Hackers of India

Injecting Security into Web apps with Runtime Patching and Context Learning

By Ajin Abraham on 23 Jun 2017 @ Hackinparis

Abstract

Web application security is not hard, but it is easy to get wrong, because writing secure code is not as easy as preaching it. To cope with the incidents that follow from such unforeseen mistakes, organisations tend to rely on Web Application Firewalls (WAFs). WAFs have been in the industry for a long time. Every one of them works either outside or around the web application: it intercepts the HTTP request coming to the web server and then decides whether to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is being interpreted, whether the application or server is under heavy load, whether an attacker is exfiltrating data by exploiting an SQLi that the WAF could not detect, and so on. The strength of a traditional WAF depends on manual or predefined rules and signatures. As a result, they have the limitation that they will be bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases will not be able to prevent an attack, as it does not yet know the signature of the exploit.

This research focuses on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next-generation web application defence technology dubbed Runtime Application Self Protection (RASP), which works inside the web application and defends against web attacks by understanding your application. RASP relies on runtime patching to inject security into web apps implicitly, without introducing additional code changes. The root cause of all code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution detects code context breakouts to effectively detect and prevent code injections, with the help of runtime hooking and patching at the framework API or language API level.

Research

In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next-generation web application defence technology dubbed Runtime Application Self Protection (RASP), which works inside the web application and defends against web attacks by understanding your application. RASP relies on runtime patching to inject security into web apps implicitly, without introducing additional code changes. The root cause of all code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution detects code context breakouts to effectively detect and prevent code injections, with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection etc. and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS. This research is carried out by implementing a RASP module for a vulnerable web application written in Python using the Tornado framework with an SQLite backend.

I will discuss the following methodologies with proof of concept code and demo:

Preventing Code Injection Vulnerabilities

Preventing SQL Injection by monkey patching SQL drivers to extract the SQL queries and tokenise them to generate dynamic rules.
Detecting Remote Command Injection by monkey patching the shell execution APIs of the programming language, extracting the shell command and tokenising it to generate dynamic rules.
Detecting Reflected and Stored XSS by monkey patching the render function of the web framework to identify contexts and context breakouts.
Neutralising XSS by determining the injection contexts and providing per-context escaping.
Detecting and Preventing DOM XSS by monkey patching the HTML rendering methods in popular JS frameworks like jQuery, UnderscoreJS, MustacheJS, DustJS etc.
Comparison with a traditional WAF
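As an added example (my own code, not the talk's proof of concept), here is the SQL-driver monkey patch described above in Python against the sqlite3 module: each query is tokenised into a structural signature, learning mode records the signatures produced by legitimate traffic, and protection mode raises on any query whose structure was never learned, which is what an injected literal breaking out into the code context looks like at the driver. The `GUARD`, `check_sql`, `GuardedCursor`, `GuardedConnection` and `demo` names and the sample users table are my own constructions.

```python
import re
import sqlite3

# Tokeniser: string and number literals collapse to placeholders, so a signature
# keeps only the code shape of a query and drops the data it carries.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|\S")

def sql_signature(sql):
    return " ".join("STR" if t[0] == "'" else "NUM" if t[0].isdigit() else t.upper()
                    for t in _TOKEN.findall(sql))

GUARD = {"learned": set(), "protect": False}  # constructed RASP state for this example
def check_sql(sql):
    sig = sql_signature(sql)
    if not GUARD["protect"]:
        GUARD["learned"].add(sig)  # learning mode: a dynamic rule generated at runtime
    elif sig not in GUARD["learned"]:  # protection mode: data broke out into the code context
        raise PermissionError("RASP blocked unlearned SQL structure: " + sig)

class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, parameters=()):
        check_sql(sql)  # the hook sits below the application, inside the driver
        return super().execute(sql, parameters)

class GuardedConnection(sqlite3.Connection):
    def cursor(self, *args, **kwargs):
        kwargs.setdefault("factory", GuardedCursor)
        return super().cursor(*args, **kwargs)
    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)

# The monkey patch: every sqlite3.connect() in the process now returns a guarded
# connection, with no change to the application's own code.
_real_connect = sqlite3.connect
def _guarded_connect(*args, **kwargs):
    kwargs.setdefault("factory", GuardedConnection)
    return _real_connect(*args, **kwargs)
sqlite3.connect = _guarded_connect
def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE users (name, pw); INSERT INTO users VALUES ('alice', 's3cret');")
    login = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'"  # the insecure app's query
    conn.execute(login % ("alice", "s3cret"))  # learning run, e.g. driven by functional tests
    GUARD["protect"] = True
    legit = conn.execute(login % ("alice", "s3cret")).fetchall()
    try:
        conn.execute(login % ("alice", "' OR '1'='1"))
        return legit, "allowed"
    except PermissionError:
        return legit, "blocked"
```

In protection mode the legitimate login still returns the row, while the same query with a quote-breaking input produces a signature the guard never learned and is rejected before it reaches SQLite.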

Preventing Modern AppSec challenges that a WAF cannot handle

Detecting and Preventing Session Hijacking.
Detecting and Preventing Layer 7 DDoS that relies on targeting slow routes of the web application.
Detecting Credential Stuffing attempts.
Detecting application-specific vulnerabilities like arbitrary file upload, HTTP verb tampering, header injection etc.
Preventing zero days that affect framework/language components.
The talk concludes with the challenges in this new technology and gives an insight into the future of runtime protection.

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker discusses the advantages and characteristics of RASP in protection mode. The biggest advantage is the ability to run something in protection mode without significant performance impact. When evaluating products, consider factors such as minimal performance impact, no introduction of vulnerabilities, and no consumption of customer PII information.

In response to a question about how RASP knows when the learning step is finished and all routes are covered, the speaker suggests using functional tests to go through most application routes. Additionally, security teams can use RASP during security testing to learn from legitimate requests and identify potential vulnerabilities.

Another question raised concerns about blocking regular browsing due to false positives or over-validation. The speaker emphasizes that RASP learns from application behavior and user input, but if the initial learning is incorrect, it may be challenging to determine the legitimate purpose of the application. Therefore, it is essential to ensure accurate learning from the start.

Overall, the discussion focuses on the benefits and considerations of using RASP in protection mode for security and vulnerability prevention.