2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA: Marking Scheme for Semantic-aware Web Application Security. 2006. 2. 20. HPC.


1 2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA. Marking Scheme for Semantic-aware Web Application Security. 2006. 2. 20. HPC Lab., POSTECH, Korea. Tae Hyung Kim

2 Contents
- Introduction
- Problem Definition
- Background
- Marking Scheme
- Implementation
- Discussion
- Conclusion

3 Introduction (1/2)
- Most web applications are security critical, but only a small fraction of deployed web applications can afford a detailed security review.
- For securing web applications, there are several approaches under research:
  - Input and output filtering: web application firewall
  - Automated testing: vulnerability scanner
  - Diversity defense (against code-injection attacks): Instruction-Set Randomization
  - Information flow security: checking integrity of data from untrusted sources

4 Introduction (2/2)
- In particular, many companies and researchers are trying to develop application firewalls for web applications.
- Those firewalls are based on a positive model of the web application, because a rule-based firewall needs extra attention to update its rules periodically.
- However, it is difficult to build a good positive model owing to a lack of understanding of web application semantics.

5 Problem Definition
- A lack of understanding of web application semantics degrades web application firewalls: many false positives, false negatives, and overhead in the detection process.
- We propose a new scheme that makes security systems or modules aware of the semantics of the web application.

6 Background: OWASP Top Ten Vulnerabilities
- Unvalidated input
- Cross site scripting (XSS)
- Injection flaws
- Buffer overflows
- Broken auth. and session management account
- Broken access control
- Improper error handling
- Denial of service
- Insecure storage
- Insecure configuration

Grouping shown on the slide: Type 1: Injection; Type 2: Poisoning; Type 3: etc.

* OWASP: Open Web Application Security Project

7 Background: Web Attack Analysis
- Conditions for exploiting a web system:
  - A parameter into which malicious code can be inserted
  - A vulnerable source that processes the parameter
  - Improper configurations in the environment (optional)
- Attacks are initiated by fabricating a parameter, and the parameter is placed in the requested URL or an HTTP header.
- We can quarantine web attacks by restricting the data allowed for the parameter and by checking it.

8 Marking Scheme (1/4)
- Markers within parameters of web sources.
- Markers for input restriction:
  - p_ : plain alphabet only
  - n_ : number only
  - w_ : white space
  - s_ : special characters
  - lxx_ : max length
- Markers for integrity check:
  - xxx_cookieName (xxx: random number)

Login.htm (form labels): Username:, Passwd:

ExecLogin.asp:

    <%
    ' Form field names carry the markers: p_ (alphabet only), pn_ (alphabet and numbers).
    Dim p_strUsername, p_strPassword, objRS, strSQL
    p_strUsername = Request.Form("p_Username")
    p_strPassword = Request.Form("pn_Passwd")
    ' The query is built by string concatenation, so it relies on the
    ' firewall enforcing the marker restrictions on both fields.
    strSQL = "SELECT * FROM tblUsers " & _
             "WHERE Username='" & p_strUsername & _
             "' and Password='" & p_strPassword & "'"
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open strSQL, "DSN=..."
    If (objRS.EOF) Then
        Response.Write "Invalid login."
    Else
        Response.Write "You are logged in as " & objRS("Username")
    End If
    Set objRS = Nothing
    %>

9 Marking Scheme (2/4): Architecture
[Figure: architecture diagram. Labels: User; Web Firewall; Web Server; Input Validation; Integrity Check; web application with marked parameters.]

10 Marking Scheme (3/4): Defense of Injection Attacks
[Figure labels: Attacker; Normal User; Network; Web Firewall; Web Server.]

URL request: http://aaa.bbb.com/login.htm?p_Username=xxxxdafjlkjaflafjlkdjfaljafkldjajfalfjdajfalkjlfjaslkajfadlkfjaafdkajlajdalj\cat%20passwd&pn_Password=yyyyyy

(1) Parse the requested URL.
(2) Throw the parsed parameters to each checking module.
(3) If all modules say O.K., then pass the request.
(4) If not, drop the packet.
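
An added example (not from the presentation or the authors' firewall) of steps (1) to (4) above, in Python: the query string is parsed and each value is checked against the marker prefix of its parameter name. The character set behind each marker, the chaining of markers as underscore-separated tokens (`l8_p_Username`), the rejection of unmarked parameters, and all function names are assumptions; the sample URLs are constructed, the second being a shortened form of the slide's request.

```python
import re
import string
from urllib.parse import urlsplit, parse_qsl

# Marker letter -> allowed characters. The exact sets are assumptions;
# the slides only name the classes.
CLASSES = {
    "p": set(string.ascii_letters),   # plain alphabet
    "n": set(string.digits),          # numbers
    "w": set(" \t"),                  # white space
    "s": set(string.punctuation),     # special characters
}

def parse_marker(name):
    """Read leading marker tokens from a parameter name.

    Returns (allowed_chars or None, max_len or None), or None when the
    name carries no marker at all."""
    allowed, max_len, marked = set(), None, False
    for token in name.split("_")[:-1]:
        if re.fullmatch(r"[pnws]+", token):      # e.g. "pn" = letters + digits
            for letter in token:
                allowed |= CLASSES[letter]
        elif re.fullmatch(r"l\d+", token):       # lxx = max length
            max_len = int(token[1:])
        else:
            break
        marked = True
    return (allowed or None, max_len) if marked else None

def check_request(url):
    """Return (passed, reasons); any failed parameter drops the request."""
    reasons = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        marker = parse_marker(name)
        if marker is None:                       # assumption: positive model
            reasons.append(f"{name}: unmarked parameter")
            continue
        allowed, max_len = marker
        if max_len is not None and len(value) > max_len:
            reasons.append(f"{name}: longer than {max_len}")
        if allowed is not None and set(value) - allowed:
            reasons.append(f"{name}: characters outside marker classes")
    return (not reasons, reasons)

# Constructed requests; the second shortens the slide's URL.
GOOD = "http://aaa.bbb.com/login.htm?p_Username=alice&pn_Password=abc123"
BAD = "http://aaa.bbb.com/login.htm?p_Username=xxxx\\cat%20passwd&pn_Password=yyyyyy"
```

`check_request(BAD)` fails on `p_Username` because the decoded value contains a backslash and a space, neither of which the `p_` marker allows.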

11 Marking Scheme (4/4): Defense of Cookie Poisoning
[Figure labels: Attacker; Normal User; Network; Web Firewall; Web Server; Memory. Cookies shown: 111_cookie:aaa, 222_cookie:bbb, 333_cookie:ccc.]

(1) Cookie names are marked with a random number.
(2) Store a number-hashValue pair in memory, e.g. 111,hash(aaa).
(3)-1 normal
(3)-2 poisoning
(4) Check the number-hashValue pair. If the pair exists, then pass the request. If not, drop it.
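
An added example (not the authors' implementation) of the number-hashValue bookkeeping in steps (1), (2) and (4) above. The class and method names, the use of SHA-256 for the slide's unspecified "hash", and the 10-digit range of the random number are assumptions.

```python
import hashlib
import hmac
import secrets

class CookieMarker:
    """Firewall-side store of number -> hash(value) pairs (kept in memory)."""

    def __init__(self):
        self._pairs = {}

    @staticmethod
    def _hash(value):
        # The slides say only "hash"; SHA-256 is an assumption.
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def mark(self, name, value):
        """Steps (1)-(2): rename an outgoing cookie and record its pair."""
        while True:
            number = str(10**9 + secrets.randbelow(10**9))  # 10-digit marker
            if number not in self._pairs:
                break
        self._pairs[number] = self._hash(value)
        return f"{number}_{name}", value

    def check(self, marked_name, value):
        """Step (4): pass only if the number-hash pair is on record."""
        number, sep, _ = marked_name.partition("_")
        expected = self._pairs.get(number)
        if not sep or expected is None:
            return False          # unmarked cookie or unknown number: drop
        return hmac.compare_digest(expected, self._hash(value))
```

A cookie returned unchanged passes `check`; one whose value was edited by the client, or whose number was never issued, is dropped.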

12 Implementation
- Web Page Conversion Tool
- Web Application Firewall
  - Implemented on Linux
  - Based on the "mod security for apache"

[Figure labels: WPC tool: GUI-based; Web page; Marked web page; User.]

13 Discussion: Adapting the Marking Scheme to Other Applications
[Figure labels: Attacker; Normal User; Application; Security System; Guiding information: Marker, Protocol; (1); (2).]

Security system properties shown on the slide:
* Syntax-aware (including protocol)
* Semantic-aware
* Capable of checking integrity

14 Conclusion
- We propose a new security scheme for securing web applications.
- This scheme lets the application firewall filter malicious packets easily and efficiently by making it aware of the semantics of the web application.
- As future work, we need to implement the WPC tool and realize the firewall in detail. We also need more experiments to improve our scheme.

