Protecting Against the Top 10 Application Vulnerabilities
The Open Web Application Security Project (OWASP) periodically compiles a list of the Top 10 web threats in the interest of improving application security. This list is used as a basis for regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS) to ensure the secure storage and transfer of sensitive data on the web.
The Barracuda Web Application Firewall offers comprehensive Web Application and API protection for your web, API, and mobile applications. The table below lists the Top 10 Risks and the protective measures offered by the Barracuda Web Application Firewall.
| Vulnerability | Description | Barracuda Web Application Firewall Solution |
|---|---|---|
| Broken Access Control | Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. | Intelligently profiles web traffic to build a positive security profile that can be used as an allow list of valid application resources and usage; traffic anomalous to this profile is denied. Web-based Allow Deny Rules (ADRs) allow for granular specifications of precise application domains that are accessible with and without authentication. Provides a granular URL and form-level rules engine that restricts access to unauthorized resources. Seamless integration with multiple credentialing systems (for example, LDAP, RADIUS, RSA SecurID, SAML, AD FS, etc.) provides strong single and multifactor access control. |
| Cryptographic Failures | Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII. Attackers may steal or modify such weakly- protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. | Intercepts and filters server responses to prevent data leakage of sensitive information like SSN and credit card numbers. Custom patterns can also be defined and blocked or masked from being leaked. Sensitive information can be masked inside logs. Implements strong cryptography in SSL offloading and instant SSL features to secure data in transit. Instant SSL easily transforms HTTP-only applications to use an HTTPS front-end, which is offloaded to the Barracuda Web Application Firewall. Enables usage of the most secure TLS protocols, with cipher- suite selection, Perfect Forward Secrecy (PFS), and HSTS. |
| Injection | Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. | Employs a mix of positive and negative security for filtering all web-based inputs inside URL, forms, cookies, and headers to prevent known and unknown (zero-day) attacks. Blocks any inputs that can be executed unintentionally inside interpreters. Detects obfuscated malicious payloads meant to evade detection. Deep- inspects entire client requests ( URL, query and form parameters, cookies, headers, etc.) to detect script injection. Prior to the inspection, it de-obfuscates (normalizes) all malicious payloads for common encoding schemes and applies other protocol and limit-based checks. |
| Insecure Design | Broad category representing different weaknesses, expressed as “missing or ineffective control design”. | Provides comprehensive API for all the configuration elements, which can be used to implement a secure development life cycle (SDLC) policy. For inherent flaws in the back-end application, virtual patching can be done to suitably handle implementation risks. |
| Security Misconfiguration | Exploits application stack vulnerabilities such as unpatched software, zero-day threats, and undeleted default accounts. Also exploits misconfigured HTTP headers and verbose error messages that contain sensitive information. | Filters application error or status responses to prevent attackers from profiling software vulnerabilities or identifying sensitive application-related information. Employs a mix of positive and negative security for filtering all web-based inputs to prevent known and unknown (zero-day) attacks. Applies strong authentication and authorization policies to secure access control. Proxies traffic to prevent direct access to backend servers. XML firewall protects against XML attacks including XXE attacks. All untrusted user inputs are validated, and any malicious data is identified and blocked. Protects the entire API attack surface, including dynamically generated URLs and URLs that use resource names as directories. Allows for virtual patching to easily close any open vulnerabilities. Protects the XML parser against any type of attack and enables SSL/TLS and AAA offload to completely secure the API surface. |
| Vulnerable and Outdated Components | Occurs when attackers can take control of and exploit vulnerable libraries, frameworks, and other modules running with full privileges. | Implements a hardened operating system and networking stack that proxies and shields vulnerable system stacks and components. Achieves security through obscurity by cloaking or masking responses that expose information about libraries, frameworks, and other modules. Virtual patching capability, with integration with over 25 well-known vulnerability scanners, ensures that any identified vulnerabilities are automatically patched on the Barracuda WAF. The Barracuda WAF provides support for implementing a Content Security Policy and Sub-Resource Integrity to safeguard users of the application and to ensure that external files/library references are monitored for changes. |
| Identification and Authentication Failures | Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. | Enforces session security and integrity in web applications by encrypting session tokens. Prevents MITM, MITB, and cookie replay attacks. Protects against tampering of hidden variables. Integrates with hardened browsers to prevent client-side session hijacking by keyloggers, framegrabbers, and other client-side malware. |
| Software and Data Integrity Failures | Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. | XML and JSON firewalls ensure that all XML, JSON, and SOAP requests are inspected and validated. Also inspects all incoming requests for deserialization attack patterns and block any matching requests. Enforce size checks on all incoming traffic and block attacks against the parsers. |
| Security Logging and Monitoring Failures | Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. | Provides extensive logging and reporting for all HTTP/HTTPS requests with ready integration with multiple SIEM vendors. Detailed log entries provide visibility into each part of the incoming request. This enables a centralized auditing and regulatory compliance framework for any protected application. Powerful reporting and notification modules provide a large number of pre-canned reports and threshold-based notifications to immediately identify security issues. |
| Server-Side Request Forgery (SSRF) | Occurs whenever the web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by security controls such as firewalls, VPNs, or any type of network access control list. | Sanitizes all user input to ensure that client-supplied data is not malicious. ACLs can be created to block HTTP redirections. Additional checks can be implemented for parameters and headers of a request to implement strict control on input values. |