Hi All,

In 2007, OWASP (Open Web Application Security Project) published their Top 10 most serious web application vulnerabilities at http://www.owasp.org/index.php/Top_10_2007.   A summary of their Top 10 is outlined in the table below with a brief mitigation approach for each.  You will quickly see that a primary component of mitigating these vulnerabilities is the Intelligent Application Gateway (IAG) product. IAG runs on top of ISA to provide higher-level security closer to the application level than that provided by ISA alone. 

Attack Type

Description

Mitigation

A1 - Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

Since the application firewall inspects requests, parameters and values, such attacks will be blocked by the filtering engine. (IAG)

A2 - Injection Flaws

Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

Since the application firewall inspects requests, parameters and values, such attacks will be blocked by the filtering engine.

(IAG)

A3 - Malicious File Execution

Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

When files are not expected, the filter will not allow the uploading of files (e.g., through POSTs). (IAG)

A4 - Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

Parameter tampering – The filtering engine inspects all parameters before transmitting requests to back-end Web servers. Only parameters that are expected and whose names, sizes, and values conform to the stringent rules defined in the filter configuration are accepted. If a user has tampered with a parameter in an effort to attack an internal system, the filtering engine will not allow the parameter to reach the intended target. (IAG)

A5 - Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

Application developer – code-based protection

A6 - Information Leakage and Improper Error Handling

Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

Application Developer - code-based protection

A7 - Broken Authentication and Session Management

Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

Will be blocked by the application firewall in a similar manner to tunneled SQL commands and other injected code.

A8 - Insecure Cryptographic Storage

Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

Application Developer - code-based protection

A9 - Insecure Communications

Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

Handled by ISA if SSL enabled

A10 - Failure to Restrict URL Access

Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Vulnerability introduced by utilizing inappropriate methods – POSTing when a GET is expected, using WebDAV methods, etc. The filtering engine checks that the METHOD for every URL is appropriate as defined in the rule set in the filter configuration. (IAG)

In addition to the above information, here it is a more detailed list of security benefits to be gained by use of Intelligent Application Gateway (IAG) 2007:

Some of the types of attack techniques that the IAG application firewall’s application filtering engine can mitigate include:

· Parameter tampering – The filtering engine inspects all parameters before transmitting requests to back-end Web servers. Only parameters that are expected and whose names, sizes, and values conform to the stringent rules defined in the filter configuration are accepted. If a user has tampered with a parameter in an effort to attack an internal system, the filtering engine will not allow the parameter to reach the intended target.

· Debug options – The filtering engine can block requests that contain parameters with Debug options.

· Buffer overflows – Buffer overflow attacks typically utilize long URLs or long parameter values, which will not conform to the rules in the filter configuration, and will, therefore, be blocked by the engine.

· Encoded attacks – The filtering engine is Unicode and escape-sequence aware, and will block Unicode and escape-sequence encoded attacks, including double encoding and overlong UTF-8 representation.

· Code injection – Code injection involves the submission to the Web application of code where simple data is expected. For example, a user might add a short script instead of his address – in the hopes that the system might execute the script. Alternatively, the script may be added as a parameter value added to the URL. Since the application firewall inspects requests, parameters and values, such attacks will be blocked by the filtering engine.

· Cross-site scripting – Cross-site scripting is a special form of code injection in which the hacker attempts to submit code in a field that a Web application that will later let other users view, in an attempt to have that code execute on other users’ machines. For example, a hacker may submit code to an online bulletin board with the hope that when users view the hacker message their browsers will execute the code instead of displaying it as text. Since the application firewall inspects requests, parameters and values, such attacks will be blocked by the filtering engine.

· SQL Injection – Similar to code injection, this type of attack involves embedding SQL calls to a database within a data field. As with the general case of code injection, the filtering engine will block attempts to tunnel SQL.

· Tunneling OS shell commands – Similar to code injection, this type of attack involves embedding operating system commands within a data field, and will be blocked by the application firewall in a similar manner to tunneled SQL commands and other injected code.

· Tunneling proprietary protocols – Similar to code injection, this type of attack involves embedding commands to some application on the internal network within a data field. Like the other aforementioned examples of injected code, it will be blocked by the application firewall.

· Inappropriate HTTP Methods – Utilizing inappropriate methods – POSTing when a GET is expected, using WebDAV methods, etc. The filtering engine checks that the METHOD for every URL is appropriate as defined in the rule set in the filter configuration.

· Unexpected file uploading – When files are not expected, the filter will not allow the uploading of files (e.g., through POSTs).

· Other application-level attacks – Positive logic based application-request filtering (with event-driven dynamic capabilities) is a powerful tool against known attacks, and even against vulnerabilities not yet discovered or patched. It reduces the likelihood of a Denial of Service attack against internal systems, as invalid requests will not be transmitted to internal servers, and servers issuing large volumes of so-called “valid requests” can be blacklisted as well.

Detailed information on the IGA product may be found at http://download.microsoft.com/download/F/0/2/F0229C11-B47E-4002-A444-60207C6E11F5/IAG%202007%20Application%20Firewall-WP-200702.doc