TRANSCRIPT
Application Protection Research Series
Using data to unite tactics and strategy in risk-based security
2019 Conclusions
• PHP, the weak point of the Internet
• Attack methods follow business models
• Injection, rejuvenated
• Access attacks predominant
• APIs changing the landscape
Applications are the business.
Applications are the gateway to your data.
How Are Applications Targeted?
• Sub domains hosting other versions of the main application site
• Dynamic web page generators
• HTTP headers and cookies
• Admin interfaces
• Apps/files linked to the app
• Web service methods
• Helper apps on client (Java, Flash)
• Server-side features such as search
• Web pages and directories
• Shells, Perl/PHP
• Data entry forms
• Administrative and monitoring stubs and tools
• Events of the application: triggered server-side code
• Backend connections through the server (injection)
• APIs
• Cookies/state tracking mechanisms
• Data/active content pools: the data that populates and drives pages
Diagram tiers: Services, Access, TLS/SSL, DNS, Network
How Can We Organize This Better?
Attacks mapped onto those tiers, client included:
• Certificate spoofing
• Protocol abuse
• Session hijacking
• Key disclosure
• DDoS
• Eavesdropping
• Man-in-the-middle
• Man-in-the-browser
• Malware
• Cross-site request forgery
• Cross-site scripting
• DNS hijacking
• DNS spoofing
• DNS cache poisoning
• Dictionary attacks
• Abuse of functionality
• API attacks
• Injection
• Credential theft
• Credential stuffing
• Brute force
• Phishing
Breach Analysis 761 87%
Breach Analysis 1025 85%
“The unauthorized access involved the insertion of rogue code into our checkout page.”
Caveats for Public Breach Notifications
2018 US Breaches by Cause (%): Access-related 47.0; Web 17.3; Accidental 14.0; Physical security 9.0; Malware 5.0; Insider 4.0; Phishing (no details) 2.1; Third-party compromised 1.6
2019 US Breaches by Cause (%): Access-related 51.8; Web 18.9; Accidental 13.0; Physical 6.1; Malware 6.6; Insider 3.1; Third-party compromised 0.5
Breaches by industry: Access (mostly phishing and email); Web (mostly injection)
Web Attacks: Don’t fix it if it ain’t broke
Diagram: Bob’s Bikes, a typical shopping site, with third-party widgets/content (a $52.00 Yellow Bike listing) all linked off the main app site but hosted elsewhere…
• Targeted site: malicious PHP code; payment card info breached
• Stolen data exfiltrated via HTTPS to a drop server
• Injects usually due to weak input filters common in PHP, JS and CMS systems; can add fake fields to the page
• Third-party widget injects not seen by the WAF
Access Attacks: Primary cause of breach
• Brute force
• Credential stuffing
• Phishing
Brute force attacks by industry from reported 2018 F5 SIRT incidents (%): Telecom 22.2; Retail 23.1; Tech 23.5; Service 25.0; Education 27.3; Health 41.7; Finance 47.8; Public 50.0
API Attacks: API incident trends and API breaches
Diagram: Server 1, Server 2 and Server 3 ship logs to Logstash (parse, filter and transform), then to Elastic, and Kibana visualizes the data.
API incident timeline, 2011 to 2019 (from the slide):
• Sep 2011: Westfield
• Mar 2015: Tinder
• Feb 2017: Wordpress
• Nov 2017: US Postal Service
• Jan 2018: Tinder
• Mar 2018: Binance
• Apr 2018: RSA Conference App
• Jul 2018: Venmo
• Aug 2018: T-Mobile
• Aug 2018: SalesForce
• Sep 2018: British Airways
• Sep 2018: Apple MDM
• Oct 2018: Github
• Oct 2018: Girl Scouts
• Oct 2018: Quoine
• Nov 2018: US Postal Service
• Nov 2018: City of New York
• Nov 2018: SKY Brasil
• Nov 2018: Urban Massage
• Nov 2018: Brazil Fed of Indus
• Dec 2018: Kubernetes
• Feb 2019: Uber
• Feb 2019: Kubernetes
• Feb 2019: Pandora & Viper
• Feb 2019: Drupal’s RESTful
• Feb 2019: LandMarkWhite Limited
• Mar 2019: 63red Safe
• Apr 2019: Shopify
• Apr 2019: Portainer Docker Tool
• Apr 2019: JustDial Link
• Apr 2019: Nagios XI
• Apr 2019: Facebook Marketplace
• Apr 2019: Tchap Messaging App
• Jun 2019: OnePlus Mobile App
• Jun 2019: Venmo
• Jun 2019: GateHub
Slide callouts:
• API vulnerable to Facebook credential spoofing attack that was used for a prank on Tinder users.
• A vulnerability in the REST API allowed 1.5 million websites to be hacked.
• Security researchers were able to download 200 million customer payment transactions via public API.
• Access control vuln leaves DMs open.
• Information leakage of Uber API: vuln leaks information.
Attack: 1. Mobile Apps 2. Direct APIs
Basic Security Fails: 1. Authentication 2. Injection 3. Permissions
Diagram: Large Platform with Extensive Integration. A customer signs in (username) from a desktop or mobile client to the Web UI, which is integrated with Accounts, Order Management, Inventory, Shipping, Payment Processing, Data and User Data; an attacker reaches the same entry point with brute force, injects, etc.
Survey (2018)
Recommendations
Protecting Applications (F5 Ponemon Survey): Very Confident 16%; Confident 22%; Somewhat Confident 24%; No Confidence 38%
Schedule (F5 Ponemon Survey): None 25%; Unsure 2%; Not Pre-scheduled 24%; Every Time the Code Changes 14%; Every Week 9%; Every Month 5%; Every 3 Months 7%; Twice a Year 5%; Annually 9%
Obstacles cited (F5 Ponemon Survey): Other 4%; Lack of Leadership 7%; Lack of Exec Level Support 8%; Not a Priority 13%; Insufficient Software Testing Tools 19%; Lack of Budget 30%; Turf/Silo Issues Between IT Security and App Dev 32%; Proliferation of Mobile Devices 41%; Lack of Skilled or Expert Personnel 44%; Migration to the Cloud Environment 44%; Lack of Visibility in the App Layer 59%
Mitigation Recommendations
• Inventory
• Vulnerability management
• Change control
• Access control
• Training
• Monitoring and logging
Mobile
• Mobile apps do not support the same security capabilities as web browsers
• Mobile APIs are often left under-protected
• Automated attacks targeting mobile applications: content scraping, denial of service, API attacks
Phishing success without training: 33%
Phishing success with training: 13%