have put certain requirements in place. US laws like the Healthcare Information Portability and Accountability Act (HIPAA) are used to protect confidential health information. To protect credit card information, the Payment Card Industry (PCI) has created its own set of requirements. Failure to comply with industry-wide or governmental requirements often results in large fines levied against the organization responsible for protecting the information.

Data Theft - In addition to personal and financial information being stolen, a large cost that organizations may face after having a Web application compromised is the loss of proprietary information. Web applications process a great deal of personal information; however, they are also used for collaboration and project management. Organizations with offices across the globe need some way of working together, and many Web applications provide such a way. Attackers know this, and often the objective of their crime is to steal intellectual property, either as corporate espionage or to sell to a competitor.

Customer/Visitor Loss of Trust - This is one of the most intangible costs associated with a Website being attacked; it is, at the same time, one that should be expected. When the TJX Companies made the news because they were victimized by Albert Gonzalez, customers lost trust in their ability to protect their credit card information.
Likewise, when Google warns that a Website is untrustworthy, even the most loyal visitors avoid the site for fear of having their information stolen or their computer infected.

Burden on Resources - Not all attacks are launched with the intent of profiting directly. Attackers still launch Denial of Service attacks against Websites to disrupt service to legitimate visitors. Additionally, compromised Web servers and sites are used to host multimedia files, malicious files, and links to other Websites without the knowledge of the owner. In these instances, storage space and bandwidth are wasted on illegitimate use.

Ability to Attack the Internal Network - Those organizations who host their Web servers on site risk having one of their applications serve as an entry point to the internal network, where other servers, databases, and computers can also be compromised. Going right through the vulnerabilities in these applications bypasses any network perimeter defenses put in place.

The dotDefender Solution

Earlier, we saw how traditional network security solutions do not effectively protect against the common vulnerabilities that exist within a Web application framework. However, the fact that these tools do not adequately protect against Web application vulnerabilities doesn’t mean that there is no defense
against these threats. On the contrary, a Web Application Firewall solution like dotDefender provides protection that meets the compliance regulations set by one of the most stringent industry security standards there is, the Payment Card Industry Data Security Standard.

A Web Application Firewall, or WAF, is an appropriate solution to defend against the common avenues of attack used against Web applications. Deploying a WAF is like placing an eavesdropping agent right next to the Web server itself – serving as a two-way filter that prevents malicious requests from reaching the Web server while at the same time sifting through the responses provided by the Web server to weed out sensitive or personally identifiable information. The WAF thus serves not only to defend against attacks, but also to mitigate the potential for information leakage. The immediate proximity to the server means it is the last stop in the information flow – right before the request must be served, but well after precursor steps such as encryption and fragmentation.

Intrusion detection/prevention systems are effective solutions for protecting the network perimeter, as are traditional firewalls; however, there are some distinct characteristics that make Web Application Firewalls effective in protecting what other solutions can’t: the application layer.

In a network firewall, complications at the packet level like encryption and fragmentation pose a significant, often insurmountable challenge. A WAF, however, remains blissfully oblivious to these complications, and is free to focus on what it understands so well – application level security.

The way WAFs handle application layer logic differentiates them from intrusion prevention and detection systems as well.
In addition to having an understanding of protocols, WAFs also recognize language patterns, such as XML, SQL, JavaScript, HTML, PHP, and many others.

How dotDefender Works

dotDefender is a software-based Web Application Firewall that, when integrated within an existing Web server, begins to protect your Web applications almost immediately. Using three different security engines, dotDefender is prepared to take proactive steps to protect Web applications, Web sites, databases, and any other low-hanging fruit that is so tempting to cyber criminals.

Pattern recognition: makes use of a rule set to detect patterns that indicate a possible attack. If an attack is detected, this engine deals with the attack according to how dotDefender is configured. Attacks that pattern recognition works to defend against include:

- Cross-Site Scripting
- SQL Injection
- Path Traversal
- Remote Command Execution
- Probes
- Header Tampering
- Encoding

Session protection: focuses directly on the user session to deal with spoofing and flooding the server with HTTP requests. The session protection engine helps you protect your Web site from:

- Session Hijacking
- Denial of Service Attacks
- Cookie Tampering

Signature knowledgebase: dotDefender’s engine uses signatures to detect known attack sources, such as vulnerability scanners, bots, site-scrapers, email harvesters, and leeches. As a result, your Web site is protected against:

- Spammer Bots
- Worms
- Bad User Agents
- Compromised Servers

Data leakage protection: prevents sensitive information disclosure using built-in and extensible outgoing traffic inspection rules, mitigating the proliferation of credit card numbers, personal information, and application error messages into the wrong hands.

Upload inspection: upload content inspection enforces file extension and MIME-type filtering, preventing Web shells, backdoors and rootkits from being uploaded via Web content management systems. The contents of uploaded files are scanned to ensure malicious payloads are not smuggled in posing as benign pictures and content.

Benefits of dotDefender

dotDefender delivers an out-of-the-box security solution that can be easily installed with a few simple clicks. Whether an organization has a dedicated IT security department or relies on individuals to take on security responsibilities as part of their daily duties, dotDefender is the ideal choice. Once deployed, dotDefender immediately begins protecting Web applications from attack using its default installation, or it can be customized to the unique needs of any type of company or organization.

As budgets are continuously scrutinized, security is one area that often finds itself in danger of potential cuts. Decision makers are pleased to find that dotDefender delivers the best Total Cost of Ownership (TCO) in the industry, providing the best value for each of these elements:
Low cost of acquisition: dotDefender is an affordable solution with several pricing models including SaaS, perpetual and enterprise licenses. License only what you need, with no investment in excess capacity or high availability solutions.

Low cost of implementation: dotDefender is a plug & play software solution. With its predefined out-of-the-box Web application security profiles, initial implementation is immediate and simple. No Web application security skills are required to configure and deploy dotDefender.

Low cost of maintenance: maintenance is the most expensive component in the TCO of Web application security technology. dotDefender is application-agnostic, so any change in the application is transparent to the security configuration. dotDefender automatically detects and blocks attack attempts, logs the information, and generates reports and alerts. Automatic updates against emerging threats ensure that your Website is always protected. Multi-platform support for all servers and central management for control and reporting further facilitate and reduce your maintenance efforts.

Finally, dotDefender protects your Web applications. Period. Deploying dotDefender offers your organization peace of mind by:

Stopping major threats at the gateway. Common threats like Injection Attacks, Cross-Site Scripting, Path Traversal, and Remote Command Execution are identified by dotDefender and stopped before they can be used to compromise your systems and data. In addition to these known threats, dotDefender identifies zero-day threats as well by analyzing Website requests for anomalies commonly found in malicious traffic.

Providing PCI Compliance. Simply deploying dotDefender meets the requirement of PCI DSS Section 6.6 without the need for expensive code reviews. dotDefender provides any e-commerce Website an easy, cost-effective solution to achieving PCI compliance.

Protection against data leakage. Rules can be specified to filter outgoing traffic as well as incoming requests.
This enables better data leakage prevention in addition to improved infrastructure masking. System configuration information, errors, credit card data, and social security numbers are some examples of the data you can protect from accidental exposure.

Web application vulnerabilities will continue to threaten businesses as long as there is a profit to be made by exploiting them. As more laws, regulations, and compliance requirements are put into place to protect data, organizations will be forced to address Web application security or pay a heavy price. Organizations who seek to effectively protect their Websites and data from attack while enjoying a low Total Cost of Ownership will find dotDefender a compelling solution.
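The pattern-recognition, signature and data-leakage engines described under How dotDefender Works, sketched as an added Python example written for this page (it is not dotDefender’s own code, and the rule set, user-agent signature tokens and sample inputs are constructed). Requests are URL-decoded until stable before matching, so the Encoding evasion listed above does not slip past the patterns, and outgoing bodies are scrubbed of Luhn-valid card numbers the way the data leakage protection is meant to.

```python
# Added example (not dotDefender code): constructed rules, signatures and inputs.
import re
from urllib.parse import unquote

# Constructed rule set: (category, pattern). Patterns run over the fully decoded
# request so percent-encoded or double-encoded payloads cannot slip past them.
RULES = [
    ("SQL Injection", re.compile(r"'\s*or\s+\S+\s*=\s*\S+|union\s+select|--\s*$", re.I)),
    ("Path Traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("Cross-Site Scripting", re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I)),
    ("Remote Command Execution", re.compile(r"[;|`]\s*(cat|ls|wget|curl|sh)\b", re.I)),
]
# Constructed signature tokens standing in for a bad-user-agent knowledge base.
BAD_AGENTS = ("scanner", "harvester", "leech")

def decode_fully(value, rounds=3):
    """URL-decode until the value stops changing (bounded), so %252e%252e/ becomes ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(path, query, headers):
    """Return (category, location) findings for one request; an empty list means clean."""
    findings = []
    fields = {"path": path, **{f"query:{k}": v for k, v in query.items()}}
    for where, raw in fields.items():
        text = decode_fully(raw)
        for category, pattern in RULES:
            if pattern.search(text):
                findings.append((category, where))
    agent = headers.get("User-Agent", "").lower()
    if any(token in agent for token in BAD_AGENTS):
        findings.append(("Bad User Agent", "header:User-Agent"))
    # A CR or LF inside a header value is the raw material of HTTP response splitting.
    if any("\r" in v or "\n" in v for v in headers.values()):
        findings.append(("Header Tampering", "headers"))
    return findings

def luhn_ok(digits):
    """Luhn checksum: distinguishes a real card number from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def scrub_response(body):
    """Mask Luhn-valid card numbers in an outgoing body, keeping only the last four digits."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # e.g. an order number: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, body)
```

A request whose path carries a double-encoded ../ is reported as Path Traversal after decoding, while a 16-digit order number that fails the Luhn check is left untouched by the response scrubber.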