HTTP/HTTPS threats
Servers are increasingly being targeted by exploits at the application layer or higher. These attacks use HTTP/HTTPS and aim to compromise the target web server, either to steal information, deface it, or to post malicious files on a trusted site to further exploit visitors to the site, using the web server to create botnets.
Among its many threat management features, FortiWeb fends off attacks that use cross-site scripting, state-based, and various injection attacks. This helps you comply with protection standards for:
credit-card data, such as PCI DSS 6.6
personally identifiable information, such as HIPAA
Table 2 lists several HTTP-related threats and describes how FortiWeb appliances protect servers from them. FortiWeb can also protect against threats at higher layers (HTML, Flash or XML applications).
Table 2: Web-related threats (columns: Attack Technique, Description, Protection, FortiWeb Solution)

Attack technique: Adobe Flash binary (AMF) protocol attacks
Description: Attackers attempt XSS, SQL injection or other common exploits through an Adobe Flash client.
Protection: Decode and scan Flash action message format (AMF) binary data for matches with attack signatures.

Attack technique: Botnet
Description: Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s).

Attack technique: Browser Exploit Against SSL/TLS (BEAST)
Description: A man-in-the-middle attack where an eavesdropper exploits reused initialization vectors in older TLS 1.0 implementations of CBC-based encryption ciphers such as AES and 3DES.
Protection: Use TLS 1.1 or greater; or use ciphers that do not involve CBC, such as stream ciphers; or use CBC only with correct initialization vector (IV) implementations.

Attack technique: Brute force login attack
Description: An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works.
Protection: Require strong passwords for users, and throttle login attempts.

Attack technique: Clickjacking
Description: Code such as <IFRAME> HTML tags superimposes buttons or other DOM/inputs of the attacker's choice over a normal form, causing the victim to unwittingly provide data such as bank or login credentials to the attacker's server instead of the legitimate web server when the victim clicks to submit the form.
Protection: Scan for illegal inputs to prevent the initial injection, then apply rewrites to scrub any web pages that have already been affected.

Attack technique: Cookie tampering
Description: Attackers alter cookies originally established by the server to inject overflows, shell code, and other attacks, or to commit identity fraud, hijacking the HTTP sessions of other clients.
Protection: Validate cookies returned by the client to ensure that they have not been altered from the previous response from the web server for that HTTP session.

Attack technique: Credit card theft
Description: Attackers read users' credit card information in replies from a web server.
Protection: Detect and sanitize credit card data leaks. Helps you comply with credit card protection standards, such as PCI DSS 6.6.

Attack technique: Cross-site request forgery (CSRF)
Description: A script causes a browser to access a web site on which the browser has already been authenticated, giving a third party access to a user's session on that site. Classic examples include hijacking other people's sessions at coffee shops or Internet cafés.
Protection: Enforce web application business logic to prevent access to URLs from the same IP but a different client.

Attack technique: Cross-site scripting (XSS)
Description: Attackers cause a browser to execute a client-side script, allowing them to bypass security.
Protection: Content filtering, cookie security, disable client-side scripts.

Attack technique: Denial of service (DoS)
Description: An attacker uses one or more techniques to flood a host with HTTP requests, TCP connections, and/or TCP SYN signals. These use up available sockets and consume resources on the server, and can lead to a temporary but complete loss of service for legitimate users.
Protection: Watch for a multitude of TCP and HTTP requests arriving in a short time frame, especially from a single source, and close suspicious connections. Detect increased SYN signals, and close half-open connections before resources are exhausted.

Attack technique: HTTP header overflow
Description: Attackers use specially crafted HTTP/HTTPS requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code, escalating to administrator privileges.
Protection: Limit the length of HTTP protocol header fields, bodies, and parameters.

Attack technique: Local file inclusion (LFI)
Description: LFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an LFI, a client includes directory traversal commands (such as ../../ for web servers on Linux, Apple Mac OS X, or Unix distributions) when submitting input. This causes vulnerable web servers to use one of the computer's own files (or a file previously installed via another attack mechanism) to either execute it or include it in its own web pages.
This could be used for many purposes, including direct attacks of other servers, installation of malware, data theft of /etc/passwd, display of database query caches, creation of administrator accounts, and use of any other files on the server's file system.
Many platforms have been vulnerable to these types of attacks, including Microsoft .NET and Joomla.
Protection: Block directory traversal commands.

Attack technique: Man-in-the-middle (MITM)
Description: A device located on the same broadcast network or between the client and server observes unencrypted traffic between them. This is often a precursor to other attacks such as session hijacking.
Protection: Redirect clients from HTTP to secure HTTPS, then encrypt all traffic and prevent subsequent accidental insecure access.

Attack technique: Remote file inclusion (RFI)
Description: RFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an RFI, a client includes a URL to a file on a remote host, such as source code or scripts, when submitting input. This causes vulnerable web servers to either execute it or include it in their own web pages.
If code is executed, this could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft.
If code is included into the local file system, this could be used to cause other, unsuspecting clients who use those web pages to commit distributed XSS attacks.
Famously, this was used in organized attacks by LulzSec. Attacks often involve PHP web applications, but can be written for others.
Protection: Prevent inclusion of references to files on other web servers.

Attack technique: Server information leakage
Description: A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this fingerprint to craft exploits for a specific system or configuration.
Protection: Configure server software to minimize information leakage.
FortiWeb solution: Rewriting & redirecting, to hide application structure and servlet names.

Attack technique: SQL injection
Description: The web application inadvertently accepts SQL queries as input. These are executed directly against the database for unauthorized disclosure and modification of data.
Protection: Rely on keyword searches, restrictive context-sensitive filtering and data sanitization techniques.

Attack technique: Malformed XML
Description: To exploit XML parser or data modeling bugs on the server, the client sends incorrectly formed tags and attributes.
Protection: Validate XML formatting for closed tags and other basic language requirements.
Caution: Unlike XML protection profiles in previous versions of FortiWeb, Illegal XML Format does not check for conformity with the object model or recursive payloads.
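The cookie-integrity check named in the Cookie tampering row, as an added example that is not FortiWeb's code: the server appends an HMAC-SHA256 tag when it sets a cookie and rejects any returned cookie whose tag no longer matches the value, so a client that edits the value is detected rather than trusted. The key, cookie layout and separator are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac

# Assumed server-side secret (constructed for the demo; load from a key store in practice).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag to a cookie value before it is sent in Set-Cookie."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag_b64 = base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")
    return f"{value}.{tag_b64}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the original value if the returned cookie is intact, else None.

    None means the cookie was altered, truncated, signed with another key,
    or never carried a tag; the caller should treat the session as untrusted.
    """
    value, sep, tag_b64 = cookie.rpartition(".")  # urlsafe base64 never contains '.'
    if not sep:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison; also returns False when the lengths differ.
    if not hmac.compare_digest(tag, expected):
        return None
    return value
```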
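The rate-based detection described in the Brute force login attack and Denial of service rows, as an added example that is not FortiWeb's code: a sliding window per source IP over access-log lines flags repeated 401s on the login path and request floods from a single source. The log lines, addresses, paths and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed access-log lines (Common Log Format); no real host is represented.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:13 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.1 - - [10/Oct/2023:13:55:20 +0000] "GET /about HTTP/1.1" 200 1024
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def _slide(times, now, window_s):
    """Drop timestamps older than window_s seconds before `now`."""
    while times and (now - times[0]).total_seconds() > window_s:
        times.popleft()

def detect(lines, window_s=10, req_limit=4, fail_limit=2, login_path="/login"):
    """Per-source sliding-window counters; returns {ip: set of alert names}.
    'flood': more than req_limit requests within window_s; 'brute-force': more
    than fail_limit 401s on login_path within window_s. Thresholds are demo values."""
    reqs, fails, alerts = defaultdict(deque), defaultdict(deque), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, t, _method, path, status = rec
        _slide(reqs[ip], t, window_s)
        reqs[ip].append(t)
        if len(reqs[ip]) > req_limit:
            alerts[ip].add("flood")
        if path == login_path and status == 401:
            _slide(fails[ip], t, window_s)
            fails[ip].append(t)
            if len(fails[ip]) > fail_limit:
                alerts[ip].add("brute-force")
    return dict(alerts)
```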