KONA WAF vs Application Layer Attacks - Part 1

Blog Post created by B-3-YP45RV Employee on Nov 19, 2014

Akamai's KONA WAF is used by customers to protect their websites against application layer attacks, which protects the brand and strengthens the site's security triad: confidentiality, integrity, and availability. When security folks talk about application layer attacks, the first thing that comes to mind is the OWASP Top 10.

This blog lists the ten most critical web application security risks (OWASP Top 10, 2013, https://www.owasp.org/index.php/Top_10_2013-Top_10) and how KONA WAF addresses each of them to protect web applications. Each risk is given a status: Green (the WAF provides adequate protection), Orange (partial protection; origin-side controls are still required) or Red (the WAF cannot protect against the risk; the control must live at the origin).

Note: For WAF protection against these risks, we consider the WAF as a product running on the Akamai platform (with its built-in security controls); the protection mechanisms do not include any other Akamai product (Edge Auth, Edge Redirect, etc.) or custom solutions using advanced metadata.

 

A1 – Injection


Description: Injection flaws such as SQL injection, OS command injection, LDAP injection and XPath injection occur when an application accepts untrusted data and passes it to an interpreter as part of a command or query. The untrusted data (the attack payload) tricks the interpreter into executing unintended commands or accessing data without proper authorization.


KONA WAF Prevention: The WAF rules in the SQL Injection, Command Injection and Generic Attacks risk groups of the Kona Rule Set (KRS) provide adequate protection against injection attacks. Signature-based rules are a compensating control; the application should still use parameterized queries and safe APIs at the origin.
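As an added illustration (not code from the original post or from Akamai), the following Python shows the authentication-bypass form of SQL injection that injection rules are written to catch, beside the origin-side fix. The user table, the sample credentials and the function names are constructed for this example; passwords are stored in plaintext only to keep it short.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the example; no real credentials.
    Plaintext passwords are used only to keep the example short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def vulnerable_login(db, username, password):
    """Builds the query by string formatting: the interpreter (SQLite) cannot
    tell attacker-supplied text from the statement's own structure."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return db.execute(query).fetchone() is not None


def safe_login(db, username, password):
    """Parameterized query: values are bound after parsing, so they can
    never change the statement's structure whatever they contain."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Run both variants against two classic payloads and a real login."""
    db = make_db()
    comment_out = "alice' --"      # comments out the password check
    tautology = "' OR '1'='1"      # makes the WHERE clause always true
    return {
        "vuln_comment_out": vulnerable_login(db, comment_out, "wrong"),
        "vuln_tautology": vulnerable_login(db, "nobody", tautology),
        "safe_comment_out": safe_login(db, comment_out, "wrong"),
        "safe_tautology": safe_login(db, "nobody", tautology),
        "safe_legit": safe_login(db, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

Both payloads are the kind of thing a request-inspection rule flags; the parameterized version is what makes the origin safe even when a payload slips past the rules.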


KONA WAF Status: Green

 

A2 – Broken Authentication and Session Management


Description: This flaw occurs when application functionality related to authentication and session management is not implemented securely, which can lead to compromise of usernames, passwords or session IDs and to user impersonation.


KONA WAF Prevention: Most authentication-related mitigation depends on how functionality such as login, change password, forgot password and registration is implemented, so KONA WAF provides only partial protection. Authentication bypass using SQL injection can be blocked by the rules in the SQL Injection risk group. Brute-force attempts to guess login credentials can be mitigated with appropriately tuned rate control rules on the login endpoint.

Session management controls such as invalidating the session at logout, timing out the session after a period of inactivity, and using long, random session tokens cannot be enforced by KONA WAF and must be enforced by the origin server. KONA WAF has a few rules to detect session fixation attacks.

Some commercial on-premise WAFs provide the following features:

  • Upstream authentication
  • Cookie store
  • Cookie encryption
  • URL encryption
  • Secure session handling

Some WAFs can also integrate with an IAM solution to handle the user-management module.
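The rate control mentioned above for brute-force login attempts, as an added example that is not part of the original post: a per-client sliding-window limiter run over a constructed list of login attempts. The limit (5 attempts per 60 seconds), the IP addresses and the class and function names are assumptions for the illustration; KONA rate controls are configured in the product rather than written as code.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window counter per client key (e.g. source IP).

    Every attempt is recorded, allowed or not, so a client that keeps
    hammering the login endpoint stays blocked until it backs off for a
    full window. Limit and window are assumptions for the example.
    """

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)

    def allow(self, key, now):
        q = self._attempts[key]
        # Age out attempts that fell outside the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


# Constructed sample of POST /login attempts: (seconds, source IP), in order.
# 203.0.113.7 hammers the endpoint; 198.51.100.2 is a normal user.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.7"), (1.0, "203.0.113.7"), (2.0, "203.0.113.7"),
    (3.0, "203.0.113.7"), (3.5, "198.51.100.2"), (4.0, "203.0.113.7"),
    (5.0, "203.0.113.7"), (6.0, "203.0.113.7"), (8.0, "198.51.100.2"),
    (65.0, "203.0.113.7"),
]


def evaluate(attempts, limit=5, window=60.0):
    """Run the limiter over the attempts; returns (ts, ip, decision) tuples."""
    limiter = LoginRateLimiter(limit, window)
    return [(ts, ip, "allow" if limiter.allow(ip, ts) else "deny")
            for ts, ip in attempts]


def summarize(decisions):
    """Per-IP (allowed, denied) counts."""
    counts = defaultdict(lambda: [0, 0])
    for _, ip, decision in decisions:
        counts[ip][0 if decision == "allow" else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ts, ip, decision in evaluate(SAMPLE_ATTEMPTS):
        print(f"t={ts:5.1f}s {ip:14s} {decision}")
    print(summarize(evaluate(SAMPLE_ATTEMPTS)))
```

Keying on the source IP alone is a simplification: clients behind a NAT share one key, and an attacker can spread attempts across many addresses, so production rate controls are usually combined with per-account lockout or step-up challenges at the origin.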


KONA WAF Status: Orange

 

A3 – Cross-Site Scripting (XSS)

Description: An XSS flaw occurs whenever an application accepts untrusted data and sends it to a web browser without proper input validation or output encoding. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

KONA WAF Prevention: The WAF rules in the Cross Site Scripting (XSS) risk group in KRS provide adequate protection against XSS attacks. As with injection, the rules inspect requests for known attack patterns; context-aware output encoding at the origin remains the primary defence.

 

KONA WAF Status: Green

 

A4 – Insecure Direct Object References

Description: A direct object reference flaw occurs when an application exposes a reference to an internal object such as a file, directory, or database key, and uses that user-supplied reference to fetch the object. Without an access control check or other protection, attackers can manipulate these references to access data they are not authorized to see.

KONA WAF Prevention: The flaw is caused by insufficient authorization checks before the object is retrieved. The WAF does not hold the application's authorization matrix (which user may access which object), so it cannot perform these checks, and this risk cannot be mitigated by the WAF alone; the check belongs at the origin.

Some commercial on-premise WAFs provide the following features as a compensating control:

  • URL encryption (the WAF blocks requests if a URL is manipulated on the client side)
  • Smart form protection (the WAF blocks requests if a form parameter is manipulated on the client side)

 

KONA WAF Status: Red

 

A5 – Security Misconfiguration

Description: Good security requires a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings (hardening) should be defined, implemented, and maintained, as defaults are often insecure. Additionally, all software should be kept up to date.

KONA WAF Prevention: From an attacker's perspective the Akamai edge servers are the web server they reach, and the edge servers are securely configured (hardened) and have built-in security features. However, securely configuring the application frameworks (ASP.NET, Java Servlets, Ruby on Rails, etc.) and the database server must be done at the origin.

Some compensating controls provided by KONA WAF are:

  • With default settings, web applications throw error messages that disclose internal information such as stack traces, backend database details and framework versions; such error responses can be detected with custom WAF rules and a custom error page rendered to the attacker instead.
  • Probes for backup files, old files and test files (.asa, .inc) can be detected by the 'URL File Extension is Restricted By Policy' rule in the Inbound Anomaly risk group.
  • Attackers probing for HTTP methods they can abuse: by default the Akamai platform blocks all methods except GET and POST.
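An added example (not Akamai code, and not a KRS rule) of the first and third compensating controls above, error-leak detection on responses and an HTTP method allow-list. The leak patterns, the sample response bodies and the function names are constructed for the illustration; real rules cover far more signatures.

```python
import re

# Illustrative markers of verbose error pages (constructed list, not KRS rules).
LEAK_PATTERNS = [
    re.compile(r"Exception in thread|\bat [\w$.]+\(\w+\.java:\d+\)"),  # Java stack trace
    re.compile(r"Server Error in '[^']*' Application|Stack Trace:"),  # ASP.NET error page
    re.compile(r"You have an error in your SQL syntax|ORA-\d{5}"),    # MySQL / Oracle errors
    re.compile(r"Traceback \(most recent call last\)"),               # Python traceback
]

# The post says the platform blocks everything but GET and POST by default.
ALLOWED_METHODS = {"GET", "POST"}

GENERIC_ERROR_PAGE = "<html><body><h1>Something went wrong.</h1></body></html>"


def method_allowed(method):
    """Method allow-list check; everything not listed is rejected."""
    return method.upper() in ALLOWED_METHODS


def leaks_internals(body):
    """True if the response body matches any verbose-error marker."""
    return any(p.search(body) for p in LEAK_PATTERNS)


def filter_response(status, body):
    """Swap a leaking body for a generic page. The status code is kept so
    monitoring still sees the 5xx. Returns (status, body, masked)."""
    if leaks_internals(body):
        return status, GENERIC_ERROR_PAGE, True
    return status, body, False


# Constructed sample responses.
SAMPLE_JAVA = ('Exception in thread "main" java.lang.NullPointerException\n'
               '\tat com.example.web.OrderServlet.doPost(OrderServlet.java:88)')
SAMPLE_ASPNET = ("Server Error in '/' Application.\n"
                 "Object reference not set to an instance of an object.\n"
                 "Stack Trace:")
SAMPLE_MYSQL = "You have an error in your SQL syntax; check the manual ..."
SAMPLE_OK = "<html><body>Welcome back, alice.</body></html>"


if __name__ == "__main__":
    for name, body in [("java", SAMPLE_JAVA), ("aspnet", SAMPLE_ASPNET),
                       ("mysql", SAMPLE_MYSQL), ("ok", SAMPLE_OK)]:
        status, out, masked = filter_response(500 if name != "ok" else 200, body)
        print(f"{name:7s} masked={masked} -> {out[:40]!r}")
    for m in ("GET", "POST", "TRACE", "PUT"):
        print(f"{m:6s} allowed={method_allowed(m)}")
```

Masking the body is a compensating control only: the stack trace still means the origin is running with verbose errors enabled, which is the misconfiguration to fix.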

 

KONA WAF Status: Orange

 

A6 – Sensitive Data Exposure

Description: Web applications may not properly protect sensitive data such as login credentials, PINs, credit card details, PII and customer data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest and in transit, as well as special precautions when it is exchanged with the browser.

KONA WAF Prevention: The Akamai platform on which KONA WAF runs supports HTTPS (TLS with strong cipher suites), so data in transit travels over an encrypted channel. Sensitive data is neither stored nor processed in the Akamai infrastructure, and Akamai's SSL network is PCI DSS compliant. KONA WAF therefore provides partial protection against the 'Sensitive Data Exposure' risk.

For end-to-end protection:

  • The origin should have adequate controls to ensure that data at rest is encrypted using strong cryptographic algorithms and strong keys, with a proper key management process in place.
  • Caching of pages containing sensitive data should be disabled, at the edge as well as in the browser.
  • The autocomplete feature should be turned off for sensitive form fields.

 

KONA WAF Status: Orange

 

A7 – Missing Function Level Access Control

Description: The web application does not perform access control checks on the server side when a user accesses different application functions or features. If requests are not verified, attackers can forge requests to reach functionality without proper authorization, and can escalate privileges vertically (to a more privileged role) or horizontally (to another user's data).

KONA WAF Prevention: The flaw is caused by insufficient access control checks before a function is allowed to run. The WAF does not hold the application's access control matrix (which role may call which function), so it cannot perform these checks, and this risk cannot be mitigated by the WAF alone; the check belongs at the origin.

Some commercial on-premise WAFs provide the following features as a compensating control:

  • Session-based URL encryption
  • Upstream authentication (allows fine-grained definition of which users may access which application paths)
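As an added example (not from the original post or from Akamai), the following Python shows the two checks the WAF cannot make for A4 and A7 above, implemented at the origin: an object-level ownership check before returning a record referenced by a client-supplied id, and a function-level check against a role matrix. The invoice data, the role table, the user names and the function names are all constructed for the illustration.

```python
class Forbidden(Exception):
    """Raised when the origin's access control check fails."""


def make_store():
    """Constructed sample data: invoices with owners, and a role per user."""
    return {
        "invoices": {
            1001: {"owner": "alice", "amount": 120.0},
            1002: {"owner": "bob", "amount": 75.5},
        },
        "roles": {"alice": "user", "bob": "user", "carol": "admin"},
    }


# Function-level matrix (A7): which roles may invoke which operation.
FUNCTION_ACL = {
    "view_invoice": {"user", "admin"},
    "delete_invoice": {"admin"},
}


def authorize_function(store, user, operation):
    """A7 check: the user's role must be permitted to call this operation.
    Unknown users have no role and are therefore refused."""
    role = store["roles"].get(user)
    if role not in FUNCTION_ACL.get(operation, set()):
        raise Forbidden(f"{user!r} ({role}) may not call {operation}")


def authorize_object(store, user, invoice_id):
    """A4 check: the id came from the client, so confirm this user owns the
    invoice (or is an admin) before handing it back."""
    invoice = store["invoices"].get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if invoice["owner"] != user and store["roles"].get(user) != "admin":
        raise Forbidden(f"{user!r} may not access invoice {invoice_id}")
    return invoice


def view_invoice_insecure(store, user, invoice_id):
    """Vulnerable version: trusts the client-supplied reference outright,
    so any logged-in user can read any invoice by changing the id."""
    return store["invoices"][invoice_id]


def view_invoice(store, user, invoice_id):
    authorize_function(store, user, "view_invoice")
    return authorize_object(store, user, invoice_id)


def delete_invoice(store, user, invoice_id):
    authorize_function(store, user, "delete_invoice")
    authorize_object(store, user, invoice_id)
    del store["invoices"][invoice_id]
    return True


def is_forbidden(fn, *args):
    """Helper: True if calling fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    print("IDOR:", view_invoice_insecure(store, "bob", 1001))
    print("checked:", is_forbidden(view_invoice, store, "bob", 1001))
    print("admin delete:", delete_invoice(store, "carol", 1002))
```

Both checks need data the WAF never sees (who owns invoice 1001, which role carol has), which is why the post marks A4 and A7 Red for the WAF and places the control at the origin.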

 

KONA WAF Status: Red

 

A8 – Cross-Site Request Forgery (CSRF)

Description: A CSRF attack tricks a logged-in victim's browser into sending a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This lets the attacker force the victim's browser to generate requests that the vulnerable application treats as legitimate requests from the victim.

KONA WAF Prevention: Adding a unique, per-session anti-CSRF token to sensitive transactions and validating that token on the server side protects against CSRF. Because this requires maintaining session-based state per user, it is not possible with the Akamai KONA WAF.

Some commercial on-premise WAFs provide the following feature as a compensating control:

  • Session-based URL encryption (URLs are encrypted with a session-based key and are valid only for one user for one session). These URLs cannot be guessed, so attackers cannot craft forged URLs to make browsers issue CSRF requests. As form action URLs are also encrypted, this technique protects both GET and POST requests.
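The per-session anti-CSRF token described above, as an added example that is not code from the original post: an in-memory session store, a form that embeds the token, and the server-side validation that a forged cross-site request fails. The session store, the /transfer route and the form field names are assumptions for the illustration.

```python
import hmac
import re
import secrets


class SessionStore:
    """Illustrative in-memory server-side session store (an assumption)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self, user):
        sid = secrets.token_urlsafe(32)
        # One anti-CSRF token per session, generated from a CSPRNG.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid


def render_transfer_form(store, sid):
    """Page served to the logged-in user; the token rides in a hidden field.
    A cross-site attacker cannot read it (same-origin policy), so a forged
    POST from another site cannot include the right value."""
    token = store.sessions[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def extract_token(html):
    """What the legitimate browser does implicitly when it submits the form."""
    m = re.search(r'name="csrf" value="([^"]+)"', html)
    return m.group(1) if m else ""


def handle_transfer(store, cookies, form):
    """Server-side validation: the cookie identifies the session, and the
    token in the form body must match that session's token."""
    session = store.sessions.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf", "")
    if not isinstance(supplied, str) or not supplied.isascii():
        return 403, "csrf token missing or invalid"
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session("alice")
    cookies = {"sid": sid}  # the browser attaches this to every request
    # Forged request from attacker.example: cookie present, token absent.
    print(handle_transfer(store, cookies, {"to": "mallory", "amount": "1000"}))
    # Legitimate submission of the form the user was served.
    token = extract_token(render_transfer_form(store, sid))
    print(handle_transfer(store, cookies, {"to": "bob", "amount": "10", "csrf": token}))
```

The check works only because the token lives in server-side session state keyed by the cookie, which is exactly the per-user state the post says the WAF does not maintain.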

 

KONA WAF Status: Red

 

A9 – Using Components with Known Vulnerabilities

Description: Web applications use many components, such as libraries, frameworks, and other software modules, which usually run with the application's full privileges. If a vulnerable component is exploited, the attack can lead to serious data loss or server compromise. Applications using vulnerable components weaken their defences and open themselves to a range of attacks.

KONA WAF Prevention: Some exploits against libraries and frameworks are detected by the injection rules in KRS, and the flexibility of creating custom rules once an attack vector is known provides reactive mitigation (virtual patching). For better protection, the origin should keep libraries and frameworks updated to their latest secure versions and should disable unused functionality of the components.

 

KONA WAF Status: Orange

 

A10 – Unvalidated Redirects and Forwards

Description: Web applications frequently redirect and forward users to other pages and websites, and use user-controlled data to determine the destination page. Without proper validation, attackers can use redirects for phishing or to send victims to malware sites, or use forwards to access unauthorized pages.

KONA WAF Prevention: The flaw comes from using redirects and forwards in an insecure fashion. Mitigations such as avoiding redirects and forwards, not using user parameters to compute the destination, and validating the destination against an allow-list of domains can only be applied effectively at the origin. KONA WAF does not provide protection against this risk on its own.

Some commercial on-premise WAFs provide the following feature as a compensating control:

  • URL encryption
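The allow-list validation mentioned above, as an added example that is not part of the original post. The hosts in the allow-list, the default landing page and the function name are assumptions; the block covers the usual bypass shapes that a naive substring check on the domain name misses (scheme-relative `//host`, userinfo `good@evil`, look-alike subdomains, backslashes and `javascript:` URLs).

```python
from urllib.parse import urlsplit

# Hosts this site is willing to redirect to (assumption for the example).
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}
DEFAULT_TARGET = "https://www.example.com/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET):
    """Return `target` if it is a same-site path or an https URL on an
    allowed host; otherwise return the default landing page."""
    if not target:
        return default
    # Backslashes and control characters are normalised by browsers in ways
    # the parser does not model; refuse rather than guess.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path ("/account"),
        # never "evil.example.net" (ambiguous) or anything starting "//".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme.lower() != "https":
        # Rejects http://, javascript:, data: and scheme-relative "//host"
        # (which parses with an empty scheme and a non-empty netloc).
        return default
    # .hostname drops userinfo ("good@evil") and the port, and lowercases,
    # so "https://www.example.com@evil.example.net/" yields evil.example.net.
    if parts.hostname not in allowed_hosts:
        return default
    return target


# Constructed probe list: (redirect parameter value, expected outcome).
PROBES = [
    ("/account", "/account"),
    ("https://shop.example.com/cart", "https://shop.example.com/cart"),
    ("https://WWW.EXAMPLE.COM/x", "https://WWW.EXAMPLE.COM/x"),
    ("//evil.example.net/", DEFAULT_TARGET),
    ("https://www.example.com@evil.example.net/", DEFAULT_TARGET),
    ("https://www.example.com.evil.example.net/", DEFAULT_TARGET),
    ("http://www.example.com/", DEFAULT_TARGET),
    ("/\\evil.example.net", DEFAULT_TARGET),
    ("javascript:alert(1)", DEFAULT_TARGET),
    ("https:///evil.example.net", DEFAULT_TARGET),
    ("evil.example.net", DEFAULT_TARGET),
    ("", DEFAULT_TARGET),
]


def run_probes(probes=PROBES):
    """Return the probes whose result differs from expectation (empty when
    the validator behaves as intended)."""
    return [(t, safe_redirect_target(t), want)
            for t, want in probes if safe_redirect_target(t) != want]


if __name__ == "__main__":
    for t, want in PROBES:
        print(f"{t!r:48s} -> {safe_redirect_target(t)!r}")
    print("mismatches:", run_probes())
```

Restricting to https is a deliberate choice here; an application that must redirect to plain http on an allowed host would extend the scheme check, not drop it.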

 

KONA WAF Status: Red

 

In the next part, we will look at other application layer attacks that are not covered by the Top 10 risks.
