To defend the application, we need to specify the main mechanisms that
make this possible.
This approach puts heavy emphasis on application security; other aspects
need to be considered if we target general defense mechanisms.
The focus here is on the ability to control access, to control the
attacker, and to enable full monitoring of user input and the application:
Access:
This part is about controlling user privileges in terms of access to data
and functionality. In web applications this is normally covered by
three main mechanisms:
a. Session management:
Session management is the method by which the server handles
subsequent requests coming from the same user, meaning that it is
the way the server differentiates the various requests coming from
different clients.
HTTP as a protocol does not provide this service, which is why it is
called a stateless protocol.
In general, every application needs to provide an approach for
dealing with requests sent by various users while keeping track of
each unique user.
The common way to provide session management in an application
is to create a session structure and generate a session token. The
session structure is dedicated to tracking user interaction through
the unique generated token.
Tokens are long, randomly generated strings that are unique to
the user. Tokens are transmitted using different methods; the most
common is HTTP cookies, but other methods such as URL strings or
hidden fields can be used too.
The session for a specific user is destroyed automatically after a
period of time if no interaction between the client and the server
takes place. This period can be set by the application and is usually
about 20 minutes.
b. Authentication:
Authentication is the method used to identify the user trying to
access the application. Anonymous, unauthenticated users are
normally treated as guests and given a specific level of access
depending on the nature of the application.
The simplest approach to authentication in a web application
is usually a user name and password combination.
The provided credentials should comply with a set of conditions
that minimize the possibility of guessing them.
More critical web applications should depend on extra
credentials such as challenge codes, smart and magnetic cards, or
biometric approaches.
c. Access control:
Authenticating the users who access the application is only the first
step; it paves the way to controlling different users' access to
application resources and functionality.
This task is called “Authorization”, and it means specifying “WHO”
accesses “WHAT”.
Generally, the “WHO” information is mapped to a set of
privileges, where the privilege set specifies the access level of that
user on a specific resource.
Privileges are usually bundled into roles, and one or more roles
can be assigned to a user or a group of users.
Robust access control is a must, because weak access control can be a
big source of threat from malicious users who might try to elevate
their privileges or try to access resources or functionality that
belong to different roles.
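The three access mechanisms above can be tied together in a small session store. This is an added example, not code from the original article; the role names, privilege strings and class name are hypothetical, and the idle timeout uses the 20 minutes mentioned above.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the "about 20 minutes" idle period

# Hypothetical role -> privilege mapping ("WHO" accesses "WHAT").
ROLE_PRIVILEGES = {
    "guest": {"catalog:read"},
    "customer": {"catalog:read", "account:read"},
    "admin": {"catalog:read", "account:read", "user:manage"},
}


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so expiry can be tested
        self._sessions = {}      # token -> session structure

    def create(self, user, roles):
        """Call only after authentication succeeded; returns the token."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "roles": set(roles),
                                 "last_seen": self._clock()}
        return token

    def get(self, token):
        """Return the live session for token, or None if unknown/expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]          # destroy the idle session
            return None
        session["last_seen"] = self._clock()   # each request resets the timer
        return session

    def is_allowed(self, token, privilege):
        """Authorization: unknown or expired tokens get guest access only."""
        session = self.get(token)
        roles = session["roles"] if session else {"guest"}
        return any(privilege in ROLE_PRIVILEGES.get(r, set()) for r in roles)
```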
Input:
With all the risk related to accessing data, handling user input is still
the biggest challenge, because of the level of freedom you need to give
the user to fulfil the requirement of a usable application. This makes
defense mechanisms related to user input a necessity.
a. Blacklisting and whitelisting:
Covering issues related to input is
not an easy task, especially when it comes to free text or
to hidden information that is not part of the user's
direct interaction, such as hidden fields and cookie information.
Input handling is usually done by applying common approaches
that either accept only good input based on known
patterns or reject suspicious input based on common
blacklists.
b. Sanitization:
Even though whitelisting and blacklisting
seem to be very efficient, those approaches might sometimes make
the application less user friendly and less usable, which drives the
need to use other ways such as sanitization.
c. Semantic check:
Even sanitization might fail to produce safe input,
because the attacker sometimes depends on input that is totally
valid on the syntactic level but malicious on the semantic level. A
good example of this case is trying to access other users'
information by altering the account number in the
hidden field dedicated to that purpose.
In that case the input is valid, as it matches the pattern for an
account number, and the session information shows that the user is
successfully authenticated, so the user can access and manipulate
information related to the entered account number.
d. Recursive and fragmented check:
In a lot of cases the attacker might
divide the attack into multiple stages in such a way that each part is
not classified as malicious input, but the parts create a
malicious input when they are merged. An example is double encoding
a special character in the URL. When the URL is received and decoded
for the first time it will not look suspicious, but the second decoding
by the application will cause the special character to bypass the filter.
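The input checks above, combined into one validation path: decode until the value is stable, apply a whitelist pattern, then check ownership against the session. This is an added example, not code from the original article; the 8-digit account format, the blocked character set and the sample ownership data are assumptions.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5
BLOCKED_CHARS = set("<>\"'")            # assumed blacklist for free text
ACCOUNT_RE = re.compile(r"[0-9]{8}")    # assumed account number format
# Constructed sample data: accounts owned by each authenticated user.
OWNED_ACCOUNTS = {"alice": {"10000001"}, "bob": {"10000002"}}


def canonicalize(value):
    """Percent-decode until the value is stable; reject endless nesting."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still changing after repeated decoding")


def blacklist_ok_single_decode(raw):
    """Weak: filters after one decode, so a later decode can undo it."""
    return not (BLOCKED_CHARS & set(unquote(raw)))


def blacklist_ok_canonical(raw):
    """Hardened: filters the fully decoded form."""
    return not (BLOCKED_CHARS & set(canonicalize(raw)))


def check_account_param(raw, session_user):
    """Validate a hidden-field account number for the logged-in user."""
    value = canonicalize(raw)
    if not ACCOUNT_RE.fullmatch(value):                       # syntactic
        raise ValueError("not a valid account number")
    if value not in OWNED_ACCOUNTS.get(session_user, set()):  # semantic
        raise PermissionError("account does not belong to this user")
    return value
```

The value `%253C` passes the single-decode filter because it decodes to `%3C`, while the canonical filter sees the `<` that a second decode would produce.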
Attacker:
The other dimension that should be controlled is the attacker, to
make sure that all unexpected errors are handled, the audit log is
preserved, the administrator is notified and the attack is responded to.
a. Mitigating unexpected errors:
Handling errors allows
controlling the unexpected part by showing a customized,
non-informative message and keeping system-generated messages
away from the user, which minimizes the information
disclosure caused by unexpected verbose messages.
b. Keeping audit logs:
The worst attacks are those that do not leave a
trace, because they give investigators no answer about which
assets have been compromised or what information was disclosed,
accessed or altered, and nothing about the vulnerability used or the
identity of the attacker.
Audit logs should have precise information about all events,
transactions and access attempts that took place and their status
(failed, succeeded), with special focus on any abnormal request
showing a malicious pattern.
When storing and managing audit logs it is critical to be sure
that the information cannot be accessed or changed by an attacker,
even if that means isolating the logs on a separate system or storing
the information on write-once media.
c. You are under attack:
Another important issue in handling the
attacker is to let the administrator know that the system is under
attack so that they can respond in real time, because some attacks
can be stopped if a fast enough response is generated. Monitoring and
detection modules normally depend on abnormality in the received
requests, such as their count, their sequence, known attack patterns
or even suspicious business content. Examples are receiving a large
number of requests from the same source IP, getting requests in a
suspicious sequence, alteration of values that are normally
inaccessible to the user (hidden fields), or getting a request to
transfer an unusually large amount of money from an online bank account.
Detection modules can be separate applications such as firewalls
and intrusion detection systems, but this approach might not
be as effective as modules integrated on all levels, especially with
attacks of a semantic nature, because off-the-shelf applications use
generic patterns, in contrast with intrusion detection
modules integrated as part of the application.
d. Response:
Notifying the administrator that the application is under
attack is one thing and reacting actively is another, because
responding in real time is an essential factor and can sometimes
save the application and stop the attack in many critical
applications.
The response might be something like blocking requests from a
specific source, reacting slowly to suspicious requests or dropping
the user session.
Even if the response is unable to stop a skilled
attacker's malicious activities, it will provide more information and
buy the administrator time to react more effectively to the attack.
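An integrated detection module that maps the anomalies described above (request count per source IP, altered hidden fields) to the responses listed (slow down, block, drop the session). This is an added example, not code from the original article; the thresholds, class name and notification callback are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed thresholds, tune per application
SLOW_AFTER = 30       # requests per window before throttling
BLOCK_AFTER = 100     # requests per window before blocking


class AttackMonitor:
    def __init__(self, clock=time.monotonic, notify=print):
        self._clock = clock
        self._notify = notify              # e.g. alert the administrator
        self._hits = defaultdict(deque)    # source IP -> request timestamps

    def _rate(self, ip):
        """Record this request and return the count inside the window."""
        now = self._clock()
        hits = self._hits[ip]
        hits.append(now)
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()                 # forget requests outside window
        return len(hits)

    def inspect(self, ip, issued_hidden, received_hidden):
        """Return 'allow', 'slow', 'block' or 'drop_session' for a request."""
        rate = self._rate(ip)
        if issued_hidden != received_hidden:
            # The user cannot normally edit a hidden field, so a difference
            # between the issued and the returned value is tampering.
            self._notify(f"hidden field altered by {ip}")
            return "drop_session"
        if rate > BLOCK_AFTER:
            self._notify(f"blocking {ip}: {rate} requests in window")
            return "block"
        if rate > SLOW_AFTER:
            return "slow"
        return "allow"
```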
Monitoring and auditing:
This is one of the important aspects because it gives the
administrator the ability to monitor overall user behavior, organize
roles, initiate diagnostic tasks and apply different configurations,
and additionally to track and log any abnormal user activities.
The sensitivity and importance of this mechanism also make it a very
delicious feast for attackers, who might try to gain higher privileges or
disclose power-user information by taking advantage of misconfiguration.