Introduction

Web Application Defender’s Cookbook is a consolidation of tutorials called recipes. They are designed to facilitate the expedient mitigation of the most critical vulnerabilities and attack methods that cyber criminals use today. Whether you’re mitigating a denial-of-service attack on your e-commerce application, responding to a fraud incident on your banking application, or protecting users of a newly deployed social networking application, this book gives you creative solutions to these challenges. This book shows you how to be as pragmatic as possible when performing remediation. Although each recipe includes adequate background information so that you understand how the web application attack or vulnerability works, theory is kept to a minimum. The recipes’ main intent is to provide step-by-step countermeasures you can use to thwart malicious activity within your web applications.

I obtained the information in this book through years of protecting government, educational, and commercial web sites from a wide range of adversaries who used an even wider array of attack methods. Because web attack methods employ multiple levels of complexity and sophistication, so do the remediation recipes presented in this book. All the recipes, however, have a foundation in the following skill sets and topics (listed in order of relevance):

  • Web application vulnerabilities and attacks
  • HTTP
  • Perl Compatible Regular Expressions (PCRE)
  • Programming (Lua, Python, and Perl)
  • Web server administration (Apache)
  • Web browsers
  • UNIX operating system (shell commands and editing files with vim)
  • HTML
  • Incident response process
  • Networking and TCP/IP
  • Basic understanding of Structured Query Language (SQL)

Although the recipes in this book include the key elements of many web application attacks, this book is not meant as a comprehensive guide for describing web application weaknesses, attacks, or secure web application development. Numerous other books and public resources help developers secure their web applications.

Overview of This Book

Quite simply, the goal of this book is to make your web applications more difficult to hack. Web applications—or any software, for that matter—will never be completely secure and free from defects. It is only a matter of time before a determined attacker will find some vulnerability or misconfiguration to exploit and compromise either your site or one of its users. You should take a moment to come to terms with this truth before progressing. Many people wrongly assume that hiring “smart” developers or deploying commercial security products will magically make their sites “hacker proof.” Sadly, this is not reality. A more realistic goal for web application security is to gain visibility into your web transactions and to make your web applications more hacker resistant. If you can force any would-be attackers to spend a significant amount of time probing your site, looking for vulnerabilities, you will widen the window of opportunity for operational security personnel to initiate proper response methods.

This book arms you with information that will help you increase your web applications’ resistance to attacks. You will be able to perform the following critical web application security situational awareness tasks:

  • Detect when web clients are acting abnormally
  • Correlate web activity to the responsible user
  • Figure out if your web application is not functioning properly
  • Determine if your application is leaking sensitive user or technical information
  • Detect new or misconfigured web application resources
  • Create a process to quickly remediate identified vulnerabilities
  • Create virtual patches to mitigate identified vulnerabilities
  • Respond to different attack methods with various response actions

Who Should Read This Book

The target audience for this book is web application defenders. The term defender in this book refers to anyone who is charged with protecting live web applications from attacks. These people did not create the web application, but they are responsible for administering the application on the live network. Web application defenders are one of the three main communities who contribute to the overall security posture of web applications; the other two are builders and breakers. Builders are the development teams who are responsible for the actual source code and functionality of the web application. They are the initial creators of the application and are responsible for future enhancements and maintenance. Breakers, on the other hand, are the information security teams who assess applications by reviewing source code and attacking live web applications. All three communities contribute to the overall security of web applications, but this book is solely focused on helping defenders with their appointed tasks.

How This Book Is Organized

This book is organized as a set of recipes that solve specific web application security problems. Many of the recipes are self-contained, meaning that the vulnerability or attack is presented and a solution is outlined that mitigates the entire attack surface. Other recipes, however, individually address only a portion of the larger problem, so it may be necessary to implement multiple recipes together to fully reduce the risks involved.

From the highest conceptual view, this book is organized into three logical parts:

  • Part I, “Preparing the Battle Space”
  • Part II, “Asymmetric Warfare”
  • Part III, “Tactical Response”

The order of these parts is based on the logical flow and dependencies of each topic. If you are initially deploying a new web application, we recommend that you read this book from start to finish. On the other hand, if you already have web applications deployed in production, you can easily jump directly to a recipe that addresses your specific concern. When appropriate, cross-references to other chapters, recipes, or external resources are provided. The following sections describe each part and its chapters.

Part I, “Preparing the Battle Space”

This book begins with the concept of preparing your web application platform for the attacks that will eventually occur. You should complete the recipes in this part either right before or right after you put a new application into production.

  • Chapter 1, “Application Fortification,” lists the initial steps you should take to implement attack awareness, gain visibility, and conduct proper audit logging of web transactions. You’ll also learn how to implement centralized data storage to facilitate shared attack intelligence for your organization.
  • Chapter 2, “Vulnerability Identification and Remediation,” describes the critical methods of proactively identifying vulnerabilities within your web applications. After these vulnerabilities are identified, you learn how to remediate them through a process known as virtual patching.
  • Chapter 3, “Poisoned Pawns (Hacker Traps),” covers various methods of “booby-trapping” your web application to help you quickly and accurately identify malicious clients.

Part II, “Asymmetric Warfare”

After the web application is live on the production network and is exposed to real users, the recipes in this part will come into play. All of these recipes deal with analyzing web transactions for malicious activity.

  • Chapter 4, “Reputation and Third-Party Correlation,” demonstrates how to leverage third-party geographic data and IP address blacklists to identify known malicious sources or restrict access.
  • Chapter 5, “Request Data Analysis,” illustrates various methods of data acquisition, normalization, and analysis for inbound HTTP requests. It also discusses how to identify common request anomalies that indicate abnormal request construction.
  • Chapter 6, “Response Data Analysis,” shows techniques similar to those in Chapter 5, but this time we inspect the HTTP response data. Anomalies found in these recipes often indicate application errors or successful application attacks.
  • Chapter 7, “Defending Authentication,” describes how to identify brute-force attacks to enumerate user credentials, track successful and failed authentication attempts, and track user applications.
  • Chapter 8, “Defending Session State,” addresses security issues related to application session management. It discusses attacks such as cookie tampering and session hijacking.
  • Chapter 9, “Preventing Application Attacks,” highlights the problem of accepting user input to your web application without any type of validation check. It provides protection information for attacks such as SQL Injection, remote file inclusion, and OS commanding.
  • Chapter 10, “Preventing Client Attacks,” shifts the focus from protecting the web application to defending its users against various attacks, such as cross-site scripting, cross-site request forgery, and clickjacking. It also highlights cutting-edge defenses against banking trojans such as Zeus. Furthermore, it shows you how your web application and the browser can collaborate on security policies.
  • Chapter 11, “Defending File Uploads,” describes how allowing users to upload files to your web application provides an obvious window for attackers to insert malicious code onto your site. These recipes demonstrate how to analyze file attachment uploads to block malicious data.
  • Chapter 12, “Enforcing Access Rate and Application Flows,” shows you how to correlate attributes from multiple client requests to identify abnormal request rates, application flow, and usage anomalies.

Part III, “Tactical Response”

After you have identified malicious behavior within your web application, the next logical question is what you want to do about it. The final part of this book highlights how to best utilize the different response options at your disposal.

  • Chapter 13, “Passive Response Actions,” shows various application changes that may be dispatched that are imperceptible to the end user, such as increases in internal logging.
  • Chapter 14, “Active Response Actions,” lays out more aggressive, disruptive actions that may be used against the transaction or end user. These include dropping the connection, temporarily blacklisting the source IP, and forcibly logging out the application user.
  • Chapter 15, “Intrusive Response Actions,” describes intrusive methods of inspecting information in the client’s web browser to validate functionality or even enumerate additional source information.

Tools You Will Need

This book demonstrates hands-on techniques you can use to prevent web application attacks. Keep in mind that, because you are a web application defender, your tool set is not identical to that which is afforded to the web application developer. Your main tool is the web application platform itself, such as Apache’s web server or Microsoft’s Internet Information Services (IIS) web server. Unfortunately, the effective mitigation of web application vulnerabilities and attacks relies on advanced logic and analysis capabilities that normally are not present in standard web server software. To achieve the advanced defensive capabilities outlined in this book, you need to install additional software within your web server as an additional module or filter.

The recipes in this book use the open source web application firewall (WAF) module called ModSecurity,[1] which is available for the Apache, Microsoft IIS, and Nginx web server platforms. You have other options for achieving basic input filtering for your web application, but no other defensive module has the same level of advanced capabilities as ModSecurity. These capabilities include the robust rules language, data modification, content injection, and even a Lua application programming interface (API), which facilitates custom logic and integration with other tools. By the end of this book, I am confident you will agree that ModSecurity is an outstanding tool for web application defense. Nevertheless, we include appropriate pointers and references to other tools that may provide similar functionality.

Although the recipes use ModSecurity, the underlying detection techniques may certainly be adapted for use within applications that use other tools or libraries. For instance, the OWASP AppSensor[2] project (to which I am a contributor) includes Java code examples that implement many of the same concepts presented in this book.

The target web applications that you will protect throughout this book are taken from the OWASP Broken Web Application (OWASP BWA) project.[3] The virtual machine image available for download provides a large number of intentionally broken web applications used for testing and learning about web application attacks and vulnerabilities. It also provides many real-world applications (such as WordPress) that have real flaws. If you want to follow along with the recipes in the book and practice hands-on with implementing the protection mechanisms, download the virtual machine image.

[1] http://www.modsecurity.org/

[2] https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

[3] http://code.google.com/p/owaspbwa/

Conventions

To help you get the most out of this book and to keep track of the information contained in the recipes, we use several conventions throughout the book.

Recipe X-X: Recipe Title

The recipes solve specific web application security problems, demonstrate the use of a tool or script, and usually provide sample debug and alert messages. Each recipe starts with a list of ingredients like the following:
  • External software reference
  • Some rules files to download
  • A third-party data file to install
A recipe may include endnotes[4] that reference further reading material on the topic.

Note
Notes include tips, hints, and tricks to consider with each recipe.

Warning
Boxes like this one hold important, not-to-be-forgotten information that is directly relevant to the surrounding text.

As for styles in the text:
  • We italicize new terms and important words when we introduce them.
  • We show keyboard strokes like this: Ctrl+A.
  • We show filenames, URLs, and code within the text like so: persistence.properties.
  • We present code in two different ways:
      • We use a monofont type with no highlighting for most code examples.
      • We use bold to emphasize code that is particularly important in the present context or to show changes from a previous code snippet.

[4] This is an endnote.

Source Code

As you work through the examples in this book, you may choose either to type in all the code manually or to use the source code files that accompany the book. All the source code used in this book is available for download at www.wiley.com/go/webappdefenderscookbook.

You can also search for the book at www.wiley.com.

Note
Because many books have similar titles, you may find it easiest to search by ISBN. This book’s ISBN is 978-1-118-36218-1.
