White paper

Are you fighting new threats with old weapons?
Secure your Web applications with Web Application Firewalls.
Web applications have increased the speed of, and accessibility to, business information for an organization's customers, partners and employees, while at the same time delivering tangible savings. Business applications for accounting, collaboration, customer relationship management (CRM), Enterprise Resource Management (ERP), content management, online banking, e-commerce and many more are all available on the Web, and all of them house valuable, sensitive data. Unfortunately, hackers realized this well before organizations did.
Today, Web applications are the most common target for attack by hackers because they are ubiquitous and provide easy entry to virtually any organization's lucrative data. SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), OS command injection, session hijacking and buffer overflows are the most commonly used attacks targeting Web applications hosted within an organization's local network or in private data centers.
Web Applications
- E-commerce
- Information delivery vehicle for partners, employees
- Accelerated pace of business
- Reduced business costs
What is at risk
- Theft of intellectual property
- Identity and information
- Loss of revenue, brand
- Fines and lawsuits from failure in regulatory
- Threat to national security
A study by the Ponemon Institute in 2011 reveals that 73 percent of organizations had been hacked in the preceding 24 months as a result of weaknesses in their web applications. Sadly, 69% of the organizations surveyed relied on their traditional network firewalls to protect web applications.
This white paper examines the variety of web application attacks hitting organizations today and discusses why traditional network firewalls are not capable of defending against them. A new breed of Web Application Firewalls is the solution to protect corporate data, maintain regulatory compliance such as PCI DSS, and safeguard an organization's brand, reputation and customers.
Web Application Security should not be ignored!
Montana-based broker-dealer D.A. Davidson & Co. had to pay $375,000 after the Financial Industry Regulatory Agency (FINRA) found it negligent in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL injection attack launched by Latvian cyber criminals. The company's web-facing applications were left wide open: the database was never encrypted, and the default password was never changed, leaving it blank.
Vulnerabilities in Web Applications Rising with their Numbers
Organizations continuously develop new web-based applications to meet their product or service promotional needs. The high-pressure environment this creates for programmers, who must deliver never-ending enhancements and new functionality, is less than ideal for secure development. Without rigid secure software development practices, inserting even the smallest piece of code into the website can lead to serious vulnerabilities. In addition, logic flaws, forgotten backup files, debug code, and other production-related vulnerabilities are a regular challenge to the security of websites and other Web applications in organizations.
Securing the bigger picture around Web Applications
Many Web application attacks have nothing to do with developers and coding errors. Often the threat comes from the language, protocol or platform that supports the delivery of these applications; in other words, from the environment surrounding the web applications. The main reason the majority of Web application attacks succeed today is that the attackers come in the same way any legitimate user would, without violating any RFC or W3C standard.
[Figure: the OSI stack, from Layers 1-2 at the bottom through Layer 3 and Layer 4 to Layers 5-7 at the top, where Web applications reside.]
Web applications reside at the top of the OSI stack and are practically cut off from the rest of the network and application layers in the stack. They have no control over, or visibility into, the layers underneath them. When attackers exploit HTTP/TCP behavior, as in a Layer 7 DoS attack, neither the Web application nor the developer has any knowledge of the exploit. This is where Web Application Firewalls add an extra layer of security to Web applications. Web Application Firewalls have the ability to understand the bigger picture surrounding the applications: they look at every request and response within the HTTP/HTTPS/Web Service layers and understand the context in which to evaluate the behavior of requests, thereby blocking Web application attacks.
Common Web Application Attacks
SQL Injection
In an SQL injection attack, the attacker exploits input validation vulnerabilities in the application code to send unauthorized SQL commands to a back-end database. This can bypass authentication and give the attacker access to the entire contents of the database, including identity information.
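The input validation defect described above, shown as an added example that is not part of the white paper and not Cyberoam code: a login query built by string formatting beside the same query with bound parameters. The `users` table, its two accounts and the test input are constructed for the demonstration; SQLite is used only because it ships with Python.

```python
import sqlite3

# Constructed sample data for the demonstration: two accounts in a users table.
# Passwords are stored in clear text only to keep the example short; a real
# application stores a salted password hash.
SAMPLE_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect the paper describes: user input is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so quote characters
    and SQL comment markers in the input change the query's logic.
    """
    query = ("SELECT username, role FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()  # (username, role) or None


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = build_db()
    # Constructed input that closes the username literal and comments out the
    # password check; it is the textbook case a WAF or a code review looks for.
    injected = "' OR '1'='1' --"
    print("vulnerable:", login_vulnerable(conn, injected, "wrong"))        # ('alice', 'admin')
    print("parameterized:", login_parameterized(conn, injected, "wrong"))  # None
```

The parameterized version returns nothing for the same input because the driver sends the text as a value for the placeholder; no part of it is ever parsed as SQL. This is the code-level fix that Requirement 6.6's code review option looks for, and it is what a WAF has to approximate from the outside when the code cannot be changed.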
Cross-site Scripting
Cross-site scripting attacks the application code by exploiting script injection vulnerabilities: malicious HTML tags or client-side scripting code are injected into HTML form fields, and a customer's login credentials are redirected to an attacker.
Worms
Worms take advantage of vulnerabilities in commercial software platforms and operating systems. Code Red, Nimda, and MSBlaster are some examples of worm infections that spread at an astounding rate, sometimes affecting hundreds of thousands of servers within minutes.
URL Parameter Tampering
This type of attack involves manipulation of parameters exchanged
between client and server. The attacker alters the URL query string
parameter values in the browser’s address bar to change application data
such as user credentials, permissions, and other information.
Cross-site Request Forgery (CSRF)
CSRF forces the authenticated user of an application to send an HTTP request to a destination chosen by the attacker, without the user's knowledge or intent. This can result in data theft and, in a full-blown attack, can compromise the entire web application.
OS command injection
OS command injection exploits vulnerabilities introduced during the design and development of applications. Here, the attacker takes advantage of an application vulnerability that results in execution of system-level
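An added example of the application-level defect behind OS command injection and of its fix, written for this page rather than taken from the white paper or from Cyberoam: a hypothetical "file size" feature that hands a user-supplied file name to a shell, beside a version that validates the name against an allowlist and invokes the program without any shell. It assumes a POSIX `wc` command is available; the temporary file it measures is constructed by the example.

```python
import os
import re
import subprocess
import tempfile

# Only plain file names are accepted: no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def file_size_vulnerable(path):
    """The defect: the path is concatenated into a command line run by a shell.

    With shell=True the string is parsed by /bin/sh, so a value such as
    "report.txt; echo INJECTED" runs a second command after wc.
    """
    result = subprocess.run("wc -c " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def file_size_hardened(directory, name):
    """Hardened form: validate the name against an allowlist, then pass the
    command as an argument list so no shell ever parses the user's input."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name rejected by input validation")
    path = os.path.join(directory, name)
    result = subprocess.run(["wc", "-c", path], shell=False, check=True,
                            capture_output=True, text=True)
    return int(result.stdout.split()[0])


def make_sample_file():
    """Constructed input: a temporary directory holding an 11-byte file.

    Returns (directory, full path of the file)."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "report.txt")
    with open(path, "wb") as fh:
        fh.write(b"hello world")
    return directory, path


if __name__ == "__main__":
    directory, path = make_sample_file()
    print(file_size_hardened(directory, "report.txt"))  # 11
    # The same appended text is rejected by the allowlist before any process starts.
    try:
        file_size_hardened(directory, "report.txt; echo INJECTED")
    except ValueError as exc:
        print("blocked:", exc)
```

Two independent controls are at work: the allowlist rejects input that could only be meant for a shell, and the argument-list form means that even a value that slipped past validation would be handed to `wc` as a single file name, never interpreted as a command.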
Session Hijacking
Session hijacking exploits a valid computer session by stealing or predicting a valid session token, gaining unauthorized access to information or services on the Web server.
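The two session-level attacks above, CSRF and session hijacking, share one defence at the application: a session identifier that cannot be predicted, and a per-session secret that a forged cross-site request cannot carry. The following is an added example written for this page, not code from the white paper or from Cyberoam; the `SessionStore` class, the `handle_transfer` endpoint and the request dictionaries are hypothetical names constructed for the demonstration.

```python
import hmac
import itertools
import secrets

_counter = itertools.count(1000)


def predictable_session_id():
    """The weakness session hijacking exploits: a sequential id is guessable
    by anyone who has seen one valid value. Shown only as the 'before' form."""
    return str(next(_counter))


class SessionStore:
    """Server-side sessions with an unguessable id and a per-session CSRF token."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str, "csrf": str}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        csrf = secrets.token_urlsafe(32)  # separate secret, embedded in forms
        self._sessions[sid] = {"user": user, "csrf": csrf}
        return sid, csrf

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def csrf_ok(self, sid, submitted):
        entry = self._sessions.get(sid)
        if entry is None or not submitted:
            return False
        # constant-time comparison avoids leaking the token byte by byte
        return hmac.compare_digest(entry["csrf"], submitted)


def handle_transfer(store, request):
    """Hypothetical state-changing endpoint.

    request is a dict with 'cookie_sid' (from the session cookie, which the
    browser attaches automatically, even to a forged cross-site request) and
    'form' (the POST body). Returns (status, message).
    """
    sid = request.get("cookie_sid")
    user = store.user_for(sid)
    if user is None:
        return 401, "login required"
    if not store.csrf_ok(sid, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer by %s accepted" % user


if __name__ == "__main__":
    store = SessionStore()
    sid, csrf = store.create("alice")
    # Constructed requests: a genuine form post, and a cross-site post that
    # carries the cookie but cannot know the token.
    print(handle_transfer(store, {"cookie_sid": sid, "form": {"csrf_token": csrf}}))
    print(handle_transfer(store, {"cookie_sid": sid, "form": {"amount": "10"}}))
```

The forged request fails at the token check because the attacker's page can cause the browser to send the cookie but cannot read the token out of the victim's form; the hijacking attempt fails because there is no sequence to guess in a 256-bit random id.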
Traditional Network Security Solutions Prove Inadequate for
Securing Web Applications
Effective web application security requires an understanding of a user's interaction with web applications: session IDs, cookies, URLs, HTTP methods, and more. Many organizations rely on their network firewalls and intrusion prevention systems to overcome web application threats. This is how traditional security solutions fall short:
Network Firewalls
Part of the reason Web Application Firewalls are needed today lies with network firewalls themselves. Although network firewalls protect against network layer attacks, they must allow HTTP and HTTPS traffic through to the Web servers. Hackers have been using this fact to embed attacks like SQL injection and Cross-Site Scripting (XSS) into Web traffic carried over allowed application protocols; such traffic is ignored by network firewalls and passes through them uninterrupted. Moreover, network firewalls work at the third and fourth of the seven layers of the OSI network model. They do not understand protocols and languages like HTML and XML, have no means of controlling or filtering sensitive data included in server responses, lack ways to detect tampering of parameters in a URL request, cannot validate user input to an HTML application and, most importantly, lack awareness of session data, limiting their effectiveness against web application attacks.
Intrusion Prevention System
An Intrusion Prevention System can look into a packet's payload and compare it with a list of known signatures/attacks. Hence, it is effective against worms and other attacks based on known software vulnerabilities but largely ineffective against web application attacks targeting unknown vulnerabilities in application code or vulnerabilities arising out of poor
Web Application Firewalls – the only Answer to Web Application Security
Web Application Firewalls sit between the web client and the web server and analyze OSI Layer 7 messages for violations of the programmed security policy, protecting websites and web applications from attacks. They function bi-directionally: they intercept incoming Layer 7 attacks before they reach the Web server, and they also analyze Web server responses to protect against the risk of information leakage. Placed right in front of the Web server, the WAF is the first stop for every request the server is asked to serve and the last stop for every response it delivers.
PCI-DSS and Web Application Security
Web applications have been identified as the initial point of attack on cardholder data. Requirement 6.6 of the Payment Card Industry Data Security Standard requires organizations to ensure that web-facing applications are protected either by installing an application-layer firewall in front of them or by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. With code review turning out to be expensive and tedious, a Web application firewall is the only option left to organizations. Web application firewalls perform deep packet inspection of incoming traffic to detect threats, thereby creating a security layer in front of the application itself that ensures the security of the web server holding credit card and other sensitive data, which must be protected under the PCI DSS requirements.
Cyberoam Web Application Firewall
Cyberoam Web Application Firewall is available as a subscription on Cyberoam Network Security appliances (UTM, NGFW). It follows the positive security model, based on its Intuitive Website Flow Detector, to secure websites and Web-based applications against attacks like SQL injection, cross-site scripting (XSS), URL parameter tampering, session hijacking, buffer overflows and more, including the OWASP Top 10 Web application vulnerabilities.
[Figure: Cyberoam Web Application Firewall Protection against Web-based Application Attacks. Traffic from a Web user (client/partner), including SQL injection, cookie poisoning and XSS, passes through the Web Application Firewall before reaching the Web & Application server and the Database Server.]
Cyberoam Web Application Firewall is deployed to intercept the traffic to and from the Web servers, providing an added layer of security against attacks before they can reach the Web applications. Its Intuitive Website Flow Detector intelligently "self-learns" the legitimate behavior and responses of Web applications. Based on what the Intuitive Website Flow Detector has learned, the Web Application Firewall verifies that each request to the server respects the expected behavior of the Web application, protecting it against Web application attacks.
Cyberoam Web Application Firewall looks at every request and response within the HTTP/HTTPS/Web Service layers. It is effective at repelling attacks from a wide range of commercial and open-source automated vulnerability scanners (e.g. Nessus, WebInspect), as well as hand-crafted attacks.
Each request is validated in three steps before it reaches the Web server:
1. Does it conform to the HTTP protocol specification?
2. Does it match a user-defined policy?
3. Does it adhere to the Intuitive Website Flow Detector?
A request that passes all three steps is legitimate: it adheres to what the Intuitive Website Flow Detector "self-learned" in the past, when such a request was last made to the Web server, and it is forwarded.
A request the Intuitive Website Flow Detector does not recognize from its past knowledge (for example, a requested URL that cannot be an entry point) is blocked from reaching the Web server, and the browser receives an HTTP 403 Forbidden response code. No other information is exposed, as decided under the user-defined policy.
A request that fails any of the three validation steps is blocked, so the Web server is protected from present and future URL-based HTTP attacks.
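To make the three-step flow concrete, here is an added example written for this page; it is not Cyberoam's implementation and does not reproduce how the Intuitive Website Flow Detector works internally. The `WebAppFirewall` class, its learning call, the request dictionaries and the site layout it learns are all constructed for the demonstration. It simplifies the flow model to "known paths, their known parameter names, and a set of entry points", and treats a request without a Referer header as the start of a flow.

```python
import re
from urllib.parse import parse_qs, urlsplit

METHODS = {"GET", "HEAD", "POST"}
VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
CTRL = re.compile(r"[\x00-\x1f\x7f]")  # control characters never belong in a request target


class WebAppFirewall:
    """Three-step request validation modelled on the flow in the paper.

    check() returns (status, reason). The reason is for the WAF's own log;
    the browser only ever sees the status code and a generic page."""

    def __init__(self, blocked_ips=(), admin_prefixes=("/admin",), entry_points=("/",)):
        self.blocked_ips = set(blocked_ips)        # user-defined policy: block list
        self.admin_prefixes = tuple(admin_prefixes)  # user-defined policy: internal-only paths
        self.entry_points = set(entry_points)      # URLs at which a visit may begin
        self.flow = {}  # learned model: path -> set of parameter names seen in learning mode

    def learn(self, target):
        """Learning mode: record a legitimate request's path and parameter names."""
        parts = urlsplit(target)
        names = set(parse_qs(parts.query, keep_blank_values=True))
        self.flow.setdefault(parts.path, set()).update(names)

    def check(self, req):
        headers = req.get("headers", {})
        target = req.get("target", "")
        # Step 1: does the request conform to the HTTP specification?
        if req.get("method") not in METHODS or req.get("version") not in VERSIONS:
            return 400, "unsupported method or version"
        if not target.startswith("/") or CTRL.search(target):
            return 400, "malformed request target"
        if req.get("version") == "HTTP/1.1" and "Host" not in headers:
            return 400, "HTTP/1.1 request without Host header"
        # Step 2: does it match a user-defined policy?
        parts = urlsplit(target)
        if req.get("client_ip") in self.blocked_ips:
            return 403, "client address on block list"
        if parts.path.startswith(self.admin_prefixes) and not req.get("internal", False):
            return 403, "administrative path from external client"
        # Step 3: does it adhere to the learned website flow?
        if parts.path not in self.flow:
            return 403, "URL not part of the learned application"
        unknown = set(parse_qs(parts.query, keep_blank_values=True)) - self.flow[parts.path]
        if unknown:
            return 403, "unknown parameter(s): %s" % ", ".join(sorted(unknown))
        if "Referer" not in headers and parts.path not in self.entry_points:
            return 403, "URL cannot be an entry point"
        return 200, "forward"


if __name__ == "__main__":
    waf = WebAppFirewall(blocked_ips={"198.51.100.9"}, entry_points={"/", "/login"})
    for seen in ["/", "/login?next=", "/account?id=7", "/account?id=8&tab=orders"]:
        waf.learn(seen)  # constructed traffic observed while learning
    request = {"method": "GET", "target": "/account?id=7&debug=1", "version": "HTTP/1.1",
               "headers": {"Host": "shop.example", "Referer": "https://shop.example/login"},
               "client_ip": "203.0.113.5"}
    print(waf.check(request))  # (403, 'unknown parameter(s): debug')
```

Steps 1 and 2 are the same for every site; step 3 is what makes the model positive, since anything the learning phase never saw is blocked without a signature for it. A real deployment needs a way to re-learn when the application changes, which is the adaptation the text attributes to the flow detector.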
Positive protection model without Signature Tables
The Cyberoam Web Application Firewall enforces a positive security model through the Intuitive Website Flow Detector to automatically identify and block all application-layer attacks without relying on signature tables or pattern-matching techniques. The Web Application Firewall considers defined Web application behavior as "good". Any deviation is considered "bad", or malicious, and is blocked accordingly. This provides security against zero-day attacks and eliminates the need to manually populate and update signature tables. The Intuitive Website Flow Detector automatically adapts to changes in the website.
Comprehensive business logic protection
The Cyberoam WAF protects against attacks like SQL injection, cross-site scripting (XSS), and cookie poisoning that seek to exploit the business logic behind Web applications, ensuring they are used exactly as intended.
Reverse proxy for incoming HTTP/HTTPS traffic
The Cyberoam WAF follows a reverse proxy model for all
incoming HTTP and HTTPS traffic which provides an
added level of security by virtualizing the application
infrastructure. All incoming Web application requests from
the Web client terminate at the WAF. Valid requests are
submitted to the back-end Web server, hiding the
existence and characteristics of originating servers.
URL, Cookie, and Form hardening
Application-defined URL query string parameters,
cookies, and HTML form field values (including hidden
fields, radio buttons, checkboxes, and select options) are
protected by the Cyberoam WAF. Attempts to escalate
user privileges through cookie-poisoning, gain access to
other accounts through URL query string parameter
tampering, and other types of browser data manipulation
are automatically identified and blocked.
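One way to detect the tampering this section and the earlier "URL Parameter Tampering" section describe is to sign the values the server chose, so that any change made in the browser fails verification. The following is an added example written for this page, not Cyberoam code and not a description of how the Cyberoam WAF implements form hardening; the `FieldSigner` class, the checkout form and its hidden fields, cookie value and URL parameter are all constructed for the demonstration, as is the signing key.

```python
import base64
import hashlib
import hmac
import json


class FieldSigner:
    """Detect client-side changes to values the server chose.

    The server signs the values it placed in hidden form fields, cookies or
    URL query parameters. On the next request the signature is checked and
    every signed value is compared with what the client sent back."""

    def __init__(self, key):
        self.key = key  # constructed demo key; a real deployment uses a managed secret

    def sign(self, values):
        payload = json.dumps(values, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(mac).decode())

    def verify(self, submitted, token):
        """True only if the token is authentic and no signed value was changed."""
        try:
            payload_b64, mac_b64 = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except (ValueError, TypeError):
            return False
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        signed = json.loads(payload)
        return all(submitted.get(name) == value for name, value in signed.items())


def build_checkout_form(signer):
    """Server side: constructed protected values for one checkout.

    item_id and price would be hidden form fields, role a cookie attribute and
    account_id a URL query parameter; the token travels with them."""
    protected = {"item_id": "SKU-100", "price": "49.00", "role": "user", "account_id": "42"}
    return protected, signer.sign(protected)


def handle_checkout(signer, submitted, token):
    """Reject the request when any protected value no longer matches its signature."""
    if not signer.verify(submitted, token):
        return 403, "Forbidden"
    return 200, "order accepted for %s at %s" % (submitted["item_id"], submitted["price"])


if __name__ == "__main__":
    signer = FieldSigner(b"constructed-demo-key")
    fields, token = build_checkout_form(signer)
    print(handle_checkout(signer, dict(fields), token))              # (200, ...)
    print(handle_checkout(signer, dict(fields, price="1.00"), token))  # (403, 'Forbidden')
```

The browser still receives the hidden fields and can edit them, but it cannot produce a matching HMAC without the key, so a changed price, an escalated role or a different account id is rejected before the application logic runs. The client is told only "Forbidden", in line with the paper's point that blocked requests should expose nothing further.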
HTTPS (SSL) encryption offloading
Attackers cannot bypass the Cyberoam WAF's protection by hiding inside an HTTPS (SSL) connection, the kind of connection used mostly in the financial services, healthcare, e-commerce and other industries that process sensitive data. The WAF not only inspects and secures encrypted connections, but also reduces the latency of SSL traffic with its SSL offloading capabilities.
Monitoring and reporting
Cyberoam Web Application Firewall provides alerts and
logs that help organizations with information on types of
attacks, source of attacks, action taken on them, and more
that help comply with the PCI DSS requirements.
Instant Web server hardening
The Cyberoam WAF instantly shields any Web environment (IIS, Apache, WebSphere®, etc.) against more than 14,000 common server misconfigurations and an ever-expanding universe of known 3rd-party software
Additional Features:
- Block/alert known bad IP addresses
- Customizable user messages for blocked requests
- Rate-based connection safeguards
Business Benefits
- Offers instant protection without requiring changes to existing Web applications when deployed
- Prevents intruders from manipulating web content
- Protects data inside the organization from being hacked by exploiting Web application vulnerabilities
- Secures corporate brands, trade secrets, and intellectual property
- Maintains customer confidence in your website's security, especially for banks, e-commerce, and more
- Ensures sensitive information about the environment doesn't go out to hackers, by sending customizable error messages to users
- Easy to use, with no special training required for administrators
- Low maintenance, as it automatically adapts to website / web-application changes
- Promotes integrity and availability of Web applications
- Helps comply with mandatory PCI requirements
Copyright © 1999-2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. Cyberoam & Cyberoam logo are registered trademarks of Cyberoam Technologies Pvt. Ltd. ®/TM: Registered trademarks of Cyberoam Technologies Pvt. Ltd. or of their respective owners.
Although Cyberoam has attempted to provide accurate information, Cyberoam assumes no responsibility for the accuracy or completeness of the information, nor is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice.