Presentation Material

Abstract

Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.

In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.

I will discuss the following methodologies with proof of concept code and demo:

• Preventing Code Injection Vulnerabilities
• Preventing SQL Injection by monkey patching SQL drivers to extract the SQL queries and tokenise them for generating dynamic rules.
• Detecting Remote Command Injection by money patching shell execution APIs of the programming language, extracting the shell command and tokenise them to generate dynamic rules.
• Detecting Reflected and Stored XSS by monkey patching render function of the web framework to identify contexts and context breakouts.
• Neutralising XSS by determining the injection contexts and providing per context escaping.
• Detecting and Preventing DOM XSS by monkey patching html rendering methods in popular JS frameworks like jQuery, UnderscoreJS, MustacheJS, DustJS etc.
• Comparison with a traditional WAF
• Preventing Modern AppSec challenges that a WAF cannot handle
• Detecting and Preventing Session Hijacking.
• Detecting and Preventing Layer 7 DDoS that rely on targeting slow routes of the web application.
• Detecting Credential Stuffing attempts.
• Detecting Application Specific vulnerabilities like arbitary file upload, HTTP verb tampering, header injection etc.
• Preventing Zero days that affects framework/language components.
• The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.