How WAFs Can Mitigate The OWASP Top 10
Cars require seatbelts. Pill bottles need safety caps. Applications need web application firewalls (WAFs), bot management and API protection, and for good reason. The web application threat landscape is in a constant state of flux. From DevOps to new attack vectors, these changes can leave security professionals scrambling to safeguard their most prized digital assets to secure the customer experience.
The Open Web Application Security Project (OWASP) Top 10 list is an invaluable tool for accomplishing this. Since 2003, this top ten list has sought to provide security professionals with a starting point for ensuring protection from the most common and virulent threats and from application misconfigurations that can lead to vulnerabilities, as well as detection tactics and remediations.
What OWASP Vulnerabilities Are Most Popular with Cybercriminals?
Based on customer data from Radware’s Cloud WAF Service in 2020-2021, the overwhelming majority of OWASP Top 10 application vulnerabilities were Broken Access Control (#5) and Sensitive Data Exposure (#3), which comprised 71% (see below). The underlying reasons why these two attack vectors have become so prevalent vary, but bots crawling websites in search of data to scrape increased dramatically throughout 2020, which might be one of the reasons for the dramatic increase in Broken Access Control.
How To Mitigate The OWASP Top 10
RISK: Injection
Injection flaws, such as SQL, NoSQL, OS and LDAP injection, have been a perennial favorite among hackers for some time, which is why it’s no surprise that this threat is still at the top of the list. An injection flaw occurs when suspicious data is inserted into an application as a command or query. This hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
The most common code injection is SQL injection, an attack that is accomplished by sending malformed code to the database server. It’s a simple and quick attack type that almost anyone with internet access can accomplish; SQL injection scripts are available for download and are easily acquirable.
Mitigation: Positive protection. Many web application security solutions leverage a negative security model, which ultimately results in protection against the lowest common denominator. A positive security model, which defines the set of allowed types and values, is required to provide proper protection where signature-based protection cannot fill the gap. In the case of SQL Injections, a positive security model screens user input for known patterns of attacks and leverages logic to tell the difference between legitimate user input and injection flaws.
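The difference between the two models, as an added example that is not from the original article or any vendor's product: a signature list (negative model) and a per-parameter allowlist (positive model) are run over the same constructed requests. The endpoint schema, parameter names and signatures are assumptions made for illustration.

```python
import re

# Negative model: constructed signatures for a few well-known injection strings.
SIGNATURES = [
    re.compile(r"(?i)\bunion\s+select\b"),
    re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
    re.compile(r"--|/\*"),
]

# Positive model: hypothetical allowlist for one endpoint. Each known
# parameter has an allowed shape; anything else is rejected.
ORDER_SCHEMA = {
    "order_id": re.compile(r"[0-9]{1,10}"),
    "status": re.compile(r"open|shipped|cancelled"),
}

def negative_check(params):
    """Names of parameters whose value matches a known-bad signature."""
    return sorted(k for k, v in params.items()
                  if any(sig.search(v) for sig in SIGNATURES))

def positive_check(params, schema=ORDER_SCHEMA):
    """Names of parameters that are unknown or fail their allowed pattern."""
    return sorted(k for k, v in params.items()
                  if k not in schema or not schema[k].fullmatch(v))

# Constructed sample requests (query parameters already URL-decoded).
REQUESTS = {
    "legitimate": {"order_id": "10432", "status": "open"},
    "classic": {"order_id": "1' OR '1'='1", "status": "open"},
    "unsigned": {"order_id": "1 OR 2>1", "status": "open"},
    "extra_param": {"order_id": "7", "debug": "true"},
}

def compare(requests=REQUESTS):
    """Map each request name to (negative findings, positive findings)."""
    return {name: (negative_check(p), positive_check(p))
            for name, p in requests.items()}

if __name__ == "__main__":
    for name, (neg, pos) in compare().items():
        print(f"{name:12} signature hit: {neg or '-'}  allowlist reject: {pos or '-'}")
```

The "unsigned" request matches no signature yet is rejected by the allowlist because order_id is not purely numeric, which is the gap the positive model closes.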
RISK: Broken Authentication
When an application’s functions are not implemented correctly, the door is left open for criminals to break in. Attackers can compromise passwords, keys, or session tokens or exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sessions should be unique to individual users, and without some session management, an attacker can sneak in disguised as a user to access valuable data.
Mitigation: Challenge and validate. Securing these applications in terms of access control is no easy task. Authenticating users by having them provide their identity and challenging them to verify it is a key first step; single sign-on and multi-factor authentication reduce the risk of compromised accounts. Second is a WAF that proactively encrypts session parameters between network and client, proactively inspects login attempts and thwarts HTTP sessions via code-encrypting, cryptographic capabilities.
RISK: Sensitive Data Exposure
Many web applications and APIs contain vulnerabilities due to coding, thereby exposing sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
Mitigation: Encryption. Encryption is key, both for data at rest and in transit. Leading WAFs provide inspection/encryption of data, including SSL inspection and protection capabilities to eliminate security blind spots. This includes, but is not limited to, SSL traffic decryption and encryption, masking server identities and veiling sensitive information. An adaptive WAF that leverages auto policy generation and machine-learning capabilities to automatically create and apply security configurations and policies is also critical. Finally, any enterprise-grade firewall should support the encryption of ingress and egress traffic across both on-premise and cloud-based infrastructures.
RISK: XML External Entities
Many older or poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities for attacks, including remote code execution and to disclose internal files, SMB file shares, conduct internal port scanning and to launch DoS attacks.
Mitigation: An integrated approach. Static application security testing (SAST) is a tried and true way to discover this issue by inspecting dependencies and configuration. Its sibling, dynamic application security testing (DAST), covers tools that detect vulnerabilities in an application in its running state. A WAF should be able to parse and inspect protocols and structured documents, including HTTP/HTTPS traffic, POST requests and XML and JSON schemas. In addition, the aforementioned machine-learning algorithms can learn XML and JSON structures and schemas for enforcement as part of the validation phase and create security policies.
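One way an inspection layer can parse an XML request body and refuse DTDs and entity declarations before the application's own XML processor sees it, as an added example that is not from the original article. It uses Python's standard expat binding; the function name, the allow_dtd switch and the sample documents are assumptions made for illustration.

```python
import xml.parsers.expat

class ForbiddenXml(Exception):
    """Raised from a parser callback to stop parsing at the first finding."""

def inspect_xml(body: bytes, allow_dtd: bool = False) -> str:
    """Return 'allow', or 'block: <reason>' for the first policy violation."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXml("DOCTYPE declaration")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXml(f"entity declaration '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXml("external entity reference")

    if not allow_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    # Even when a DTD is tolerated, entities are never declared or resolved.
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except ForbiddenXml as exc:
        return f"block: {exc}"
    except xml.parsers.expat.ExpatError:
        return "block: malformed XML"
    return "allow"

# Constructed sample bodies; the SYSTEM identifier is a placeholder.
BENIGN = b"<order><id>10432</id></order>"
WITH_ENTITY = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
               b"<order><id>&ext;</id></order>")

if __name__ == "__main__":
    print(inspect_xml(BENIGN))
    print(inspect_xml(WITH_ENTITY))
    print(inspect_xml(WITH_ENTITY, allow_dtd=True))
```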
RISK: Broken Access Control
Improperly configured or missing restrictions on authenticated users allow them to access unauthorized functionality or data. Also, restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
Mitigation: Fastest time to protection. Penetration testing is essential for detecting non-functional access controls; other testing methods only detect where access controls are missing. The problem is it can take several weeks to test, produce and assess these reports, and then implement necessary security changes. Any WAF should serve as a catalyst for stemming unauthorized access via authentication gateway functionality, single sign-on, user tracking and access controls to the web application based on user role and profile information.
RISK: Security Misconfiguration
Security misconfiguration remains one of the most commonly seen web application security issues to this day. This risk refers to improper implementation of controls intended to keep application data safe, such as insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and perhaps most importantly, not patching or upgrading systems, frameworks, libraries, applications and components.
Mitigation: The ability to learn. As notable ransomware and malware outbreaks in recent years (e.g. WannaCry) have proven, system upgrades are critical. An “adaptive” WAF will leverage auto policy generation and machine-learning capabilities to automatically create and apply security filters and enforcement rules where security is misconfigured. It evaluates the structure of a web application, sets relevant security filters and analyzes traffic properties from a production environment to build a dynamic network profile, thereby maximizing security while minimizing false positives.
RISK: Cross-Site Scripting (XSS)
Mitigation: A checklist. Against cross-site scripting attempts, make sure any WAF can check off the following: signature- and rule-based protection with updated signatures (similar to a blacklist) and the ability to identify scripting patterns and block malicious requests.
RISK: Insecure Deserialization
Insecure deserialization often leads to remote code execution to tamper with or delete serialized objects or elevate privileges. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay or injection attacks.
Mitigation: Best of both worlds. Identify WAFs that provide the best of both worlds: they combine negative (defining what is forbidden and accepting the rest) and positive security models (defining what is allowed and rejecting the rest). This winning combination should leverage various WAF access control filters such as cookie encryption, XML/JSON parsing, parameters enforcement and more.
RISK: Using Components With Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Developers frequently don’t know which open source or third-party components are in their applications, making it difficult to update components when new vulnerabilities are discovered. These components can undermine application defenses and enable various attacks and impacts.
Mitigation: Know where the holes exist. Any WAF that provides integration with programs such as Microsoft’s Server Update Services allows the WAF to protect against exploitations of components with known vulnerabilities by screening client requests and server responses. In addition, security updates and threat intelligence feeds are essential to keep security teams in the know and facilitate quicker, real-time responses to maximize protection and reduce exposure.
RISK: Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response systems, is the bedrock for the majority of incidents, allowing attackers to run amok, attacking further systems, tampering, extracting or destroying data. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to nearly 100%.
Mitigation: Suite solutions vs. best-of-breed. To address the issue of internal processes, think like an attacker and internally test and audit to discover if your organization has sufficient monitoring. If your organization lacks this “white hat hacker” expertise, be sure that any cybersecurity vendor you partner with provides DDoS mitigation expertise via a team of security experts.
These same experts should also play a role in the second biggest concern: real-time monitoring and detection. Timely detection of malware or snooping hackers comes down to best-of-breed versus suite offerings. Stopping cyberattacks in near real-time is best accomplished via a single-vendor attack mitigation system. Many organizations leverage best-of-breed mitigation tools from different vendors. This hodgepodge collection results in poor communication and detection. Suite WAF/DDoS solutions can more effectively communicate, setting network traffic baselines and comparing data points to quickly detect when something is awry, in addition to providing enterprise-grade monitoring and management dashboards/analytics.
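Detection of the vulnerability probing described under this risk, as an added example that is not from the original article: it scans access-log lines and flags clients whose traffic is dominated by 401/403/404 responses spread across many distinct paths. The log lines are constructed, and the thresholds and function name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Common/combined access-log layout: ip, ident, user, [time], "request", status, size
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """
192.0.2.10 - - [12/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [12/Mar/2021:10:00:03 +0000] "GET /products HTTP/1.1" 200 8841
192.0.2.10 - - [12/Mar/2021:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2021:10:00:10 +0000] "GET /admin/ HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2021:10:00:10 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2021:10:00:11 +0000] "GET /old/ HTTP/1.1" 403 162
198.51.100.7 - - [12/Mar/2021:10:00:11 +0000] "GET /test.php HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2021:10:00:12 +0000] "GET /config.bak HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2021:10:00:12 +0000] "GET / HTTP/1.1" 200 5120
""".strip()

def find_probers(log_text, min_paths=4, min_error_ratio=0.8):
    """Return {ip: stats} for clients that look like they are probing.

    A client is flagged when it received 401/403/404 on at least `min_paths`
    distinct paths and those errors are at least `min_error_ratio` of its requests.
    """
    total = defaultdict(int)
    errors = defaultdict(int)
    error_paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not counted
        ip = m["ip"]
        total[ip] += 1
        if m["status"] in ("401", "403", "404"):
            errors[ip] += 1
            error_paths[ip].add(m["path"])
    return {ip: {"requests": total[ip], "errors": errors[ip],
                 "distinct_error_paths": len(error_paths[ip])}
            for ip in sorted(total)
            if len(error_paths[ip]) >= min_paths
            and errors[ip] / total[ip] >= min_error_ratio}

if __name__ == "__main__":
    for ip, stats in find_probers(SAMPLE_LOG).items():
        print(ip, stats)
```

The ordinary visitor with a single missing favicon is not flagged; only the client with five distinct failed paths out of six requests is.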