
Web Application Attacks: New Threats and Countermeasures

A Teros Security Whitepaper. Written by David Jevans, Senior Vice President, Teros. January 2005.

Synopsis:

Hackers and criminals are creating a new threat environment by circumventing traditional network firewalls and intrusion prevention systems, and attacking web applications directly. The business costs of web application security breaches are high, and in some cases incalculable. This whitepaper discusses a number of the new attacks and the business risks that they pose. The role of web application security scanning tools and web application firewalls in preventing these new threats is also presented.

Teros, Inc., 3965 Freedom Circle, 9th Floor, Santa Clara, CA 95054. t: 408-850-0800, f: 408-850-0899, www.teros.com


Table of Contents:

1. Web Application Attacks - A New Threat Environment
2. Business Drivers for New Web Application Security Defenses
   2.1 Database Confidentiality, Regulatory Compliance and Business Reputation
   2.2 Business Continuity
   2.3 Defacement Prevention and Brand Protection
   2.4 Phishing Liability Containment
   2.5 Zombie and Worm Liability Containment
3. Securing Web Applications from the Ground-Up
4. The Benefits of Web Application Firewall Devices
5. Conclusion
Appendix A


1. Web Application Attacks - A New Threat Environment

Internet security threats are migrating from pure network-level attacks to web server and web application attacks. Criminals are getting into the hacking game, and there are financial incentives for breaching security and stealing identities. Most new attacks are against web servers, web forms, business and financial applications, e-commerce applications, bulletin boards and blogs. The web application itself has become the new security perimeter, and is wide open to the new generation of attacks. Network-level security devices cannot detect, let alone prevent, the majority of web application attacks. Firewalls let the attacks straight through, because the attacks target web resources that are intentionally exposed to the Internet. Many applications, such as e-commerce servers, use SSL encryption to keep their communications private with the end user. Unfortunately, this also means that Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) cannot inspect the traffic either, rendering them all but useless to detect or prevent these encrypted attacks. Please see Appendix A of this document for a table comparing network and application-level attacks and defenses.


Figure: Actual website attack statistics (compiled Tuesday, January 4, 2005), captured against a single public web server.


2. Business Drivers for New Web Application Security Defenses

Attacks at the web application level are more than just an IT nuisance; they pose severe business and operational challenges and costs. Business drivers for deploying new security defenses include:

- Protecting database confidentiality, regulatory compliance and business reputation
- Business continuity
- Defacement prevention and brand protection
- Phishing liability containment
- Zombie and worm liability containment

2.1 Database Confidentiality, Regulatory Compliance and Business Reputation

Because a database is only as secure as the web front-end applications connected to it, it is crucial to keep attackers from exploiting vulnerabilities in your web applications, application servers, web servers and web application tools. Login credentials obtained through phishing or spyware let attackers get right into the heart of web applications and search for vulnerabilities inside the application, not just on the public outer pages. Common attacks involve injecting commands into databases via the web application user interfaces, and extracting data such as customer records, medical records, price lists and credit card databases. This is damaging in itself, and it becomes a serious business and public-relations issue once it is discovered.

Many companies have been obligated to inform customers that their confidential information has been stolen. All companies conducting business with California consumers are obligated by law to inform customers if their personal information might have fallen into the wrong hands. Furthermore, in 2004 the Federal Trade Commission (FTC) filed judgments against well-known companies for violating their stated privacy and security policy statements, when it was discovered that databases of customer information had been breached through web application vulnerabilities.

2.2 Business Continuity


Keeping websites and databases running uncorrupted and undefaced is a business necessity. Network distributed denial of service (DDoS) is not the only way to take a website, e-commerce application or extranet offline. In fact, crashing a site's application server or corrupting its database via command injection can allow a single computer to take a site offline without having to harness thousands of zombie attacker machines.


2.3 Defacement Prevention and Brand Protection

Preventing defacement of your website and web applications is not only good for protecting your online brand, it can be critical to the proper functioning of your website and web applications. On any given day, between 150 and 2,000 websites are defaced by hackers and political activists. These antagonists exploit web server and web application vulnerabilities, in addition to traditional network security vulnerabilities. Every month e-commerce sites, government agencies and educational institutions are successfully attacked. The results can be embarrassing, such as SCO's logo being replaced on November 29, 2004 with "WE OWN ALL YOUR CODE, PAY US ALL YOUR MONEY". Website defacements can also create serious business interruptions, for example when the homepage for Google's picture sharing service Picasa was taken down and replaced with a blank page on December 6, 2004. These attacks are even becoming automated. Over the Christmas holidays in 2004 the Santy worm attacked web application servers and defaced 40,000 sites in just 24 hours.

2.4 Phishing Liability Containment


Phishing attacks, which use spoofed e-mails to lure consumers to fake websites in order to steal their personal and financial information, are growing at approximately 30% per month. It is impossible to stop all phishing, because it uses brand spoofing and social engineering against your customers, partners and employees. However, you can make it hard for phishers to create convincing e-mails and data collection sites by preventing your own website from being used against you in an attack. Enterprise phishing is a new and growing phenomenon. In these cases, spoofed e-mails are sent to employees in a company in an attempt to trick them into thinking the e-mail came from the IT staff, and getting them to divulge passwords into the network. Many of the most convincing attacks use cross-site scripting, page referrals and image referrals from your very own site. Preventing and detecting this misuse with a web application firewall can reduce the likelihood and success of phishing attacks, and may reduce your potential liability.

2.5 Zombie and Worm Liability Containment

Since October 2004, hackers and criminals have been making widespread use of so-called zombie networks to launch phishing attacks and send spam. Zombies are compromised computers, typically on high-speed connections, that are running e-mail relays and web servers unbeknownst to their owners. In November 2004, it was discovered that many zombies are being infected by web server vulnerabilities, and that even corporate servers are sometimes hosting zombies. In November 2004 it was also discovered that corporate servers have been compromised and are being used to host and distribute worms including the IFRAME exploit. The situation was made dramatically worse when an ad-serving company became infected and spread worms through their online ads to thousands of sites on the Internet. Web application security devices in front of web servers and web applications can prevent the ingestion and inadvertent hosting of zombies and worms on corporate networks, thereby potentially reducing their liability.

3. Securing Web Applications from the Ground-Up

There are now thousands of commercially available web applications and application servers, and hundreds of thousands of custom websites and web applications on the Internet. Many were first developed before application-level attacks began to be well known and widely exploited, and it can be difficult to fix them. While every effort is being made to improve the security of these web applications and tools, the reality is that every month there are more new vulnerabilities discovered and publicized than can be fixed. There is no debating that web applications need to be developed from the ground-up with security in mind, and should be thoroughly tested with application security tools and penetration testers. However, most of these tools are signature-based and detect only known vulnerabilities, and therefore cannot prove that applications are fully secure. Additionally, there are many types of application attacks, including phishing and application denial of service, that software scanning tools cannot prevent.


4. The Benefits of Web Application Firewall Devices

Web application firewall devices are a new breed of security solution that complements network security devices such as firewalls and intrusion prevention systems. Web application firewalls are typically hardened reverse web proxies, with deep semantic inspection of HTTP streams, positive security models, and hardware acceleration.

To learn more about network firewalls vs. web application firewalls, download the Network Firewalls vs. Web Application Firewalls article here: www.teros.com/register


There are many reasons why web application firewall devices may represent the fastest and most cost-effective way to ensure the security of your websites and web applications:

- No need to modify your existing web applications to ensure their security
- Works with 3rd-party and commercial applications like CRM and e-commerce applications, and popular web development tools like PHP, without modification
- Can be installed and running quickly - no need for months or years of fixing applications
- Positive security model lets only known good traffic through, preventing zero-day web attacks and reducing the urgency of patching web servers and server O/S
- Prevents Application Denial of Service (AppDoS) by limiting distributed scraper attacks and throttling abusive web traffic
- Protects clusters of applications with a single device
- Protects against SSL vulnerabilities in common web servers
- Optionally accelerates web traffic through SSL encryption acceleration, HTTP compression and TCP connection termination and pooling
- Optionally provides more secure SSL key management in a FIPS-compliant manner
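The positive security model listed above, and the database command injection described in section 2.1, can be illustrated with a small allowlist check of the kind a reverse proxy would apply to each request before it reaches the application. This is an added example, not Teros code: the form parameters, their rules and the sample query strings are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qs

# Allowlist ("positive security model") for one hypothetical checkout form:
# every parameter the application accepts is named, with the exact shape its
# values may take. Anything else is rejected; no attack signatures are used.
# The rules and the sample requests below are constructed for this example.
ALLOWED = {
    "user": (r"[A-Za-z0-9_.-]{3,32}", True),   # (value pattern, required?)
    "zip":  (r"[0-9]{5}", True),
    "qty":  (r"[1-9][0-9]{0,2}", False),
}

def check_query(query_string):
    """Return a list of violations; an empty list means the request is allowed."""
    params = parse_qs(query_string, keep_blank_values=True)
    violations = []
    for name, values in params.items():
        if name not in ALLOWED:
            violations.append(f"unexpected parameter '{name}'")
            continue
        if len(values) != 1:   # repeated parameter (parameter pollution)
            violations.append(f"parameter '{name}' supplied {len(values)} times")
            continue
        pattern, _ = ALLOWED[name]
        if not re.fullmatch(pattern, values[0]):
            violations.append(f"parameter '{name}' has a disallowed value")
    for name, (_, required) in ALLOWED.items():
        if required and name not in params:
            violations.append(f"required parameter '{name}' is missing")
    return violations

def is_allowed(query_string):
    return not check_query(query_string)

if __name__ == "__main__":
    samples = {   # constructed requests, URL-encoded as they would arrive
        "legitimate":      "user=alice&zip=95054&qty=2",
        "sql injection":   "user=alice%27+OR+%271%27%3D%271&zip=95054",
        "script in field": "user=alice&zip=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "param pollution": "user=alice&user=bob&zip=95054",
        "unknown field":   "user=alice&zip=95054&debug=1",
        "false positive":  "user=o%27brien&zip=95054",   # valid name, outside rule
    }
    for label, qs in samples.items():
        verdict = "ALLOW" if is_allowed(qs) else "BLOCK"
        print(f"{label:16s} -> {verdict} {check_query(qs)}")
```

The last sample shows the model's cost: a legitimate name such as o'brien is blocked until the rule is widened, which is why allowlist rules are tuned against real traffic rather than written once.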

5. Conclusion

Website and web application security is rapidly becoming a critical IT security imperative. The business costs of web application security breaches are high, and in some cases incalculable. Business reputation, regulatory compliance and continuity can all be negatively affected by website and web application attacks. Fortunately, a combination of application security scanning tools and web application firewall devices can bring a high level of protection to online business operations.


Appendix A: Network Attacks vs. Web Application Attacks

Typical Network Attacks:
- Remote login to sysadmin resources
- Abuse of anonymous accounts
- Worms, e.g., Slammer, Code Red
- Portscans for any vulnerability
- Network DDoS
- Network performance degradation

Typical Web Application Attacks:
- Database theft via SQL injection
- Phishing using cross-site scripting (XSS)
- Installation of zombies
- Website breach and defacement
- Web application DoS
- Application and database corruption

Network Security Tools vs. Application Security Tools

Network Security Tools:
- Firewalls
- Intrusion Prevention Systems (IPS)
- Intrusion detection systems (IDS and HIDS)
- Network vulnerability scans and penetration tests

Application Security Tools:
- Web application firewalls
- Web application firewall devices
- Web application IDS
- Scan tools and application penetration tests
