GU GCIS 504 - Understanding Web application security challenges
Web application security management
White paper, January 2008

Understanding Web application security challenges

Contents
2  What makes Web applications vulnerable
3  Typical Web application attacks
4  Table 1: Common types of Web application attacks
6  Basic guidelines for providing security for Web applications
7  Understanding the Web application lifecycle
9  Security testing throughout the application lifecycle
10 Table 2: Relative cost of error fixes based on time of discovery
10 Considering the right testing approaches
10 Table 3: Web application security testing approaches
12 Four strategic best practices for protecting Web applications
15 Table 4: Inception: defining security requirements
16 Table 5: Elaboration and construction: modeling and coding for security measures

Highlights: This paper explains what you can do to help protect your organization, and it discusses an approach for improving your organization's Web application security.

Highlights: As businesses grow increasingly dependent upon Web applications, these complex entities grow more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL) and network and host security, but the majority of attacks are on applications themselves, and these technologies cannot prevent them.

What makes Web applications vulnerable

Understanding the Web

In the Open System Interconnection (OSI) reference model [1], every message travels through seven network protocol layers. The application layer at the top includes HTTP and other protocols that transport messages with content, including HTML, XML, Simple Object Access Protocol (SOAP) and Web services.

This paper focuses on application attacks carried by HTTP, an approach that traditional firewalls do not effectively combat. Many hackers know how to make HTTP requests look benign at the network level, but the data within them is potentially harmful. HTTP-carried attacks can allow unrestricted access to databases, execute arbitrary system commands and even alter Web site content.

Highlights: Without governance measures to manage security testing throughout the application delivery lifecycle, software teams can expose applications to HTTP-carried attacks as a result of:
- Analysts and architects viewing security as a network or IT issue, so that only a few organization security experts are aware of application-level threats
- Teams expressing application security requirements as vague expectations or negative statements (e.g., "You will not allow unprotected entry points") that make test construction difficult
- Testing application security late in the lifecycle, and only for hacking attempts

Typical Web application attacks

Highlights: To protect Web applications against attacks, enterprises should employ generic preventive approaches as well as targeted technologies.

A Web application's specific vulnerabilities should dictate the technology you use to defend it. Figure 1 shows many points within a system that might require protection. Often it is best to employ generic countermeasure concepts first, to help ensure that you choose the technology best suited to your needs rather than one that claims to counter the latest hacking technique.

Figure 1: Web application security concerns (diagram not reproduced in this preview). Tiers shown: Firewall, Web server, Application server (Application), Database. Concerns labelled: Denial of service, Concurrency, Coarse input validation, Fine input validation, Preventing parameter manipulation, Preventing session hijacking, Authenticating users, Authorizing users, Protecting sensitive data, Providing secure configuration, Handling exceptions, Auditing and logging.

Table 1 shows common threats and preventive measures. However, specific threats to your application may be different.

Highlights: Enterprises can employ multiple preventive measures against Web application breaches caused by impersonation, tampering and repudiation.

Table 1: Common types of Web application attacks

Impersonation
  Description: Typing a different user's credentials, or changing a cookie or parameter to impersonate a user or pretend that the cookie originates from a different server.
  Common causes:
  - Using communications-based authentication to allow access to any user's data
  - Using unencrypted credentials that can be captured and reused
  - Storing credentials in cookies or parameters
  - Using unproven authentication methods, or authentication from the wrong trust domain
  - Not permitting client software to authenticate the host
  Preventive measures:
  - Use stringent authentication
  - Use operating system (OS)-supplied frameworks and protection for credential information, using:
    - Encrypted tokens such as session cookies
    - Digital signatures

Tampering
  Description: Changing or deleting a resource without authorization (e.g., defacing a Web site, altering data in transit).
  Common causes:
  - Trusting data sources without validation
  - Running with escalated privileges
  - Leaving sensitive data unencrypted
  Preventive measures:
  - Use OS security to lock down files, directories and other resources
  - Sanitize input to prevent execution of unwanted code
  - Validate your data
  - Hash and sign data in transit, by using SSL or IPsec, for example

Repudiation
  Description: Attempting to destroy, hide or alter evidence that an action occurred (e.g., deleting logs, impersonating a user to request changes).
  Common causes:
  - Using a weak or missing authorization and authentication process
  - Logging improperly
  - Allowing sensitive information on unsecured communication channels
  Preventive measures:
  - Use stringent authentication
  - Audit transaction logs and digital signatures

Highlights: Preventive measures can also be taken to ward off attacks that attempt to access sensitive information and overwhelm server resources.

Information disclosure
  Description: Revealing personally identifiable information (PII) such as passwords and credit card data, plus information about the application source and/or its host machines.
  Common causes:
  - Allowing an authenticated user access to other users' data
  - Allowing sensitive information on unsecured communication channels
  - Selecting poor encryption algorithms and keys
  Preventive measures:
  - Store PII on a session (transitory) rather than permanent basis
  - Use hashing and encryption for sensitive data whenever possible
  - Match user data to user authentication

Denial of service (DoS)
  Description: Flooding: sending many messages or simultaneous requests to overwhelm a server. Lockout: sending a surge of requests to force a slow server response by consuming resources or causing the application
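The Impersonation row of Table 1 names "changing a cookie or parameter to impersonate a user" as the threat and "encrypted tokens such as session cookies" and "digital signatures" as the countermeasures, and Figure 1 lists "Preventing parameter manipulation" and "Auditing and logging" among the concerns. The following Python is an added example, not code from the white paper or from IBM, showing the smallest workable form of that countermeasure: a session cookie whose payload is bound by an HMAC-SHA256 tag, so a client-side edit of the user field is detected and rejected, and the verifier returns a reason string suitable for an audit log. It signs rather than encrypts (the payload stays readable, so no PII belongs in it, in line with the "store PII on a session basis" guidance), and the key value, token layout and function names are assumptions chosen for the example.

```python
"""Added example, not part of the white paper: an HMAC-signed session
token that defeats the "change a cookie or parameter to impersonate a
user" scenario from Table 1. Standard library only."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed key for this example only; a deployment loads it from a
# secret store and rotates it. It never lives in source code.
SERVER_KEY = b"example-only-key-not-for-real-use"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is cookie-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(payload: dict) -> str:
    # Canonical JSON so the same payload always yields the same bytes to MAC.
    return _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def issue_token(user_id: str, ttl_seconds: int = 3600,
                now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Return "<payload>.<mac>"; the MAC binds user, expiry and a random session id."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "exp": int(now) + ttl_seconds, "sid": secrets.token_hex(8)}
    body = _encode_payload(payload)
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Tuple[Optional[dict], str]:
    """Return (payload, "ok") or (None, reason); the reason is what you audit-log."""
    now = time.time() if now is None else now
    try:
        body, mac_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Check the MAC before parsing anything the client controls;
        # compare_digest keeps the comparison time independent of where it differs.
        if not hmac.compare_digest(expected, _unb64(mac_text)):
            return None, "bad-mac"
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError, UnicodeDecodeError):
        return None, "malformed"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or "sub" not in payload:
        return None, "malformed"
    if exp <= now:
        return None, "expired"
    return payload, "ok"


def simulate_cookie_edit(token: str, new_user_id: str) -> str:
    """Test helper: rewrite the user in the payload while keeping the old MAC,
    i.e. the client-side edit Table 1 warns about. verify_token must reject it."""
    body, mac_text = token.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["sub"] = new_user_id
    return f"{_encode_payload(payload)}.{mac_text}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", ttl_seconds=60, now=t0)
    print(verify_token(tok, now=t0 + 10))                           # (payload, 'ok')
    print(verify_token(simulate_cookie_edit(tok, "admin"), now=t0))  # (None, 'bad-mac')
    print(verify_token(tok, now=t0 + 61))                           # (None, 'expired')
```

The MAC is checked before the payload is parsed, so a forged or edited cookie never reaches application logic, and the short reason strings give the "auditing and logging" concern something concrete to record without leaking why a particular guess failed to the client.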