Project Part II Double Deuce Jibran Ilyas Frank
Project Part II Double Deuce Jibran Ilyas, Frank La. Sota, Paul Lowder, Juan Mendez 1
Our Security Problem Is Website Attacks § Firewall are common in every network deployment, so attackers use websites to get access to internal network § Every industry, be it online hop, retail stores, educational institution or government sector has a website for public use, which makes the website problem very common in multiple industries. 2
Our Security Problem's implications for the four cornerstones of secure computing: § Website attacks have an affect on all four corner stones of secure computing – Confidentiality < Attackers can steal data from databases – Authenticity < Popular websites are targets of phishing attacks – Integrity < This is when a software downloads websites serves trojans and viruses combined with the legit software – Availability < Website are vulnerable to Denial of Service Attacks 3
SQL Injection Web Attack Example Query Injected by the Attacker Output from the Query Note: Account Numbers masked to protect customer identity 4
PHP File Inclusion Web Attack Example 5
Cross Side Scripting (XSS) § In the code below, you will see that XSS can easily send you to an evil site http: //www. fippex. com/stocks-analysis/index. php? name=<script language=javascript>window. location= ”http: //www. evilsite. com”; </script> § In the code below, you will see that XSS may cause denial of service with just one line of code • http: //www. doubledeuce. com/hot-breakfast/index. php? name=<script language=javascript>set. Interval ("window. open('http: //www. cs. northwestern. edu/~ychen/', 'inner. Name')", 100); </script> The link above will open a window of Dr. Chen’s webpage and request it every 100 milliseconds. 6
Other Web Attacks § Attackers can target vulnerabilities in browser (Internet Explorer or Firefox, java console, plugins, etc 7
Evaluation of Existing Work – Intrusion Prevention Systems and Web Application Firewall 8
Evaluation of Existing Work – Intrusion Prevention Systems § Pros – They can help filter the malicious queries before they get to the website – They can prevent bad code to come into the network – They have blacklist IPs which can protect you from exchanging data from malicious sites § Cons – – – They slow down the speed of the websites False positives block legit web traffic Very costly Have to keep evolving Not suitable for high volume websites 9
Case Study – E-Commerce Website for Computer Goods § June 15, 2008 – Website was hacked – Company used a shared shopping cart – Attacker stole credit card data via SQL Injection common to the shopping cart – August 4, 2008 - Forensic Investigation completed – Recommended Manual Code Review, Intrusion Detection/Prevention System and Application Penetration Test – September 20, 2008 – Intrusion Prevention System deployed – Configured it with all built in rules 10
Case Study – E-Commerce Website for Computer Goods § September 20, 2008 – Website problems – Performance got hit – FTP stopped working due to bad IPS rule – September 21, 2008 - Configure only trusted IPS rules – Allowed only 10 rules to block traffic – November 3, 2008 – Website down – Initial ruling was DOS attacks – It was later discovered that holiday season rush caused IPS to do more work and it crashed. – The setting on IPS was to fail close i. e. Not allow traffic upon device failure 11
Case Study – E-Commerce Website for Computer Goods § November 3, 2008 – CIO ordered downtime report – IT guys suggested to have IPS to fail open i. e. allow all traffic when device fails – November 4, 2008 – IPS Decommissioned – IPS functionality was reduced to minimum anyway – Business decision was made to not use traffic inspection solution until the end of Holiday Season 12
Take Aways § IPS looked at all traffic when the protection was required for Web Application only – Overkill of what web applications need – IPS was doing minimal work and was not worth the investment. – For a website, you can block all ports except web ports on firewall. – IDS/IPS, on their own, cannot protect web applications. Each web application can have different vulnerabilities and requires different treatment. 13
So what’s the industry fix § Web Application Firewalls § § § Trained to look at abnormal web traffic Doesn’t service any ports other than web application ports Provides deep inspection on all web requests Supports ultra high performance & sub-millisecond latency Addresses PCI 6. 6 requirement for web security Nothing, Nothing beats the manual code review and secure coding training § Companies with high stakes + available funds go for this 14
So what’s the industry fix § Common Web Application Firewalls (WAFs) § § Web. Knight OWASP Stinger Project Mod. Security Imperva Secure. Sphere § Lots of security vendors and startups creating WAFs § Source code reviews and Application Penetration Tests are becoming industry standards as well 15
Magic Quadrant for Intrusion Prevention Systems 16
Magic Quadrant for Secure Web Gateways 17
Related Work and Research in This Area § § § SANS Paper on Web Based Threats – http: //www. sans. org/reading_room/whitepapers/application/web_based _attacks_2053? show=2053. php&cat=application Symantec’s Paper on Web Based Threats – http: //eval. symantec. com/mktginfo/enterprise/white_papers/bwhitepaper_web_based_attacks_03 -2009. en-us. pdf Dev. Shed. com’s Cross Side Scripting Paper – http: //www. devshed. com/c/a/Security/A-Quick-Look-at-Cross-Site. Scripting/1/ Trustwave’s PHP File Inclusion Paper – https: //www. trustwave. com/white. Papers. php Security Focus’ article on SQL Injection – http: //www. securityfocus. com/infocus/1768 18
- Slides: 18