F5 Web Application Security Insights

The document discusses web application security vulnerabilities and strategies to address them. It notes that 64% of security incidents target port 80, where web applications reside. Traditional perimeter defenses are strong against network attacks but port 80 remains open to web traffic and exploits. The challenges include vulnerabilities in new code, lack of proper testing, business pressures rushing development, flaws in third-party code, and lack of responsibility over the full application lifecycle. Scanning and auditing have limitations and are reactive. A better approach uses an automated web application firewall for real-time protection enforcing best practices and blocking unknown vulnerabilities.


F5 Web Application Security

Radovan Gibala
Senior Solutions Architect
[email protected]
+420 731 137 223

2011
Security’s Gaping Hole

“64% of the 10 million security incidents tracked targeted port 80.”
Information Week
Web Application Security

[Diagram: perimeter security is strong, but ports 80 and 443 are open to web traffic, so attacks now look to exploit application vulnerabilities]

Application-level attacks shown:
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering

Outcomes flagged: non-compliant information; forced access to infrastructural information

High intelligence density = high value attack
Why Are Web Applications Vulnerable?

New code written to best-practice methodology, but not tested properly
New type of attack not protected by current methodology
New code written in a hurry due to business pressures
Code written by third parties; badly documented, poorly tested – third party not available
Flaws in third party infrastructure elements
Session-less web applications written with client-server mentality
Who is responsible for application security?

Web developers?
Network Security?
Engineering services?
DBA?
Traditional Alternative: Rely Exclusively on the Developer

Application Logic
Application Security
Application Integration
Application Performance
Application Patching
Application Optimization
Application Scalability
Application Availability
Web Application Protection Strategy

Best Practice Design Methods
– Only protects against known vulnerabilities
– Difficult to enforce; especially with sub-contracted code
– Only periodic updates; large exposure window

Automated & Targeted Testing
– Done periodically; only as good as the last test
– Only checks for known vulnerabilities
– Does it find everything?
Challenges of Traditional Solutions

HTTP attacks are valid requests
HTTP is stateless, application is stateful
Web applications are unique
– there are no signatures for YOUR web application
Good protection has to inspect the response as well
Encrypted traffic facilitates attacks…
Organizations are living in the dark
– missing tools to expose/log/report HTTP attacks
Traditional Scan and Fix and Audits

Scan and Fix
– Scanners can’t find all vulnerabilities
– Scanners can’t reverse engineer the code
– Scanners can’t find business logic vulnerabilities
– When something is detected, it requires an immediate code change
– Not a pro-active solution

Security Code Audits
– Extremely expensive ($25,000 for medium to small app)
– Requires preparation and availability of the dev team
– Requires iterations of audit and fix
– Each fix may add more bugs to the current application or may add another vulnerability…

“We only protect from what we know, we never protect from what we don’t know.”
Web Application Protection Strategy

Best Practice Design Methods and Automated & Targeted Testing (as on the previous slide), now complemented by a:

Web Application Firewall
– Real-time 24 x 7 protection
– Enforces best practice methodology
– Allows immediate protection against new vulnerabilities
OWASP Top 10 / January 2007

A1 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, etc.

A2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.

A3 – Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker.

A6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.

A7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.

A8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 – Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 – Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
Traditional Security Devices vs. WAF

                                    Network Firewall   IPS       ASM
Known Web Worms                     Limited            ✓         ✓
Unknown Web Worms                   X                  Limited   ✓
Known Web Vulnerabilities           Limited            Partial   ✓
Unknown Web Vulnerabilities         X                  Limited   ✓
Illegal Access to Web-server files  Limited            X         ✓
Forceful Browsing                   X                  X         ✓
File/Directory Enumerations         X                  Limited   ✓
Buffer Overflow                     Limited            Limited   ✓
Cross-Site Scripting                Limited            Limited   ✓
SQL/OS Injection                    X                  Limited   ✓
Cookie Poisoning                    X                  X         ✓
Hidden-Field Manipulation           X                  X         ✓
Parameter Tampering                 X                  X         ✓
Layer 7 DoS Attacks                 X                  X         ✓
Brute Force Login Attacks           X                  X         ✓
App. Security and Acceleration      X                  X         ✓
Application Security Lacks Test ...or: „The Point of Truth“

Simple Version:
– Does your WAF discover that the price of an item on an online shop was changed?
Support of Dynamic Values
Application Security Lacks Test ...or: „The Point of Truth“

Simple Version:
– Does your WAF discover that the price of an item on an online shop was changed?

Technical Version:
– OWASP (http://www.owasp.org/index.php/OWASP_Top_Ten_Project)
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting
5. Buffer Overflow
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Application Denial of Service
10. Insecure Configuration Management
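As an added example (not F5 code), here is how a response-aware WAF can answer the "Point of Truth" question above: it records the hidden price the shop issued in its response, bound to the client's session and form, and refuses the checkout POST if the client sends a different value back. The form field names, session id and checkout page are constructed for the example.

```python
"""Dynamic-value protection (added example; not F5 ASM code).
The WAF records the hidden form values the server issued in its response,
bound to the client's session, and checks that the client's next POST sends
them back unchanged. A price that the client rewrote is therefore a violation."""
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Parameters whose values are set by the server (names constructed for the example).
DYNAMIC_PARAMS = {"price", "item_id"}


class HiddenFieldParser(HTMLParser):
    """Collects name/value of every <input type="hidden"> in a response body."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""


class DynamicValueGuard:
    """Binds server-issued hidden-field values to (session, form action)."""

    def __init__(self):
        self._expected = {}

    def observe_response(self, session_id, form_action, html):
        p = HiddenFieldParser()
        p.feed(html)
        self._expected[(session_id, form_action)] = {
            k: v for k, v in p.fields.items() if k in DYNAMIC_PARAMS
        }

    def check_request(self, session_id, path, body):
        """Violations for a form POST; an empty list means the request is allowed."""
        expected = self._expected.get((session_id, path))
        if expected is None:
            return [f"{path}: no form was served to this session (out of flow)"]
        sent = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        violations = []
        for name, value in expected.items():
            if name not in sent:
                violations.append(f"dynamic parameter {name} missing")
            elif sent[name] != value:
                violations.append(f"dynamic parameter {name} changed: {value!r} -> {sent[name]!r}")
        return violations


# Constructed exchange: the shop serves its checkout form with the quoted price.
SHOP_PAGE = """<form action="/checkout" method="post">
<input type="hidden" name="item_id" value="4711">
<input type="hidden" name="price" value="93.25">
<input type="text" name="qty" value="1">
<input type="submit" value="Buy">
</form>"""


def demo():
    guard = DynamicValueGuard()
    guard.observe_response("sess-A", "/checkout", SHOP_PAGE)
    honest = guard.check_request("sess-A", "/checkout", "item_id=4711&price=93.25&qty=1")
    tampered = guard.check_request("sess-A", "/checkout", "item_id=4711&price=0.01&qty=1")
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```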
Traditional Security Doesn’t Protect Web Applications
Looking at the wrong thing in the wrong place

                                    Application Firewall   Network Firewall   IPS
Known Web Worms                     ✓                      Present            Present
Unknown Web Worms                   ✓                      Present            Present
Known Web Vulnerabilities           ✓                      Present            Present
Unknown Web Vulnerabilities         ✓                      Present            Present
Illegal Access to Web-server files  ✓                      Present            Present
Forceful Browsing                   ✓                      Present            Present
File/Directory Enumerations         ✓                      Present            Present
Buffer Overflow                     ✓                      Present            Present
Cross-Site Scripting                ✓                      Present            Present
SQL/OS Injection                    ✓                      Present            Present
Cookie Poisoning                    ✓                      X                  X
Hidden-Field Manipulation           ✓                      X                  X
Parameter Tampering                 ✓                      X                  X
Negative vs. Positive Security Model

Negative Security Model
– Block known attacks
– Everything else is allowed
– Patch implementation is quick and easy (protection against day-zero attacks)

Positive Security Model
– (Automatic) analysis of web application
– Allow wanted transactions
– Everything else is denied
– Implicit security against new, yet unknown attacks (day-zero attacks)
Application Security with a WAF

[Diagram: browser → WAF → application. The WAF allows legitimate requests and stops bad requests: unauthorised access, non-compliant information, unauthorised access to infrastructural intelligence]

Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
Application content & context aware
High performance, low latency, high availability, high security
Policy-based full proxy with deep inspection & Java support
Positive security augmenting negative security
Central point of application security enforcement
Application Security with a WAF

[Diagram: browser → WAF]
Intelligent decisions: allow only good application behaviour (positive security)
Definition of good and bad behaviour
Selective Application Flow Enforcement

[Diagram: login form (Username, Password) → ALLOWED → transfer form (From Acc., To Acc., $ Amount, Transfer); a direct request to the transfer page is flagged as VIOLATION; a direct request to another page is marked "?": should this be a violation?]

This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.

• Should this be a violation?
• The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.
Flexible Deployment Options

Tighter security posture, from the typical ‘standard’ starting point upward:
OBJECT TYPES (typical ‘standard’ starting point)
OBJECT NAMES
PARAMETER NAMES
PARAMETER VALUES
OBJECT FLOWS (tightest)
How Does It Work?

[Diagram: request made → security policy checked → enforcement → server response → content scrubbing, application cloaking → security policy applied → response delivered]

Security at application, protocol and network level

“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new more secure application”
TechValidate 0C0-126-2FB, Application Manager, Global 5000 Media and Entertainment Company
Multiple Security Layers

RFC enforcement
Various HTTP limits enforcement
Profiling of good traffic:
– Defined list of allowed file types, URIs, parameters
Each parameter is evaluated separately for:
– Pre-defined value
– Length
– Character set
– Attack patterns
  • looking for pattern-matching signatures
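The layered checks on this slide (HTTP limits, allowed file types and URIs, per-parameter pre-defined value, length, character set and attack patterns) as an added Python example; this is not ASM's own policy engine or signature set. The shop policy, the limits and the three signatures are constructed for the illustration, and it also shows the positive model from the "Negative vs. Positive Security Model" slide: anything not listed is denied.

```python
"""Positive-security request check (added example; not F5 ASM code).
Allow-lists say what is permitted; a small negative layer of attack-pattern
signatures then runs over the values that passed the positive checks."""
import re
from urllib.parse import urlsplit, parse_qsl

# HTTP limits enforced before anything else (values chosen for the example).
LIMITS = {"max_url_len": 1024, "max_params": 32, "max_value_len": 512}

# Constructed policy for a small shop: only listed file types, URIs and
# parameters are allowed; everything else is a violation.
POLICY = {
    "file_types": {"", "html", "php", "css", "js", "png"},
    "uris": {
        "/search.php": {"q": {"max_len": 64, "charset": r"[\w .-]"}},
        "/account.php": {
            "action": {"values": {"view", "edit"}},   # pre-defined values
            "id": {"max_len": 10, "charset": r"\d"},  # length + character set
        },
    },
}

# Negative layer: a few generic attack-pattern signatures (example set, not ASM's).
SIGNATURES = [
    ("sql injection", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+\d+=\d+")),
    ("cross-site scripting", re.compile(r"(?i)<\s*script|javascript:")),
    ("path traversal", re.compile(r"\.\./")),
]


def check_request(url):
    """Violations for a GET request URL; an empty list means the request is allowed."""
    if len(url) > LIMITS["max_url_len"]:
        return ["url length exceeds limit"]
    v = []
    parts = urlsplit(url)
    path = parts.path
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1] if "." in last else ""
    if ext not in POLICY["file_types"]:
        v.append(f"illegal file type: {ext}")
    allowed = POLICY["uris"].get(path)
    if allowed is None:
        v.append(f"illegal URI: {path}")
        return v  # no parameter policy exists for an unknown object
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) > LIMITS["max_params"]:
        v.append("too many parameters")
    for name, value in params:
        rule = allowed.get(name)
        if rule is None:
            v.append(f"illegal parameter: {name}")
            continue
        if len(value) > min(rule.get("max_len", LIMITS["max_value_len"]), LIMITS["max_value_len"]):
            v.append(f"{name}: value too long")
        if "values" in rule and value not in rule["values"]:
            v.append(f"{name}: value not in predefined set")
        if "charset" in rule and not re.fullmatch(f"(?:{rule['charset']})*", value):
            v.append(f"{name}: illegal character")
        for label, sig in SIGNATURES:
            if sig.search(value):
                v.append(f"{name}: attack signature ({label})")
    return v


if __name__ == "__main__":
    for u in ("/search.php?q=blue+shoes", "/account.php?action=delete&id=12",
              "/search.php?q=%27+or+1%3D1", "/admin/backup.bak"):
        print(u, "->", check_request(u) or "allowed")
```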
Flexible Policy Granularity

Generic policies – policy per object type
– Low number of policies
– Quick to implement
– Requires little change management
– Can’t take application flow into account

Specific policies – policy per object
– High number of policies
– More time to implement
– Requires change management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values

Optimum policy is often a hybrid
Flexible Deployment Options

Tighter security posture, from the typical ‘standard’ starting point upward:
OBJECT TYPES (typical ‘standard’ starting point)
OBJECT NAMES
PARAMETER NAMES
PARAMETER VALUES
OBJECT FLOWS

Policy tightening suggestions come from the policy-building tools:
• “Trusted IP” Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template
Deployment Without False Positives

Easy web application implementation
– Rapid deployment policy
– Pre-configured application policies

Learning mode
– Gradual deployment
– Transparent / semi-transparent / full blocking
Layer 7 DoS/DDoS

DoS/DDoS attacks are on the increase
The wide spread of malware is providing many more tools/means to execute these attacks via botnets
Danger of DoS:
– Service availability
– Resource cost optimization
– Stability of the security state
Two main scenarios
– Network pipe is saturated
– Server resources are saturated
An ideal solution will stop the malicious traffic, allowing legitimate end users to get service – automatically!
Layer 7 DoS and Brute Force

Unique attack detection and protection
Unwanted clients are remediated and desired clients are serviced
Improved application availability
Focus on higher-value productivity while automatic controls intervene
Hacking Automation

Attackers are using commercial scanners to find vulnerabilities
Automated attack bots/worms randomly scan the internet for vulnerabilities and exploit them
What is probably the most difficult bot activity to detect?
– Web scraping: “stealing” IP content from a website, harvesting its database
Automated Scanner and Bot Programs: Web Scraping a Real Problem

[Diagram: remote users and an automated scraper reach the Dublin and Frankfurt datacenters (Web/Domino network behind an ADC, IT staff at each site); the scraper copies a public web page or requests private data behind the login page, mixed in with legitimate user traffic]

Problem
Entire web site is being scraped of valuable IP information
Scrapers fail to provide company’s terms and updates
Sites copying content end up ranking above company’s for keywords
Need logging and reporting on web scraping
Airline Inventory Vulnerable to Web Scraping

Ryanair – forbids screen-scraping as commercial use. Major business problem
Unister online travel site: Duesseldorf to London
– Ryanair 93.25 Euros vs. Unister 111.86 Euros, a 20% increase in price
easyJet warns Expedia: ‘Hands off our flights’
– Tried to block IP address but Expedia uses millions of IP addresses
Alternatives: litigation and legal letters
– Ryanair sent cease and desist letters to 300 sites
– Ryanair wins injunction against Vtours GmbH
Protection from Web Scraping

[Diagram: Dublin and Frankfurt datacenters each fronted by a BIG-IP (8900 and 6900) running LTM/ASM; legitimate users see data while scrapers are remediated; BIG-IP detects the requests, determines that the site is being scraped, and provides comprehensive reporting on scraping attacks]

Solution
Protects valuable intellectual property
Prices are controlled and users see airline-approved inventory
Integrated scrape reporting for PCI compliance
Avoid litigation, drastically reducing legal costs
Control Over Bots and Scanners

Protection from web scraping:
Design rate shaping and interval requests before blocking
Add IP addresses to whitelist for allowable scrapers
OWASP Top 5: CSRF Attack

What is a Cross Site Request Forgery (CSRF) attack?
– In a CSRF attack a hacker forces the browser to send a stealthy, valid request which the attacker created to a website in which the victim has a session

What are the dangers?
– Attackers can execute full transactions that can be used for finance fraud, DoS – anything
– Hard for victims to prove that they didn’t commit the transactions
– Hard to trace the origin
OWASP Top 5: CSRF Attack

CSRF attack example
1. Mobile user logs in to a trusted site (trusted, encrypted web site)
2. Session is authenticated
3. User opens a new tab, e.g., chat
4. Hacker embeds a request in the chat
5. The trusted link asks the browser to send a request to the hacked site
ASM: Attack Protection from Rogue Users

Only vendor with checkbox functionality for easy protection of all URLs in an approved URL list.
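A token check for an approved URL list, as an added example of how a WAF can stop the forged request from the CSRF example above (the forged request carries the victim's cookie but no token). This is not ASM's implementation; the secret, URL list, field name and session id are constructed, and injecting the token into served forms is assumed rather than shown.

```python
"""CSRF token check for an approved URL list (added example; not F5 ASM code).
The WAF derives a per-session token with HMAC over the session id under a
secret only the WAF knows, would inject it into the forms it serves (not shown
here), and requires it on state-changing requests to the listed URLs. A page on
another site can make the browser send the victim's cookie with a forged
request, but cannot read the token, so the forged request is rejected."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed values for the example.
WAF_SECRET = b"example-waf-secret-rotate-me"
APPROVED_URLS = {"/transfer", "/account/email"}
TOKEN_FIELD = "csrf_token"


def csrf_token(session_id):
    """Token the WAF injects into forms for this session."""
    return hmac.new(WAF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(path, method, session_id, body):
    """Return 'allow' or a violation string for one request."""
    if path not in APPROVED_URLS or method != "POST":
        return "allow"  # only state-changing requests to listed URLs are checked
    sent = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    if not sent:
        return f"csrf: token missing on {path}"
    if not hmac.compare_digest(sent, csrf_token(session_id)):
        return f"csrf: token invalid on {path}"
    return "allow"


def demo():
    sid = "sess-7f3a"  # value of the victim's session cookie (constructed)
    token = csrf_token(sid)
    return {
        "legit": check_csrf("/transfer", "POST", sid, f"to=ACC2&amount=100&{TOKEN_FIELD}={token}"),
        # the forged request carries the victim's cookie (same sid) but no token
        "forged": check_csrf("/transfer", "POST", sid, "to=ACC9&amount=100"),
        "guessed": check_csrf("/transfer", "POST", sid, f"to=ACC9&amount=100&{TOKEN_FIELD}=deadbeef"),
        "unlisted": check_csrf("/help", "POST", sid, "q=x"),
    }


if __name__ == "__main__":
    print(demo())
```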
ASM: ICAP Support

Extract every file upload and send it to an antivirus scan over Internet Content Adaptation Protocol (ICAP)
Every file upload within a multipart request is sent
Web Services: Encryption and Digital Signature Support

ASM can cover a basic use case of message-level encryption
WS-Security standard was implemented*
Limitations
– Encryption card isn’t being used
– Requires the user to manage certificates in both ASM AND LTM
– Authentication not included
XML Firewall

Well-formedness validation
Schema/WSDL validation
Method selection
Attack signatures for XML platforms
Backend parser protection
XML islands application protection
Full request logging
IP “Penalties”

IP Penalty Enforcer
– Regular and repeatable attacks from reported IPs are mitigated
– A policy in ASM allows only a designated number of blocked violations per minute
– Upon reaching the threshold the IP session is blocked
– Tighter security coverage for IP violators
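The per-IP threshold logic of this slide and the scraper rate shaping with a whitelist from the "Control Over Bots and Scanners" slide, as one added Python example (not ASM code). The thresholds, IP addresses and penalty period are constructed values.

```python
"""Per-IP penalty and rate shaping (added example; not F5 ASM code).
Each client IP gets two sliding windows: policy violations per minute and
requests per interval. Crossing either threshold blocks the IP for a penalty
period; whitelisted IPs (approved scrapers) are never limited."""
from collections import defaultdict, deque


class IPPenaltyEnforcer:
    def __init__(self, max_violations=10, violation_window=60.0,
                 max_requests=100, request_interval=10.0,
                 block_seconds=300.0, whitelist=()):
        self.max_violations = max_violations      # violations allowed per window
        self.violation_window = violation_window  # seconds (the slide's "per minute")
        self.max_requests = max_requests          # requests allowed per interval
        self.request_interval = request_interval  # seconds
        self.block_seconds = block_seconds        # penalty period once blocked
        self.whitelist = set(whitelist)
        self._violations = defaultdict(deque)     # ip -> timestamps
        self._requests = defaultdict(deque)       # ip -> timestamps
        self.blocked_until = {}                   # ip -> time the block expires

    @staticmethod
    def _trim(dq, now, window):
        """Drop timestamps that have left the sliding window."""
        while dq and dq[0] <= now - window:
            dq.popleft()

    def _block(self, ip, now, reason):
        self.blocked_until[ip] = now + self.block_seconds
        return f"block {ip}: {reason}"

    def handle(self, ip, now, violation=False):
        """Decide one request: 'allow', 'drop' (IP under penalty) or 'block ...'.

        `now` is a timestamp in seconds; `violation` says whether the policy
        engine flagged this request.
        """
        if ip in self.whitelist:
            return "allow"
        if self.blocked_until.get(ip, 0.0) > now:
            return "drop"
        reqs = self._requests[ip]
        reqs.append(now)
        self._trim(reqs, now, self.request_interval)
        if len(reqs) > self.max_requests:
            return self._block(ip, now, f"{len(reqs)} requests in {self.request_interval}s")
        if violation:
            viols = self._violations[ip]
            viols.append(now)
            self._trim(viols, now, self.violation_window)
            if len(viols) >= self.max_violations:
                return self._block(ip, now, f"{len(viols)} violations in {self.violation_window}s")
        return "allow"


def demo():
    """Constructed traffic: a violator, an unapproved scraper and a whitelisted scraper."""
    enf = IPPenaltyEnforcer(max_violations=3, max_requests=5, whitelist={"203.0.113.10"})
    return {
        "violator": [enf.handle("198.51.100.7", t, violation=True) for t in (0, 5, 10, 11)],
        "scraper": [enf.handle("198.51.100.8", 0.4 * i) for i in range(6)],
        "approved": [enf.handle("203.0.113.10", 0.1 * i) for i in range(20)],
    }


if __name__ == "__main__":
    for who, decisions in demo().items():
        print(who, decisions)
```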
n-tier Web Application Layer
Secerno DataWall

Real-time database activity monitoring and blocking
Responds to each type of threat via either logging, monitoring, alerting, blocking or substituting
Enables rapid application development by reducing the need for intensive security code development
Enforces a positive-security model: only approved behavior is allowed
Zero false positives
The Integration: F5 ASM + Secerno DataWall

Monitor & block traffic at the web and database layers
Application sessions tracked from client to database and back.
When anomalies are detected by ASM, they are logged to both the ASM & Secerno DataWall logs.
– ASM provides user and web context of the attack to Secerno, enabling complete visibility of the attack from source IP address, through HTTP page and session, to SQL transaction.
– Secerno can analyse the full SQL transaction to see if the query is out of policy, rather than just a fragment.
Ensures that administrators are always able to get consistent, correlated application monitoring data.
Web tier attacks are blocked by ASM
Undetected attacks that get to the database are blocked by Secerno DataWall
Users who do not access the database via the web application (DBAs, consultants, and operations staff) are still controlled by Secerno, whether the access is made over the network, remote session, SSH or keyboard.
How the Integration Works

Web traffic is secured with BIG-IP ASM, and database traffic with Secerno DataWall
When a user logs into an application, BIG-IP passes their identity to Secerno DataWall.
If a SQL attack takes place, then all context of the attack is sent to Secerno DataWall, and the user identity is associated with the attack in reports, based on session and the ASM cookie.
BIG-IP Protocol Security Module (PSM)

Integrated platform to secure application traffic
– Protects HTTP(S), FTP, and SMTP at BIG-IP system speeds
Application security accessible for the network guy
– Application protocol, not application logic
– Fully configured after installation
Easy introduction to application security
– First step toward a true application firewall
Simplified Security - PSM

[Feature grid from the slide]
Enforces mandatory headers
White-list server commands
Mitigates directory harvesting
Length checks
Mitigates brute-force attacks
Rate limits
Data Guard
Anti-SPAM grey-listing
Protocol anomaly / RFC compliance
Augments MSM L4 exploits w/ L7
Simplified Security - PSM
“Stepping-Stone” Security

[Diagram of the stack: Application – BIG-IP ASM; Application Protocol – BIG-IP PSM; Transport, Network, Data Link – BIG-IP LTM]
Only Completely Integrated Security Solution

“Stepping Stone” Security
– TMOS/LTM provides L2-L4
– PSM provides L4-L7 protocol security
– ASM provides application security
Builds on ADN functionality
– SSL termination
– Caching/compression
– IPv6 gateway
Attack Expert System in ASM v10.1

1. Click on info tooltip
Attack Type Details

2. Click on attack type
Improved PCI Compliance Reporting

New PCI reporting:
• Details security measures required by PCI DSS 1.2
• Compliance state
• Steps required to become compliant
Reporting
Application Visibility and Reporting

Monitor URIs for server latency
Troubleshoot server code that causes latency
Reporting Features: Executive View

HTTP Response Splitting
Command Execution
Detection Evasion
Parameter Tampering
SQL Injection
Cross Site Scripting (XSS)
XML Parser
Geo-location Based Reporting
Centralized Advanced Reporting with Splunk

Centralized reporting with Splunk’s large-scale, high-speed indexing and search solution
Packaged 15 different ASM-specific reports
Provide visibility into attack trends and traffic trends
Identify unanticipated threats before exposure occurs
http://www.f5.com/solutions/technology-alliances/security/splunk.html
Sample Reports with Splunk

– Top violations
– Top violations by protocol (HTTP, FTP, SMTP)
– Top HTTP violations by web application
– Top attackers
– Top attackers by protocol (HTTP, FTP, SMTP)
– Top web applications attacked, alerted or blocked
– Top web applications alerted by IP address
– Attacks by location
– Top response codes by web application
– Top alerted or blocked web application requests by time period
– Web application requests by method
– Custom ASM forensics filtering & search
F5 Application Security Manager (ASM) and WhiteHat Sentinel Partnership

Turnkey vulnerability detection and remediation solution
ASM + Sentinel Benefits

Discovery and remediation within minutes
Single click policy rules (XSS, SQLi)
Targeted laser focused policy rules
No false positives
Third party policy validation
Out-of-the-box integration for fast implementation
ASM vs. Competition

Features                            F5   Barracuda   Breach   Citrix   Imperva
Signature-based Security            ✓    ✓           ✓        X        ✓
Policy-based Security               ✓    ✓           ✓        ✓        ✓
Staging area for new signatures     ✓    X           X        X        X
Human Readable Policies             ✓    X           X        X        X
Pre-configured policies             ✓    X           X        ✓        ✓
XML Schema validation               ✓    X           X        ✓        X
Integration with Vuln. Scanners     ✓    X           X        X        (1)
Data center security in one unit    ✓    X           X        X        X
Monitor URIs for server latency     ✓    X           X        X        X
Web scraping protection             ✓    X           (2)      (2)      X
Encrypted cookie support            ✓    X           X        X        X
Rate limiting                       ✓    ✓           X        X        X
Geolocation reporting               ✓    X           X        X        X
Layer 7 DoS attack protection       ✓    X           X        X        X
Brute Force attack protection       ✓    ✓           X        X        X
Acceleration and security           ✓    X           X        X(3)     X
Link Collection

Overall: www.f5.com
Technical: ask.f5.com, devcentral.f5.com

F5 University: www.f5university.com/
» Login: your email
» Password: adv5tech
Partner Information: www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html
Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at http://www.f5.com/solutions/deployment/

Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs: http://www.f5.com/solutions/applications/
Solution Briefs: http://www.f5.com/solutions/sb/
F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or you have any further questions.
F5 Is the Global Leader in Application Delivery

[Diagram: users (at home, in the office, on the road) → application delivery network → data centre applications (SAP, Microsoft, Oracle)]

Business goal: achieve these objectives in the most operationally efficient manner