Welcome

Welcome - Digicomp · XSS (Cross Site Scripting) 4. Broken Access Control. 5. Security Misconfiguration. 6. Sensitive Data Exposure. 7. Insufficient Attack Protection


Page 1

Welcome

Page 2

ADC: Citrix Application Firewall (WAF)

Page 3

Your speaker: Arnd Kagelmacher

Page 4

ADC: Citrix Application Firewall (WAF)

Contents:
• Tasks / goals / how it works
• Technology: how does it work?
• Features
• Use cases

20.11.2018 4

Page 5

Tasks / goals / how it works

What is protected?
• Web applications
• Websites

Where does protection take place?
• At the application layer
• Zero-day attacks

Page 6

Tasks / goals / how it works

How is it protected?
• Incoming requests are inspected
• Outgoing data is inspected

Page 7

Tasks, goals and how it works

Page 8

Tasks, goals and how it works

• 98% of all attacks come from outside (+6%)
• 86% of all attacks are not that 'complex' (+4%)
• 94% of all affected data involve server access (+18%)
• 97% of all attacks could be prevented by simple measures (+1%)

[Chart: breaches by company size; size bands 1 to 10, 11 to 100, 101 to 1,000, 1,001 to 10,000, 10,001 to 100,000, over 100,000]

Source: 2017 Data Breach Investigations Report, Verizon RISK Team

Page 9

[Diagram: NetScaler Web Application Firewall flow. Request → Request Security Checks → Pass: Forward to Web Server; Fail: Redirect to Designated Error Page. Web Server → Response Security Checks → Pass: Forward to User's Browser. The diagram also carries a "404 Not Found" label.]

Page 10

Tasks / goals / how it works

[Diagram: Citrix ADC WAF sits between the INTERNAL web applications and EXTERNAL clients]

1. Client request: http://www.meinefirma.ch/
2. Request inspections
3. Client request: www.meinefirma.ch
4. Server response: www.meinefirma.ch
5. Response inspections
6. Server response: http://www.meinefirma.ch/

Request inspections:
• Start URLs
• XSS
• SQL Injection
• Field Consistency
• Buffer Overflow

Response inspections:
• Credit Cards
• SAFE Object

Protected back ends: Database, HTML Web Applications, XML Web Applications

Page 11

Tasks / goals / how it works: integrated HTML and XML security

• XML security:
  • Threat protection
  • Content validation
  • …

XML applications
• SOAP

One appliance for HTML, XML and Web 2.0 applications

Checks: Block, Log and Statistics

Page 12

Tasks / goals / how it works

Protects companies / company data:
• e.g. information / data / code / …

Protects customers / customer data:
• e.g. credit cards / financial data / patient data / …

Page 13

Tasks / goals / how it works

Features (excerpt):
• RegEx editor
• Custom error page
• PCI compliant (= Payment Card Industry)
• Learning mode
• Profiles / templates / signatures / …
• …

Simple configuration and monitoring

Page 14

Top ten attacks

1. Injection (SQLi -> SQL Injection)
2. Broken Authentication and Session Management
3. XSS (Cross Site Scripting)
4. Broken Access Control
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Insufficient Attack Protection
8. Cross Site Request Forgery (CSRF or XSRF)
9. Using Components with Known Vulnerabilities
10. Underprotected APIs

Page 15

Attack overview

[Diagram: Client → Malicious Request (… but valid …) → Web Servers (Programming Error) → Malicious Database Request → Complete Customer Records]

Page 16

Buffer Overflow Exploits

[Diagram: Hacker → Internet → Application Server: Buffer Overflow Attack → Application: Gain Application Privileges → Platform: Gain Platform Privileges → OS: Gain root → Server Access]

Citrix Application Firewall limits input parameter sizes for:
• Form Fields
• URLs
• Cookies

Page 17

Protecting Against Buffer Overflow Exploits

[Diagram: Hacker → REQ that contains a URL, cookie or a header that is too long → Error Page (the request is not forwarded to the Web Server)]

Page 18

Buffer overflow configuration
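To make the buffer overflow check on the preceding slides concrete, here is an added Python model of it. This is example code written for this page, not Citrix's implementation or its configuration syntax: the three length limits are assumed illustrative values, and the request objects and sample traffic are constructed. It shows the routing the slides describe, where a request that passes is forwarded to the web server and a request with an over-long URL, header or cookie is answered with the error page.

```python
"""
Model of a WAF buffer-overflow security check (constructed example).

The firewall compares the length of the URL, of each header and of the
Cookie header against profile limits and routes over-long requests to the
designated error page instead of the web server.
"""
from dataclasses import dataclass, field


@dataclass
class BufferOverflowProfile:
    # Assumed illustrative limits (bytes); tune them to the protected application.
    max_url_length: int = 1024
    max_cookie_length: int = 4096
    max_header_length: int = 4096


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)


def buffer_overflow_violations(req: Request, profile: BufferOverflowProfile) -> list:
    """Return human-readable violations; an empty list means the check passed."""
    violations = []
    if len(req.url) > profile.max_url_length:
        violations.append(f"URL length {len(req.url)} exceeds {profile.max_url_length}")
    for name, value in req.headers.items():
        # The Cookie header has its own limit; every other header shares the header limit.
        limit = profile.max_cookie_length if name.lower() == "cookie" else profile.max_header_length
        if len(value) > limit:
            violations.append(f"header {name!r} length {len(value)} exceeds {limit}")
    return violations


def route_request(req: Request, profile: BufferOverflowProfile) -> tuple:
    """Mirror the slide flow: pass -> forward to web server, fail -> designated error page."""
    violations = buffer_overflow_violations(req, profile)
    if violations:
        return "error_page", violations
    return "forward_to_web_server", violations


# Constructed sample traffic.
NORMAL_REQUEST = Request(
    url="/index.asp?category=books",
    headers={"Host": "shop.example", "Cookie": "session=abc123"},
)
OVERSIZED_REQUEST = Request(
    url="/index.asp?category=books",
    headers={"Host": "shop.example", "Cookie": "session=" + "A" * 5000},
)

if __name__ == "__main__":
    profile = BufferOverflowProfile()
    for req in (NORMAL_REQUEST, OVERSIZED_REQUEST):
        decision, why = route_request(req, profile)
        print(decision, why)
```

The limits are the whole configuration of this check, so the practical work is choosing them: measure the longest legitimate URL, header and cookie the application actually emits (the learning mode mentioned on slide 13 is for exactly this) and set the limits just above that, so an unexpectedly long field is a finding rather than a false positive.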

Page 19

SQL Injection Attacks

SQL injection attacks: sending SQL commands to a Web application that, when passed to the database, execute and allow a hacker to gain access to or change customer data and other sensitive information.

SQL injection attack example:

http://shop/index.asp?category=books' or '1=1

[Diagram: Database, HTML Web Applications, XML Web Applications]

Page 20

Protecting Against SQL Injection

[Diagram: REQ containing SQL → SQL Injection Security Check → no violation: Web Server; violation: Error Page]
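The following added Python example walks the slide's own request, http://shop/index.asp?category=books' or '1=1, through a simplified SQL injection security check. It is example code written for this page, not Citrix's implementation: the keyword and special-character lists are constructed and deliberately short, and the rule shape (flag a parameter only when it contains both an SQL keyword and an SQL special character) is one common way such a check is written, chosen here because it keeps ordinary text with an apostrophe from tripping the check.

```python
"""
Model of a WAF SQL Injection security check (constructed example).

Each query parameter is URL-decoded and flagged when it combines an SQL
keyword with an SQL special character. Violations send the request to the
error page; otherwise it is forwarded to the web server.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed, deliberately small lists; a real profile is far larger and tunable.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop",
                "or", "and", "where", "exec", "sleep", "waitfor"}
SQL_SPECIAL = ("'", '"', ";", "--", "/*", "*/", "#")


def sqli_violation(value: str):
    """Return a reason string when `value` looks like injected SQL, else None.

    Requiring both a keyword and a special character keeps plain text such as
    "Tom's books" (apostrophe, no keyword) from tripping the check.
    """
    lowered = value.lower()
    specials = [ch for ch in SQL_SPECIAL if ch in lowered]
    keywords = sorted(set(re.findall(r"[a-z_]+", lowered)) & SQL_KEYWORDS)
    if specials and keywords:
        return f"SQL keyword(s) {keywords} together with special character(s) {specials}"
    return None


def inspect_request(url: str) -> tuple:
    """Mirror the slide: no violation -> web server, violation -> error page."""
    query = urlsplit(url).query
    violations = []
    # parse_qsl undoes percent-encoding and '+', so encoded payloads are inspected decoded.
    for name, value in parse_qsl(query, keep_blank_values=True):
        reason = sqli_violation(value)
        if reason:
            violations.append(f"{name}: {reason}")
    return ("error_page", violations) if violations else ("forward_to_web_server", [])


# Constructed sample URLs: the slide's example, its percent-encoded form, and two benign ones.
SLIDE_EXAMPLE = "http://shop/index.asp?category=books' or '1=1"
ENCODED_EXAMPLE = "http://shop/index.asp?category=books%27+or+%271%3D1"
BENIGN_APOSTROPHE = "http://shop/index.asp?category=Tom%27s+books"
BENIGN_KEYWORD = "http://shop/index.asp?category=dogs+and+cats"

if __name__ == "__main__":
    for url in (SLIDE_EXAMPLE, ENCODED_EXAMPLE, BENIGN_APOSTROPHE, BENIGN_KEYWORD):
        print(url, "->", inspect_request(url))
```

Two caveats a practitioner should take from this. First, the check must see the decoded value: the encoded and raw forms of the slide's request are the same request, and both are caught only because decoding happens before matching. Second, a pattern check is a compensating control, not the fix: the "Programming Error" on slide 15 is still there, and the application must use parameterized queries so that the WAF is the second line of defence rather than the only one.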

Page 21

Cross-site Scripting (XSS) Attacks

1. Hacker posts <malicious script> to vulnerable Web application
2. Innocent user downloads script and executes it
3. Script captures credential info and sends it to the hacker

[Diagram: Database, HTML Web Applications, XML Web Applications]

Cross-Site Scripting: inserting a malicious script that compromises the trust relationship between a user and a Web application, resulting in confidential information being sent to an attacker, who can use it to steal that user's identity.

Page 22

Protecting Against Cross-Site Scripting

[Diagram: REQ containing Script → Cross-Site Scripting Security Check → Script Transformed → Web Server; XSS → Error Page]

Page 23

Protecting Against Cross-Site Scripting
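The slide 22 diagram shows two outcomes for a request that carries a script: block it with the error page, or transform the script and forward the request. The added Python example below models both actions. It is example code written for this page, not Citrix's implementation: the denied tag list, the attribute and URL patterns and the sample field values are constructed, and the transform used here (HTML-encoding the angle brackets) is one straightforward way to render markup inert.

```python
"""
Model of a WAF Cross-Site Scripting security check (constructed example).

A field value is a violation when it contains a denied tag, an inline
event-handler attribute or a javascript: URL. Depending on the configured
action the request is blocked (error page) or the markup is transformed
into harmless text and the request is forwarded.
"""
import re

# Constructed, deliberately short deny lists; a real profile allows harmless tags
# and keeps a much longer list of dangerous tags and attributes.
DENIED_TAGS = {"script", "iframe", "object", "embed", "svg"}
DENIED_ATTRIBUTE_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)   # onload=, onerror=, ...
TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.IGNORECASE)
SCRIPT_URL_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def xss_violation(value: str):
    """Return a reason when `value` contains denied markup, else None."""
    tags = {t.lower() for t in TAG_RE.findall(value)}
    denied = sorted(tags & DENIED_TAGS)
    if denied:
        return f"denied tag(s) {denied}"
    if DENIED_ATTRIBUTE_RE.search(value):
        return "event-handler attribute"
    if SCRIPT_URL_RE.search(value):
        return "javascript: URL"
    return None


def transform(value: str) -> str:
    """Render any markup inert by HTML-encoding the angle brackets."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def inspect_field(value: str, action: str = "transform") -> tuple:
    """`action` is 'block' or 'transform'; returns (decision, value forwarded to the server)."""
    reason = xss_violation(value)
    if reason is None:
        return "forward_to_web_server", value
    if action == "block":
        return "error_page", None
    return "forward_transformed", transform(value)


# Constructed sample field values, e.g. a product review text.
COMMENT_OK = "Great book, <b>highly</b> recommended"
COMMENT_SCRIPT = "Nice <script>alert(1)</script>"
COMMENT_HANDLER = '<img src=x onerror="alert(1)">'

if __name__ == "__main__":
    for v in (COMMENT_OK, COMMENT_SCRIPT, COMMENT_HANDLER):
        print(inspect_field(v, "transform"))
        print(inspect_field(v, "block"))
```

The transform action is the friendlier choice for fields where users legitimately type angle brackets, because the request still reaches the application; the block action is the safer choice where no markup is ever expected. In both cases the application should still encode output on its own pages, since the WAF only sees the request and cannot fix data that reached the database another way.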

Page 24

Cookie Consistency Protection

[Diagram: Client → REQ → Web Server. The Original Cookie issued by the server is accepted when it comes back unchanged; a Modified Cookie results in Error / Block]

Page 25

Cookie Consistency Protection

Page 26

Cookie Consistency Protection
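Slides 24 to 26 show the cookie consistency idea: the firewall remembers what the server set and rejects a request whose cookies no longer match. The added Python example below implements that with a keyed hash, which is one way to do it without keeping per-session state on the firewall. It is example code written for this page, not Citrix's implementation: the secret key, the signature cookie name and the sample exchange are constructed placeholders.

```python
"""
Model of Cookie Consistency protection (constructed example).

Cookies the server sets are signed on the way out with an HMAC; on the next
request the firewall recomputes the signature over the cookies the client
presents. A cookie that was modified, added or removed no longer matches,
so the request is blocked instead of forwarded.
"""
import hashlib
import hmac

SIG_COOKIE = "_waf_sig"                             # assumed name for the signature cookie
SECRET_KEY = b"constructed-example-key-rotate-me"   # placeholder; a real key is generated and rotated


def _canonical(cookies: dict) -> bytes:
    """Deterministic byte form of the server-set cookies, independent of their order."""
    return "\n".join(f"{k}={v}" for k, v in sorted(cookies.items())).encode()


def sign_response_cookies(server_cookies: dict) -> dict:
    """Called on the response: returns the cookie set the client will actually receive."""
    signature = hmac.new(SECRET_KEY, _canonical(server_cookies), hashlib.sha256).hexdigest()
    return {**server_cookies, SIG_COOKIE: signature}


def check_request_cookies(client_cookies: dict) -> tuple:
    """Called on the next request: pass -> web server, modified or missing -> block."""
    presented = dict(client_cookies)
    signature = presented.pop(SIG_COOKIE, None)
    if signature is None:
        return "block", "signature cookie missing"
    expected = hmac.new(SECRET_KEY, _canonical(presented), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return "block", "cookie set does not match the values the server issued"
    return "forward_to_web_server", None


# Constructed sample exchange: the server issues two cookies, then three clients reply.
ISSUED = sign_response_cookies({"session": "abc123", "role": "user"})
UNCHANGED_REPLY = dict(ISSUED)                                        # original cookie
MODIFIED_REPLY = {**ISSUED, "role": "admin"}                          # modified cookie
STRIPPED_REPLY = {k: v for k, v in ISSUED.items() if k != SIG_COOKIE}  # signature removed

if __name__ == "__main__":
    for reply in (UNCHANGED_REPLY, MODIFIED_REPLY, STRIPPED_REPLY):
        print(check_request_cookies(reply))
```

The check protects the application only if it is in front of every path to the server and the key is not guessable, and it deliberately treats a missing signature as a violation: otherwise a client could drop the signature cookie along with the modification and pass unchecked.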

Page 27

Questions? 😱😱

Thank you!

Page 28

CNS-320