CS507 Assignment#4 Solution
Assignment No. 04 SEMESTER Fall 2010 CS507- Information Systems
Total Marks: 10
Due Date: 24/1/2011
Please read the following instructions carefully before solving & submitting assignment:
It should be clear that your assignment will get zero marks if:
o The assignment is submitted after due date.
o The submitted assignment does not open or file is corrupt.
o The assignment is copied (from other student or ditto copy from handouts or internet).
o Student ID is not mentioned in the assignment File or name of file is other than student ID.
Your answer must follow the specifications given below. You will be assigned zero marks if you do not follow these instructions.
• Font style: “Times New Roman”
• Font color: “Black”
• Font size: “12”
• Bold for heading only.
• Font in Italic is not allowed at all.
Do not post queries about this assignment on the MDB; if you have any query, contact firstname.lastname@example.org
Your assignment must be uploaded/submitted at or before Monday, January 24, 2011.
Web application security
You have learned in this course about system security risks and vulnerabilities, and that once a system goes online it is far more likely to be attacked.
Attackers increasingly aim at the application layer rather than the network layer, because the web application is the component that is deliberately exposed to arbitrary Internet clients and that talks to the database. An attacker who can manipulate the application's input can reach the data behind it, even when the network itself is well protected.
You have learned about the various technical controls that ensure security like:
• Antivirus software
• Network security scanners etc
From the figure it is clear that a network firewall does not protect a web application; it is designed for network-level security only. It blocks unwanted ports and traffic and lets legitimate traffic, including HTTP/HTTPS requests to the application, pass through.
Antivirus software detects malware at the host level; it does not inspect what a browser sends to the application.
Network security scanners are a good choice for auditing network services, but they do not run checks for vulnerabilities in the web application itself.
Even a web application firewall does not fix the underlying security holes in the application, and a WAF can itself be evaded or attacked. Common attacks against web applications are:
1) Cross site scripting (XSS)
2) Cross site request forgery (CSRF)
3) SQL injection (SQLi)
4) Buffer overflow etc
What are the challenges faced by WAFs (Web Application Firewalls) in order to secure the web applications? Write only five challenges. [ 10 marks]
Note: Write only precise answer and avoid giving extra details.
Figure (given only as an illustration, not reproduced here): Internet, network firewall, web application server.
2. cross-site scripting (XSS)
3. broken authentication and session management
4. insecure direct object references
5. cross-site request forgery (CSRF)
6. security misconfiguration
7. insecure cryptographic storage
8. failure to restrict URL access
9. insufficient transport layer protection
10. unvalidated redirects and forwards
Why is this of interest to the WAF community?
The naive answer would be that scanners and WAFs are alternatives. While they do not perform the same function, they compete for the same budget and are offered as alternatives by PCI DSS. If scanners are not as good as expected, a WAF might be the right solution after all. This is especially important because WAFs are usually under more fire than scanners: it is much simpler to find a fault in a WAF, since all it takes is the right evasion vector, whereas for a scanner a full analysis of the kind Suto did is required.
However, the paper has other, more far-reaching conclusions about the state of security products in general, and therefore about WAFs:
No single security solution is sufficient. Only combining multiple defense mechanisms provides adequate security, and even that does not mean 100%.
Security products differ in the security functionality they provide. Customers often select security products by every feature except security, assuming that the security aspects of the product are handled adequately by all of them. Suto's paper shows that this may not be the case.
The lack of scrutiny of security features drives security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme form by the inability of some scanners to find existing vulnerabilities in sites provided for testing by the vendor itself.
All this is as true of the WAF market as it is of the scanner market. The WAF market is eagerly expecting its Larry Suto. Some vendors may bleed, but finally gold and iron would be distinguishable.
Obstacles for WAFs
Web application firewalls (WAFs) take a different approach. WAFs inspect inbound and outbound traffic to an application and enforce a security policy meant to prevent attackers from compromising the site. Security techniques implemented by WAFs vary, but most WAFs will include positive security (allow only that which is known to be good usage) and negative security (block usage that is known to be malicious).
Advanced WAFs combine these two types of security rules and correlate multiple user behaviours to increase accuracy. Proponents of WAFs (and I am one of them) will argue that WAFs provide the most effective mechanism to immediately address security issues, because the security rule set can be adjusted to prevent new attack types without the time required to change application code. The common objections to WAFs are:
• Some issues can only be corrected in code. The most commonly cited example is logical flaws in the application: if the application was intentionally built to do something insecure, only rewriting the application can fix it. This is true to some extent, but a good WAF will provide ongoing monitoring information that helps to identify when logical flaws are being exploited.
• WAFs cannot understand enough about the application to be effective and accurate. The answer to this is that some WAFs indeed cannot. As with any technology product, it is important to pick a good one.
What to Do?
Given these differences, how is someone faced with PCI's dilemma, false or not, to choose?
For those only concerned with compliance, the answer is simple: WAF. Because a WAF can be deployed without affecting the application and without engaging outside consultants to review application code, a WAF is a faster and more cost-effective approach to meeting the letter of the law.
For those concerned with actually doing the right thing and asking "which first?" rather than "which?", the answer is actually the same: WAF. That is because a WAF can be deployed to provide immediate protection, and a WAF can be quickly configured to adjust as applications and application attacks change. WAFs not only provide the most cost-effective first step, but a sound building block for the second step. Once a WAF is in place, code review projects can proceed at a controlled pace, reducing the risk of errors. WAFs also provide critical information on usage patterns and changes in usage patterns that can guide code review teams and point out obvious problems.
An instructive analogy can be found in application performance tuning. Re-coding slow parts of an application is a great way to improve system performance. However, finding those slow parts requires a performance measurement tool, and sometimes a little extra help, in the form of content acceleration techniques like caching and compression, is warranted. WAFs serve a similar function for application vulnerability assessment by providing a roadmap that code reviewers can follow to find and fix underlying
Concept of WAFs (For understanding):
Attackers channel their attacks through HTTP (port 80) and HTTPS (port 443) to the web server, which was never designed as a security device. Therefore we often see the web server forwarding strange SQL queries, allowing cookie injection attacks, or permitting one of the many cross-site attacks. As a result there is a newer field in the security industry called Web Application Firewalls (WAFs), which are intended to truly know the web application, as opposed to traditional network firewalls, which at best see that traffic is well-formed HTTP or HTTPS but do not understand its content or purpose.
A WAF, on the other hand, learns the web application and understands which HTTP/HTTPS traffic is valid; it should also understand how the web application will respond to certain requests. WAFs are not easy to implement, and the implementation plan needs to be well thought out and involve developers, security engineers, network engineers, system administrators and the business owner. Following are some challenges faced by Web Application Firewalls:
1. Providing thorough protection at the application layer, which a network firewall does not cover.
2. Identifying and reporting the application's security loopholes, and shielding them until the code is fixed.
3. Providing the required throughput, integrity, reliability and redundancy without becoming a bottleneck or a single point of failure.
4. Managing the ports and virtual hosts on which the protected applications are exposed.
5. Handling encrypted (SSL/TLS) traffic: the WAF must decrypt and inspect HTTPS without weakening the encryption end to end.
6. Also working as an intrusion detection system (IDS), alerting on attacks rather than only blocking them.
7. Preventing data theft, hacking and parameter tampering.
8. Providing effective load balancing and object caching alongside inspection.
9. Effectively protecting the application against XSS, CSRF, SQL injection and buffer overflow attacks.
10. Continuous monitoring of the traffic reaching the application.
11. Preventing session hijacking and cookie poisoning attacks.
12. Keeping inspection time low so that the added latency is not noticeable to users.
13. Monitoring for database penetration, such as SQL injection attempts and abnormal data leaving the application.
14. Providing system-level as well as network-level access control and security.
15. Integrating with application scanning so that weaknesses in the applications behind the WAF are known and covered.
16. Providing clean packet filtering, proxying and SSL termination.
17. Reporting errors and alerts in an easy-to-understand way.
18. Effective inspection and filtering of HTTP/HTTPS requests, including decoding and normalising them before rules are matched.
19. Being able to detect application vulnerabilities, not only attacks against them.
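The cookie poisoning and session hijacking items above (challenges 11 and 15), together with the cookie injection mentioned in the concept section, can be illustrated with an added example that is not part of the page: a WAF-side check that only lets through session cookies the site itself issued, by signing each cookie with an HMAC and binding it to the client address. The secret key, the cookie name session, the user IDs and the IP addresses are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET_KEY = b"demo-waf-cookie-key-not-for-production"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: int, role: str, client_ip: str) -> str:
    """Create a signed cookie value: <base64 payload>.<hex HMAC-SHA256>."""
    payload = {"uid": user_id, "role": role, "ip": client_ip}
    body = _b64encode(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(cookie_value: str):
    """Return the payload if the signature is valid, otherwise None."""
    if "." not in cookie_value:
        return None
    body, mac = cookie_value.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def inspect_request(cookie_header: str, client_ip: str) -> dict:
    """WAF decision for one request: allow, or block with a reason."""
    cookies = parse_cookie_header(cookie_header)
    if "session" not in cookies:
        return {"action": "allow", "reason": "no session cookie present"}
    payload = verify_session(cookies["session"])
    if payload is None:
        return {"action": "block",
                "reason": "session cookie signature invalid: tampered or forged"}
    if payload.get("ip") != client_ip:
        return {"action": "block",
                "reason": "session cookie presented from another address: possible hijack"}
    return {"action": "allow",
            "reason": f"valid session for uid {payload['uid']} ({payload['role']})"}


def poison_cookie(cookie_value: str, changes: dict) -> str:
    """What an attacker does: decode the payload, edit it, keep the old MAC."""
    body, mac = cookie_value.rsplit(".", 1)
    payload = json.loads(_b64decode(body))
    payload.update(changes)
    return f"{_b64encode(json.dumps(payload, sort_keys=True).encode())}.{mac}"


if __name__ == "__main__":
    legit = issue_session(1001, "user", "203.0.113.5")
    print(inspect_request("theme=dark; session=" + legit, "203.0.113.5"))
    print(inspect_request("session=" + poison_cookie(legit, {"role": "admin"}), "203.0.113.5"))
    print(inspect_request("session=" + legit, "198.51.100.7"))
```

The poisoned cookie is rejected because any change to the payload invalidates the MAC, so the WAF does not need to know what a "valid" role is, only that the cookie was not issued in that form. Binding the session to the client address catches a straightforward replay of a stolen cookie, but it is a trade-off: users behind NAT or on mobile networks change addresses, which is one of the false-positive sources that makes WAF tuning hard.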