The Honeynet Project and Research Alliance early last month published a very interesting report "Know your Enemy: Web Application Threats". The report states: "
By their nature, web applications are often widely accessible to the Internet as a whole, meaning a very large number of potential attackers. All these factors have caused web applications to become a very attractive target for attackers and the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats. "
This is definitely a report worth reading. It covers all sorts of common attacks against web servers, including code injection, remote code inclusion, SQL injection, cross-site scripting, IP-based scanning, spider-based attacks, the top 10 operating system commands targeted, email spam, blog comment spam, defacements, file hosting, the scanning tools used, botnet recruitment, phishing, and trends in evasion and anonymity, including proxy servers, Google Translate, onion routing and script encoding.
The report's recommendations on how to protect web servers are worth noting: "
Web servers can be protected from threats in many ways. Firstly, we recommend that the administrator keeps an inventory of what applications are on the web server and maintains patch levels for all of them. A host-based Intrusion Detection System, such as mod_security for the Apache web server may be used to block certain common attack vectors, such as "wget" and "curl" appearing in GET and POST requests. This will not provide complete protection from remote code inclusion attacks in particular, but will block many common attacks. If the attacker can include arbitrary code in the running application, they will be able to evade most keyword filters. Alternatively, an application proxy can be deployed in front of the web server to filter out these types of malicious requests. A Host Intrusion Detection System (HIDS) program such as Tripwire may be used to monitor the integrity of critical system files.
Correct configuration of web servers such as Apache and scripting languages such as PHP is also crucial. We mentioned register_globals earlier which allows an attacker to set variables which can cause problems if the developer has not specifically initialized them. The allow_url_fopen configuration directive should be disabled if possible as this prevents remote code-inclusion attacks. The Open Web Application Security Project provides further details on securing web servers and applications.
Programmers can create more secure applications by rigorously validating all input they receive. Where 'include' statements exist in PHP there should be no way for an attacker to control the name of the file being included. If input is going to be echoed back to the user, the application must take care that Cross-site scripting (XSS) attacks cannot occur. The typical example is to disallow or escape '<' and '>' characters to prevent the attacker from entering JavaScript code. Ideally SQL operations should be in the form of prepared statements so that data is treated purely as data and does not have the chance to become code, as it does in an SQL injection exploit. A full treatment of this subject is beyond the scope of this article but a good reference for PHP developers is "Essential PHP Security" by Chris Shiflett, published by O'Reilly. There is also a good set of recommendations for programmers and system administrators as part of the SANS top 20 vulnerabilities, in section C1.3. These include making use of the Hardened-PHP Project's Suhosin tool to control the execution of PHP scripts, migrating to the latest version of PHP and making use of the PHP Data Objects extension when performing SQL queries.
We also recommend that a Network Intrusion Detection System is used which should alert the administrator to events such as connections from web servers to an IRC channel outside the organisation, the port-scanning activity that will be associated with some of the worms and scanning tools, and possibly the increase in traffic that may occur if the server is sending spam email or hosting a phishing web site. Lastly, the administrators should be responsive to the postmaster and abuse email addresses at their domain, which often provide rapid warning of incidents in progress. "
Taken all together, this is a fine piece of work and is definitely worth a read. As always, I close by noting that all enterprises should understand the numerous attack vectors open to criminals attacking your enterprise. The reality is that some of these attacks will be successful despite your best efforts. Therefore, put in a many-layered defense system using strong authentication, transaction authentication and filters on digital data leaving the enterprise to catch thieves walking out the electronic front door with your crown jewels.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com