Communications in Computer and Information Science 72
Carlos Serrão, Vicente Aguilera Díaz, Fabio Cerullo (Eds.)
Web Application Security
Iberic Web Application Security Conference, IBWAS 2009, Madrid, Spain, December 10-11, 2009. Revised Selected Papers
Volume Editors
Carlos Serrão, ISCTE-IUL Lisbon University Institute, OWASP Portugal, Ed. ISCTE, Lisboa, Portugal. E-mail: [email protected]
Vicente Aguilera Díaz, Internet Security Auditors, OWASP Spain, Barcelona, Spain. E-mail: [email protected]
Fabio Cerullo, OWASP Ireland, OWASP Global Education Committee, Rathborne Village, Ashtown, Dublin, Ireland. E-mail: [email protected]
Library of Congress Control Number: 2010936707
CR Subject Classification (1998): C.2, K.6.5, D.4.6, E.3, H.4, J.1
ISSN 1865-0929
ISBN-10 3-642-16119-7 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-16119-3 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2010 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper 06/3180
Preface
IBWAS 2009, the Iberic Conference on Web Applications Security, was the first international conference organized by both the OWASP Portuguese and Spanish chapters in order to join the international Web application security academic and industry communities to present and discuss the major aspects of Web application security. There is currently a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of Web-based applications and Web services as a way to develop new and flexible information systems. Such systems are easy to develop, deploy and maintain and they demonstrate impressive features for users, resulting in their current wide use. The “social” features of these technologies create the necessary “massification” effects that make millions of users share their own personal information and content over large Web-based interactive platforms. Corporations, businesses and governments all over the world are also developing and deploying more and more applications to interact with their businesses, customers, suppliers and citizens to enable stronger and tighter relations with all of them. Moreover, legacy non-Web systems are being ported to this new intrinsically connected environment. IBWAS 2009 brought together application security experts, researchers, educators and practitioners from industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track, academic researchers were able to combine interesting results with the experience of practitioners and software engineers. The conference, held at the Escuela Universitaria de Ingeniería Técnica de Telecomunicación of the Universidad Politécnica de Madrid (EUITT/UPM), was organized for the very first time and represented a step forward in the OWASP mission and organization.
During the two days of the conference, more than 50 attendees enjoyed different types of sessions, organized around different topics. Two renowned keynote speakers, diverse invited speakers and several accepted communications were presented and discussed at the conference. During these two days, the conference agenda was distributed in two major abstract panels, industry and research sessions, organized according to the following topics:
• Secure application development
• Security of service-oriented architectures
• Threat modelling of Web applications
• Cloud computing security
• Web application vulnerabilities and analysis
• Countermeasures for Web application vulnerabilities
• Secure coding techniques
• Platform or language security features that help secure Web applications
• Secure database usage in Web applications
• Access control in Web applications
• Web services security
• Browser security
• Privacy in Web applications
• Standards, certifications and security evaluation criteria for Web applications
• Attacks and vulnerability exploitation
On the final day of the conference, a panel discussion was held around a specific topic: “Web Application Security: What Should Governments do in 2010.” From this discussion panel a set of conclusions were reached and some specific recommendations were produced:
1. Challenge governments to work with organizations such as OWASP to increase the transparency of Web application security, particularly with respect to financial, health and all other systems where data privacy and confidentiality requirements are fundamental.
2. OWASP will seek participation with governments around the globe to develop recommendations for the incorporation of specific application security requirements and the development of suitable certification frameworks within the government software acquisition processes.
3. Offer OWASP assistance to clarify and modernize computer security laws, allowing the government, citizens and organizations to make informed decisions about security.
4. Ask governments to encourage companies to adopt application security standards that, where followed, will help protect us all from security breaches, which might expose confidential information, enable fraudulent transactions and incur legal liability.
5. Offer to work with local and national governments to establish application security dashboards providing visibility into spending and support for application security.
Although organized together by the OWASP Portugal and Spain chapters, IBWAS 2009 was a truly international event and welcomed Web application security experts from all over the world, supported by the OWASP open and distributed community. We, as organizers of the IBWAS 2009 conference, would like to thank the different authors who submitted their quality papers to the conference, and the members of the Programme Committee for their efforts in reviewing the multiple contributions that we received.
We would also like to thank the amazing keynote and panel speakers for their collaboration in making IBWAS 2010 a success. Finally, we would like to thank the EUITT/UPM for hosting the event and for all their support.
December 2009
Carlos Serrão Vicente Aguilera Díaz Fabio Cerullo
Organization
Programme Committee Chairs
Aguilera Díaz V., Internet Security Auditors, OWASP Spain, Spain
Cerullo F., OWASP Ireland, Ireland
Serrão C., ISCTE-IUL Instituto Universitário de Lisboa, OWASP Portugal, Portugal
Secretary
Cerullo F., OWASP Ireland, Ireland
Members
Agudo I., Universidad de Málaga, Spain
Chiariglione L., Cedeo, Italy
Correia M., Universidade de Lisboa, Portugal
Costa C., Universidade de Aveiro, Portugal
Cruz R., Instituto Superior Técnico, Portugal
Delgado J., Universitat Politècnica de Catalunya, Spain
Dias M., Microsoft, Portugal
Elias W., OWASP Brasil, Brazil
Ferreira J., Universidade de Lisboa, Portugal
Filipe V., Universidade de Trás-os-Montes e Alto Douro, Portugal
Hernández-Goya C., Universidad de La Laguna, Spain
Hernando J., Universitat Politècnica de Catalunya, Spain
Hinojosa K., New York University, USA
Huang T., Peking University, China
Kudumakis P., Queen Mary University of London, UK
Lemes L., Unisinos, Brazil
Lopes S., Universidade do Minho, Portugal
Marañón G., Consejo Superior de Investigaciones Científicas, Spain
Marinheiro R., ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Marques J., Instituto Politécnico de Castelo Branco, Portugal
Metrôlho J., Instituto Politécnico de Castelo Branco, Portugal
Muro J., Universidad Politécnica de Madrid, Spain
Neves E., OWASP Brasil, Brazil
Neves N., Universidade de Lisboa, Portugal
Oliveira J., Universidade de Aveiro, Portugal
Raduà F., Universitat Oberta de Catalunya, Spain
Ribeiro C., Instituto Superior Técnico, Portugal
Roman R., Universidad de Málaga, Spain
Saeta J., Barcelona Digital, Spain
Santos O., Instituto Politécnico de Castelo Branco, Portugal
Santos V., Microsoft, Portugal
Sequeira M., ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Sousa P., Universidade de Lisboa, Portugal
Torres V., Universitat Pompeu Fabra, Spain
Vergara J., Universidad Autónoma de Madrid, Spain
Vieira M., Universidade de Coimbra, Portugal
Villagrá V., Universidad Politécnica de Madrid, Spain
Yagüe M., Universidad de Málaga, Spain
Zúquete A., Universidade de Aveiro, Portugal
Table of Contents
Abstracts
The OWASP Logging Project (Marc Chisinevski) ..... 1
SQL Injection - How Far Does the Rabbit Hole Go? (Justin Clarke) ..... 3
OWASP O2 Platform - Open Platform for Automating Application Security Knowledge and Workflows (Dinis Cruz) ..... 5
The Business of Rogueware (Luis Corrons) ..... 7
Microsoft Infosec Team: Security Tools Roadmap (Simon Roses) ..... 9
Empirical Software Security Assurance (Dave Harper) ..... 11
Assessing and Exploiting Web Applications with the Open-Source Samurai Web Testing Framework (Raul Siles) ..... 13
Authentication: Choosing a Method That Fits (Miguel Almeida) ..... 15
Cloud Computing: Benefits, Risks and Recommendations for Information Security (Daniele Catteddu) ..... 17
OWASP TOP 10 2009 (Fabio E. Cerullo) ..... 19
Deploying Secure Web Applications with OWASP Resources (Fabio E. Cerullo) ..... 21
Threat Risk Modelling (Martin Knobloch) ..... 23
Protection of Applications at the Enterprise in the Real World: From Audits to Controls (Javier Fernández-Sanguino) ..... 25
Papers
A Semantic Web Approach to Share Alerts among Security Information Management Systems (Jorge E. López de Vergara, Víctor A. Villagrá, Pilar Holgado, Elena de Frutos, and Iván Sanz) ..... 27
WASAT - A New Web Authorization Security Analysis Tool (Carmen Torrano-Gimenez, Alejandro Perez-Villegas, and Gonzalo Alvarez) ..... 39
Connection String Parameter Pollution Attacks (Chema Alonso, Manuel Fernandez, Alejandro Martín, and Antonio Guzmán) ..... 51
Web Applications Security Assessment in the Portuguese World Wide Web Panorama (Nuno Teodoro and Carlos Serrão) ..... 63
Building Web Application Firewalls in High Availability Environments (Juan Galiana Lara and Àngel Puigventós Gracia) ..... 75
Author Index ..... 83
The OWASP Logging Project
Marc Chisinevski, Digiplug, France
[email protected]
The presentation explained current shortcomings of Security Information Management systems; a new solution and a working prototype were presented. In current Security Information Management Systems it is difficult to obtain relevant views of consolidated data (for instance, alarms concerning different clients and different data centres over different periods of time); it is difficult to calculate essential indicators for management (risk indicators such as the Annual Loss Expectancy for assets and the cost-effectiveness of proposed safeguards); it is difficult to compare with historical data; and there are also some severe performance issues. The proposed solution to these problems is based on the use of a multidimensional database, which presents several advantages, such as presenting risk assessment and safeguard cost-effectiveness scenarios to the CFO/CEO and presenting data through different useful views (Client, Asset, Data Center, Time, Geography). The Client view is particularly important for Software-as-a-Service and Cloud providers in order to assess conformity with Service Level Agreements and legal obligations for each customer. The Asset view is essential for management, allowing them to assess the risks to business processes and information. To achieve this, the raw data acquired by the Security Information Management system (events on servers) needs to be correlated and consolidated. The following facts need to be taken into account when assessing the risk: an asset has an intrinsic value, and the asset’s value increases if other assets (information, business processes, servers) depend on it. With this approach, risk indicators are easy to calculate and analyse, and it is easier to clearly define aggregation levels, such as raw data (Event, Server) and consolidated data (Alarm (correlated events), Asset, Client, Datacenter, Time, Geography).
Reporting queries no longer run on the Security Information Management system’s production database; it is possible to analyse the data (drill-down, roll-up, slice) without writing SQL, and to integrate data from different sources.
C. Serrão, V. Aguilera, and F. Cerullo (Eds.): IBWAS 2009, CCIS 72, p. 1, 2010. © Springer-Verlag Berlin Heidelberg 2010
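The abstract above describes the mechanics only in outline: raw server events are correlated into alarms, alarms are viewed along several dimensions, an asset's value grows with the assets that depend on it, and risk indicators such as the Annual Loss Expectancy and safeguard cost-effectiveness are computed from the consolidated data. The following Python program is an added illustration of that pipeline; it is not code from the OWASP Logging Project or its prototype. The assets, dependency graph, clients, data centres and events are constructed sample data, the in-memory dictionaries stand in for the multidimensional database, and the 10-minute correlation window and the 73-day observation window are assumptions chosen for the example.

```python
"""Added example (not the OWASP Logging Project's code): a toy multidimensional
view over SIM data. Raw events are correlated into alarms, alarms are rolled up
and sliced along Client / Asset / Data Center / Time / Geography, asset values
are propagated along dependencies, and an ALE risk indicator plus a safeguard
cost-effectiveness figure are derived. All data below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical assets: intrinsic value (EUR) and what each asset depends on.
ASSET_VALUE = {"db-01": 50_000, "web-01": 10_000, "proc-billing": 200_000}
DEPENDS_ON = {"db-01": [], "web-01": ["db-01"], "proc-billing": ["web-01", "db-01"]}

# Constructed raw events as a SIM would collect them from servers ("ef" is the
# exposure factor: the fraction of the asset's value at risk in one incident).
EVENTS = [
    {"ts": "2009-11-01T10:00:00", "client": "acme", "dc": "MAD1", "geo": "ES",
     "asset": "web-01", "sig": "SQLi", "ef": 0.2},
    {"ts": "2009-11-01T10:03:00", "client": "acme", "dc": "MAD1", "geo": "ES",
     "asset": "web-01", "sig": "SQLi", "ef": 0.2},
    {"ts": "2009-11-01T10:40:00", "client": "acme", "dc": "MAD1", "geo": "ES",
     "asset": "web-01", "sig": "SQLi", "ef": 0.2},
    {"ts": "2009-11-15T09:00:00", "client": "globex", "dc": "LIS1", "geo": "PT",
     "asset": "db-01", "sig": "BruteForce", "ef": 0.5},
    {"ts": "2009-12-02T23:10:00", "client": "acme", "dc": "MAD1", "geo": "ES",
     "asset": "db-01", "sig": "BruteForce", "ef": 0.5},
]
WINDOW_DAYS = 73  # assumed length of the observation window the events came from


def effective_value(asset):
    """Intrinsic value plus the intrinsic value of every asset that transitively
    depends on it (walks the dependency graph backwards, each asset counted once)."""
    dependents, stack = set(), [asset]
    while stack:
        current = stack.pop()
        for other, deps in DEPENDS_ON.items():
            if current in deps and other not in dependents:
                dependents.add(other)
                stack.append(other)
    return ASSET_VALUE[asset] + sum(ASSET_VALUE[d] for d in dependents)


def correlate(events, window_minutes=10):
    """Consolidate raw events into alarms: events with the same client, asset and
    signature that arrive within the window are one alarm."""
    key_dims = ("client", "dc", "geo", "asset", "sig", "ef")
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e[d] for d in key_dims)].append(datetime.fromisoformat(e["ts"]))
    alarms = []
    for key, stamps in groups.items():
        stamps.sort()
        last = None
        for ts in stamps:
            if last is None or ts - last > timedelta(minutes=window_minutes):
                alarms.append(dict(zip(key_dims, key), first=ts,
                                   month=ts.strftime("%Y-%m"), events=0))
            alarms[-1]["events"] += 1
            last = ts
    return alarms


def roll_up(alarms, dims):
    """Alarm counts aggregated along the given dimensions, e.g. ("client", "month")."""
    return Counter(tuple(a[d] for d in dims) for a in alarms)


def slice_(alarms, dim, value):
    """Fix one dimension (e.g. geo == "ES") and keep the others for drill-down."""
    return [a for a in alarms if a[dim] == value]


def ale(alarms, asset, window_days=WINDOW_DAYS):
    """Annual Loss Expectancy for an asset: the single-loss expectancy (effective
    value x exposure factor) summed over its alarms, scaled from the window to a year."""
    losses = sum(effective_value(asset) * a["ef"] for a in alarms if a["asset"] == asset)
    return losses * 365 / window_days


def safeguard_benefit(ale_before, ale_after, annual_cost):
    """Cost-effectiveness of a safeguard: ALE reduction minus its yearly cost."""
    return (ale_before - ale_after) - annual_cost


if __name__ == "__main__":
    alarms = correlate(EVENTS)
    print(len(alarms), "alarms from", len(EVENTS), "events")
    print("by client:", dict(roll_up(alarms, ("client",))))
    print("ALE web-01:", ale(alarms, "web-01"))
```

The `ale` figure is what the Asset view would show a manager, and `safeguard_benefit` is the number behind a cost-effectiveness scenario (for example, a control that halves the exposure factor of the SQLi alarms on `web-01` against its yearly cost). Because `roll_up` and `slice_` work on the consolidated alarms rather than the raw events, the reporting never touches the production event store, which is the performance point the abstract makes.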
SQL Injection - How Far Does the Rabbit Hole Go?
Justin Clarke, Gotham Digital Science, United Kingdom
[email protected]
SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world, and well publicised data breaches with SQL Injection as a component, it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea. This talk explores the deeper, darker areas of SQL Injection, hybrid attacks, SQL Injection worms, and exploiting database functionality. Explore what kinds of things we can expect in future.
OWASP O2 Platform - Open Platform for Automating Application Security Knowledge and Workflows
Dinis Cruz, OWASP, United Kingdom
[email protected]
In this talk Dinis Cruz will show the OWASP O2 Platform, which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism about the usability of source code analysis engines to find commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.
The Business of Rogueware
Luis Corrons, Panda Security, Spain
[email protected]
The size and complexity of the underground cybercrime economy have grown significantly over the past couple of years due to a variety of factors, including the rise of social media tools, the global economic slowdown, and an increase in the total number of Internet users. For the past 3 years, PandaLabs has monitored the ever-evolving cybercrime economy to discover its tactics, tools, participants, motivations and victims, to understand the full extent of criminal activities and ultimately bring an end to the offenses. In October of 2008, PandaLabs published findings from a comprehensive study on the rogueware economy, which concluded that the cybercriminals behind fake antivirus software applications were generating upwards of $15 million per month. In July of 2009, it released a follow-on study that proved monthly earnings had more than doubled to approximately $34 million through rogueware attacks distributed via Facebook, MySpace, Twitter, Digg and targeted Blackhat SEO. This session will reveal the latest results from PandaLabs’ ongoing study of the cybercrime economy by illustrating the latest malware strategies used by criminals and examining the changes in their attack strategies over time. The goal of this presentation is to raise awareness of this growing underground economy.
Microsoft Infosec Team: Security Tools Roadmap
Simon Roses, Microsoft, United Kingdom
[email protected]
The Microsoft IT’s Information Security (InfoSec) group is responsible for information security risk management at Microsoft. We concentrate on the data protection of Microsoft assets, business and enterprise. Our mission is to enable secure and reliable business for Microsoft and its customers. We are an experienced group of IT professionals including architects, developers, program managers and managers. This talk will present different technologies developed by Infosec to protect Microsoft and released for free, such as CAT.NET, SPIDER, SDR, TAM and SRE and how they fit into SDL (Security Development Lifecycle).
Empirical Software Security Assurance
Dave Harper, Fortify Software, USA
[email protected]
By now everyone knows that security must be built in to software; it cannot be bolted on. For more than a decade, scientists, visionaries, and pundits have put forth a multitude of techniques and methodologies for building secure software, but there has been little to recommend one approach over another or to define the boundary between ideas that merely look good on paper and ideas that actually get results. The alchemists and wizards have put on a good show, but it's time to look at the real empirical evidence. This talk examines software security assurance as it is practiced today. We will discuss popular methodologies and then, based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust Clearing Corporation (DTCC), we present a set of benchmarks for developing and growing an enterprise-wide software security initiative, including but not limited to integration into the software development lifecycle (SDLC). While all initiatives are unique, we find that the leaders share a tremendous amount of common ground and wrestle with many of the same problems. Their lessons can be applied in order to build a new effort from scratch or to expand the reach of existing security capabilities.
Assessing and Exploiting Web Applications with the Open-Source Samurai Web Testing Framework
Raul Siles, Taddong, Spain
[email protected]
The Samurai Web Testing Framework (WTF) is an open-source LiveCD based on Ubuntu and focused on web application security testing. It includes an extensive collection of pre-installed and pre-configured top penetration testing and security analysis tools, making it an ideal environment for assessing and exploiting web applications. The tool categorization guides the analyst through the web-app penetration testing methodology, from reconnaissance to mapping, discovery and exploitation. The project web page is http://sf.net/projects/samurai/. Samurai WTF aims to become the weapon of choice for professional web app pen-testers, offering a well-established environment that acts as a time saver, as it includes all the required web application security tools pre-configured and ready to run. This talk describes the actively developed Samurai WTF distribution and its tool set, including the recently created Samurai WTF Firefox add-ons collection (to turn the browser into the ultimate pen-testing tool), available at https://addons.mozilla.org/en-US/firefox/collection/samurai, the advanced features provided by the integration of multiple attack tools, plus the new tool update capabilities. This recently added SVN update functionality provides frequent updates for Samurai WTF, a new update feature for the most actively developed security testing tools, and an improved collaboration model between the Samurai WTF community members. The talk ends with a live demonstration on a target web application of the advanced attack techniques provided by the integration of tools like Sqlninja and Metasploit. The combination of both tools offers the pen-tester the option to take full control of a vulnerable web infrastructure, including the internal database servers.
Authentication: Choosing a Method That Fits
Miguel Almeida, Independent Security Consultant, Portugal
[email protected]
Over the last five years, we in the security field have been witnessing an increase in the number of attacks on (web) application users' credentials, and in the refinement and sophistication these attacks have been gaining. There are currently several methods and mechanisms to increase the strength of the authentication process for web applications, both to improve user authentication and to improve transaction authentication. As an example, one can think of adding one-time password tokens, digital certificates, EMV cards, or even SMS one-time codes. However, none of these methods comes for free, nor do they provide perfect security. One must also consider usability penalties, mobility constraints, and, of course, the direct costs of the gadgets. Moreover, there is evidence that not all kinds of attacks can be stopped by even the most sophisticated of these methods. So, where do we stand? What should we choose? What kind of gadgets should we use for our business-critical app, how much will they increase the costs and reduce the risk, and, last but not least, what kinds of attacks will we be unable to stop anyway? This presentation will focus on ways to evaluate the pros and cons of adding these improvements, given the current threats.
Cloud Computing: Benefits, Risks and Recommendations for Information Security
Daniele Catteddu, ENISA, Greece
[email protected]
The presentation “Cloud Computing: Benefits, risks and recommendations for information security” will cover some of the most relevant information security implications of cloud computing from the technical, policy and legal perspectives. Information security benefits and top risks will be outlined and, most importantly, concrete recommendations on how to address the risks and maximise the benefits for users will be given.
OWASP TOP 10 2009
Fabio E. Cerullo, OWASP Ireland, Ireland
[email protected]
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high-risk problem areas and provides guidance on where to go from here. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003 and minor updates were made in 2004, 2007, and this 2010 release. We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives can start thinking about how to manage the risk that software applications create in their enterprise. This significant update presents a more concise, risk-focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much clearer than previous editions, and provides additional information on how to assess these risks for your applications. For each Top 10 item, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk, and then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws in that area, and pointers to links with more information.
Deploying Secure Web Applications with OWASP Resources
Fabio E. Cerullo, OWASP Ireland, Ireland
[email protected]
Secure applications do not just happen – they are the result of an organization deciding that it will produce secure applications. OWASP does not wish to force a particular approach or require an organization to take up compliance with laws that do not affect it, as every organization is different. However, for a secure application, the following at a minimum are required:
• Organizational management which champions security
• Written information security policy properly derived from national standards
• A development methodology with adequate security checkpoints and activities
• Secure release and configuration management
Many of the tools, documentation and controls developed by OWASP are influenced by requirements in international standards and control frameworks such as COBIT and ISO. Furthermore, OWASP resources can be used by any type of organization, ranging from universities to financial institutions, in order to develop, test and deploy secure web applications. This presentation will introduce you to some of the most successful projects, such as:
- OWASP Enterprise Security API, which can be used to mitigate the most common flaws in web applications;
- OWASP ASVS, which is intended as a standard on how to verify the security of web applications;
- OWASP Top 10, which helps to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses;
- OWASP Development Guide, which shows how to architect and build a secure application;
- OWASP Code Review Guide, which shows how to verify the security of an application's source code;
- OWASP Testing Guide, which shows how to verify the security of your running application.
Finally, as OWASP believes education is a key component in building secure applications, some of the initiatives being carried out by the OWASP Global Education Committee are going to be highlighted.
Threat Risk Modelling
Martin Knobloch, OWASP Netherlands, Netherlands
[email protected]
How secure must an application be? To take the appropriate measures we have to identify the risks first and think about the measures later. Threat risk modelling is an essential process for secure web application development. It allows organizations to determine the correct controls and to produce effective countermeasures within budget. This presentation is about how to do Threat Risk Modelling: what is needed to start and where to go from there!
Protection of Applications at the Enterprise in the Real World: From Audits to Controls
Javier Fernández-Sanguino, Universidad Rey Juan Carlos, Spain
[email protected]
This talk deals with securing application development in the enterprise world, where applications range from small in-house applications developed by a small department to large applications developed through an outsourcing company in a project spanning several years. In addition, applications that initially were not considered critical suddenly become part of a critical process, or applications that were going to be used in a small and limited internal environment suddenly get promoted and published as a new service on the Internet. To get a better feeling of what works and what does not work in the harsh world outside, this talk will present examples of do's and don'ts coming from real-world projects attempting to protect applications at different stages: from the introduction of technical measures to prevent abuse of Internet-facing applications to source-code-driven application security testing.
A Semantic Web Approach to Share Alerts among Security Information Management Systems
Jorge E. López de Vergara (1), Víctor A. Villagrá (2), Pilar Holgado (1), Elena de Frutos (2), and Iván Sanz (3)
(1) Computer Science Department, Universidad Autónoma de Madrid, Calle Francisco Tomás y Valiente, 11, 28049 Madrid, Spain
(2) Telematic Systems Engineering Department, Universidad Politécnica de Madrid, Avenida Complutense, s/n, 28040 Madrid, Spain
(3) Telefónica Investigación y Desarrollo, Calle Emilio Vargas, 6, 28043 Madrid, Spain
[email protected], [email protected], [email protected], [email protected], [email protected]
Abstract. This paper presents a semantic web-based architecture to share alerts among Security Information Management Systems (SIMS). Such an architecture is useful if two or more SIMS from different domains need to know information about alerts happening in the other domains, which is useful for an early response to network incidents. For this, an ontology has been defined to describe the knowledge base of each SIMS that contains the security alerts. These knowledge bases can be queried from other SIMS, using standard semantic web protocols. Two modules have been implemented: one to insert the new security alerts in the knowledge base, and another one to query such knowledge bases. The performance of both modules has been evaluated, providing some results.
Keywords: SIMS, Semantic Web, IDMEF, SPARQL, Jena, Joseki, RDF, OWL.
1 Introduction
Security is an important issue for Internet Service Providers (ISP). They have to keep their systems safe from external attacks to maintain the service levels they provide to customers. Security threats are identified at routers, firewalls, intrusion detection systems, etc., generating several alerts in different formats. To deal with all these incidents, ISPs usually have a Security Information Management System (SIMS) [1], which collects the event data from their network devices to manage and correlate the information about any incident. A SIMS is useful to detect intrusions at a global level, centralizing the alarms from several security devices. A step forward in this type of system would be the distribution of alerts among SIMS from different ISPs and different vendors for an early response to network incidents. Thus, mechanisms to communicate security notifications and actions have to be developed. These mechanisms will enable collaboration among SIMS to share information about incoming attacks. For this, it is important to homogenise the information the SIMS are going to share.
C. Serrão, V. Aguilera, and F. Cerullo (Eds.): IBWAS 2009, CCIS 72, pp. 27–38, 2010. © Springer-Verlag Berlin Heidelberg 2010
28
J.E. López de Vergara et al.
A data model has to be defined to address several problems associated with representing intrusion detection alert data: alert information is inherently heterogeneous, since some alerts are defined with very little information while others provide much more; and intrusion detection environments differ, so the same attack can be described with different information. Current solutions provide a common XML format to represent alerts, named IDMEF (Intrusion Detection Message Exchange Format) [2]. Although this format is intended for exchanging messages, it is not a good solution in a collaborative SIMS scenario, as each SIMS would flood the other SIMS with such messages. It would be better for a SIMS to ask other SIMS about certain alerts and then infer its own situation from that information. However, IDMEF has not been defined to query for a set of alerts. One way to solve this is to use ontologies [3], which have been defined precisely to share knowledge. Ontologies have previously been proposed to formally describe and detect complex network attacks [4, 5, 6]. In this paper we propose to define an ontology based on IDMEF, where the alerts are represented as instances of the Alert classes of that ontology. The use of an ontology language also improves the information definition, as restrictions beyond data types (for instance, cardinality) can be specified. With this ontology, each SIMS can store a knowledge base of alerts and share it through semantic web interfaces. Other SIMS can then ask about alerts by querying such knowledge bases through those interfaces. As a result, a SIMS is able to share its knowledge with SIMS in other domains. This knowledge could include policies, incidents, updates, etc.; in a first phase, sharing has been constrained to alert incidents. The rest of the paper is structured as follows. The next section presents the architecture of collaborative SIMS based on knowledge sharing. Then, the IDMEF ontology is explained, showing the process followed in its definition as well as how to query it. After this, an implementation of the system that receives IDMEF alerts and stores them in a knowledge base is described. Results obtained with the different modules are also provided. Finally, some conclusions and lines of future work are given.
2 Semantic Collaborative SIMS Architecture
The architecture we propose to share information among SIMS is based on semantic web technologies, as shown in Fig. 1. The figure represents two SIMS, but it can be generalized to several of them. Each SIMS contains an alert knowledge base holding instances of the IDMEF ontology, described in the next section. Each knowledge base can be queried by other SIMS through a semantic web interface that accepts queries about the ontology. To implement the web service interfaces in this architecture, the Joseki server [7], based on the Jena libraries [8], has been used. Joseki is an HTTP server that implements a query interface for SPARQL (SPARQL Protocol and RDF Query Language) [9]. Joseki provides a way to deal with RDF (Resource Description Framework) and OWL (Web Ontology Language) data in files and databases. The Jena libraries have also been used for both the instance generator and the query generator, using the SDB library [10] to store the ontology in a database backend. Section 4 provides a detailed explanation of how they have been implemented.
A Semantic Web Approach to Share Alerts among SIMS
29
[Fig. 1 layout: Security Information Management Systems SIMS1 and SIMS2. SIMS1 holds the instance generator, which turns an IDMEF alert into an IDMEF instance stored in alert knowledge base 1; SIMS2 holds the query generator and alert knowledge base 2, and sends a SPARQL query to SIMS1 through the semantic web interface.]
Fig. 1. Semantic collaborative SIMS architecture
3 IDMEF Ontology
The IDMEF format provides a common language to generate alerts about suspicious events, which lets several systems collaborate in the detection of attacks or in the treatment of the stored alerts. Although IDMEF has some advantages (integration of several sources, use of a well supported format), it also has drawbacks (heterogeneous data sources lead to several alerts for the same attack that do not contain the same information). To solve the identified problems, we have defined an alert ontology based on the IDMEF structure. It is worth remarking that IDMEF has been defined following a model of classes and properties, which makes the ontology definition easier, with a more or less direct mapping. The ontology has been defined using OWL [11], leveraging the advantages of the semantic web (distribution, querying, inferencing, etc.) and also the results of [12]. Several class restrictions have been defined (cardinality, data types) by analyzing the IDMEF definition contained in [2]. The following conventions have been adopted to define the IDMEF ontology:
• Class names start with a capital letter and are the same as the IDMEF class name.
• Property names start with a lower-case letter and have the format domain_propertyName, where domain is the name of the class to which the property belongs and propertyName is the name of the property.
The following rules have also been applied:
• Each class in an IDMEF message maps to a class in the IDMEF ontology.
• Each attribute of an IDMEF class is mapped to a data-type property of the corresponding ontology class.
• Classes contained in another class are in general mapped to object-type properties. An exception to this are aggregated classes that contain text, which have been mapped to data-type properties.
• A subclass of an IDMEF class is also represented as a subclass in the ontology, inheriting all the properties of its parent class.
• When an IDMEF attribute cannot contain several values, it is mapped to a functional property.
• When an IDMEF attribute can only take some specific values, the ontology defines them as the allowed values.
• Numeric attributes are represented as numeric data-type properties, dates as datetime data-type properties, and the rest as string data-type properties.
Following the rules above, the ontology has been defined. Fig. 2 shows a representation of the Alert class, its child classes (OverflowAlert, ToolAlert and CorrelationAlert), and other referenced classes (Classification, AdditionalData, Target, Source, Assessment, CreateTime, AnalyzerTime, DetectTime, Analyzer). This figure has been generated using the Protégé [13] ontology editor. The boxes represent the classes and the arcs represent inheritance (in black, labelled isa) and aggregation (in blue, labelled with the property names) relationships. A UML (Unified Modelling Language) representation could also be provided, using the UML profile for OWL [14]. Our definition enables a mapping from IDMEF messages to IDMEF ontology instances. In this way, the information contained in each IDMEF message is translated into an instance of Alert, with instances of Target, Source, etc., as contained in each message. The ontology includes other additional classes, so that any IDMEF message can be represented in the ontology. With respect to a plain XML IDMEF message, the ontology provides several advantages. For instance, the information can be restricted as specified in the IDMEF definition [2]. Moreover, query languages such as SPARQL can be used to query all the information contained in the knowledge base, not limited to the scope of a concrete XML document, as would be the case with IDMEF messages. To query the knowledge base, SPARQL has been chosen, given that it has recently been recommended by the W3C as the query language for RDF/RDFS and OWL [9]. Using this language, a query can be defined as follows:
    PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
    PREFIX idmef: <idmef-ontology-namespace>   # namespace IRI not reproduced in the paper
    SELECT ?alert ?id ?target_address
    WHERE {
      ?alert rdf:type idmef:Alert ;
             idmef:alert_messageid ?id ;
             idmef:alert_target ?target .
      ?target idmef:target_node ?tnode .
      ?tnode idmef:node_address ?taddress .
      ?taddress idmef:address_address ?target_address
    }
The query starts with PREFIX clauses, which define the namespaces used to identify the queried classes and properties. After this, the variables alert, id and target_address that meet a set of conditions are requested: the alert variable is of type Alert and has the properties alert_messageid and alert_target. The alert_target property in turn refers to an instance with an address value, identified by the variable target_address.
Fig. 2. IDMEF ontology definition
4 Implementation
The architecture proposed in Section 2 has been implemented. Apart from the components provided by existing semantic web implementations (mainly the Joseki server), we have implemented the module that stores the IDMEF alerts in the knowledge base (instance generator), as well as the module that queries alerts of an external knowledge base (query generator). The subsections below present these implementations; Section 5 provides some results.
4.1 Instance Generator
A module has been developed to map IDMEF messages to ontology instances. This module has been developed in Java, taking advantage of the libraries that this language provides for parsing XML documents and ontologies. Fig. 3 shows the steps that have to be performed to generate and save instances in the knowledge base:
[Fig. 3 flow: Open IDMEF message (file) → Parse IDMEF message (XML) → Create IDMEF ontology instances → Save IDMEF ontology instances]
Fig. 3. Steps to generate and store ontology instances
1. The first step is to open the IDMEF message, contained in a file.
2. Next, the IDMEF message, formatted in XML, is parsed. This generates a tree in memory representing the message. This tree is generated using the SAX Java API. To reduce parsing times, we allow the file to contain several messages. With this approach, we can continuously parse several alerts without needing to restart the process.
3. Then, reading the generated tree, the set of instances of the IDMEF ontology is generated, using the Jena library.
4. Once the instances have been generated, they are saved in persistent storage, which can be either an OWL file or, preferably, a database.
The Jena libraries, developed at HP Labs, help when dealing with ontologies in Java applications. In our development we have used Jena version 2, which supports both the RDF and OWL languages, as well as a certain level of reasoning on the defined model. The Jena library enables the management of ontologies: adding, deleting or editing tuples, storing the ontologies and querying them. For this, Jena provides classes such as:
• Resource: anything that can be described in a model. Literal is a type of resource that represents a simple data type, usually a string.
• Property: characteristics, attributes or relationships used to describe a resource.
• Sentence: a resource joined with a property and an associated value (a statement).
• Model: a set of sentences. Models include methods to:
− Create models.
− Read and write models.
− Load models in memory.
− Query a model: look for information inside the model.
− Operate on models: union, intersection, difference.
Models can be stored in many ways, including OWL files as well as representations of the ontology in a relational database. In the latter case, there are several storage possibilities, depending on the library used to represent the ontology in the database. In particular, SDB is a Jena library specifically designed to provide storage in SQL databases, both proprietary and open source. This storage can be done through the SDB API.
4.2 Query Generator
The knowledge base where the alerts are stored can be queried by other SIMS through the semantic web interface. For this, another module has been developed, which performs SPARQL queries against a Joseki server through HTTP. This server accesses the knowledge base and obtains the results of the query. These results are then received by the query module. To connect the query module to Joseki, it is necessary to use the ARQ library [15], which is a query engine for Jena. The query module can execute any SPARQL query. For the most common queries, we have implemented a program which performs the query depending on a series of parameters. For instance:
• All alerts depending on the time:
− Alerts in the last week.
− Alerts in the current day.
− Alerts in a given day.
− Alerts in an interval of time.
• Alerts queried using other parameters:
− Source IP address.
− Target IP address.
− Source port.
− Target port.
− Alert type.
− Target of the attack.
− Source of the attack.
− Tools of the attack.
− Overflow alert.
− Analyzer.
• Assessments of the attacks: impact, actions, etc.
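As an added example (not the paper's Java/Jena instance generator), the following Python code applies the mapping rules of Section 3 to a constructed IDMEF file holding two alerts, as the instance generator of Section 4.1 does, and then evaluates the Section 3 target-address query over the resulting triples. The namespace IRIs, instance IRIs and sample messages are assumptions.

```python
"""Map IDMEF alerts to instances of an IDMEF-style ontology and query them.

Added example, not the paper's Java/Jena code: it applies the paper's naming
conventions (class = IDMEF class name, property = domain_propertyName) with the
standard library only, using (subject, predicate, object) tuples in place of a
Jena Model. The namespace and instance IRIs are assumptions.
"""
import xml.etree.ElementTree as ET
from itertools import count

IDMEF = "http://example.org/idmef#"   # assumed ontology namespace
INST = "http://example.org/alerts/"   # assumed instance namespace
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Constructed sample: one file carrying two messages, so several alerts are
# parsed without restarting the process (the paper's step 2).
SAMPLE_IDMEF = """<?xml version="1.0"?>
<IDMEF-Message version="1.0">
 <Alert messageid="abc123">
  <Analyzer analyzerid="hq-dmz-analyzer01"/>
  <Classification text="Teardrop detected"/>
  <Source><Node><Address category="ipv4-addr">
    <address>192.0.2.200</address></Address></Node></Source>
  <Target><Node><Address category="ipv4-addr">
    <address>192.0.2.50</address></Address></Node></Target>
 </Alert>
 <Alert messageid="abc124">
  <Analyzer analyzerid="hq-dmz-analyzer01"/>
  <Classification text="Ping of Death detected"/>
  <Target><Node><Address category="ipv4-addr">
    <address>192.0.2.51</address></Address></Node></Target>
 </Alert>
</IDMEF-Message>"""

def lower_first(name):
    return name[0].lower() + name[1:]

def prop(domain, name):
    """Property IRI in the paper's domain_propertyName form, e.g. alert_target."""
    return IDMEF + lower_first(domain) + "_" + lower_first(name)

def element_to_instance(elem, triples, ids):
    """Map one IDMEF class element to an ontology instance; returns its IRI."""
    cls = elem.tag
    subject = INST + cls + "_" + str(next(ids))
    triples.append((subject, RDF_TYPE, IDMEF + cls))    # IDMEF class -> ontology class
    for attr, value in elem.attrib.items():             # attribute -> data-type property
        triples.append((subject, prop(cls, attr), value))
    for child in elem:
        if len(child) == 0 and not child.attrib:        # text-only aggregate -> data-type property
            triples.append((subject, prop(cls, child.tag), (child.text or "").strip()))
        else:                                           # contained class -> object-type property
            triples.append((subject, prop(cls, child.tag),
                            element_to_instance(child, triples, ids)))
    return subject

def idmef_to_triples(xml_text):
    """Steps 1-3 of Fig. 3: parse the message file and create the instances."""
    root = ET.fromstring(xml_text)
    triples, ids = [], count(1)
    for alert in root.findall("Alert"):
        element_to_instance(alert, triples, ids)
    return triples

def match(triples, patterns, binding=None):
    """Evaluate a basic graph pattern over the triples (terms starting with '?'
    are variables): the semantics of the WHERE block in the paper's queries."""
    binding = binding or {}
    if not patterns:
        yield dict(binding)
        return
    head, rest = patterns[0], patterns[1:]
    for triple in triples:
        new, ok = dict(binding), True
        for term, value in zip(head, triple):
            ok = new.setdefault(term, value) == value if term.startswith("?") else term == value
            if not ok:
                break
        if ok:
            yield from match(triples, rest, new)

# The Section 3 query (alert, message id, target address) as triple patterns.
TARGET_ADDRESS_QUERY = [
    ("?alert", RDF_TYPE, IDMEF + "Alert"),
    ("?alert", prop("Alert", "messageid"), "?id"),
    ("?alert", prop("Alert", "Target"), "?target"),
    ("?target", prop("Target", "Node"), "?tnode"),
    ("?tnode", prop("Node", "Address"), "?taddress"),
    ("?taddress", prop("Address", "address"), "?target_address"),
]

def alerts_by_target_address(triples, ip=None):
    """(messageid, target address) pairs; `ip` plays the role of the FILTER in
    the Section 5.2 target-address query."""
    rows = {(b["?id"], b["?target_address"]) for b in match(triples, TARGET_ADDRESS_QUERY)}
    return sorted(r for r in rows if ip is None or r[1] == ip)
```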
5 Results
The implemented modules, presented above, have been tested to measure their performance. All the results have been obtained on a computer equipped with an Intel Core2 Duo E8500 processor at 3.16 GHz with 6 MB L2 cache and 2 GB of RAM. Previous tests with older computers provided worse results.
5.1 Instance Generator
To evaluate the generation of instances, the IDMEF messages available in [2] have been used. Table 1 shows the times measured in milliseconds.
Table 1. Time to generate instances of well known IDMEF messages (ms)
IDMEF message        JDBC   SDB    SPARQL/Update
Assessment           1235   1040   n/a
Correlated Alert     1250   1035   640
Disallowed Service   1250   1050   640
Load Module          1220   1050   625
Load Module 2        1250   1035   640
Phf                  1220   1035   610
Ping of Death        1220   1035   625
Policy Violation     1265   1035   640
Scanning             1235   1035   610
Teardrop             1220   1035   610
These times are measured after the database has been created and the ontology model has been represented in the database. If the database and the model have to be created, there are two possibilities:
• Use of JDBC (Java Database Connectivity), with a time of around 1.900 s.
• Use of the SDB library, with a time of around 1.125 s, faster than the previous case.
Both the JDBC and SDB libraries facilitate the connection from Java applications to databases containing ontologies, independently of the operating system. These libraries are also compatible with different databases. In addition, SDB is a Jena component designed specifically to support SPARQL queries, and it provides storage in both proprietary and open source SQL databases. Once the database has been created, there are three alternatives to insert the instances into the ontology database: JDBC, SDB and SPARQL/Update [16]. With respect to the last alternative, SPARQL/Update is an extension of SPARQL that lets a programmer define insert clauses, whereas JDBC and SDB insert data into the ontology by creating ontology data structures in memory that are later stored. From our experiments, the best measurements are obtained if the SPARQL/Update language is used to insert the instances: approximately 60% of the time taken when the SDB library is used, and 50% of the time taken with plain JDBC. The Assessment message is an exception, because it contains characters that cannot be used in the SPARQL/Update sentence; in this case, the SDB library should be used instead.
5.2 Query Generator
Some measurements have also been taken with respect to the time it takes to perform a concrete query from the query module to a test knowledge base with 112 alerts
through the Joseki server. Simplified versions of the queries used for the experiment are shown below (they also included other variables that could be useful about other alert properties):
• Alerts depending on a time interval:
    PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
    PREFIX idmef: <idmef-ontology-namespace>   # namespace IRI not reproduced in the paper
    SELECT ?alert ?time
    WHERE {
      ?alert rdf:type idmef:Alert .
      ?alert idmef:alert_createTime ?createTime .
      ?createTime idmef:createTime_time ?time .
      FILTER (?time > time1)
      FILTER (?time < time2)
    }
where time1 and time2 are replaced appropriately to query for a concrete period of time.
• Alerts depending on the source IP address:
    PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
    PREFIX idmef: <idmef-ontology-namespace>   # namespace IRI not reproduced in the paper
    SELECT ?alert ?sourceAddress
    WHERE {
      ?alert rdf:type idmef:Alert .
      ?alert idmef:alert_source ?source .
      ?source idmef:source_node ?node .
      ?node idmef:node_address ?address .
      ?address idmef:address_address ?sourceAddress .
      FILTER (?sourceAddress = ipAddr)
    }
where ipAddr is replaced with a concrete IP address.
• Alerts depending on the target IP address:
    PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
    PREFIX idmef: <idmef-ontology-namespace>   # namespace IRI not reproduced in the paper
    SELECT ?alert ?targetAddress
    WHERE {
      ?alert rdf:type idmef:Alert .
      ?alert idmef:alert_target ?target .
      ?target idmef:target_node ?node .
      ?node idmef:node_address ?address .
      ?address idmef:address_address ?targetAddress .
      FILTER (?targetAddress = ipAddr)
    }
where ipAddr is replaced with a concrete IP address.
• Alerts depending on their type:
    PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
    PREFIX idmef: <idmef-ontology-namespace>   # namespace IRI not reproduced in the paper
    SELECT ?alert ?aName
    WHERE {
      ?alert rdf:type idmef:Alert .
      ?alert idmef:alert_classification ?classification .
      ?classification idmef:classification_text ?aName .
      FILTER (?aName = alertName)
    }
where alertName is replaced with a concrete alert name. Tables 2, 3, 4 and 5 below show the results obtained when querying the alert knowledge base with these queries:
Table 2. Knowledge base query times depending on the time interval
Obtained results   Time (ms)
23                 547
9                  500
32                 641
Table 3. Knowledge base query times depending on the source IP of an alert
Obtained results   Time (ms)
1                  453
Table 4. Knowledge base query times depending on the target IP of the alerts
Obtained results   Time (ms)
11                 500
33                 625
77                 750
Table 5. Knowledge base query times depending on the alert type
Obtained results   Time (ms)
2                  468
13                 484
7                  468
As shown, the time to retrieve the results is dependent on the number of alerts that match the query, but not on the query itself. Further tests have to be performed with larger knowledge bases.
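Returning to the Section 5.1 remark that the Assessment message contains characters that cannot be used in a SPARQL/Update sentence: the following added Python code (not the paper's implementation) escapes string literals as the SPARQL grammar requires, so alert text arriving from sensors, quotes and line breaks included, can be placed in an INSERT DATA request without ending the literal early or altering the statement. Which characters the paper hit is not stated, so quotes, backslashes and newlines are assumed; the namespace IRIs and the property names not shown in the paper are assumptions too.

```python
"""Escape string literals for a SPARQL/Update INSERT DATA request.

Added example, not the paper's code. Literals are escaped with the ECHAR
escapes of the SPARQL grammar and lexed back by a STRING_LITERAL2 checker,
so alert text coming from sensors cannot end the literal early or smuggle
extra triples into the update. Namespace and instance IRIs and the property
names not shown in the paper are assumptions.
"""

class IRI(str):
    """Marks a term as an IRI, written <...>, rather than a string literal."""

IDMEF = "http://example.org/idmef#"      # assumed ontology namespace
INST = "http://example.org/alerts/"      # assumed instance namespace
RDF_TYPE = IRI("http://www.w3.org/1999/02/22-rdf-syntax-ns#type")

# ECHAR escapes permitted inside a SPARQL string literal (and their inverses).
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r",
            "\t": "\\t", "\b": "\\b", "\f": "\\f"}
_UNESCAPES = {"t": "\t", "b": "\b", "n": "\n", "r": "\r", "f": "\f",
              '"': '"', "'": "'", "\\": "\\"}

def naive_literal(value):
    """The unsafe construction: raw text wrapped in quotes."""
    return '"' + value + '"'

def sparql_literal(value):
    """Escape `value` as a double-quoted SPARQL string literal."""
    return '"' + "".join(_ESCAPES.get(c, c) for c in value) + '"'

def parse_string_literal(token):
    """Lex one STRING_LITERAL2 token back to its value; ValueError if malformed.
    This is the check a SPARQL endpoint applies when it parses the update."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("not a double-quoted literal")
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 >= len(body) or body[i + 1] not in _UNESCAPES:
                raise ValueError("invalid escape sequence")
            out.append(_UNESCAPES[body[i + 1]])
            i += 2
        elif c in '"\n\r':
            raise ValueError("unescaped %r inside literal" % c)
        else:
            out.append(c)
            i += 1
    return "".join(out)

def term(t):
    return "<%s>" % t if isinstance(t, IRI) else sparql_literal(t)

def insert_data(triples):
    """SPARQL/Update request inserting `triples` (objects are IRI or plain text)."""
    lines = ["INSERT DATA {"]
    lines += ["  %s %s %s ." % (term(s), term(p), term(o)) for s, p, o in triples]
    lines.append("}")
    return "\n".join(lines)

def literal_survives(value, encoder):
    """True when `encoder(value)` lexes back to exactly `value`."""
    try:
        return parse_string_literal(encoder(value)) == value
    except ValueError:
        return False

# Constructed Assessment-style content holding the characters that need escaping.
IMPACT_TEXT = 'Login as "root" via C:\\tools\\x.exe\nUser account compromised'
SAMPLE_TRIPLES = [
    (IRI(INST + "Alert_1"), RDF_TYPE, IRI(IDMEF + "Alert")),
    (IRI(INST + "Alert_1"), IRI(IDMEF + "alert_assessment"), IRI(INST + "Assessment_2")),
    (IRI(INST + "Assessment_2"), RDF_TYPE, IRI(IDMEF + "Assessment")),
    (IRI(INST + "Assessment_2"), IRI(IDMEF + "assessment_impact"), IRI(INST + "Impact_3")),
    (IRI(INST + "Impact_3"), IRI(IDMEF + "impact_severity"), "high"),
    (IRI(INST + "Impact_3"), IRI(IDMEF + "impact_description"), IMPACT_TEXT),  # assumed name
]
```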
6 Conclusions
This work has assessed the applicability of semantic web technologies to security information management systems, providing a way to semantically share information among different security domains. For this, an ontology based on IDMEF has been defined, which can hold all the information of any IDMEF message. To test this ontology, we have also defined and implemented a semantic collaborative SIMS architecture, where each SIMS stores its IDMEF alerts in a knowledge base and can query the knowledge bases of other SIMS using a SPARQL interface. The tests performed to store alerts showed the times needed to save such alerts, which can be acceptable for a prototype but not for a production system that receives tens of alerts per second. Thus, several approaches have been taken to improve these times. On the one hand, the Jena SDB library has been used to optimize the storage of the ontology in a database. On the other hand, the use of SPARQL/Update has been proposed, to limit the saving time to the information contained in each alert. Another improvement has been the continuous parsing of alerts, to avoid launching a Java process each time an IDMEF message arrives at the instance generator. In this way, we could reduce the storing time to half that of the initial approach. With respect to the query modules, we have done preliminary tests with good results. We will run further tests, modifying the size of the knowledge base to check how the system performs with larger data sets. It is also important to note that the instances of old alerts are periodically deleted from the knowledge base. This prevents its size from growing ad infinitum. As further future work, we will study how to perform inference with the information contained in the knowledge bases.
Acknowledgements.
This work has been done in the framework of the collaboration with Telefónica I+D in the project SEGUR@ (reference CENIT-2007 2004, https://www.cenitsegura.es), funded by the CDTI, Spanish Ministry of Science and Innovation under the program CENIT.
References
1. Dubie, D.: Users shoring up net security with SIM. Network World (September 30, 2001)
2. Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (IDMEF). IETF Request for Comments 4765 (March 2007)
3. Gruber, T.R.: A Translation Approach to Portable Ontology Specifications. Knowledge Acquisition 5(2), 199–220 (1993)
4. Undercoffer, J., Joshi, A., Pinkston, A.: Modeling computer attacks: an ontology for intrusion detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 113–135. Springer, Heidelberg (2003)
5. Geneiatakis, D., Lambrinoudakis, C.: An ontology description for SIP security flaws. Computer Communications 30(6), 1367–1374 (2007)
6. Dritsas, S., Dritsou, V., Tsoumas, B., Constantopoulos, P., Gritzalis, D.: OntoSPIT: SPIT management through ontologies. Computer Communications 32(1), 203–212 (2009)
7. Joseki – A SPARQL Server for Jena, http://www.joseki.org/
8. Jena – A Semantic Web Framework for Java, http://jena.sourceforge.net/
9. Prud'hommeaux, E., Seaborne, A.: SPARQL Query Language for RDF. W3C Recommendation (January 15, 2008)
10. SDB – A SPARQL Database for Jena, http://jena.sourceforge.net/SDB/
11. McGuinness, D.L., van Harmelen, F.: OWL Web Ontology Language Overview. W3C Recommendation (February 10, 2004)
12. López de Vergara, J.E., Vázquez, E., Martin, A., Dubus, S., Lepareux, M.N.: Use of ontologies for the definition of alerts and policies in a network security platform. Journal of Networks 4(8), 720–733 (2009)
13. Gennari, J.H., Musen, M.A., Fergerson, R.W., Grosso, W.E., Crubézy, M., Eriksson, H., Noy, N.F., Tu, S.W.: The evolution of Protégé: an environment for knowledge-based systems development. Int. J. Hum.-Comput. Stud. 58(1), 89–123 (2003)
14. Object Management Group: Ontology Definition Metamodel Version 1.0. OMG document number formal/2009-05-01 (May 2009)
15. ARQ – A SPARQL Processor for Jena, http://jena.sourceforge.net/ARQ/
16. Seaborne, A., Manjunath, G., Bizer, C., Breslin, J., Das, S., Davis, I., Harris, S., Idehen, K., Corby, O., Kjernsmo, K., Nowack, B.: SPARQL Update, A language for updating RDF graphs. W3C Member Submission (July 15, 2008)
WASAT - A New Web Authorization Security Analysis Tool
Carmen Torrano-Gimenez, Alejandro Perez-Villegas, and Gonzalo Alvarez
Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas, Serrano 144, 28006 Madrid, Spain
{carmen.torrano,alejandro.perez,gonzalo}@iec.csic.es
Abstract. WASAT (Web Authentication Security Analysis Tool) is an intuitive and complete application designed for the assessment of the security of different web-related authentication schemes, namely Basic Authentication and Forms-Based Authentication. WASAT is able to mount dictionary and brute force attacks of variable complexity against the target web site. Password files incorporate a syntax to generate different password search spaces. An important feature of this tool is that low-signature attacks can be performed in order to avoid detection by anti-brute-force mechanisms. The tool is platform-independent and multithreaded, allowing the user to control the program speed. WASAT provides some features not included in many of the existing similar applications and hardly any of their drawbacks, making it an excellent tool for security analysis.
Keywords: web authentication security, security analysis tool, password cracking.
1 Introduction
Nowadays web applications handle more and more sensitive information. As a consequence, web applications are an attractive target for attackers, who are able to perform attacks with devastating consequences. Therefore, the proper protection of these systems is very important, and it becomes necessary for site administrators to assess the security of web applications. In addition, these days most network-capable devices, including simple consumer electronics such as printers and photo frames, have an embedded web interface for easy configuration [1]. These web interfaces can also suffer a large variety of attacks; therefore they should also be protected [1]. This paper presents a tool for the assessment of the security of different web authentication schemes. Usually, some web application areas have restricted access. Authentication makes it possible to verify the identity of the person accessing the web application. Our tool is able to analyse the security of web applications using two HTTP authentication schemes, namely Basic Authentication and Form-Based Authentication. Basic Authentication is a challenge-response mechanism that is used by a server to challenge a client and by a client to provide authentication information. In this scheme the user agent authenticates itself by providing a user-ID and a password when accessing a protected space.
C. Serrão, V. Aguilera, and F. Cerullo (Eds.): IBWAS 2009, CCIS 72, pp. 39–49, 2010. © Springer-Verlag Berlin Heidelberg 2010
40
C. Torrano-Gimenez, A. Perez-Villegas, and G. Alvarez
The server will authorize the request only if it can validate the user-ID and password for the protection space corresponding to the URI of the request. Form-based Authentication is the most widely used authentication scheme. When the client accesses a protected service or resource, the user is required to fill in a form entering a username and a password. These credentials are submitted to the web server, where they are validated against the database containing the usernames and passwords of all users registered in the web application. Access is only allowed if the credentials are present in the database. Further information about these HTTP authentication schemes is presented in Section 2. WASAT can be applied against any web application having an authentication mechanism. This tool can mount dictionary and brute force attacks of varying complexity against the target web site. User and password files can be configured to be used as the search space. Variations on the passwords can be generated using a simple special syntax in the password file, which makes exhaustive searches possible. Also, low-signature attacks can be carried out with this tool in order to avoid detection. Several strategies can be used to generate low-signature attacks, like distributing the requests of a user over several time periods. The number of threads used by the application can be configured by the user in order to improve the speed of the program. Also, a list of proxies can be specified by the user in order to make the requests anonymous. The configuration data of a session can be stored in a file and opened later, making it easier to initialize a new session. Moreover, the process can be paused and resumed later. WASAT also has a useful and complete help file for users. The rest of the paper is organized as follows. Section 2 reviews different authentication schemes. In Section 3 several mechanisms that can be used by web servers to detect brute force attacks are described. Section 4 refers to related work. In Section 5 the features and the behavior of WASAT are explained. Section 6 presents future work and finally, in Section 7, the conclusions of this work are given.
2 HTTP Authentication Schemes
WASAT can assess the security of both HTTP schemes, Basic Authentication and Forms-Based Authentication. A short description of both schemes is included below.
2.1 Basic Authentication
HTTP provides a simple challenge-response authentication mechanism which is used by a server to challenge a client after it has made a request and by a client to provide authentication information. It uses a token to identify the authentication scheme, which is "Basic" in this case. In this scheme there are no optional authentication parameters. Upon receipt of an unauthorized request for a URI within the protection space, the server should challenge the authorization of the user agent with a 401 response. This response must include a WWW-Authenticate header field containing the following:
WASAT- A New Web Authorization Security Analysis Tool
41
    WWW-Authenticate: Basic realm="WallyWorld"
where "WallyWorld" is the string assigned by the server to identify the protection space of the Request-URI. A user agent that wishes to authenticate itself with a server after receiving a 401 response includes an Authorization header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. Thus, to receive authorization, the client sends the user-ID and password, separated by a single colon (":") character, within a base64 [5] encoded string in the credentials. For instance, if the user agent wishes to send the user-ID "Aladdin" and password "open sesame", it would use the following header field:
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The domain over which credentials can be automatically applied by a user agent is determined by the protection space. If a prior request has been authorized, the same credentials may be reused for all subsequent requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preference. Further details can be found in [2].
2.2 Forms-Based Authentication
This is the most common authentication scheme, used in web servers with thousands and even millions of users. It consists of a database table storing the usernames and passwords of all users. When the protected service or resource is to be accessed, the user fills in a form with the corresponding username and password. These credentials are submitted to the web server, where they are validated against the database. If the username and password exist in the database, access is granted; otherwise, the user is rejected. The HTML web form includes at least two input text fields: the username and the password. Additionally, many other fields, usually included in the form as hidden fields, may be present. Moreover, the authentication process may require the presence of certain cookies and HTTP headers, such as "Referer:" and "User-Agent:". When the user is successfully logged in, a token or a cookie may be issued to the user, or a memory space may be assigned on the server, which will identify the user in future requests without asking for validation again.
3 Security Mechanisms against Brute Force Attacks
Web servers can use several security mechanisms in order to detect dictionary and brute force attacks. This section describes the main existing mechanisms and how WASAT can avoid them. Web servers can analyze the number of received requests, the time interval and the source (username or IP address) to detect brute force attacks. Therefore, when web servers receive large numbers of requests in a short period of time from the same user or from the same IP address, they can assume a brute force attack is taking place. When an attack is detected, the server can block the corresponding user or IP address temporarily or permanently, in the latter case requiring a different communication channel for the user/IP to be admitted again.
WASAT provides several features to avoid all of these security mechanisms. In WASAT the user can define a list of proxies that are used to send the requests to the server. As a different proxy is used to send each request to the server, the IP address block can be evaded. WASAT offers two mechanisms to evade the user block. The first one is defining the inter-request time, which establishes the minimum time between requests from the same user. The second one is the reverse search: reading the passwords from the file and, for every password, trying to log in with every username. As a consequence of both mechanisms, the requests from the same user are distributed over time.
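From the server side, the detection this section describes reduces to counting failed attempts per source inside a time window. The following added Python code (not part of the paper or of WASAT) runs the section's signals, failures per username and per IP address within a sliding window, over constructed log lines, and goes beyond the page with a third counter over the whole login endpoint regardless of source; the log format, usernames and addresses are constructed.

```python
"""Rate-based detection of dictionary and brute force logins from an auth log.

Added example, not part of the paper or of WASAT. It applies the signals the
section names (number of requests, time interval, source as username or IP)
over constructed log lines and adds one more, a count over the whole login
endpoint regardless of source. Usernames, addresses and the log format are
constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log: "<ISO time> <username> <source IP> <FAIL|OK>".
# 10:00  six failures on one account from six addresses (a proxy list)
# 10:05  one attempt per account from a single address (reverse search)
# 10:10  a legitimate user who mistypes twice and then logs in
# 10:15  one attempt per account, each from a different address
SAMPLE_LOG = """\
2009-12-10T10:00:00 alice 198.51.100.11 FAIL
2009-12-10T10:00:01 alice 198.51.100.12 FAIL
2009-12-10T10:00:02 alice 198.51.100.13 FAIL
2009-12-10T10:00:03 alice 198.51.100.14 FAIL
2009-12-10T10:00:04 alice 198.51.100.15 FAIL
2009-12-10T10:00:05 alice 198.51.100.16 FAIL
2009-12-10T10:05:00 bob 203.0.113.9 FAIL
2009-12-10T10:05:10 carol 203.0.113.9 FAIL
2009-12-10T10:05:20 dave 203.0.113.9 FAIL
2009-12-10T10:05:30 erin 203.0.113.9 FAIL
2009-12-10T10:05:40 frank 203.0.113.9 FAIL
2009-12-10T10:10:00 grace 192.0.2.77 FAIL
2009-12-10T10:10:05 grace 192.0.2.77 FAIL
2009-12-10T10:10:10 grace 192.0.2.77 OK
2009-12-10T10:15:00 henry 198.51.100.21 FAIL
2009-12-10T10:15:10 ivan 198.51.100.22 FAIL
2009-12-10T10:15:20 judy 198.51.100.23 FAIL
2009-12-10T10:15:30 kate 198.51.100.24 FAIL
2009-12-10T10:15:40 leo 198.51.100.25 FAIL
not a log line: skipped by the parser
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")
WINDOW_S = 60     # sliding window length in seconds
THRESHOLD = 5     # failures inside one window that trigger a block

# How attempts are grouped: per account (catches a proxy list rotating the IP),
# per address (catches reverse search from one IP), and per endpoint (still
# sees the combination of both, which the two source-based counters miss).
PICK = {"user": lambda e: e[1], "ip": lambda e: e[2], "endpoint": lambda e: "login"}

def parse_log(text):
    """(timestamp, user, ip, success) tuples in time order; malformed lines skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return sorted(events, key=lambda e: e[0])

def burst_sources(events, key, window_s=WINDOW_S, threshold=THRESHOLD):
    """{source: peak failures} for sources whose failed attempts within any
    sliding window of window_s seconds reach threshold."""
    pick = PICK[key]
    recent, flagged = defaultdict(deque), {}
    for event in events:
        if event[3]:
            continue                                  # successes are not counted
        source, ts = pick(event), event[0]
        q = recent[source]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop attempts outside window
            q.popleft()
        if len(q) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(q))
    return flagged

def detect(log_text):
    """Report of blocked sources, keyed by the signal that raised them."""
    events = parse_log(log_text)
    return {key: burst_sources(events, key) for key in PICK}
```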
4 Related Work
There are several popular tools similar to our application, such as Crowbar [3], Brutus [4], Caecus [5], THC-Hydra [6] and WebSlayer [7]. All these tools have been tested and several of their features have been considered. The importance of some of these features was explained in Section 3. The considered features are the following:
• Multi-Threading. The ability to establish different connections with the server concurrently and speed up the process.
• Proxy Connection. Using proxies makes it possible to establish anonymous connections to the server.
• Password Generation. Automatic password generation allows the user to build many password combinations without writing a huge wordlist.
• Inter-Request Time. The minimum time interval between attempts with the same username.
• Restore Sessions. The use of sessions lets the user restore previously aborted sessions.
• Multi-Platform. The tool can run on any platform; that is, the application is not platform-dependent.
Proxy Connection and Inter-Request Time make it possible to avoid IP-based and time-based anti-brute-force mechanisms respectively. In Table 1, these tools are compared against WASAT according to the selected features.
Table 1. Cracking tools comparison
Feature/Tool          Hydra    Caecus   Brutus    Crowbar   WebSlayer   WASAT
Multi-Threading       Yes      Yes      Yes       Yes       Yes         Yes
Proxy Connection      Single   List     Single    No        Single      List
Password Generation   No       No       Limited   No        Generator   Script
Inter-Request Time    No       No       No        No        No          Yes
Restore Sessions      Yes      No       No        No        No          Yes
Multi-Platform        No       No       No        No        No          Yes
An experimental comparison regarding the time required for brute force attacks has not been included in this paper, as it depends on the bandwidth and the server load.
5 Application Description
WASAT offers the possibility to specify the configuration of the target web application and the desired authentication method to be used. The program preferences can also be configured by the user. After specifying the configuration, the analysis can start; it can also be paused or stopped. The configuration parameters of every session can be saved in a file, and a configuration file can be loaded as well. The current version of WASAT can be downloaded from http://www.iec.csic.es/wasat. A snapshot of the main window of WASAT is presented in Fig. 1.
Fig. 1. Main Window of WASAT after assessment
5.1 Analysis Configuration
Before starting a new analysis session, the configuration parameters have to be defined. The parameters are filled in through the following tabs:
Target Definition. The target web application is defined by the URL and the port. The URL should refer to the login page of the web application. Usually, this parameter corresponds to the string in the "action" part of the HTML