Securing Web applications with Rational AppScan, Part 2: Using Rational AppScan to address Web application attacks


1 Current Web security status

The history of the Internet can also be read as a continuous contest between attack and defence. There are now 1.35 billion Internet users worldwide; people shop, make bank transfers and payments, and download all kinds of software online, and enterprises build their core business on the Internet. Web security has therefore become more important than ever before.

In the real world, however, attacks on Web sites are intensifying and frequently succeed. CardSystems was a U.S. company specializing in credit card transaction processing. It provided data outsourcing services to major card organizations such as MasterCard, Visa and American Express: it checked the consumer's card number, expiry date and other details and forwarded them to the bank to complete the payment. The company processed credit card data for more than 100,000 businesses and handled more than $15 billion of business a year. This 15-year-old company never imagined that an attacker would break into its computer systems and steal the details of 40 million credit cards, including cardholder names and account numbers. It was the most serious credit card data breach in U.S. history. The attack caused huge losses not only to consumers and to the company itself; it seriously affected the entire U.S. credit card industry.

1.1 Misconceptions about Web security

But what is Web security, or what kind of Web site is secure? Users commonly hold several misconceptions.

"The Web site uses a firewall, so it's safe."
Both application-level and port-level firewalls target network-level attacks: they exclude malicious access by restricting which ports or applications are reachable. But telling a well-intentioned access from a malicious one that arrives through an allowed port is a problem a firewall cannot solve. Once the access is allowed, whatever security problems follow are no longer the firewall's to handle.

"The Web site uses IDS, so it's safe."
An IDS guards against network-level attacks by pattern recognition. Like a firewall, however, it cannot identify or handle an attack that arrives over a normal connection and exploits a flaw in the application program.

"The Web site uses SSL encryption, so it's safe."
SSL encrypts the information the site sends and receives, but it cannot protect the information stored on the site or the private data of the site's visitors. Sites using 64-bit or even 128-bit SSL encryption are compromised by attackers all the time.

"The vulnerability scanning tool found no problems, so it's safe."
Today's vulnerability scanning tools are widely used and do find the obvious network-level security holes. But such a scanner does not examine the Web application itself and cannot find vulnerabilities in the application.

"We hire security staff (penetration testers) to audit every quarter, so it's safe."
Manual testing is not only inefficient and subject to uncontrolled factors; with today's frequent code changes, a penetration tester cannot meet the overall security requirement.

These measures are far from guaranteeing the security of a Web application, and application-level attacks pass easily through a firewall-protected site. Take the most common case, the SQL injection attack: to the network it looks like an ordinary data-query exchange. For a firewall or intrusion detection system this is the most normal kind of access connection, and nothing in it marks the connection as a malicious attack. As a result, a few simple SQL injection statements can easily break a Web site equipped with expensive network security devices.

1.2 Web Security Status

Surprisingly, almost everyone concerned with Web security holds the misconceptions above, and the current state of Web security shows how widespread they are: "firewalls and IDS are the primary security measures, SSL guarantees security, ...". In reality, with the Internet as it is today, 75% of security problems lie in the application itself. Attacks like the SQL injection described above cannot be prevented, resolved or responded to by firewalls, SSL or intrusion detection systems.

As the figure shows, only 10% of today's security spending goes to protecting against application security holes, yet this is where 75% of attacks originate: 10% versus 75%, a huge gap. This is also a major reason why Web sites are compromised so frequently.

Figure 1. Current security status Statistics and analysis chart

So what does a complete protection solution look like? Figure 2 shows that complete Web protection not only includes the usual IDS, firewall and other protective measures, but must also protect the application itself, which is where the 75% of security vulnerabilities are resolved. So which attacks can a firewall, IDS or SSL not handle, and how do they exploit vulnerabilities in the application itself? These are elaborated below.

Figure 2. Network Protection for Web applications

2 The ten most common Web application attacks

There are currently hundreds of attacks against application vulnerabilities; the ten most common are listed below.

Ten attack types, each with the threat it poses to the application and its consequence:

1. Cross-site scripting (XSS). Threat: identity theft, loss of sensitive data, and so on. Consequence: the attacker can impersonate a legitimate user and take control of the account.
2. Injection attacks. Threat: illegal queries against databases, LDAP and other systems by constructing queries. Consequence: the attacker can read, modify and steal back-end database information.
3. Malicious file execution. Threat: shell commands are executed on the server to gain control. Consequence: the modified site forwards every transaction to the attacker.
4. Insecure direct object reference. Threat: the attacker accesses sensitive files and resources. Consequence: the Web application returns the contents of sensitive files.
5. Cross-site request forgery. Threat: the attacker invokes blind actions while impersonating a legitimate user. Consequence: the attacker issues a blind request that, for example, requests a funds transfer.
6. Information leakage and improper error handling. Threat: the attacker obtains detailed system information. Consequence: malicious reconnaissance of the system may assist deeper attacks.
7. Broken authentication and session management. Threat: the session token is not properly protected. Consequence: after the user starts using the system, the attacker can steal the session.
8. Insecure cryptographic storage. Threat: overly simple encryption lets the attacker break it. Consequence: confidential information is stolen by the attacker.
9. Insecure communication. Threat: sensitive information travels unencrypted over an insecure channel. Consequence: the attacker can sniff sensitive information and impersonate a legitimate user.
10. Failure to restrict URL access. Threat: the attacker can reach links to unauthorized resources. Consequence: the attacker can force access to some pages behind the login and to history pages.

We explain the attack principle using injection flaws, the second-ranked attack.

A Web site's application needs a large number of database query and retrieval functions. The simplest example is site login: the user must enter a login name and password to be authenticated. In early development this function is typically implemented with the simplest SELECT statement, select * from users where username = "xxxx" and password = "xxxx" (assuming the user table is named users and the user name and password fields are named username and password). The strings the user types into the text boxes are captured and stitched together to form the SELECT statement; if the users table has a record matching this condition (that is, this user name and password), the system returns a valid record and the login is allowed.

This development method, however, hides a huge loophole that lets attackers break into the site through SQL injection. As the figure shows, what the attacker enters in the login form is not a user name but the string ( ' or 1=1 -- ). The attacker's aim is to type, where a user name was expected, a string that changes the whole SELECT statement: select * from users where username = '' or 1=1 --' and password = 'xxxx'. Anyone familiar with SELECT knows that in this condition the 1=1 is always true and the -- turns the rest of the statement into a comment, so the SELECT returns records from the users table regardless of whether the user name and password are correct. The net result is that the attacker is logged in. Through SQL injection an attacker can easily feed further SQL statements into the site and query hidden data.

Figure 3. Attack examples

From the principle above we can see that, whatever firewalls or intrusion detection systems are in place, the only way to prevent and block a SQL injection attack is to close the vulnerability in the application itself. For example, implementing the database query through parameter passing and stored procedures is far more secure than dynamically constructing the SQL statement. In ASP.NET, for instance, the following program avoids the attack:

```vb
' Visual Basic example
Dim ds As DataSet
Dim myConnection As SqlConnection
Dim myCommand As SqlDataAdapter
Dim selectCommand As String = "SELECT * FROM users WHERE username = @username"
...
' The user-supplied value is bound as a typed parameter; it is never concatenated into the SQL text
myCommand.SelectCommand.Parameters.Add(New SqlParameter("@username", SqlDbType.NVarChar, 20))
myCommand.SelectCommand.Parameters("@username").Value = usernameField.Value
```

```csharp
// C# example
string selectCmd = "SELECT * FROM users WHERE username = @username";
SqlConnection myConnection = new SqlConnection("server= ...");
SqlDataAdapter myCommand = new SqlDataAdapter(selectCmd, myConnection);
// The user-supplied value is bound as a typed parameter; it is never concatenated into the SQL text
myCommand.SelectCommand.Parameters.Add(new SqlParameter("@username", SqlDbType.NVarChar, 20));
myCommand.SelectCommand.Parameters["@username"].Value = usernameField.Value;
```
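To make the difference concrete, here is an added Python example (not code from the article, IBM or AppScan) that builds the article's login query both ways against a constructed in-memory SQLite table holding one account, alice / s3cret (an assumption made for the demo). Typing the article's ' or 1=1 -- string as the user name logs in through the concatenated version and is rejected by the parameterized version; the parameter binding is the same principle as the ASP.NET SqlParameter code above.

```python
import sqlite3

# Constructed sample data standing in for the article's "users" table.
# Assumption: exactly one valid account exists, alice / s3cret.
SAMPLE_USERS = [("alice", "s3cret")]


def make_db():
    """Create an in-memory users table (constructed test fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_concatenated_sql(username, password):
    """The early-development pattern the article describes: the text typed by
    the user is stitched directly into the SELECT statement. Deliberately
    vulnerable; kept only to show how the statement's meaning changes."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_concatenated(conn, username, password):
    """Login built by string concatenation: True if any row matches."""
    row = conn.execute(build_concatenated_sql(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """The fix the article recommends: the SQL text is fixed and the user's
    input travels as bound parameters, so it is only ever compared as data
    and can never change the shape of the statement."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


# The string from the article's Figure 3, typed into the user name box.
INJECTED_USERNAME = "' or 1=1 --"


def demo():
    """Run both implementations with a real credential and with the injected
    user name; returns a dict so the outcome can be checked programmatically."""
    conn = make_db()
    return {
        "concat_valid": login_concatenated(conn, "alice", "s3cret"),
        "concat_wrong_password": login_concatenated(conn, "alice", "wrong"),
        "concat_injected": login_concatenated(conn, INJECTED_USERNAME, "anything"),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
        "param_injected": login_parameterized(conn, INJECTED_USERNAME, "anything"),
    }


if __name__ == "__main__":
    # Show the statement the database actually receives in the injected case.
    print(build_concatenated_sql(INJECTED_USERNAME, "anything"))
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The printed statement ends in --' AND password = 'anything', which SQLite treats as a comment, so the password check silently disappears; in the parameterized version the same characters are just an unmatched user name.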

Besides injection flaws, common application attacks include cross-site scripting, malicious file execution, insecure direct object reference, cross-site request forgery, information leakage and attacks that exploit the error handling mechanism, and so on. Like SQL injection, each of them damages the system by exploiting a vulnerability in the application itself, for example to obtain system privileges, obtain confidential information or impersonate a legitimate user.

In summary, exploitation of Web application vulnerabilities is the most important source of Web security threats: 75% of attacks originate here, and only fixing the application itself can prevent them. The first prerequisite for security is therefore discovering these application vulnerabilities, so how do we find vulnerabilities in the Web application itself as quickly and efficiently as possible? Without efficient detection, a secure Web application remains an illusion, like the moon's reflection in the water.

3 How to respond to Web site attacks with Rational AppScan

IBM Rational AppScan is a powerful tool for addressing this challenge.

As the figure shows, Rational AppScan works quite simply, like a black-box testing tool: the tester does not need to understand the structure of the Web application itself. AppScan has a large and complete library of attack signatures. It applies hundreds of kinds of attack by inserting test cases into HTTP requests, then analyzes the HTTP responses to determine whether the application has the corresponding vulnerability. The whole process is easy to understand and efficient: testers can quickly locate where the vulnerability is, and AppScan explains the principle of the vulnerability and how to resolve it in detail, helping developers fix the security flaw quickly. Users need not spend much effort on attack signatures and test cases; the Watchfire team updates the signature library regularly, guaranteeing that it keeps pace with the industry and maximizing user productivity.
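The response-analysis half of that loop, as an added Python illustration that is not AppScan's code (AppScan's own signature library is not reproduced here): it takes a constructed baseline response and the response to one test case and applies three checks of the kind a black-box scanner makes, always comparing against the baseline so that a message the page shows anyway is not reported as a new finding. The error fingerprints, the single-quote probe and the <xss-probe> marker are assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Response:
    """A captured HTTP response reduced to what the analysis needs."""
    status: int
    body: str


@dataclass
class TestCase:
    """One test case a scanner inserted into a request parameter."""
    kind: str       # "sqli" or "xss"
    parameter: str  # which request parameter carried the payload
    payload: str    # the inserted value


# Constructed database error fingerprints; a real scanner carries hundreds.
DB_ERROR_PATTERNS = [
    re.compile(r"you have an error in your sql syntax", re.I),
    re.compile(r"unclosed quotation mark", re.I),
    re.compile(r'near ".*": syntax error', re.I),
    re.compile(r"\bORA-\d{5}\b"),
]


def shows_db_error(body):
    """True if the body contains any known database error fingerprint."""
    return any(p.search(body) for p in DB_ERROR_PATTERNS)


def analyze(test, baseline, response):
    """Return the findings for one test case.

    baseline is the response to the unmodified request; a symptom already
    present there is not attributed to the test case, which keeps an error
    banner the page always shows from becoming a false positive.
    """
    findings = []
    if test.kind == "sqli" and shows_db_error(response.body) and not shows_db_error(baseline.body):
        findings.append(f"SQL injection (database error disclosed) via parameter '{test.parameter}'")
    if test.kind == "xss" and test.payload in response.body and test.payload not in baseline.body:
        # The marker came back byte for byte, so the page did not encode it.
        # html.escape(test.payload) appearing instead means output encoding is in place.
        findings.append(f"Cross-site scripting (payload reflected unencoded) via parameter '{test.parameter}'")
    if response.status >= 500 and baseline.status < 500:
        findings.append(f"Server error {response.status} triggered via parameter '{test.parameter}'; review error handling")
    return findings


# Constructed sample exchange: one login page and two probes.
BASELINE = Response(200, "<p>Welcome, guest</p>")
SQLI_PROBE = TestCase("sqli", "username", "'")
XSS_PROBE = TestCase("xss", "username", "<xss-probe>")


def demo():
    """Apply the checks to four constructed responses; returns findings per case."""
    return {
        "sqli_error_page": analyze(SQLI_PROBE, BASELINE, Response(500, "Unclosed quotation mark after the character string ''.")),
        "sqli_handled": analyze(SQLI_PROBE, BASELINE, Response(200, "<p>Login failed</p>")),
        "xss_raw_reflection": analyze(XSS_PROBE, BASELINE, Response(200, "<p>Welcome, <xss-probe></p>")),
        "xss_encoded_reflection": analyze(XSS_PROBE, BASELINE, Response(200, "<p>Welcome, " + html.escape("<xss-probe>") + "</p>")),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or ["no finding"])
```

The baseline comparison is the part worth copying into any home-grown check: a scanner that only greps responses for error strings will flag every page whose footer happens to mention "syntax error", and the tester then spends the afternoon on false positives.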

Figure 4. Rational AppScan Work

Here we introduce the use of Rational AppScan through a simple example:

    • Define the scan

First determine the URL of the site to scan and, following the default template configuration wizard, determine the model of the site to be scanned and the kinds of vulnerability to scan for. For example, to scan the enterprise application www.xxx.com with the default settings and check whether it has any security risks: start AppScan, create a scan, type in www.xxx.com, and follow the configuration wizard through to completion.

Figure 5. The Default Template Configuration Wizard

Figure 6. Create a scan

    • Start the scan and test

Just click to execute.

    • View the scan results

As the figure shows, AppScan presents the results of the scan in several dimensions, not only locating where each problem is but also proposing a solution to it.

Figure 7. Results after the scan

4 Rational AppScan in depth

Rational AppScan also offers a number of advanced features to help customers test complex applications. The supported scan configurations include:

    • Starting URL: sets the starting address of the application under test
    • Custom Error Pages: defines custom error pages to improve test efficiency
    • Session IDs: manages sessions during the test
    • Automatic Server Detection: automatically detects the application server, Web server and operating system the application runs on
    • Exclusion and Inclusion: specifies which parts of the Web site are scanned or excluded, and which file types are not scanned
    • Scan Limits: other advanced scan limits, such as limits on the number of scans
    • Advanced: the scanning strategy, breadth-first or depth-first
    • Communication Settings: configures the delay and the number of threads used in the scan
    • Proxy Settings: proxy settings
    • Login/Logout: sets up the login to the application under test, either by recording and playback or by automatic login
    • Configure a Test Policy: configures the test policy, that is, which vulnerabilities to test for
    • ......

As described above, users can make a series of advanced configurations in AppScan: define the Web model they want to test, which parts need scanning and which do not, how to scan, and so on, and they can also define the list of vulnerabilities to scan for, thereby making sure that the part of the site the user cares about is checked for the vulnerabilities the user cares about. After detecting security vulnerabilities, AppScan provides a comprehensive solution to help customers fix them quickly and maximize the security of the Web application. In addition, AppScan also supports Web services.

AppScan provides comprehensive reporting capabilities that let users analyze the scan results, including support for industry standards and regulations, and it provides a range of small tools, for example the Authentication Tester, which checks the user names and passwords of the site under test by brute-force probing, and the HTTP Request Editor, which allows HTTP requests to be edited, and so on.

5 Usage scenarios for Rational AppScan

Rational AppScan can be used at every stage of the software development life cycle to fully guarantee the security of the software. As the figure shows, in the software development process developers, testers, QA, auditors and many other roles can use AppScan to test the application and dig out vulnerabilities early. The usage scenarios below introduce some of the benefits AppScan brings to software development.

Figure 8. AppScan Usage Scenarios

5.1 Developers use AppScan

During development, developers can use AppScan or its dedicated plug-ins to test at any time and maximize the security of the programs they write. The earlier a problem is found, the lower the cost of fixing it, and this provides the most solid foundation for Web application security.

5.2 Testers use AppScan

System testers use AppScan to test the application comprehensively. Once a problem is found, a defect record can be generated quickly; integration with ClearQuest allows electronic defect tracking, so the defect is passed into the developers' hands and guides them to resolve the problem quickly. This greatly improves the development team's efficiency and also provides a complete communication platform.

5.3 Auditors use AppScan before going live

This is the security quality gate before the system goes live. Every system should undergo rigorous testing before going online, which minimizes the emergence of problems in production and avoids the huge losses that problems in a live production system cause the enterprise.

5.4 Post-launch auditing and monitoring staff use AppScan

A live system should be tested regularly so that problems are detected promptly; the faster a problem is located, the smaller the loss.

What we have described above are generic usage scenarios. Different enterprises naturally have different characteristics; the principle behind any AppScan usage scenario is to maximize efficiency and expose problems early, laying a solid foundation for application security. Each enterprise can define its own usage pattern according to its own development situation.


6 Benefits for the enterprise

Through the introduction above we have gained some understanding of the current state of Web security, the importance of application security, and the use of the Rational AppScan security product. However, what the tool gives the customer is not just a set of functions; more important are the deep-rooted benefits it brings to the enterprise, the profound changes at the level of the development process, security policy and so on. Below we explain the value AppScan brings to the enterprise from several aspects:

AppScan is a solid guarantee for Web application security
As discussed above, 75% of current Web security vulnerabilities stem from the application itself; locating problems quickly and comprehensively and providing a complete solution helps the development team build a robust application.

AppScan reduces development costs and improves development efficiency
Developers and testers can quickly locate hidden security problems with Rational AppScan; finding problems early not only helps solve them but also reduces development cost and avoids the huge losses caused when problems surface late.

AppScan provides the enterprise with statistical analysis capability
Rational AppScan provides flexible reporting that enables statistical analysis of scan results, supports regulatory compliance analysis, and provides a delta comparison report that compares the results of two tests as a basis for quality inspection.

AppScan helps build an enterprise-class test strategy library
Rational AppScan helps enterprises establish different test strategies for different application types, while users can define solutions for different threats; this continuous accumulation of knowledge ensures that the enterprise has an ever more complete security solution.
Summary

To sum up, with the rapid development of the Internet, Web security has received unprecedented attention, and weak security has become a bottleneck for many enterprises. Yet even today, when security is so highly valued, many people hold serious misconceptions about how to make the Web safe. Reality shows that only by strengthening the protection of the Web application can 75% of attacks be effectively prevented; Web application protection has become the most indispensable part of the security topic. IBM Rational's AppScan solution helps enterprises find and fix security vulnerabilities efficiently, ensures the security of the application, and provides a solid technical guarantee for the enterprise throughout the Web development, testing, maintenance and operation life cycle.

Reprinted from: http://www.ibm.com/developerworks/cn/rational/r-cn-appscan2/
