Mitigating the WASC Web Security Threat Classification with Apache | WebReference

Mitigating the WASC Web Security Threat Classification with Apache


[next]

Mitigating the WASC Web Security Threat Classification with Apache

Do you know what threats exist for web applications? Do you have an accurate definition of the attack scenarios? The Web Application Security Consortium created the Web Security Threat Classification document for exactly this purpose. The goals of this chapter are twofold. The first goal is to arm the reader with practical information regarding the threats that are associated with running web applications and to present the corresponding Apache mitigation strategies. Second is to highlight the limits of control that Apache can inflict on the overall security of web applications. There are limits to what can be accomplished with Apache—a few issues are highlighted in this chapter that are outside the scope of Apache's control.

The most up-to-date document can be found at the WASC web site. Please keep in mind that the WASC Threat Classification was a cooperative effort created by the brilliant, dedicated members who generously donated their time and expertise to create this resource. I was merely one of the contributing members for this project. [Other contributing members are listed in the book]

Web Security Threat Classification Description

The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security-related issues.

Goals

The main goals of the threat classification document are as follows:
  • Identify all known web application security classes of attack.
  • Agree on naming for each class of attack.
  • Develop a structured manner to organize the classes of attack.
  • Develop documentation that provides generic descriptions of each class of attack.

Documentation Uses

This document may be used in a variety of ways, including the following:
  • To further understand and articulate the security risks that threaten web sites.
  • To enhance secure programming practices to prevent security issues during application development.
  • To serve as a guideline to determine if web sites have been designed, developed, and reviewed against all the known threats.
  • To assist with understanding the capabilities and selection of web security solutions.

Overview

For many organizations, web sites serve as mission-critical systems that must operate smoothly to process millions of dollars in daily online transactions. However, the actual value of a web site needs to be appraised on a case-by-case basis for each organization. Tangible and intangible value of anything is difficult to measure in monetary figures alone.

Web security vulnerabilities continually impact the risk of a web site. When any web security vulnerability is identified, performing the attack requires using at least one of several application attack techniques. These techniques are commonly referred to as the class of attack (the way a security vulnerability is taken advantage of). Many of these types of attack have recognizable names such as Buffer Overflows, SQL Injection, and Cross-site Scripting. As a baseline, the class of attack is the method the Web Security Threat Classification will use to explain and organize the threats to a web site.

The Web Security Threat Classification will compile and distill the known unique classes of attack, which have presented a threat to web sites in the past. Each class of attack will be given a standard name and explained with thorough documentation discussing the key points. Each class will also be organized in a flexible structure.

The formation of a Web Security Threat Classification will be of exceptional value to application developers, security professionals,software vendors, or anyone else with an interest in web security. Independent security review methodologies, secure development guidelines, and product/service capability requirements will all benefit from the effort.

Background

Over the last several years, the web security industry has adopted dozens of confusing and esoteric terms describing vulnerability research. Terms such as Cross-site Scripting, Parameter Tampering, and Cookie Poisoning have all been given inconsistent names and double meanings attempting to describe their impact.

For example, when a web site is vulnerable to Cross-site Scripting, the security issue can result in the theft of a user's cookie. Once the cookie has been compromised, an attacker may take over the user's online account through session hijacking. To take advantage of the vulnerability, an attacker uses data input manipulation by way of URL parameter tampering.

This previous attack description is confusing and can be described using all manner of technical jargon. This complex and interchangeable vocabulary causes frustration and disagreement in open forums, even when the participants agree on the core concepts. Through the years, there has been no well-documented, standardized, complete, or accurate resource describing these issues. In doing our work, we've relied upon tidbits of information from a handful of books, dozens of white papers, and hundreds of presentations.

When web security newcomers arrive to study, they quickly become overwhelmed and confused by the lack of standard language present. This confusion traps the web security field in a blur and slows ongoing progress. We need a formal, standardized approach to discuss web security issues as we continue to improve the security of the web.


[next]

URL: