
SWAF@DTS Ali Hur


Semantic Based Web Application Firewall

NUST
Defining Future

SEMANTIC BASED WEB APPLICATION FIREWALL (SWAF)

M ALI HUR
Team Lead
Web Application Security Group

AVAILABILITY INTEGRITY CONFIDENTIALITY

Semantic System Research Lab


NUST-SEECS, Pakistan

AGENDA
 Existing Solutions
 Core Objectives
 Proposed Solution
 Semantic based Validation
 Why Ontology?
 Intro to SWAF
 SWAF Features
 Business Prospects of SWAF
 Benchmark & Evaluation
 SWAF Screen Shots
 Demo

APPLICATION LAYER SECURITY


EXISTING SOLUTIONS

 Vulnerability Scanners
• White box
• Black box
 Validation List
• White list
• Black list
 Intrusion Detection System
• Application based
• Network based

EXISTING SOLUTIONS - AUTOMATED & MANUAL SCANNING
 Validation List
• White-list
• Black-list
 Problems
• Updating and Maintenance problem
• Time consuming task
• Incompatibility with legacy applications
• Dealing with many sources of input
• Effective only for highly structured data

5 09/16/2024 NUST School of Electrical Engineering and Co



EXISTING SOLUTIONS - UPDATING & MAINTENANCE PROBLEM
 Application specific (validation is integrated into the code).
 Must cater for newly born attacks and filter-evasion tricks, e.g.:
• ....// instead of ../
• A filter that strips ../ once turns ....// back into ../, so the payload survives the filter.
 Requires continuous updating and maintenance, which is rarely possible.
 Patches and updates are provided but are not sufficient.
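To make the ....// point concrete, here is an added example (it is not SWAF code and not from the original deck) that shows why a single-pass blacklist is the wrong tool: stripping ../ once turns ....// into ../, stripping until nothing changes defeats that one trick but still says nothing about where the path ends up, and the check a gateway should actually make is to URL-decode until stable, canonicalise, and then require the result to stay under the document root. The root /var/www and the sample paths are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote


def strip_once(path):
    """The blacklist the slide criticises: remove '../' in a single pass."""
    return path.replace("../", "")


def strip_until_stable(path):
    """Same blacklist, reapplied until the string stops changing."""
    while True:
        cleaned = path.replace("../", "")
        if cleaned == path:
            return path
        path = cleaned


def decode_until_stable(value, max_rounds=5):
    """URL-decode repeatedly so that %2e%2e/ and %252e%252e/ both become ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_under_root(root, user_path):
    """Positive check: canonicalise the decoded path and require it to stay
    inside root.  Returns the resolved path, or None if it escapes."""
    root = posixpath.normpath(root)
    decoded = decode_until_stable(user_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed inputs (assumptions, not taken from any real application).
    samples = ["....//etc/passwd", "../../etc/passwd",
               "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
               "images/logo.png"]
    for p in samples:
        print(f"{p!r:30} once={strip_once(p)!r:22} "
              f"stable={strip_until_stable(p)!r:18} "
              f"resolved={resolve_under_root('/var/www', p)}")
```

The blacklist variants only ever answer "did I see ../", while resolve_under_root answers the question that matters, "does the request leave the document root", and does so after decoding, so double-encoded variants are handled the same way.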

EXISTING SOLUTIONS - TIME CONSUMING TASK
 Very time consuming; usually results in missed deadlines.
 Mostly ignored in order to meet strict deadlines.
 Developers usually tend to focus on functionality rather than on the security of the application.
 Needs a thorough investigation of all input entry points (input forms, fields, etc.), which is very difficult in large corporate-level applications.

EXISTING SOLUTIONS - INCOMPATIBILITY WITH LEGACY APPLICATIONS
 Modifications to the source code of existing applications are required.
 Problems with changing source code:
• The source code is copyrighted and may not be altered.
• No source code is available (e.g. binary format, .dll file, Java .class file, etc.).
 An application layer gateway remains the only option.

EXISTING SOLUTIONS - DEALING WITH MANY SOURCES OF INPUT
 Many sources of input.
 Validation criteria depend on the source of the input (e.g. a value is returned as a string but is used as a number).
 Time consuming job.
 Again, the focus is on implementing functionality.

EXISTING SOLUTIONS - DIFFERENT SOURCES OF INPUT

EXISTING SOLUTIONS - LIMITATIONS
 Limitations in network based Solutions:
• Solely designed for detecting TCP/IP level exploits.
• Fails to work on encrypted/encoded web traffic.
• Susceptible to insertion and evasion techniques.
 Limitations in application level Solutions:
• Using signature based approach
• Signatures are manually created
• No protection for zero day attacks


CORE OBJECTIVES
 A generalized solution for application security
• Not application dependent
 Context based content filtering
• Should understand the context of the input
 Zero day attack detection
 Minimal human intervention
• Adapts its working to the changing environment
• Automatic rule generation

PROPOSED SOLUTION
 Detecting attacks semantically, using the context of the protocol, the attack and the target application.
• Improved detection
• Zero day attack detection
 Rule based scheme instead of signature based
 Automatic rule generation support
• Logic based context reasoning
 Improved performance
• Only the related subset of the rules is processed for each message
• Only the related portions of the message are examined for each attack


SEMANTIC BASED VALIDATION


 Syntax-based validation
• Size and content restrictions
• Effective only for highly structured data
 Semantic-based validation
• Restrictions such as:
• Input must match a specific data type
• Input must match a specific format
• Understanding potentially dangerous commands or content (context based filtering)
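The difference between the two kinds of validation is easiest to see on a positive (white-list) model for one form. The following is an added example in Python, not SWAF's own code: the parameter names (uid, password, pagestyle, action) come from the login request shown later in the deck, while the declared types, formats, length limit and the extra numeric field page are assumptions made for the example. A purely syntactic size check lets a 34-byte script tag through; the semantic check rejects it because uid has a declared format, rejects a string where an integer is expected (the "returned as string but used as numeric" case above), and rejects any parameter the application never declared.

```python
import re

# Positive model for one application's login form (assumed for this example).
SCHEMA = {
    "uid":       {"type": str, "format": r"[A-Za-z0-9_]{1,32}"},
    "password":  {"type": str, "format": r"[^\x00-\x1f]{1,128}"},
    "pagestyle": {"type": str, "format": r"[a-z0-9_-]+\.css"},
    "action":    {"type": str, "format": r"login|logout"},
    "page":      {"type": int, "min": 1, "max": 9999},
}
MAX_LEN = 64   # the only thing a purely syntactic check looks at


def syntax_check(params):
    """Syntax-based validation: size only.  Returns the names that fail."""
    return [name for name, value in params.items() if len(value) > MAX_LEN]


def semantic_check(params, schema=SCHEMA):
    """Semantic validation: every parameter must be known, have the declared
    data type and match the declared format.  Returns (name, reason) pairs;
    an empty list means the request is accepted."""
    problems = []
    for name, value in params.items():
        rule = schema.get(name)
        if rule is None:
            # Positive model: anything not declared is rejected by default.
            problems.append((name, "unknown parameter"))
            continue
        if rule["type"] is int:
            if not re.fullmatch(r"-?\d+", value):
                problems.append((name, "not an integer"))
                continue
            if not rule["min"] <= int(value) <= rule["max"]:
                problems.append((name, "out of range"))
        elif not re.fullmatch(rule["format"], value):
            problems.append((name, "does not match format"))
    return problems


if __name__ == "__main__":
    # Constructed requests (parsed form bodies), not captured traffic.
    good = {"uid": "fred", "password": "secret",
            "pagestyle": "default.css", "action": "login"}
    bad = {"uid": '<script>alert("Attacked")</script>', "password": "secret",
           "pagestyle": "../../etc/passwd", "action": "login",
           "page": "abc", "debug": "1"}
    for label, req in [("good", good), ("bad", bad)]:
        print(label, "syntax:", syntax_check(req), "semantic:", semantic_check(req))
```

Note that nothing in semantic_check knows what a script tag or a traversal sequence looks like; the payloads fail simply because they are not valid user ids or stylesheet names, which is why a positive model needs no signature update when a new encoding trick appears.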


WHY ONTOLOGY?

 Extensibility
 Reasoning
 Granularity
 Generality & Specificity
 Knowledge Sharing and Reusability

INTRODUCTION: WHAT IS SWAF?

 SWAF is a semantic based web application firewall.
 Installed within the premises of the organization.
 Deployment mode: secure reverse proxy.

DEPLOYMENT SCENARIO

SWAF is deployed as a reverse proxy between the Internet and the web servers.
SWAF ARCHITECTURE OVERVIEW

Application Traffic Interceptor (between the Internet and the web server)
• Request disassembly
• DoS validation
• Request validation (http:// and https://)
• Response validation
• Response assembly
Application Traffic Analyzer
• Rule Engine
• Rule Generator
• Knowledge Base Store
Logging and Reporting
• Access Log
• Infected Log
• Report
SWAF Service Startup
SWAF Administration Console

SYSTEM ARCHITECTURE - SIMPLE XSS ATTACK

Normal request:
http://myserver.com/test.jsp?name=Stefan

Response:
<HTML>
<Body>
Welcome Stefan
</Body>
</HTML>

Attack request:
http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>

Response (the parameter is reflected unescaped, so the script runs in the victim's browser):
<HTML>
<Body>
Welcome
<script>alert("Attacked")</script>
</Body>
</HTML>

SYSTEM ARCHITECTURE - SIMPLE XSS ATTACK

 Attack vector XSS1
• http://www.myserver.com/index.jsp?name=<script>alert("Attacked")</script>

Here the malicious code is inserted in the query string.
The script can be detected by the <script> tag.

SYSTEM ARCHITECTURE - SNORT SIGNATURE

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"XSS attempt";
    content:"<SCRIPT>"; nocase;
    uricontent:"<SCRIPT>"; nocase;
    classtype:web-application-attack; sid:7003; rev:1;
)

Snort signature for the XSS attack demonstrated in the last example. Note that uricontent matches only the request URI, so the same payload placed in a cookie, a Referer header or a POST body is not covered by this rule.

SYSTEM ARCHITECTURE - TYPICAL HTTP REQUEST

POST /index.jsp?var1=page1.html HTTP/1.1
Accept: */*
Referer: http://www.myweb.com/index.html
Accept-Language: en-us,de;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.myweb.com
Cookie: CUSTOMER=WILE_E_COYOTE; PART_NUMBER=ROCKET_LAUNCHER_0001; SHIPPING=FEDEX
Connection: Keep-Alive

uid=fred&password=secret&pagestyle=default.css&action=login

Parts of the request that carry user-controlled input: the request method, the requested resource, GET and POST parameters, the Referer and User-Agent headers, and the Cookie.

SYSTEM ARCHITECTURE - TYPICAL HTTP REQUEST

The same request with the XSS payload placed in every user-controlled part (start line, Referer, Cookie and POST parameters):

POST /index.jsp?name=<script>alert("Attacked")</script> HTTP/1.1
Accept: */*
Referer: http://www.myweb.com/index.html?name=<script>alert("Attacked")</script>
Accept-Language: en-us,de;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.myweb.com
Cookie: CUSTOMER=WILE_E_COYOTE; PART_NUMBER=ROCKET_LAUNCHER_0001; SHIPPING=<script>alert("Attacked")</script>
Connection: Keep-Alive

uid=<script>alert("Attacked")</script>&password=secret&pagestyle=default.css&action=login

SYSTEM ARCHITECTURE - SEMANTIC REASONING

Ontology of an HTTP message (hasPart / contains / infects relations):

HTTP Message
  hasPart Start Line
    hasPart Method, URI, Version
    URI contains Query String
  hasPart Header
    hasPart Cookie, Referrer
  hasPart Payload
Query String, Cookie, Referrer and Payload each contain Parameters
  Parameter hasPart Param Name, Param Value
XSS Indicator XSS1 infects Param Value

But XSS malicious code can be anywhere where user input parameters are present.

SYSTEM ARCHITECTURE - SEMANTIC REASONING

The same ontology with the inference rules (Jena rule syntax) that propagate the hasPart, contains and infects relations through the message:

[rule1: (?a ex:hasPart ?b) (?b ex:hasPart ?c)
        -> (?a ex:hasPart ?c)]

[rule2: (?a ex:hasPart ?b) (?b ex:contains ?c)
        -> (?a ex:contains ?c)]

[rule4: (?a rdf:type ex:Indicator) (?m rdf:type ex:HttpMessage)
        (?m ex:immediatePart ?x) (?x ex:contains ?y)
        (?y ex:hasPart ?p) (?a ex:infects ?p)
        -> (?a ex:infects ?y)]

[rule5: (?a rdf:type ex:Indicator) (?m rdf:type ex:HttpMessage)
        (?m ex:immediatePart ?x) (?x ex:contains ?y)
        (?a ex:contains ?p) (?y ex:infects ?p)
        -> (?a ex:infects ?y)]
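To show what the reasoning over the message ontology buys over the URI-only Snort rule shown earlier, here is an added example in Python; it is not SWAF's implementation and not from the deck. It decomposes a request into the part graph of the slides above (HttpMessage, StartLine, Header, Payload, URI, QueryString, Cookie, Referer, Parameter, ParamName, ParamValue), matches an indicator only against the part class it is declared to infect, and then forward-chains the rules: rule1 (hasPart is transitive), rule2 (hasPart carries contains upward) and a simplified reading of rule4/rule5 in which an infected part infects whatever has or contains it. The two requests are constructed from the slide 23 example (assumptions, not captured traffic); the second keeps the payload only in the cookie, where a uricontent signature cannot see it.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed requests modelled on the deck's slide 23 (not captured traffic).
XSS = '<script>alert("Attacked")</script>'
REQ_EVERYWHERE = (
    f"POST /index.jsp?name={XSS} HTTP/1.1\r\n"
    "Host: www.myweb.com\r\n"
    f"Referer: http://www.myweb.com/index.html?name={XSS}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Cookie: CUSTOMER=WILE_E_COYOTE; SHIPPING={XSS}\r\n"
    "\r\n"
    f"uid={XSS}&password=secret&action=login"
)
# Same request with the payload left only in the cookie.
REQ_COOKIE_ONLY = (REQ_EVERYWHERE.replace(f"name={XSS}", "name=Stefan")
                                 .replace(f"uid={XSS}", "uid=fred"))

# An indicator names the part class it is declared to infect; XSS1 is the deck's example.
INDICATORS = [("XSS1", "ParamValue", re.compile(r"<\s*script\b", re.I))]


def build_graph(raw):
    """Decompose a request into the deck's ontology: (triples, kind, text)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in header_lines)
    triples = {("msg", "hasPart", "StartLine"), ("msg", "hasPart", "Header"),
               ("msg", "hasPart", "Payload"), ("StartLine", "hasPart", "Method"),
               ("StartLine", "hasPart", "URI"), ("StartLine", "hasPart", "Version"),
               ("URI", "contains", "QueryString"), ("Header", "hasPart", "Cookie"),
               ("Header", "hasPart", "Referer")}
    kind = {"msg": "HttpMessage", "StartLine": "StartLine", "Header": "Header",
            "Payload": "Payload", "Method": "Method", "URI": "URI", "Version": "Version",
            "QueryString": "QueryString", "Cookie": "Cookie", "Referer": "Referer"}
    text = {"Method": method, "Version": version}

    def add_params(container, pairs):
        for i, (name, value) in enumerate(pairs):
            p = f"{container}.p{i}"
            triples.update({(container, "contains", p), (p, "hasPart", p + ".name"),
                            (p, "hasPart", p + ".value")})
            kind.update({p: "Parameter", p + ".name": "ParamName", p + ".value": "ParamValue"})
            text.update({p + ".name": name, p + ".value": value})

    add_params("QueryString", parse_qsl(urlsplit(target).query, keep_blank_values=True))
    add_params("Referer", parse_qsl(urlsplit(headers.get("Referer", "")).query,
                                    keep_blank_values=True))
    add_params("Cookie", [c.strip().split("=", 1)
                          for c in headers.get("Cookie", "").split(";") if "=" in c])
    add_params("Payload", parse_qsl(body, keep_blank_values=True))
    return triples, kind, text


def infer(triples, kind, text):
    """Apply indicators to their declared part class, then forward-chain rule1,
    rule2 and the simplified infection rule until no new facts appear."""
    facts = set(triples)
    for name, target_kind, pattern in INDICATORS:
        for node, k in kind.items():
            if k == target_kind and pattern.search(text.get(node, "")):
                facts.add((name, "infects", node))
    while True:
        new = set()
        out, holders = {}, {}
        for s, p, o in facts:
            out.setdefault(s, []).append((p, o))
            if p in ("hasPart", "contains"):
                holders.setdefault(o, []).append(s)
        for s, p, o in facts:
            if p == "hasPart":
                for q, d in out.get(o, []):          # rule1 / rule2
                    new.add((s, "hasPart" if q == "hasPart" else "contains", d))
            elif p == "infects":
                for x in holders.get(o, []):         # infection propagates upward
                    new.add((s, "infects", x))
        if new <= facts:
            return facts
        facts |= new


def infected_parts(raw):
    """Return {indicator: sorted classes of the parts it infects}."""
    triples, kind, text = build_graph(raw)
    result = {}
    for s, p, o in infer(triples, kind, text):
        if p == "infects":
            result.setdefault(s, set()).add(kind[o])
    return {k: sorted(v) for k, v in result.items()}


def uri_only_signature(raw):
    """What the Snort rule on the earlier slide checks: '<SCRIPT>' in the URI only."""
    return "<script>" in raw.split("\r\n", 1)[0].split(" ")[1].lower()


if __name__ == "__main__":
    for label, req in [("everywhere", REQ_EVERYWHERE), ("cookie only", REQ_COOKIE_ONLY)]:
        print(label, "signature:", uri_only_signature(req),
              "reasoner:", infected_parts(req))
```

Because the indicator is only ever run against ParamValue nodes, the rest of the message is never scanned for it, which is the search-space reduction the deck describes; the graph then tells you which parts (cookie, header, whole message) are infected rather than only that some bytes matched.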

SWAF FEATURES
 Defenses against all OWASP Top Ten vulnerabilities and complex attacks
 Protocol validation
• Validation based on the HTTP RFCs
 Dealing with SSL based encrypted traffic
• SSL offloading
 Output filtering (filtering the HTTP responses coming from the web server)
 Validation of requests using positive and negative policy rules
• Application specific positive security model
 Performance, reliability and fault tolerance
• SSL offloading
• Load balancing
• HTTP traffic compression
• Caching

BUSINESS PROSPECTS OF SWAF

 Successful release of SWAF v1.0
 A team of professionals who know how to deal with current web application security issues.
 Achieving OWASP and PCI DSS requirement 6.6 compliance for better market outreach.

WHY INVEST IN WAFS?

 According to the Forrester Research e-Commerce Forecast, U.S. online retail sales will reach $329 billion by 2010.
 According to the Centre for Economics and Business Research, U.K. online retail sales are currently 82 billion and will reach US $336 billion by 2020.
 China's online shoppers will number 100 million by 2010.

EVALUATION

Detection rate by attack class, SWAF compared with ModSecurity:

                 Cross Site Scripting   SQL injection   Directory Traversal
SWAF             100%                   93.3%           100%
ModSecurity      90%                    60%             100%
Improvement      10%                    33.3%           0%

TEST RESULTS (HARDWARE AND SYSTEM SPECIFICATION)

WEB SERVER MACHINE SPECIFICATION

TEST RESULTS

EVALUATION CRITERIA
False Positive = FP: the total number of normal records that are classified as anomalous
False Negative = FN: the total number of anomalous records that are classified as normal
Total #Normal = TN: the total number of normal records (not "true negatives")
Total #Attack = TA: the total number of attack records
Detection Rate = [(TA - FN) / TA] * 100
False Alarm Rate = [FP / TN] * 100

EVALUATION FRAMEWORK

Attack Type          #Normal Records  #Attack Records  False Positive  False Negative  Detection Rate (%)  False Alarm Rate (%)
XSS                  190              57               1               1               98.25               0.53
SQL Injection        190              76               2               1               98.68               1.05
Directory traversal  190              38               2               0               100                 1.05

GUI SCREEN SHOTS (FRONT PANEL)

ACCESS LOG

INFECTED LOG

CONFIGURATION

STATISTICS

PDF REPORTS

DEMO

THANKS & ??


WHAT IS AN APPLICATION LEVEL FIREWALL?

Layered view of where each control sits between the Internet and the enterprise (source: IBM):

Access Control and Firewall (Internet edge)
• Threats handled: DoS, spoofing, known vulnerabilities, pattern-based attacks, port scanning
• Functions: user identification, access control, encrypted transport of data, firewall, universal threat management

IDS/IPS
• Functions: anomaly detection, intrusion prevention, vulnerability management, remediation/patching, compliance and risk management

Application Firewall (in front of the web server)
• Threats handled: parameter tampering, cross site scripting, SQL injection, cookie poisoning
• Functions: host protection (server and desktop), layer 4-7 protection (content, URL, web), content control, data leakage management

The Enterprise: web server, application server, databases, backend server/system

NVC WEB SECURITY STATISTICS

(Chart; the categories shown are SQL Injection and XSS.)

IBM WEB SECURITY STATISTICS

TOP TEN ATTACKS

WhiteHat Statistics - Spring 2009
PROPOSED FRAMEWORK
Semantic Web Application Firewall - SWAF

Core components (between the incoming HTTP traffic and the web server / web application):
• HTTP Interceptor
• Analyzer
• Rule Cache
• Rule Engine
• Inference Engine
• Knowledge Base

Logging and administration:
• Logger and Log Store (MySQL)
• Infected Message Log
• Log Viewer and Log Access
• Admin Console

FEATURES
 Detection of complex and zero day web attacks.
 The system understands the contextual nature of an HTTP request.
 The system is based on a shared representation of ontologies that can be refined and expanded over time according to the application's requirements.
 Efficient analysis of only those portions of an HTTP request where an attack is possible, which gives a significant search-space reduction with a low false positive rate.

SYSTEM FEATURES CONT.

 A fragment combination technique is also used for rule generation to capture the contextual nature of attacks.
 By using semantics, automatic rule generation has been achieved, and the system also provides protection against zero day attacks.
 Platform and technology independence.
 The system is deployed as a reverse proxy in front of the web servers.