Hyperguarding your Web Applications

Archive for October, 2009


Posted by hyperguard on October 16, 2009

It’s getting closer to OWASP’s AppSecDC show, Nov 10-13, and this year’s show will feature the announcement of an updated Top 10 web vulnerabilities list for the first time since 2007. This list impacts the entire WebAppSec industry and there are a number of interesting effects anticipated here.

How will these updates impact PCI-DSS which is currently in the process of redefining requirements for a virtualized market? The OWASP Top 10 forms an important part of PCI so any updates are sure to have an impact.

What impact will this have on the Cloud Security Alliance’s (CSA) guidelines for the industry? Again, the Top 10 featured prominently in the current version. The CSA is preparing an update of these guidelines before the end of the year. Our Alex Meisel is contributing heavily this time around to the WAF section.

If you’re going and would like to meet up with Art of Defence’s Georg Hess, leave a comment and we’ll get you on his calendar.

Hope to see you in DC!



Danger. Danger, Will Robinson! (enough with the panic, please)

Posted by hyperguard on October 13, 2009

The sky is not falling on cloud computing because of the Microsoft Danger / Sidekick fiasco (sorry John D., not even end-user license agreements are going to hold back cloud adoption). All this hubbub is good for the industry, even if it is stirring up radical pundits on both sides. Cloud Computing Interoperability Forum (CCIF) member Reuven Cohen sums it up well. If you haven’t read his full comment, here’s the important part:

“Let me remind you that failures happen and they happen all the time. There are whole groups at major manufacturers devoted to it, on purpose. Whether it’s on your desktop, in your data center or in the cloud. To fail is human. But to be prepared is noble.”

Being prepared to adopt new technology means different things to different people. Is your cloud provider transparent about bugs, glitches and outages? Do you have provider options (Google, Amazon, DISA’s RACE)? How is your data handled and protected? Is cloud application security up to you, or does your provider take care of everything?


Could Gmail, Yahoo Mail, Hotmail, etc. Have Stopped the Phishing?

Posted by hyperguard on October 9, 2009

By now just about everyone has heard of the 20,000 hijacked e-mail accounts resulting from a potentially long-lived phishing attack, according to a Computerworld interview with Anti-Phishing Working Group Chairman Dave Jevans. As we imagined, this has kicked off quite a lot of discussion in the industry. The Washington Post offered some good background earlier this week.

The threat of phishing is becoming even more prevalent as attackers test both the savvy of users and the defenses of websites and email providers. In fact, Slashdot just reported on the largest phishing bust to date (the original, we think, came from IT Pro in this article).

The average person deserves some of the credit for perpetuating phishing, of course, as TechCrunch illustrates in its plea for help. People have been sounding off in forums like Neowin and on blogs like Gizmodo. So do Google, Yahoo!, Hotmail and the other affected providers share some responsibility here? Each of these must have a WAF in place – we assume and hope – so why didn’t the WAF identify, flag and prevent the outbound spamming?

Phishing is in essence an attack on the user, not on the web server. A WAF in front of a webmail application only sees the HTTP requests that drive it, not the SMTP traffic the hijacked accounts then generate, so its reach against the outbound spam itself is limited. The operator of a web application can, however, do several things with a WAF to at least make phishing attacks harder to carry out.

In phishing, the attacker tries to direct the user of a legitimate web application to a fake website. Once the user has entered data on the phishing site, it will normally redirect him onward to the legitimate site, so that the attack goes unnoticed for as long as possible. Phishing sites also often embed icons, graphics and other content directly from the legitimate site. This is where the WAF comes into play (or in Art of Defence’s case, hyperguard).

hyperguard detects third-party websites linking to the legitimate web application’s content and initiates counter-measures. The detection can also be carried out dynamically, blocking access only once a specific number of requests from the same third-party site has been seen.

From a technical point of view, the WAF checks the HTTP Referer header of incoming requests against a whitelist, a blacklist, a graylist or a combination of the three. Two caveats a practitioner should keep in mind: the Referer header is optional and browsers omit it in a number of situations, so a missing header cannot be treated as hostile, and a phishing site can sidestep the check entirely by hosting copies of the images instead of hotlinking them. The check catches the careless phisher, not the careful one.
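
To make the Referer check concrete, here is an added example (not hyperguard’s code or configuration) that runs whitelist, blacklist and graylist logic, including the dynamic threshold, over a few constructed access-log lines in Apache combined format. The hostnames, the threshold of three hits and the log lines themselves are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines standing in for a webmail
# provider's access log. The seventh quoted field is the Referer the browser
# sent; "-" means no Referer was sent at all. Sample data, not real traffic;
# every hostname is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2009:10:01:02 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "https://mail.webmail.example/inbox" "Mozilla/5.0"
203.0.113.5 - - [09/Oct/2009:10:01:03 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2009:10:02:10 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "http://secure-login-verify.example.net/login.php" "Mozilla/5.0"
198.51.100.8 - - [09/Oct/2009:10:02:11 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "http://secure-login-verify.example.net/login.php" "Mozilla/5.0"
198.51.100.9 - - [09/Oct/2009:10:02:12 +0000] "GET /css/site.css HTTP/1.1" 200 4011 "http://secure-login-verify.example.net/login.php" "Mozilla/5.0"
192.0.2.44 - - [09/Oct/2009:10:03:00 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "http://known-bad.example.org/mail/" "Mozilla/5.0"
192.0.2.45 - - [09/Oct/2009:10:03:01 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "http://blog.partner.example/post/1" "Mozilla/5.0"
"""

# client ip, request path and Referer out of a combined-format line
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)

# Policy (assumed values): the provider's own hosts may embed its content,
# known phishing hosts never may, and anything else is greylisted and
# tolerated until it has been seen GREY_THRESHOLD times.
WHITELIST = {"mail.webmail.example", "www.webmail.example"}
BLACKLIST = {"known-bad.example.org"}
GREY_THRESHOLD = 3


def referer_host(referer):
    """Host part of the Referer, or None when the browser sent none."""
    if not referer or referer == "-":
        return None
    try:
        return urlsplit(referer).hostname  # already lower-cased by urlsplit
    except ValueError:
        return None  # unparsable header: treat it like a missing one


def classify(host, grey_counts):
    """Decide allow / watch / block for one request, updating greylist counts."""
    if host is None:
        # No Referer is normal: direct navigation, bookmarks, privacy tools
        # and HTTPS-to-HTTP transitions. Never treat its absence as hostile.
        return "allow"
    if host in WHITELIST:
        return "allow"
    if host in BLACKLIST:
        return "block"
    grey_counts[host] += 1
    return "block" if grey_counts[host] >= GREY_THRESHOLD else "watch"


def process_log(text):
    """Run every parseable line through the policy.

    Returns (decisions, grey_counts); decisions is a list of
    (client_ip, path, referer_host, decision) tuples in log order.
    """
    grey_counts = defaultdict(int)
    decisions = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client_ip, path, referer = m.groups()
        host = referer_host(referer)
        decisions.append((client_ip, path, host, classify(host, grey_counts)))
    return decisions, dict(grey_counts)


def blocked_hosts(decisions):
    """Third-party hosts that reached a block decision: the counter-measure targets."""
    return {host for _, _, host, decision in decisions if decision == "block"}


if __name__ == "__main__":
    decisions, counts = process_log(SAMPLE_LOG)
    for client_ip, path, host, decision in decisions:
        print(f"{decision:5} {client_ip:13} {path:15} referer={host}")
    print("block candidates:", sorted(blocked_hosts(decisions)))
```

On the sample, the two whitelisted and Referer-less requests pass, the known-bad host is blocked on its first hit, and the unknown login page is only watched until its third hotlinked asset trips the threshold. What "block" turns into is the counter-measure: a 403, or serving a warning image in place of the logo so the victim sees it on the phishing page.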


@Hoff’s “Cloud Providers & Security” Beef Post

Posted by hyperguard on October 5, 2009

Couldn’t agree more! Hoff hits a key security issue for the cloud space. Speaking from the WAF standpoint, complexity is the main issue. For a cloud provider to offer full security services to any customer, it will have to work through a host of issues.

  1. Right up front, hardware WAFs are out (scaling dictates software). Appliance solutions that cannot be virtualized will cripple a provider. Imagine 500 applications (each a separate customer of the cloud provider) in need of 500 sets of WAF boxes. Depending on the traffic capacity of each box, this could mean thousands of appliances.
  2. Granular black / white / grey listing filters are a must. Each of the 500 customers will have very different WAF needs, and for the cloud provider’s offering to be reasonable the WAF must cover each customer’s needs, otherwise it will have little value. Further, rulesets must be grouped by customer > by application > by filter > by detect or protect.
  3. Integration with source code analyzers is key. By linking the two tools, the cloud provider will be able to monitor and react proactively to attacks across all 500 applications. Think of the value the provider would be able to offer customers (new revenue streams?).
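
As an added illustration of point 2 (example code, not Art of Defence’s product or its configuration format), here is a small Python model of rulesets grouped by customer, application, filter and detect/protect mode, selected by the request’s Host header. The two tenants, their hostnames and the filter patterns are all assumed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Filter:
    """One rule. kind is 'white', 'black' or 'grey'; mode is 'detect' (log only)
    or 'protect' (enforce) and only matters for blacklist rules."""
    name: str
    pattern: str
    kind: str
    mode: str = "protect"


@dataclass
class AppPolicy:
    customer: str
    app: str
    filters: list  # evaluated in order, so whitelist rules should come first


@dataclass
class Request:
    host: str  # Host header, used to find the tenant
    path: str
    query: str = ""


# A crude quote-then-keyword pattern, enough for the demonstration.
SQLI_PATTERN = r"('|%27)[^\n]*?(--|;|\bunion\b|\bor\b)"

# Constructed policies for two hypothetical tenants sharing one WAF instance.
# The same blacklist rule is enforced for one customer and only logged for
# the other, which is the per-customer flexibility point 2 asks for.
POLICIES = {
    "shop.acme.example": AppPolicy("acme", "webshop", [
        Filter("static-assets", r"^/static/", "white"),
        Filter("sqli-quote", SQLI_PATTERN, "black", mode="protect"),
        Filter("admin-area", r"^/admin(/|$)", "grey"),
    ]),
    "portal.beta.example": AppPolicy("beta", "portal", [
        Filter("sqli-quote", SQLI_PATTERN, "black", mode="detect"),
    ]),
}


def evaluate(request, policies=POLICIES):
    """Return (decision, events) for one request.

    decision is 'allow' or 'block'; events are the log lines the WAF would
    emit, tagged customer/app/filter so each tenant's hits stay separable.
    """
    policy = policies.get(request.host.lower())
    if policy is None:
        return "block", ["no policy for host %s" % request.host]

    target = request.path + ("?" + request.query if request.query else "")
    events = []
    for f in policy.filters:
        if not re.search(f.pattern, target, re.IGNORECASE):
            continue
        tag = "%s/%s/%s" % (policy.customer, policy.app, f.name)
        if f.kind == "white":
            events.append(tag + ": whitelisted")
            return "allow", events
        if f.kind == "grey":
            events.append(tag + ": greylisted, logged for review")
            continue
        if f.mode == "protect":
            events.append(tag + ": blacklisted, blocked")
            return "block", events
        events.append(tag + ": blacklisted, detect mode, logged only")
    return "allow", events


if __name__ == "__main__":
    probes = [
        Request("shop.acme.example", "/search", "q=1' UNION SELECT 1--"),
        Request("portal.beta.example", "/search", "q=1' UNION SELECT 1--"),
        Request("shop.acme.example", "/static/app.js", "v=' or 1=1"),
        Request("shop.acme.example", "/admin/users"),
        Request("unknown.example", "/"),
    ]
    for r in probes:
        decision, events = evaluate(r)
        print(decision, r.host, r.path, events)
```

Same probe, two outcomes: acme gets a block, beta gets a log line, because the mode lives on the customer’s ruleset rather than on the shared WAF. The order of filters is itself policy; with the static whitelist first, an injection-looking query string on a static path is never inspected, which is convenient for false positives and worth knowing when deciding what to whitelist.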

Art of Defence’s CTO defined what this might look like and the pressures of the cloud in this white paper. Worth a read if you’re a cloud provider considering integrating a WAF.


Burglars, Rush Hour and Web Application Firewalls

Posted by hyperguard on October 1, 2009

Who would have thought a carpool service web site could be the stuff of pulp novels and Hollywood capers? After reading about the early September plight of RideMatch.info in the New York Times, you might not see the connection, since ‘Agent Smith’ gave a dry technical account of this run-of-the-mill SQL injection attack on the popular Southern California commuter website. Dig into the details and you will assuredly start to crave popcorn and your favorite soda!

The opening shot would pan stage-left to settle on a robed gentleman at his PC. Steaming cup of java in hand, our subject clicks his mouse on SEND to whisk his phone number, address, commute time, work location, employee ID number and name to RideMatch’s member database to find a suitable carpool. Satisfied, our man walks slowly off camera.

Camera fades to black as the narrator sets the stage for drama to come, “little did Joe know his life was about to crash into those of a cat burglar, overworked web application developer and an eager hacker.”

Because a hacker had exploited a coding flaw in RideMatch’s site – the infamous SQL injection – he was able to see every user’s data: who was home when, employment information and social security numbers (doubling as employee ID numbers). That information had value only when sold on to others. While the burglary didn’t actually happen, it isn’t much of a stretch to see that it very well could have. Would a web application firewall (WAF) have prevented this and saved RideMatch from certain liability? If configured correctly, yes, although a WAF filters the attack traffic rather than removing the flaw; the durable fix is for the application to pass user input to the database as bound parameters instead of pasting it into the query text.
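
To show the flaw and the fix side by side, here is an added example (not RideMatch’s code; the table, names and data are made up) of a carpool lookup written two ways against an in-memory SQLite table: first with the user’s work ZIP pasted into the query text, then with it passed as a bound parameter.

```python
import sqlite3

# Constructed member table with the kinds of fields the article lists.
# Every row is invented for the example.
MEMBERS = [
    ("Joe Commuter", "555-0100", "1 Elm St",  "123-45-6789", "90001"),
    ("Ann Driver",   "555-0101", "2 Oak St",  "987-65-4321", "90001"),
    ("Bob Rider",    "555-0102", "3 Pine St", "111-22-3333", "90002"),
]


def build_db():
    """In-memory SQLite database seeded with the sample members."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members (name TEXT, phone TEXT, address TEXT, "
        "employee_id TEXT, work_zip TEXT)"
    )
    db.executemany("INSERT INTO members VALUES (?, ?, ?, ?, ?)", MEMBERS)
    return db


def find_carpool_vulnerable(db, work_zip):
    """Deliberately vulnerable: the form field becomes part of the SQL text,
    so a quote in it ends the string literal and the rest runs as SQL."""
    sql = ("SELECT name, phone, address, employee_id FROM members "
           "WHERE work_zip = '%s'" % work_zip)
    return db.execute(sql).fetchall()


def find_carpool_safe(db, work_zip):
    """Hardened: the driver binds the value; it can never become SQL syntax."""
    sql = ("SELECT name, phone, address, employee_id FROM members "
           "WHERE work_zip = ?")
    return db.execute(sql, (work_zip,)).fetchall()


# What an attacker types into the "work ZIP" field instead of a ZIP code:
# the quote closes the literal and the OR makes the WHERE clause always true,
# so the query returns every member on file.
PAYLOAD = "90001' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("honest query, vulnerable code:", len(find_carpool_vulnerable(db, "90001")), "rows")
    print("payload, vulnerable code:     ", len(find_carpool_vulnerable(db, PAYLOAD)), "rows")
    print("payload, hardened code:       ", len(find_carpool_safe(db, PAYLOAD)), "rows")
```

The vulnerable version hands back the whole table to the payload; the hardened one looks for a ZIP literally equal to the payload string and finds nothing. A WAF rule would see the quote and the OR in that parameter and could block it, but encodings and variants make a signature list a race the defender has to keep winning, whereas the bound parameter closes the class of bug regardless of what is typed.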

How prevalent is this issue? Very. Here are just a few of the interesting public cases.

On August 17, 2009, the United States Justice Department charged American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using SQL injection attacks. In reportedly “the biggest case of identity theft in American history”, the accused stole card data from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.

In 2008, from at least April through August, a sweep of attacks exploited SQL injection vulnerabilities in web applications running on Microsoft’s IIS web server with SQL Server as the back-end database. The attack doesn’t require guessing the name of a table or column: it walks the database’s own catalogue and corrupts every text column in every table in a single request. An HTML string referencing a malicious JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches to gaining control over the visitor’s system. The number of exploited web pages was estimated at 500,000.

On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site for ‘routine maintenance’ after being informed that 10,597 social security numbers of sex offenders had been downloaded via SQL injection.
