Web Application Firewalls

1. A software or hardware solution that protects your web-enabled applications from threats/attacks.
2. The solution must understand web protection at the application layer (HTTP and HTTPS conversations to your web applications, XML/SOAP, and Web Services).
3. Detects/prevents the OWASP Top Ten threats.
4. A Web Application Firewall (a.k.a. WAF), by contrast with a packet-filtering network firewall, is like placing an eavesdropping agent right next to the Web server: it sees, and can act on, the whole HTTP conversation.
5. WAFs are an important building block in every HTTP network.

UNIT-III WEB Application Firewall & Fuzzers www.owasp.org
[Diagram: Web Application Firewalls. Web Client -> HTTP traffic (port 80) -> Web Application Firewall -> Web Application Server -> Database Server]
WAF Features
• Full support for HTTP:
• Access to individual fields (field content,
length, field count, etc).
• Entire transaction (both request and
response).
• Uploaded files.
• Anti-evasion features (also known as
normalisation/canonicalisation/transformation
features).

WAF Features
• Blocking features:
• Transaction
• Connection
• IP Address
• Session
• User
• Honeypot redirection
• Blocking via external device

Protection Techniques
• Cookie protection
• Sign/encrypt/virtualise
• Hidden field protection
• Sign/encrypt/virtualise
• Session management protection
• Enforce session duration timeout, inactivity
timeout.
• Prevent fixation.
• Virtualise session management.
• Prevent hijacking or at least warn about it.
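The "sign" and "virtualise" options above, worked through in code. This is an added example and not code from the deck or from any particular WAF product: the key, the field names and the in-memory vault are assumptions, and "encrypt" is left out because signing alone already detects tampering. The same two functions protect both cookies (Set-Cookie on the way out, Cookie on the way in) and hidden form fields (response body out, POST body in).

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical WAF-side secret; a real deployment generates this at install time and never ships it.
WAF_KEY = b"example-only-waf-key-rotate-me"


def sign_value(value: str, key: bytes = WAF_KEY) -> str:
    """Outbound: append an HMAC-SHA256 tag so the WAF can detect client-side tampering."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_value(signed: str, key: bytes = WAF_KEY):
    """Inbound: return the original value if the tag checks out, None if missing or tampered."""
    value, sep, tag = signed.rpartition(".")      # the tag itself never contains '.'
    if not sep:
        return None
    expected = sign_value(value, key).rpartition(".")[2]
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    return value


# Virtualisation: the client only ever sees an opaque token; the real value stays on the WAF.
_vault: dict = {}


def virtualise(value: str) -> str:
    token = secrets.token_urlsafe(16)
    _vault[token] = value
    return token


def devirtualise(token: str):
    return _vault.get(token)


def protect_outbound(fields: dict) -> dict:
    """Apply to Set-Cookie values or hidden form fields on the way out to the client."""
    return {name: sign_value(value) for name, value in fields.items()}


def check_inbound(fields: dict):
    """Apply to the Cookie header or POSTed hidden fields on the way in.
    Returns (accepted values, names of tampered fields) so the WAF can block the transaction."""
    accepted, tampered = {}, []
    for name, signed in fields.items():
        original = verify_value(signed)
        if original is None:
            tampered.append(name)
        else:
            accepted[name] = original
    return accepted, tampered


if __name__ == "__main__":
    # Constructed sample: the application emits a role cookie and a hidden price field.
    outbound = protect_outbound({"role": "user", "price": "49.99"})
    print("to client:", outbound)
    # The client edits both values but cannot recompute the tags.
    forged = {"role": outbound["role"].replace("user", "admin", 1),
              "price": outbound["price"].replace("49.99", "0.01", 1)}
    print("forged:", check_inbound(forged))        # ({}, ['role', 'price'])
    print("untouched:", check_inbound(outbound))   # ({'role': 'user', 'price': '49.99'}, [])
    tok = virtualise("role=admin; uid=7")
    print("client sees only", tok, "->", devirtualise(tok))
```

A WAF that takes the "tampered" list and blocks the transaction (or the session, see the blocking features above) turns a client-side edit of a price or role into a logged attack instead of a successful one.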

Protection Techniques
• Brute-force protection
• Link validation
• Signing
• Virtualisation
• Request flow enforcement
• Statically
• Dynamically

Performance Metrics
• Performance:
• New connections per second.
• Maximum concurrent connections.
• Transactions per second.
• Throughput.
• Latency.

Signatures and Rules
1. Signatures
  • Simple text strings or regular expression patterns matched against input data.
  • Not very flexible.
2. Rules
  • Flexible.
  • Multiple operators.
  • Rule groups.
  • Anti-evasion functions.
  • Logical expressions.
  • Custom variables.
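The difference between a flat signature and a rule with anti-evasion transformations, as an added example (not from the deck, and not the syntax of any real WAF rule language): the rule ids, target names and the `normalise` chain are assumptions. The signature is matched against the raw parameter and misses a double-URL-encoded, comment-split `UNION/**/SELECT`; the rule normalises the same field first and catches it.

```python
import html
import re
import urllib.parse


def normalise(s: str) -> str:
    """Anti-evasion transformations applied before matching: repeated URL decoding
    (defeats %2520-style double encoding), HTML entity decoding, comment removal,
    whitespace compression and case folding."""
    previous = None
    while previous != s:                     # decode until the string stops changing
        previous = s
        s = urllib.parse.unquote_plus(s)
    s = html.unescape(s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # SQL/C comments act as whitespace
    s = re.sub(r"\s+", " ", s)
    return s.lower()


# Signatures: flat patterns matched against the raw input, case-sensitive, no transformations.
SIGNATURES = [r"union\s+select", r"<script"]


def signature_match(raw: str) -> list:
    return [p for p in SIGNATURES if re.search(p, raw)]


# Rules: named targets, a transformation, an operator and a message.
# Rule ids and field names are illustrative, not a real rule set.
RULES = [
    {"id": 1001, "targets": ["args", "cookies"], "transform": normalise,
     "op": "rx", "arg": r"\bunion\s+select\b", "msg": "SQL injection"},
    {"id": 1002, "targets": ["args"], "transform": normalise,
     "op": "rx", "arg": r"<script", "msg": "cross-site scripting"},
    {"id": 1003, "targets": ["args"], "transform": None,
     "op": "len_gt", "arg": 64, "msg": "oversized parameter"},
]

OPERATORS = {
    "rx": lambda value, arg: re.search(arg, value) is not None,
    "len_gt": lambda value, arg: len(value) > arg,
}


def evaluate_rules(tx: dict) -> list:
    """Run every rule over every targeted field of the transaction.
    tx is {"args": {...}, "cookies": {...}}; returns one (rule id, field, message) per hit."""
    hits = []
    for rule in RULES:
        for target in rule["targets"]:
            for name, value in tx.get(target, {}).items():
                v = rule["transform"](value) if rule["transform"] else value
                if OPERATORS[rule["op"]](v, rule["arg"]):
                    hits.append((rule["id"], f"{target}:{name}", rule["msg"]))
    return hits


if __name__ == "__main__":
    # Constructed request: double-URL-encoded, mixed-case, comment-split SQL injection.
    tx = {"args": {"id": "1%2520UNION/**/SELECT%2520password%2520FROM%2520users"},
          "cookies": {"session": "abc123"}}
    print("normalised:", normalise(tx["args"]["id"]))
    print("signature hits (raw):", signature_match(tx["args"]["id"]))   # []
    print("rule hits:", evaluate_rules(tx))                             # [(1001, 'args:id', 'SQL injection')]
```

The decode-until-stable loop is the important part: a single decoding pass is exactly what an attacker counts on when they double-encode. It is also the kind of transformation that makes the positive security model (below) workable, because the validator then sees the same bytes the application will.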

Three Protection Strategies
1. External patching
  • Also known as "just-in-time patching" or "virtual patching".
2. Negative security model
  • Looking for bad stuff.
  • Typically used for Web Intrusion Detection.
  • Easy to start with but difficult to get right.
3. Positive security model
  • Verifying that input is correct.
  • Usually automated, but very difficult to get right with applications that change.
  • It's very good, but you need to set your expectations accordingly.

Web Intrusion Detection
• Detection-only is considered old-fashioned; prevention is better.
• The problem with prevention is that it is bound to fail given a sufficiently determined attacker.
• Monitoring (logging and detection) is therefore actually more important, as it allows you to independently audit traffic and go back in time.

Monitoring Requirements
• Centralisation.
• Transaction data storage.
• Control over which transactions are logged and which parts of each transaction are logged, decided dynamically on a per-transaction basis:
  • Minimal information (session data).
  • Partial transaction data.
  • Full transaction data.
• Support for data sanitisation (masking sensitive fields before storage).

Fuzzer
• A security fuzzer is a tool used by security professionals (and professional hackers :) to test a parameter of an application.
• Fuzzing is executing a program on many abnormal inputs and looking for badness.
• Goal: prevent attackers from encountering exploitable errors, by finding them first.
• Automatically generate test cases.
• Many slightly anomalous test cases are fed into a target interface.
• The application is monitored for errors.
• Inputs are generally either file based (.pdf, .png, .wav, .mpg) or network based (http, SNMP).

Mutation Based Fuzzing (Dumb Fuzzing)
• Little or no knowledge of the structure of the inputs is assumed.
• Anomalies are added to existing valid inputs.
• Anomalies may be completely random or follow some heuristics (e.g. remove a NUL, shift a character forward).

Dumb Fuzzing In Short
• Strengths
  • Super easy to set up and automate.
  • Little to no protocol knowledge required.
• Weaknesses
  • Limited by the initial corpus.
  • May fail for protocols with checksums, those which depend on challenge/response, etc.: a random edit invalidates the checksum, so the target rejects the input before the interesting code ever runs.

Generation Based Fuzzing
• Test cases are generated from some description of the format.
• Anomalies are added to each possible spot in the inputs.
• Knowledge of the protocol should give better results than random fuzzing.

Generation Based Fuzzing In Short
• Strengths
  • Completeness: every field of the format gets its anomalies.
  • Can deal with complex dependencies, e.g. checksums and length fields, because the generator recomputes them.
• Weaknesses
  • Have to have a spec of the protocol.
  • Often you can find good tools for existing protocols, e.g. http, SNMP, but writing a generator can be labor intensive for complex protocols.
  • The spec is not the code: the implementation may accept or mishandle things the spec never describes.
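The two strategies side by side on one target, as an added example that is not part of the deck and not any of the tools named below. The record format (`FZ` magic, type byte, 2-byte length, payload, 8-bit checksum) and the parser with its planted 16-byte "buffer" are constructed for the demonstration. The mutation fuzzer has no idea where the checksum lives, so almost all of its cases are rejected as "bad checksum"; the generation fuzzer builds each case from the spec, recomputes the checksum, and reaches the bug with a few hundred executions. The harness also shows the simplest form of problem detection: a clean rejection (`ValueError`) is expected, anything else is a crash.

```python
import random

MAGIC = b"FZ"


def parse_record(data: bytes) -> bytes:
    """Target under test (constructed): magic | type | 2-byte big-endian length | payload | 8-bit checksum.
    Malformed input is rejected with ValueError; anything else escaping is a bug."""
    if len(data) < 6 or data[:2] != MAGIC:
        raise ValueError("bad header")
    rtype = data[2]
    plen = int.from_bytes(data[3:5], "big")
    if len(data) != 6 + plen:
        raise ValueError("length mismatch")
    if sum(data[:-1]) & 0xFF != data[-1]:
        raise ValueError("bad checksum")        # most dumb-fuzzed inputs die here
    payload = data[5:5 + plen]
    if rtype == 3:
        buf = bytearray(16)                      # planted bug: fixed buffer, no bounds check
        for i, b in enumerate(payload):
            buf[i] = b                           # IndexError once plen > 16 (the simulated overflow)
        return bytes(buf)
    return payload


def run_case(data: bytes):
    """Problem detection: a clean rejection is fine, any other exception counts as a crash."""
    try:
        parse_record(data)
    except ValueError:
        return None
    except Exception as exc:
        return f"{type(exc).__name__}: {exc}"
    return None


def build(rtype: int, payload: bytes, plen=None) -> bytes:
    """Generator: assembles a record from the spec and recomputes the dependent fields."""
    if plen is None:
        plen = len(payload)
    body = MAGIC + bytes([rtype & 0xFF]) + (plen & 0xFFFF).to_bytes(2, "big") + payload
    return body + bytes([sum(body) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Dumb mutator: one to three random edits with no knowledge of the format."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        i = rng.randrange(len(buf)) if buf else 0
        op = rng.randrange(5)
        if op == 0 and buf:
            buf[i] = rng.randrange(256)                       # overwrite a byte
        elif op == 1 and buf:
            buf[i] ^= 1 << rng.randrange(8)                   # flip a bit
        elif op == 2:
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 3)))  # insert
        elif op == 3 and buf:
            del buf[i]                                        # delete a byte
        elif op == 4 and buf:
            buf[i] = (buf[i] + 1) & 0xFF                      # "shift character forward"
    return bytes(buf)


def mutation_fuzz(seed: bytes, cases: int, rng_seed: int = 1):
    """Returns (crashes, number of mutants whose checksum still verified)."""
    rng = random.Random(rng_seed)
    crashes, checksum_ok = [], 0
    for _ in range(cases):
        case = mutate(seed, rng)
        if len(case) >= 6 and sum(case[:-1]) & 0xFF == case[-1]:
            checksum_ok += 1
        result = run_case(case)
        if result:
            crashes.append((case, result))
    return crashes, checksum_ok


def generation_fuzz():
    """Walks the spec: anomalous type, payload size and length field, checksum always valid."""
    crashes = []
    for rtype in (0, 1, 2, 3, 4, 127, 255):
        for size in (0, 1, 15, 16, 17, 64, 1024, 65535):
            payload = b"A" * size
            for plen in {size, 0, 1, (size + 1) & 0xFFFF, 0xFFFF}:
                result = run_case(build(rtype, payload, plen))
                if result:
                    crashes.append((rtype, size, plen, result))
    return crashes


if __name__ == "__main__":
    seed = build(3, b"hello")                                 # one valid record as the corpus
    crashes, ok = mutation_fuzz(seed, 2000)
    print(f"mutation: {len(crashes)} crashes, {ok}/2000 mutants passed the checksum")
    for rtype, size, plen, why in generation_fuzz():
        print(f"generation: type={rtype} size={size} len_field={plen} -> {why}")
```

With a seed payload of 5 bytes and at most three small edits, the mutation fuzzer can never produce a payload longer than 16 bytes with a consistent length field and checksum, so it reports zero crashes however long it runs; the generation fuzzer finds the overflow for every payload size above 16 on type 3 records. That is the "limited by initial corpus" and "fails on checksums" weakness made concrete.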

Fuzzing Tools: Input Generation
• Existing generational fuzzers for common protocols
(ftp, http, SNMP, etc.)
• Mu-4000, Codenomicon, PROTOS, FTPFuzz
• Fuzzing Frameworks: You provide a spec, they
provide a fuzz set
• SPIKE, Peach, Sulley
• Dumb Fuzzing automated: you provide the files or
packet traces, they provide the fuzz sets
• Filep, Taof, GPF, ProxyFuzz, PeachShark

Input Injection
• Simplest:
  • Run the program on a fuzzed file.
  • Replay a fuzzed packet trace.
• Modify an existing program/client:
  • Invoke the fuzzer at the appropriate point.

Problem Detection
• See if the program crashed.
• Run the program under a dynamic memory error detector: catches more bugs, but more expensive per run.
• See if the program locks up (time out each test case).
• Roll your own checker.

Workflow Automation
• Sulley, Peach and Mu-4000 all provide tools to aid setup, running, recording, etc.
• Virtual machines can help create a reproducible workload.
• Some assembly still required.

Example: PDF
• I have a PDF file with 248,000 bytes.
• There is one byte that, if changed to particular values, causes a crash.
• This byte is 94% of the way through the file.
• Any single random mutation to the file has a probability of .00000392 of finding the crash.
• On average, need 127,512 test cases to find it.
• At 2 seconds a test case, that's just under 3 days...
• It could take a week or more...

Code Coverage
• Some of the answers to the question of how to do better than blind random mutation lie in code coverage.
• Code coverage is a metric which can be used to determine how much code has been executed.
• Data can be obtained using a variety of profiling tools, e.g. gcov.

Types of Code Coverage
• Line coverage
  • Measures how many lines of source code have been executed.
• Branch coverage
  • Measures how many branches in the code have been taken (conditional jumps).
• Path coverage
  • Measures how many distinct paths through the code have been taken.

Fuzzing Rules of Thumb
• Protocol-specific knowledge is very helpful.
  • Generational tends to beat random; better specifications make better fuzzers.
• More fuzzers is better.
  • Each implementation will vary; different fuzzers find different bugs.
• The longer you run, the more bugs you find.
• Best results come from guiding the process.
  • Code coverage can be very useful for guiding the process.

THANK YOU
