Проблема непрерывной защиты веб-приложений. Взгляд со стороны исследователей и эксплуатантов

. , - , : WAF ( , SolidLab) , WAF (@avpavlov, Solar JSOC).



, WAF.









SolidLab. – application security – offensive ( , , ) defensive ( SDLC – , , , WAF ).



-, . , SOC, WAF’ /. . :

• 2001 Microsoft Research (?).
• Continuous delivery 2011 .
• 2014 Continuous Delivery Conference.
• 5 (. Google Scholar) (, “Continuous Software Engineering and Beyond: Trends and Challenges”) (, “Continuous delivery? easy! just change everything (well, maybe it is not that easy)”).

, – (, – «» «» ), QA- security-: « » . «» : – , , , .



, ( ) . ( ) :

• , .
• , / .
• , ( , ): .

, - (RoR, Django, Spring, Struts, ASP.NET MVC ..) , , , , CSRF find/replace. , - , CSRF, SQL injection, XSS. , XML- (.. safe defaults).



:

• (, -). , , / (. Insecure Direct Object Reference).
  
  
  
  
• , : , , , devops’). , (. Insecure File Upload), , (, SSO, , ).
  
  
  
  
• , 3rd-party // . , , , ( ImageMagic – CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718) ffmpeg. 3rd-party- . 2017 . Joomla (, CVE-2016-8870 + CVE-2016-8869) Apache Struts (CVE-2017-5638).

sSDLC , .



whateverbox- , , aka Bug Bounty. , (. Vulners, WhiteSource, OWASP dependency-check), – , . .



/ – , . , -, ( ) , (, ), (, ) . , - , - ( ), , , , .



, / .



, , -:

1. 1-day . – 1-day ( 0-day) , - .
   
   
   
   
2. ( , ). – ( , , ).
   
   
   
   
3. . – () , . , sSDLC, , , : Bug Bounty .

, , , ( WAF’ ), WAF'.



WAF’ ( ) ( benchmark WAF’ , ), , , . – WAF .



WAF



: WAF , , (injection/tampering).



:

1. / . PATH URL. , URL- (, /do), “action”, – “page” “res”. / HTTP-.
   
   
   
   
2. , . , HTTP - HTTP-.

, WAF’ – HTTP-, , , , .



:

• 3D-Secure. : POST- application/x-www-form-urlencoded, PaReq. PaReq XML-, DEFLATE, Base64 URL-. , XML-. WAF «» XML (/ ), WAF Fail Open. – XML JSON , , BASE64.
  
  
  
  
• Google Web Toolkit , ( JSON/XML/YAML/...). – :
  
  
  
  
  
  
  
  , WAF , , WAF . , ( !).
  
  
  
  
• Oracle Application Express (APEX). URL APEX :
  
  
  
  

  http://apex.app:8090/apex/f?p=30:180:3426793174520701::::P180_ARTICLE_ID:5024
        
        
  
          
          
          
        
  
      
          
          
          
        
        
  
          
          
          
        
  
      
      

  
  
  POST- URL- – , (x-www-urlencoded), – : x01=val1&x02=val2… .. :
  
  
  
  
  
  
  
  
  
  

, WAF , . , APEX x01, x02,… , , XML/JSON, base64, , , X-WWW-URLENCODED .



WAF



APEX : WAF // HTTP- ( URL, , ), .



, APEX x01, x02 .. , :

• (. x01 ).
• , , .

, WAF :

• x01, N , .
  
  
  
  
• x01 , K (<N) x01 .
  
  
  
  
• x01 - (, ), scope HTTP ( URL, ), , x01 (, , — ).

, WAF User Tracking^[1] APEX- - , login-, login-, logout- — HTTP-.



, , APEX-, URL: XML-RPC, JSON-RPC, SOAP ..



WAF



, - ( injection-) , ( //OTP, , – , , DoS ). , – (. Insecure Direct Object Reference). «» -.



– ?



, , - – , , , , , .



, WAF’ , , , , .

1. User Tracking , , . , (- , , logout- URL ..).
   
   
   
   
2. gamer.ru