Web-based applications and services have changed the landscape of information delivery and exchange in today’s corporate, government, and educational arenas. Ease of access, increased availability of information, and the richness of web services have universally increased productivity and operational efficiencies. These increases have led to heavier reliance on web-based services and greater integration of internal information systems and data repositories with web-facing applications.
While motivations of attackers against a victim’s corporate and organizational assets remain the same (e.g., financial, intellectual property (IP), identity theft, services disruption, or denial of service), web applications enable a whole new class of vulnerabilities and exploit techniques such as SQL injection, cross-site scripting (XSS), and cross-site request forgery.
One technology that can help secure a web application infrastructure is a web application firewall. A web application firewall (WAF) is an appliance or server application that watches HTTP/HTTPS conversations between a client browser and web server at layer 7. The WAF then has the ability to enforce security policies based upon a variety of criteria, including signatures of known attacks, protocol standards and anomalous application traffic.
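The three policy criteria named above (attack signatures, protocol-standard checks and anomaly thresholds) can be seen in a small layer-7 inspector. The following is an added illustration written for this page, not code from any WAF product: the `HttpRequest` structure, the rule names, the size limits and the two signature patterns are all constructed here and are deliberately minimal, and the sample requests at the bottom are constructed test inputs.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


# Constructed model of the layer-7 view a WAF gets: method, request-target, headers, body.
@dataclass
class HttpRequest:
    method: str
    target: str                      # e.g. "/login?user=bob"
    headers: dict = field(default_factory=dict)
    body: str = ""


# 1. Signatures of known attack patterns (illustrative subset, not a production rule set).
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
}

# 2. Protocol-standard checks (hypothetical limits for this example).
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS"}
MAX_HEADER_VALUE = 8192
MAX_BODY_BYTES = 1_000_000

# 3. Anomaly thresholds chosen for a hypothetical application's normal traffic.
MAX_PATH_DEPTH = 10
MAX_QUERY_PARAMS = 32


def inspect(req: HttpRequest) -> list:
    """Return a list of (category, detail) findings; an empty list means the request passes."""
    findings = []

    # Protocol conformance: method allow-list, header size, header injection (CRLF).
    if req.method not in ALLOWED_METHODS:
        findings.append(("protocol", f"method {req.method!r} not allowed"))
    for name, value in req.headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(("protocol", f"header {name} too long"))
        if "\r" in value or "\n" in value:
            findings.append(("protocol", f"CRLF in header {name}"))
    if len(req.body.encode()) > MAX_BODY_BYTES:
        findings.append(("protocol", "body exceeds size limit"))

    # Anomaly checks on request shape.
    parts = urlsplit(req.target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if parts.path.count("/") > MAX_PATH_DEPTH:
        findings.append(("anomaly", "path depth"))
    if len(params) > MAX_QUERY_PARAMS:
        findings.append(("anomaly", "too many query parameters"))

    # Signature scan over every attacker-controlled surface (path, decoded query values, body, headers).
    surfaces = [parts.path, req.body] + [v for _, v in params] + list(req.headers.values())
    for sig_name, pattern in SIGNATURES.items():
        if any(pattern.search(s) for s in surfaces):
            findings.append(("signature", sig_name))
    return findings


def decide(req: HttpRequest) -> str:
    """Policy decision: block on any finding, otherwise allow."""
    return "block" if inspect(req) else "allow"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        HttpRequest("GET", "/products?id=42&sort=asc", {"Host": "shop.example", "User-Agent": "curl/8"}),
        HttpRequest("GET", "/products?id=42' OR '1'='1", {"Host": "shop.example"}),
        HttpRequest("POST", "/comment", {"Host": "shop.example"}, body="text=<script>document.title</script>"),
        HttpRequest("TRACE", "/", {"Host": "shop.example"}),
    ]
    for s in samples:
        print(s.method, s.target, "->", decide(s), inspect(s))
```

Signature matching on its own is brittle (encodings, comment tricks and case variations all defeat naive patterns, and broad patterns cause false positives on legitimate input), which is why a WAF combines it with protocol conformance and anomaly baselines, and why the application behind it still needs its own input validation.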
Web application security is a branch of Information Security that deals specifically with security of websites, web applications and webservices. At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems.
- Authentication: Ensure that only authorized entities may consume a web service. Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to perform a certain action (coarse-grained) on the requested data (fine-grained). A web service should check whether its clients have access to the method in question. Following authentication, the web service should check the privileges of the requesting entity to determine whether they have access to the requested resource. This should be done on every request. Ensure that access to administration and management functions within the web service application is limited to web service administrators. Ideally, any administrative capabilities would be in an application that is completely separate from the web services being managed by these capabilities, thus completely separating normal users from these sensitive functions.
- Non-repudiation : Prevent a web services consumer from denying having performed a particular transaction.
- Confidentiality: Ensure that SOAP messages traversing networks are not viewed or modified by attackers. WS-Security and WS-Secure Conversation provide the confidentiality services necessary. Messages containing sensitive data must be encrypted using a strong encryption cipher. This could be transport encryption or message encryption. Messages containing sensitive data that must remain encrypted at rest after receipt must be encrypted with strong data encryption, not just transport encryption.
- Message Integrity: This is for data at rest. Integrity of data in transit can easily be provided by SSL/TLS. When using public key cryptography, encryption does guarantee confidentiality but it does not guarantee integrity, since the receiver's public key is public. For the same reason, encryption does not ensure the identity of the sender. For XML data, use XML digital signatures to provide message integrity using the sender's private key. This signature can be validated by the recipient using the sender's digital certificate (public key).
- Protection of resources: Ensure that individual Web services are adequately protected through appropriate identification, authentication, and access control mechanisms. There is a plethora of standards available for controlling access to Web services.
- Negotiation of contracts: To truly meet the goals of SOA and automate business processes, Web services should be capable of negotiating business contracts as well as the QoP and QoS of the associated transactions. While this remains a hard problem, standards are emerging to address portions of contract negotiation—particularly in the QoP and QoS field.
- Trust management: One of the underlying principles of security is ensuring that all entities involved in a transaction trust one another. To this end, Web services support a variety of trust models that can be used to enable Web services to trust the identities of entities within the SOA.
- Security properties: All Web service security processes, tools, and techniques rely on secure implementation. A vulnerable Web service may allow attackers to bypass many—if not all—of the security mechanisms.
- Transport Confidentiality : Transport confidentiality protects against eavesdropping and man-in-the-middle attacks against web service communications to/from the server. All communication with and between web services containing sensitive features, an authenticated session, or transfer of sensitive data must be encrypted using well configured TLS. This is recommended even if the messages themselves are encrypted because SSL/TLS provides numerous benefits beyond traffic confidentiality including integrity protection, replay defences, and server authentication.
- Server Authentication: SSL/TLS must be used to authenticate the service provider to the service consumer. The service consumer should verify the server certificate is issued by a trusted provider, is not expired, is not revoked, matches the domain name of the service, and that the server has proven that it has the private key associated with the public key certificate (by properly signing something or successfully decrypting something encrypted with the associated public key).
- Schema Validation: Schema validation enforces the constraints and syntax defined by the schema. Web services must validate SOAP payloads against their associated XML schema definition (XSD). The XSD defined for a SOAP web service should, at a minimum, define the maximum length and character set of every parameter allowed to pass into and out of the web service. The XSD defined for a SOAP web service should define strong (ideally white list) validation patterns for all fixed format parameters (e.g., zip codes, phone numbers, list values, etc.).
- Output Encoding: Web services need to ensure that output sent to clients is encoded so that it is consumed as data and not as script. This becomes important when web service clients use the output to render HTML pages, either directly or indirectly via AJAX objects.
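The schema validation and output encoding items above describe the two ends of a request handler: every parameter gets a maximum length and character set, fixed-format parameters get an allow-list pattern, and whatever is returned is encoded for the context that will consume it. The following added example (written for this page, not taken from any project or standard) shows both ends in plain Python instead of XSD: the `lookupCustomer` operation, its `SCHEMA` rules, the handler `handle_lookup` and all sample values are constructed for illustration.

```python
import html
import json
import re


# Constructed allow-list schema for a hypothetical "lookupCustomer" operation.
# Every parameter has a maximum length; fixed-format parameters get a strict pattern
# or an enumeration, and the one free-text field at least excludes control characters.
SCHEMA = {
    "zip":    {"max_len": 10,  "pattern": re.compile(r"^\d{5}(-\d{4})?$")},
    "phone":  {"max_len": 15,  "pattern": re.compile(r"^\+?\d{10,14}$")},
    "region": {"max_len": 5,   "enum": {"NA", "EU", "APAC"}},
    "name":   {"max_len": 64,  "pattern": re.compile(r"^[A-Za-z][A-Za-z '\-]*$")},
    "note":   {"max_len": 200, "pattern": re.compile(r"^[^\x00-\x1f\x7f]*$")},
}


class ValidationError(ValueError):
    pass


def validate(params: dict) -> dict:
    """Reject unknown parameters, over-long values and anything outside the allow-list."""
    unknown = set(params) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected parameters: {sorted(unknown)}")
    clean = {}
    for name, rule in SCHEMA.items():
        value = params.get(name)
        if value is None:
            raise ValidationError(f"missing parameter: {name}")
        if not isinstance(value, str) or len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: wrong type or longer than {rule['max_len']}")
        if "enum" in rule and value not in rule["enum"]:
            raise ValidationError(f"{name}: not an allowed value")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: does not match the required format")
        clean[name] = value
    return clean


def is_valid(params: dict) -> bool:
    """Convenience wrapper: True if validate() accepts the parameters."""
    try:
        validate(params)
        return True
    except ValidationError:
        return False


def encode_for_html(value: str) -> str:
    # Entity-encode so the value renders as text in an HTML body or attribute, never as markup.
    return html.escape(value, quote=True)


def encode_for_json_script(obj) -> str:
    # JSON for AJAX consumers. "</" is escaped so the payload cannot close a <script> element
    # if a page inlines it; U+2028/U+2029 are escaped because JavaScript treats them as line breaks.
    text = json.dumps(obj, ensure_ascii=False)
    return text.replace("</", "<\\/").replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")


def handle_lookup(raw_params: dict) -> dict:
    """Hypothetical handler: validate on the way in, encode per output context on the way out."""
    clean = validate(raw_params)
    summary = f"Results for {clean['name']} in {clean['region']}: {clean['note']}"
    return {
        "html": f"<p>{encode_for_html(summary)}</p>",
        "json": encode_for_json_script({"name": clean["name"], "region": clean["region"], "note": clean["note"]}),
    }


if __name__ == "__main__":
    # Constructed sample request: the free-text note carries markup that must stay inert.
    print(handle_lookup({"zip": "90210", "phone": "+15551234567", "region": "EU",
                         "name": "Ada Lovelace", "note": "<b>hi</b>"}))
```

The strict patterns do the heavy lifting for fixed-format fields; the free-text `note` shows why validation alone is not enough, since a legitimate value can contain `<` and still must not be rendered as markup, which is the output-encoding half of the item.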
Different Security Threats
- Distributed Denial of Service (DDoS) – DoS / DDoS attacks have increased in popularity. They are easy to employ and highly effective. Often, the attacker has to do little to cause your website harm. The goal is to disrupt your business by taking your website off-line.
- Volume Based Attacks – Overload the resources of your web servers and application platforms.
- Protocol Based Attacks – The internet is all based on protocols; it's how things get from point A to point B. This type of attack can include things like Ping of Death, SYN flood (SYNchronize and ACKnowledge message), packet modifications and others.
- Layer 7 application attack (HTTP Flood Attack) – is when an attacker makes use of standard GET / POST requests in an effort to overload your web server's ability to respond. They can generate thousands of requests a second. This attack can occur over HTTP or HTTPS and is much easier to implement.
- Simple Service Discovery Protocol (SSDP Attack) – It often targets the traditional SSDP port (1900) and destination port 7 (echo). SSDP is usually used by plug and play devices.
- User Datagram Protocol (UDP Attack) – will randomly flood various ports on your web server; also known as Layer 3 / 4 attacks. This forces the web server to respond.
- Domain Name Server Amplification (DNS Attack) – It occurs at Layer 3 / 4. Attackers make use of publicly accessible DNS servers around the world to overwhelm your web server with DNS response traffic.
- Backdoor Injections (SQL Injection Attacks) – Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent as part of a command or query. The attacker's hostile data can execute unintended commands and pollute data.
- Cross Site Scripting (XSS) – XSS flaws occur whenever an application takes untrusted data and sends it to a web browser. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions or redirect the user to malicious sites.
- Broken Authentication – Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens.