17 Web Application Firewall

This document discusses web application firewalls and fuzzing tools. It provides information on:
1. What a web application firewall is and how it protects web applications from threats and attacks at the application layer.
2. Common features of web application firewalls including blocking capabilities, protection techniques, and performance metrics.
3. Types of fuzzing tools including dumb fuzzers that make random changes to inputs and generation-based fuzzers that systematically test all possible input variations based on a specification.
4. Best practices for fuzzing including using protocol knowledge, maximizing code coverage, and automating long-running fuzzing workflows.


Web Application Firewalls

1. A software or hardware solution that protects your web-enabled applications from threats/attacks.
2. The solution must understand web protection at the application layer (HTTP and HTTPS conversations to your web applications, XML/SOAP, and Web Services).
3. Detect/prevent OWASP Top Ten Threats.
4. A Web Application Firewall (a.k.a. WAF), by contrast, is like placing an eavesdropping agent right next to the Web server.
5. WAFs are an important building block in every HTTP network.

UNIT-III WEB Application Firewall & Fuzzers www.owasp.org
Web Application Firewalls

[Diagram: Web Client --HTTP traffic (port 80)--> Firewall --> Web Application Server --> Database Server]
WAF Features
• Full support for HTTP:
  • Access to individual fields (field content, length, field count, etc.).
  • Entire transaction (both request and response).
  • Uploaded files.
• Anti-evasion features (also known as normalisation/canonicalisation/transformation features).

WAF Features
• Blocking features:
  • Transaction
  • Connection
  • IP Address
  • Session
  • User
  • Honeypot redirection
  • Blocking via external device

Protection Techniques
• Cookie protection
  • Sign/encrypt/virtualise
• Hidden field protection
  • Sign/encrypt/virtualise
• Session management protection
  • Enforce session duration timeout, inactivity timeout.
  • Prevent fixation.
  • Virtualise session management.
  • Prevent hijacking or at least warn about it.

Protection Techniques
• Brute-force protection
• Link validation
  • Signing
  • Virtualisation
• Request flow enforcement
  • Statically
  • Dynamically
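The "signing" option that appears under cookie protection, hidden field protection and link validation on these two slides works the same way each time: the WAF appends a MAC to the value on its way out and verifies it on the way back, so the client can read but not alter it. The following is an added Python example, not code from the slide deck; the key, field names and URL are constructed for the demo. The tag is bound to the field name so a signed value cannot be replayed under a different field, and the link tag covers a canonical (sorted) query string so parameter order does not matter.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; a deployment would load this from a secret store.
SECRET_KEY = b"demo-waf-signing-key-not-for-production"


def _mac(message: bytes) -> str:
    """HMAC-SHA256 tag as URL-safe base64 without padding (never contains '.')."""
    digest = hmac.new(SECRET_KEY, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_value(name: str, value: str) -> str:
    """Cookie / hidden-field signing: the tag is bound to the field name, so a
    signed 'price' cannot be replayed as a signed 'user_id'."""
    return f"{value}.{_mac(f'{name}={value}'.encode())}"


def verify_value(name: str, signed: str):
    """Return the original value if the tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = _mac(f"{name}={value}".encode())
    # constant-time comparison: the position of a mismatch must not leak via timing
    if hmac.compare_digest(expected.encode(), tag.encode()):
        return value
    return None


def sign_hidden_fields(fields: dict) -> dict:
    """Sign every hidden field the application emits on its way to the client."""
    return {name: sign_value(name, value) for name, value in fields.items()}


def verify_hidden_fields(fields: dict):
    """On the way back: check and strip every tag; any failure rejects the whole form."""
    plain = {}
    for name, signed in fields.items():
        value = verify_value(name, signed)
        if value is None:
            return None
        plain[name] = value
    return plain


def sign_link(path: str, params: dict) -> str:
    """Link validation by signing: tag over the canonical (sorted) query string."""
    query = urlencode(sorted(params.items()))
    tag = _mac(f"{path}?{query}".encode())
    return f"{path}?{query}&sig={tag}"


def verify_link(url: str) -> bool:
    """Recompute the tag from every parameter except 'sig' and compare."""
    path, _, query = url.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    sig = next((v for k, v in pairs if k == "sig"), None)
    if sig is None:
        return False
    canonical = urlencode(sorted((k, v) for k, v in pairs if k != "sig"))
    return hmac.compare_digest(_mac(f"{path}?{canonical}".encode()).encode(), sig.encode())
```

Encrypting instead of signing hides the value as well; virtualising replaces it with an opaque handle and keeps the real value server-side. All three share the verification step shown here: anything that fails the check is dropped before it reaches the application.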

Performance Metrics
• Performance:
  • New connections per second.
  • Maximum concurrent connections.
  • Transactions per second.
  • Throughput.
  • Latency.

Signatures and Rules
1. Signatures
   • Simple text strings or regular expression patterns matched against input data.
   • Not very flexible.
2. Rules
   1. Flexible.
   2. Multiple operators.
   3. Rule groups.
   4. Anti-evasion functions.
   5. Logical expressions.
   6. Custom variables.
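To make the signature-versus-rule distinction concrete, here is an added Python example (not part of the slide deck) of a miniature rule engine with the six properties listed for rules: operators, transformations (the anti-evasion functions from the WAF Features slide), rule groups expressed as chains, negation, and an anomaly score kept as a custom per-transaction variable. The rule ids, transformation names and sample request are all constructed for the demo. The test input is a double-URL-encoded, comment-padded `UNION SELECT`; a plain signature on the raw string misses it, while a rule that normalises first does not.

```python
import re
from urllib.parse import unquote

# 1. Signatures: plain strings / regexes matched against the raw input, nothing more.
SIGNATURES = {
    "sig-sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "sig-xss-script": re.compile(r"<script", re.IGNORECASE),
}


def signature_scan(raw: str) -> list:
    """Names of the signatures that match the untransformed input."""
    return [name for name, rx in SIGNATURES.items() if rx.search(raw)]


# Anti-evasion functions: applied to a value before the rule's operator sees it.
def url_decode_fully(s: str) -> str:
    # decode until stable so double encoding (%2520 -> %20 -> space) cannot slip past
    while (decoded := unquote(s)) != s:
        s = decoded
    return s


TRANSFORMS = {
    "urlDecode": url_decode_fully,
    "lowercase": str.lower,
    "removeComments": lambda s: re.sub(r"/\*.*?\*/", "", s, flags=re.S),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
}

# Multiple operators: regex, substring, length comparison.
OPERATORS = {
    "rx": lambda value, arg: re.search(arg, value) is not None,
    "contains": lambda value, arg: arg in value,
    "gt": lambda value, arg: len(value) > int(arg),
}


class Rule:
    """variables -> transformations -> operator(arg), optionally negated, with a score."""

    def __init__(self, rule_id, variables, op, arg, transforms=(), negate=False, score=1):
        self.id, self.variables, self.op, self.arg = rule_id, variables, op, arg
        self.transforms, self.negate, self.score = transforms, negate, score

    def matches(self, tx: dict) -> bool:
        # tx maps a variable (ARGS, REQUEST_HEADERS:Name, ...) to its list of values;
        # an absent variable counts as one empty value so negated rules can fire on it
        for var in self.variables:
            for value in tx.get(var) or [""]:
                for name in self.transforms:
                    value = TRANSFORMS[name](value)
                if OPERATORS[self.op](value, self.arg) != self.negate:
                    return True
        return False


RULES = [
    Rule("rule-sqli-union", ["ARGS"], "rx", r"union select", score=5,
         transforms=("urlDecode", "removeComments", "compressWhitespace", "lowercase")),
    Rule("rule-long-arg", ["ARGS"], "gt", "64", score=1),
    Rule("rule-missing-ua", ["REQUEST_HEADERS:User-Agent"], "rx", r".", negate=True, score=1),
]
# Rule groups / logical expressions: a chain fires only when every member fired.
CHAINS = {"chain-sqli-no-ua": ("rule-sqli-union", "rule-missing-ua")}


def evaluate(tx: dict):
    """Run every rule; return the fired ids and an anomaly score, the custom
    per-transaction variable a blocking decision can threshold on."""
    fired = [rule.id for rule in RULES if rule.matches(tx)]
    fired += [cid for cid, members in CHAINS.items() if all(m in fired for m in members)]
    score = sum(rule.score for rule in RULES if rule.id in fired)
    return fired, score
```

The order of transformations matters: decoding must come before comment removal and whitespace compression, otherwise an encoded `/*` survives long enough to split the keyword pair. Real engines ship far larger transformation sets, but the pipeline shape is the same.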

Three Protection Strategies
1. External patching
   • Also known as "just-in-time patching" or "virtual patching".
2. Negative security model
   • Looking for bad stuff.
   • Typically used for Web Intrusion Detection.
   • Easy to start with but difficult to get right.
3. Positive security model
   • Verifying input is correct.
   • Usually automated, but very difficult to get right with applications that change.
   • It's very good but you need to set your expectations accordingly.
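The positive security model on this slide is the inverse of the rule engine: instead of looking for known-bad patterns, the WAF learns what correct traffic looks like and rejects anything else. The following added Python example (not from the slide deck; paths, parameters and sample traffic are constructed) learns a per-path profile from known-good requests, then validates new requests against it. It also shows the weakness the slide names: a parameter the developers add after learning is rejected as "unknown" until the profile is refreshed.

```python
import re

INT_RX = re.compile(r"^\d{1,10}$")
ALNUM_RX = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
TEXT_RX = re.compile(r"^[^\x00-\x08\x0b\x0c\x0e-\x1f]*$")   # printable, no control chars
TYPE_CHECKS = {"int": INT_RX, "alnum": ALNUM_RX, "text": TEXT_RX}


def infer_type(values) -> str:
    """Narrowest type that fits every observed value."""
    if all(INT_RX.match(v) for v in values):
        return "int"
    if all(ALNUM_RX.match(v) for v in values):
        return "alnum"
    return "text"


def learn_profile(observed) -> dict:
    """Build the whitelist from known-good traffic given as (method, path, params) tuples."""
    seen = {}
    for method, path, params in observed:
        entry = seen.setdefault(path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for name, value in params.items():
            entry["params"].setdefault(name, []).append(value)
    profile = {}
    for path, entry in seen.items():
        profile[path] = {
            "methods": entry["methods"],
            "params": {
                name: {"type": infer_type(values),
                       # heuristic headroom: allow twice the longest observed value
                       "maxlen": 2 * max(len(v) for v in values)}
                for name, values in entry["params"].items()
            },
        }
    return profile


def validate(profile: dict, method: str, path: str, params: dict) -> list:
    """Return the list of policy violations; an empty list means the request conforms."""
    entry = profile.get(path)
    if entry is None:
        return [f"unknown path {path}"]
    violations = []
    if method not in entry["methods"]:
        violations.append(f"method {method} not allowed on {path}")
    for name, value in params.items():
        spec = entry["params"].get(name)
        if spec is None:
            # this is what trips when the application changes after learning
            violations.append(f"unknown parameter {name}")
            continue
        if len(value) > spec["maxlen"]:
            violations.append(f"{name} too long ({len(value)} > {spec['maxlen']})")
        if not TYPE_CHECKS[spec["type"]].match(value):
            violations.append(f"{name} does not match type {spec['type']}")
    return violations


# Constructed known-good traffic used to learn the profile.
OBSERVED = [
    ("GET", "/item", {"id": "42"}),
    ("GET", "/item", {"id": "7"}),
    ("POST", "/login", {"user": "alice", "pw": "s3cret!"}),
    ("POST", "/login", {"user": "bob_2", "pw": "hunter22"}),
]
PROFILE = learn_profile(OBSERVED)
```

The learning step is what "usually automated" means on the slide; the expectation to set is that every release which adds a parameter or route produces false positives until the profile is relearned or hand-edited.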

Web Intrusion Detection
• Detection is so old.
• Prevention is better.
• The problem with prevention is that it is bound to fail given a sufficiently determined attacker.
• Monitoring (logging and detection) is actually more important as it allows you to independently audit traffic, and go back in time.

Monitoring Requirements
• Centralisation.
• Transaction data storage.
• Control over which transactions are logged and which parts of each transaction are logged, dynamically on a per-transaction basis:
  • Minimal information (session data).
  • Partial transaction data.
  • Full transaction data.
• Support for data sanitisation.
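An added Python example (not from the slide deck) of the per-transaction logging control and sanitisation the slide asks for: a decision function chooses minimal, partial or full logging per transaction, the record builder includes only the parts that level allows, and sensitive headers and form fields are masked before anything is written. Records are emitted as JSON lines so they can be shipped to a central store. The field names and sample transactions are constructed.

```python
import json
import re

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
SENSITIVE_PARAM = re.compile(r"pass(word|wd)?|pwd|secret|token|card|cvv", re.IGNORECASE)
MASK = "***"


def sanitise_headers(headers: dict) -> dict:
    """Keep header names, mask the values of credential-bearing headers."""
    return {k: (MASK if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def sanitise_form(body: str) -> str:
    """Mask values of sensitive fields in an application/x-www-form-urlencoded body."""
    pairs = []
    for pair in body.split("&"):
        name, sep, _value = pair.partition("=")
        pairs.append(f"{name}={MASK}" if sep and SENSITIVE_PARAM.search(name) else pair)
    return "&".join(pairs)


def logging_level(tx: dict) -> str:
    """Per-transaction decision: everything for blocked or failing traffic,
    request headers for state-changing requests, session data only otherwise."""
    if tx["blocked"] or tx["status"] >= 500:
        return "full"
    if tx["method"] in ("POST", "PUT", "DELETE"):
        return "partial"
    return "minimal"


def audit_record(tx: dict, level: str = None) -> dict:
    """Build the log record for one transaction at the chosen (or decided) level."""
    level = level or logging_level(tx)
    rec = {"ts": tx["ts"], "level": level, "session": tx["session"], "src": tx["src"],
           "method": tx["method"], "path": tx["path"], "status": tx["status"]}
    if level in ("partial", "full"):
        rec["request_headers"] = sanitise_headers(tx["request_headers"])
        rec["rules_fired"] = tx["rules_fired"]
    if level == "full":
        rec["request_body"] = sanitise_form(tx["request_body"])
        rec["response_headers"] = sanitise_headers(tx["response_headers"])
        rec["response_body"] = tx["response_body"][:4096]   # cap stored size
    return rec


def to_jsonl(records) -> str:
    """One JSON object per line, ready for a central collector."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed sample transactions: one blocked login attempt, one ordinary page view.
SAMPLE_TXS = [
    {"ts": "2024-01-01T00:00:00Z", "session": "sess-a1", "src": "192.0.2.10",
     "method": "POST", "path": "/login", "status": 403, "blocked": True,
     "rules_fired": ["rule-sqli-union"],
     "request_headers": {"Cookie": "SESSIONID=abc123", "User-Agent": "curl/8.0",
                         "Authorization": "Basic Zm9vOmJhcg=="},
     "request_body": "user=alice&password=s3cret!&remember=1",
     "response_headers": {"Set-Cookie": "SESSIONID=def456"}, "response_body": "forbidden"},
    {"ts": "2024-01-01T00:00:01Z", "session": "sess-b2", "src": "198.51.100.7",
     "method": "GET", "path": "/", "status": 200, "blocked": False, "rules_fired": [],
     "request_headers": {"User-Agent": "Mozilla/5.0"}, "request_body": "",
     "response_headers": {}, "response_body": "<html>"},
]
```

Sanitising at write time rather than at read time is the point: once a password has landed in a centralised store it is in every backup and every analyst's query result.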

Fuzzer
• A security fuzzer is a tool used by security professionals (and professional hackers :) to test a parameter of an application.
• Fuzzing is to execute a program on many abnormal inputs and look for badness.
• Goal: Prevent attackers from encountering exploitable errors.
• Automatically generate test cases.
• Many slightly anomalous test cases are input into a target interface.
• Application is monitored for errors.
• Inputs are generally either file based (.pdf, .png, .wav, .mpg) or network based (http, SNMP).

Mutation Based Fuzzing (Dumb Fuzzing)
• Little or no knowledge of the structure of the inputs is assumed.
• Anomalies are added to existing valid inputs.
• Anomalies may be completely random or follow some heuristics (e.g. remove NUL, shift character forward).

Dumb Fuzzing In Short
• Strengths
  • Super easy to set up and automate
  • Little to no protocol knowledge required
• Weaknesses
  • Limited by initial corpus
  • May fail for protocols with checksums, those which depend on challenge response, etc.
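The mutation-based loop of the last two slides, as an added Python example that is not part of the slide deck: a valid seed input, the two heuristics the slide names (remove a NUL, shift a character forward) alongside random byte and truncation mutations, and a harness that classifies each run as ok, cleanly rejected, crashed or locked up. The target is a constructed toy record parser with two planted defects (a trusted length byte and a loop that never terminates without a separator); lock-ups are detected with a line budget enforced through `sys.settrace`, which stands in for the timeout a real harness would use.

```python
import random
import sys

SEED = b"REC\x08a=1;b=2;\x00"   # constructed valid input: TAG(3) LEN(1) PAYLOAD(LEN) NUL


def parse_record(data: bytes) -> dict:
    """Constructed toy target with two planted defects for the fuzzer to find."""
    if len(data) < 4:
        raise ValueError("too short")               # expected rejection, not a bug
    length = data[3]
    payload = data[4:4 + length]
    if data[4 + length] != 0:                       # defect 1: trusts LEN, IndexError when LEN exceeds the data
        raise ValueError("missing NUL terminator")
    fields, i = {}, 0
    while i < len(payload):
        end = payload.find(b";", i)                 # defect 2: no trailing ';' gives end == -1 ...
        key, _, val = payload[i:end].partition(b"=")
        fields[key] = val
        i = end + 1                                 # ... so i resets to 0 and the loop never ends
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One anomaly per test case: random, or one of the slide's heuristics."""
    data = bytearray(seed)
    strategy = rng.choice(["random_byte", "remove_nul", "shift_forward", "truncate"])
    if strategy == "random_byte":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif strategy == "remove_nul":                  # heuristic: drop a NUL byte
        data = bytearray(bytes(data).replace(b"\x00", b"", 1))
    elif strategy == "shift_forward":               # heuristic: shift one character forward
        pos = rng.randrange(len(data))
        data[pos] = (data[pos] + 1) & 0xFF
    else:                                           # cut the tail off
        del data[rng.randrange(1, len(data)):]
    return bytes(data)


def run_with_budget(target, data: bytes, max_lines: int = 5000):
    """Call target(data); raise TimeoutError once it has executed more than
    max_lines Python lines. This is how the harness detects a lock-up."""
    count = [0]

    def tracer(frame, event, arg):
        if event == "line":
            count[0] += 1
            if count[0] > max_lines:
                raise TimeoutError("line budget exhausted")
        return tracer

    sys.settrace(tracer)
    try:
        return target(data)
    finally:
        sys.settrace(None)


def classify(target, data: bytes) -> str:
    """Problem detection: clean rejection, hang, crash (any unexpected exception), or ok."""
    try:
        run_with_budget(target, data)
        return "ok"
    except ValueError:
        return "rejected"
    except TimeoutError:
        return "hang"
    except Exception as exc:
        return "crash:" + type(exc).__name__


def fuzz(target, seed: bytes = SEED, iterations: int = 500, seed_value: int = 1) -> dict:
    """Mutation fuzzing loop; keeps the first reproducer for each finding class."""
    rng = random.Random(seed_value)
    findings = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        verdict = classify(target, data)
        if verdict == "hang" or verdict.startswith("crash"):
            findings.setdefault(verdict, data)
    return findings
```

Keeping the reproducer bytes, not just the verdict, is what turns a fuzzing run into a bug report; the "limited by initial corpus" weakness shows up as well, since every case here is one edit away from a single seed.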

Generation Based Fuzzing
• Test cases are generated from some description of the format.
• Anomalies are added to each possible spot in the inputs.
• Knowledge of protocol should give better results than random fuzzing.

Generation Based Fuzzing In Short
• Strengths
  • Completeness
  • Can deal with complex dependencies, e.g. checksums
• Weaknesses
  • Have to have a spec of the protocol
    • Often can find good tools for existing protocols, e.g. http, SNMP
  • Writing a generator can be labor intensive for complex protocols
  • The spec is not the code
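The generation-based approach of the last two slides, as an added Python example not taken from the slide deck: a small constructed message format with a length field and a checksum, a generator that places every anomaly into every field position in turn, and a serialiser that recomputes the dependent fields so the case survives the target's checksum check. A dumb mutation loop over the same format is included for contrast; nearly all of its cases die at the checksum, which is the "may fail for protocols with checksums" weakness from the dumb-fuzzing slide. The target is a toy parser with one planted defect.

```python
import random

# Constructed message format: VERSION(1) TYPE(1) LENGTH(1) BODY(LENGTH) CHECKSUM(1),
# where CHECKSUM is the low byte of the sum of all preceding bytes.
BASELINE = {"version": 1, "type": 2, "body": b"hello"}
FIELDS = [("version", "u8"), ("type", "u8"), ("length", "u8"), ("body", "bytes")]
ANOMALIES = {
    "u8": [0, 1, 0x7F, 0x80, 0xFF],
    "bytes": [b"", b"A" * 64, b"\x00" * 8, b"\xff" * 8],
}


def build_message(values: dict) -> bytes:
    """Serialise per the spec. LENGTH and CHECKSUM are dependent fields: derived
    from the others unless an anomaly explicitly overrides LENGTH."""
    body = values["body"]
    length = values.get("length", len(body)) & 0xFF
    raw = bytes([values["version"] & 0xFF, values["type"] & 0xFF, length]) + body
    return raw + bytes([sum(raw) & 0xFF])      # checksum fix-up keeps the case accepted


def generate_cases():
    """Generation-based: every anomaly in every field position, one at a time."""
    for field, kind in FIELDS:
        for anomaly in ANOMALIES[kind]:
            values = dict(BASELINE)
            values[field] = anomaly
            yield field, anomaly, build_message(values)


def parse_message(data: bytes) -> dict:
    """Constructed toy target: checks the checksum, then trusts LENGTH (the defect)."""
    if len(data) < 4:
        raise ValueError("too short")
    if sum(data[:-1]) & 0xFF != data[-1]:
        raise ValueError("bad checksum")
    version, mtype, length = data[0], data[1], data[2]
    if version != 1:
        raise ValueError("unsupported version")
    body = data[3:3 + length]
    if data[3 + length] != data[-1]:           # IndexError when LENGTH exceeds the real body
        raise ValueError("length/checksum mismatch")
    return {"type": mtype, "body": body}


def verdict(target, data: bytes) -> str:
    try:
        target(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return "crash:" + type(exc).__name__


def run_generated(target) -> dict:
    """Map each verdict to the (field, anomaly) cases that produced it."""
    results = {}
    for field, anomaly, case in generate_cases():
        results.setdefault(verdict(target, case), []).append((field, anomaly))
    return results


def run_dumb(target, iterations: int = 200, seed_value: int = 3) -> dict:
    """Single random byte changes without checksum fix-up: counts per verdict."""
    rng = random.Random(seed_value)
    seed = build_message(BASELINE)
    counts = {}
    for _ in range(iterations):
        data = bytearray(seed)
        data[rng.randrange(len(data))] = rng.randrange(256)
        v = verdict(target, bytes(data))
        counts[v] = counts.get(v, 0) + 1
    return counts
```

The generator reaches the defect because it can set LENGTH independently of BODY while still producing a valid checksum; the dumb loop only ever passes the checksum when the mutated byte happens to equal the original, which is no mutation at all. "The spec is not the code" applies here too: the generator encodes the format as documented, while the parser's real behaviour (trusting LENGTH) is only discovered by running it.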

Fuzzing Tools - Input Generation
• Existing generational fuzzers for common protocols (ftp, http, SNMP, etc.)
  • Mu-4000, Codenomicon, PROTOS, FTPFuzz
• Fuzzing Frameworks: you provide a spec, they provide a fuzz set
  • SPIKE, Peach, Sulley
• Dumb Fuzzing automated: you provide the files or packet traces, they provide the fuzz sets
  • Filep, Taof, GPF, ProxyFuzz, PeachShark

Input Injection
• Simplest
  • Run program on fuzzed file
  • Replay fuzzed packet trace
• Modify existing program/client
  • Invoke fuzzer at appropriate point

Problem Detection
• See if program crashed
• Run program under dynamic memory error detector
  • Catch more bugs, but more expensive per run.
• See if program locks up
• Roll your own checker

Workflow Automation
• Sulley, Peach, Mu-4000 all provide tools to aid setup, running, recording, etc.
• Virtual machines can help create reproducible workloads
• Some assembly still required

Example: PDF
• I have a PDF file with 248,000 bytes
• There is one byte that, if changed to particular values, causes a crash
• This byte is 94% of the way through the file
• Any single random mutation to the file has a probability of .00000392 of finding the crash
• On average, need 127,512 test cases to find it
• At 2 seconds a test case, that's just under 3 days...
• It could take a week or more...

Code Coverage
• Some of the answers to these questions lie in code coverage
• Code coverage is a metric which can be used to determine how much code has been executed.
• Data can be obtained using a variety of profiling tools, e.g. gcov

Types of Code Coverage
• Line coverage
  • Measures how many lines of source code have been executed.
• Branch coverage
  • Measures how many branches in code have been taken (conditional jmps).
• Path coverage
  • Measures how many paths have been taken.
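An added Python example (not from the slide deck) that makes the coverage types measurable without an external profiler and then uses them to guide fuzzing, which is the point of the "guiding the process" rule of thumb on the next slide. Line coverage is collected with `sys.settrace`; line-to-line transitions approximate branch coverage in the way edge counting usually stands in for it. The fuzzing loop keeps any mutated input that reaches a previously unseen edge as a new seed, so the corpus grows toward the parser's deeper branches. The header parser is a constructed toy target; the dictionary tokens and seed are constructed too.

```python
import dis
import random
import sys


def parse_headers(data: bytes) -> dict:
    """Constructed toy target: a small HTTP-style header parser with several branches."""
    headers = {}
    for line in data.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(b":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == b"content-length":
            if not value.isdigit():
                raise ValueError("content-length is not numeric")
            headers["content-length"] = int(value)
        elif name == b"transfer-encoding":
            if value.lower() == b"chunked":
                headers["transfer-encoding"] = "chunked"
            else:
                headers["transfer-encoding"] = value.decode("latin-1")
        else:
            headers[name.decode("latin-1")] = value.decode("latin-1")
    return headers


def trace_run(fn, data: bytes):
    """Run fn(data); return the set of fn's executed lines (line coverage) and the
    set of (previous line, line) transitions (an edge approximation of branches)."""
    lines, edges, prev = set(), set(), [None]

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is fn.__code__:
            lines.add(frame.f_lineno)
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        fn(data)
    except ValueError:
        pass                        # an expected rejection is still a valid coverage sample
    finally:
        sys.settrace(None)
    return lines, edges


def line_coverage(fn, lines) -> tuple:
    """(covered, total) over the lines that begin bytecode in fn."""
    total = {ln for _, ln in dis.findlinestarts(fn.__code__) if ln is not None}
    return len(lines & total), len(total)


DICTIONARY = [b"content-length", b"transfer-encoding", b"chunked", b":", b"\r\n", b"0"]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Bit flip, dictionary token insertion, or byte deletion."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf) + 1)
    choice = rng.random()
    if choice < 0.4 and buf:
        buf[pos % len(buf)] ^= 1 << rng.randrange(8)
    elif choice < 0.7:
        buf[pos:pos] = rng.choice(DICTIONARY)
    elif buf:
        del buf[pos % len(buf)]
    return bytes(buf)


def coverage_guided_fuzz(fn, seeds, iterations: int = 400, seed_value: int = 7):
    """Keep every mutated input that reaches a new edge; mutate from the growing corpus."""
    rng = random.Random(seed_value)
    corpus = list(seeds)
    seen = set()
    for s in corpus:
        seen |= trace_run(fn, s)[1]
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        _, edges = trace_run(fn, child)
        if edges - seen:            # new edge: this input taught us something, keep it
            seen |= edges
            corpus.append(child)
    return corpus, seen
```

Path coverage is deliberately not collected: the number of distinct paths through even this parser grows with the number of header lines, which is why fuzzers settle for edges. Compilers' own instrumentation (gcov for C, as the slide notes) does the same job faster than a Python tracer, but the feedback loop is identical.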

Fuzzing Rules of Thumb
• Protocol specific knowledge is very helpful
  • Generational tends to beat random; better specifications make better fuzzers
• More fuzzers are better
  • Each implementation will vary; different fuzzers find different bugs
• The longer you run, the more bugs you find
• Best results come from guiding the process
  • Code coverage can be very useful for guiding the process
THANK YOU
