
Page 1: Application Research Series - Reboot Communications...Application Protection Research Series • PHP, the weak point of the Internet • Attack methods follow business models • Injection,
Page 2

Application Protection Research Series

Using data to unite tactics and strategy in risk-based security

Page 3

Application Protection Research Series

• PHP, the weak point of the Internet

• Attack methods follow business models

• Injection, rejuvenated

• Access attacks predominant

• APIs changing the landscape

2019 Conclusions

Page 4

Applications are the business

Page 5

Applications are the gateway to your data

Page 6

How Are Applications Targeted?

• Sub domains hosting other versions of the main application site

• Dynamic web page generators

• HTTP headers and cookies

• Admin interfaces

• Apps/files linked to the app

• Web service methods

• Helper apps on client (Java, Flash)

• Server-side features such as search

• Web pages and directories

• Shells, Perl/PHP

• Data entry forms

• Administrative and monitoring stubs and tools

• Events of the application: triggered server-side code

• Backend connections through the server (injection)

• APIs

• Cookies/state tracking mechanisms

• Data/active content pools: the data that populates and drives pages

Page 7

How Can We Organize This Better?

Tiers: SERVICES, ACCESS, TLS/SSL, DNS, NETWORK


Page 8

Figure: attack types mapped onto the tiers above plus CLIENT. Attack types shown: Certificate spoofing, Protocol abuse, Session hijacking, Key disclosure, DDoS, Eavesdropping, Man-in-the-middle, Man-in-the-browser, Malware, Cross-site request forgery, Cross-site scripting, DNS hijacking, DNS spoofing, DNS cache poisoning, Dictionary attacks, Abuse of functionality, API attacks, Injection, Credential theft, Credential stuffing, Brute force, Phishing.


Page 10

Breach Analysis 761 87%

The unauthorized access involved the insertion of rogue code into our checkout page.

Page 11

Breach Analysis 1025 85%

The unauthorized access involved the insertion of rogue code into our checkout page.

Page 12

Caveats for Public Breach Notifications

Page 13

Chart: 2018 US Breaches by Cause (%), in chart order: Access-related 47.0, Web 17.3, Accidental 14.0, Physical security 9.0, Malware 5.0, Insider 4.0, Phishing (no details) 2.1, Third-party compromised 1.6

Page 14

Chart: 2019 US Breaches by Cause (%), in chart order: Access related 51.8, Web 18.9, Accidental 13.0, Physical 6.1, Malware 6.6, Insider 3.1, Third-party compromised 0.5

Page 15

Chart: breaches by industry, split into Access (mostly phishing and email) and Web (mostly injection)


Page 17

Web Attacks: Don’t fix it if it ain’t broke

Page 18

Figure: a targeted site running malicious PHP code, payment card info breached, and the stolen data exfiltrated via HTTPS to a drop server.

Injects are usually due to weak input filters, which are common in PHP, JS and CMS systems, and can add fake fields to the page.

Page 19

Figure: Bob’s Bikes, a typical shopping site (Yellow Bike, $52.00; bike image: istock1070233662) built from third-party widgets/content, all linked off the main app site but hosted elsewhere…

Page 20

Third-party widget injects are not seen by the WAF
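As an added example (not from the F5 deck), a small Python audit of the situation on pages 18 to 20: it lists every cross-origin <script> source without a Subresource Integrity attribute, which is exactly the third-party widget content a WAF in front of the main site never inspects, and computes the SRI value to pin a vetted copy. The sample page, hosts and the "sha384-AAAA" value are constructed placeholders.

```python
"""Audit <script> tags for off-site sources lacking SRI, and compute SRI values."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) pairs from every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))


def sri_hash(script_bytes: bytes) -> str:
    """Return the sha384 integrity value for a byte-exact copy of a script."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_third_party_scripts(html: str, site_host: str) -> list:
    """List each script loaded from a host other than site_host that has no
    integrity attribute: the WAF in front of site_host never sees that
    content, and the browser will execute whatever the third party serves."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).netloc  # empty for relative (same-site) URLs
        if host and host != site_host and not integrity:
            findings.append(src)
    return findings


# Constructed sample page; hosts and the "sha384-AAAA" value are placeholders.
SAMPLE_PAGE = """<html><body>
<script src="/static/cart.js"></script>
<script src="https://cdn.example-widgets.test/reviews.js"></script>
<script src="https://cdn.example-widgets.test/analytics.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
</body></html>"""
```

Running `audit_third_party_scripts(SAMPLE_PAGE, "shop.bobsbikes.test")` flags only reviews.js; pinning it with `sri_hash()` of a reviewed copy makes the browser refuse a modified script even though the WAF never sees it.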

Page 21

Access Attacks: Primary cause of breach

• Brute force

• Credential stuffing

• Phishing

Page 22

Page 23

Page 24

Chart: Brute force attacks by industry from reported 2018 F5 SIRT incidents (%), in chart order: Telecom 22.2, Retail 23.1, Tech 23.5, Service 25.0, Education 27.3, Health 41.7, Finance 47.8, Public 50.0

Page 25

Page 26

API Breaches: API Incident Trends, API Attacks

Page 27

Figure: a logging pipeline in which Server 1, Server 2 and Server 3 each ship logs to Logstash (parse, filter and transform), which feeds Elastic, with the data visualized in Kibana.

Page 28

Timeline of API incidents, 2011 to 2019 (in date order):

• Sep 2011: Westfield

• Mar 2015: Tinder

• Feb 2017: WordPress

• Aug 2017: Instagram

• Nov 2017: US Postal Service

• Jan 2018: Tinder

• Mar 2018: Google

• Mar 2018: Binance

• Apr 2018: RSA Conference App

• Jul 2018: Venmo

• Aug 2018: T-Mobile

• Aug 2018: Salesforce

• Sep 2018: Facebook

• Sep 2018: British Airways

• Sep 2018: Apple MDM

• Oct 2018: GitHub

• Oct 2018: Girl Scouts

• Oct 2018: Quoine

• Nov 2018: US Postal Service

• Nov 2018: City of New York

• Nov 2018: SKY Brasil

• Nov 2018: Urban Massage

• Nov 2018: Brazil Fed of Indus

• Dec 2018: Kubernetes

• Dec 2018: Facebook

• Dec 2018: Twitter

• Feb 2019: Uber

• Feb 2019: Kubernetes

• Feb 2019: Pandora & Viper

• Feb 2019: Drupal’s RESTful

• Feb 2019: LandMark White Limited

• Mar 2019: 63red Safe

• Apr 2019: Shopify

• Apr 2019: Portainer Docker Tool

• Apr 2019: JustDial Link

• Apr 2019: Nagios XI

• Apr 2019: Facebook Marketplace

• Apr 2019: Tchap Messaging App

• Jun 2019: OnePlus Mobile App

• Jun 2019: Venmo

• Jun 2019: GateHub

Attack surface: 1. Mobile apps; 2. Direct APIs

Basic security fails: 1. Authentication; 2. Injection; 3. Permissions

Callouts on the timeline:

• API vulnerable to Facebook credential spoofing attack that was used for a prank on Tinder users.

• A vulnerability in the REST API allowed 1.5 million websites to be hacked.

• Security researchers were able to download 200 million customer payment transactions via public API.

• Access control vuln leaves DMs open.

• Information leakage of Uber API.

• Vuln leaks information.

Page 29

Figure: Large Platform with Extensive Integration. Components shown: Customer, Attacker, Web UI, Payment Processing, Data, Accounts, Order Management, Inventory, Shipping, with USERNAME passed between them.

Page 30

Figure: Attacker (desktop or mobile) → Brute force, injects, etc. → USERNAME → User Data

Page 31

Survey (2018)

Recommendations

Protecting Applications

Page 32

Chart (F5 Ponemon Survey): confidence in application security, in chart order: Very Confident 16%, Confident 22%, Somewhat Confident 24%, No Confidence 38%

Page 33

Chart (F5 Ponemon Survey): how often applications are tested, in chart order: None 25%, Unsure 2%, Not Pre-scheduled 24%, Every Time the Code Changes 14%, Every Week 9%, Every Month 5%, Every 3 Months 7%, Twice a Year 5%, Annually 9%

Page 34

Chart (F5 Ponemon Survey): obstacles to application security, in chart order: Other 4%, Lack of Leadership 7%, Lack of Exec Level Support 8%, Not a Priority 13%, Insufficient Software Testing Tools 19%, Lack of Budget 30%, Turf/Silo Issues Between IT Security and App Dev 32%, Proliferation of Mobile Devices 41%, Lack of Skilled or Expert Personnel 44%, Migration to the Cloud Environment 44%, Lack of Visibility in the App Layer 59%

Page 35

Mitigation Recommendations

• Inventory

• Vulnerability management

• Change control

• Access control

• Training

• Monitoring and Logging

Page 36

MOBILE

• Mobile apps do not support the same security capabilities as web browsers

• Mobile APIs are often left under-protected

• Automated attacks targeting mobile applications: content scraping, denial of service, API attacks

Page 37

Phishing success without training: 33%

Phishing success with training: 13%

Page 38

@F5Labs