
Today ends our series of articles detailing the most common web threats (vulnerabilities and attacks) and how our very high security Cloud, CerberHost, protects websites against them. It is thus the occasion to summarize, in one article, all these attacks and their solutions.

These threats and their solutions can be divided into two groups: on the one hand, configuration issues, for which websites themselves are responsible and which make an attacker's work much easier; on the other hand, the attacks themselves, which can exploit these weaknesses. For optimal protection of your website, you must therefore pair a sound security configuration with external tools covering all the possibilities.

Configuration issues

For each configuration issue below, the internal configuration solutions are listed first, then the protections offered by CerberHost.

Using components with known vulnerabilities

It may seem obvious not to use components with known vulnerabilities, but the case remains common and can arise from many situations. It is also important to note that a website may be protected one day and no longer protected the next. A state of security must always be considered temporary.

Internal configuration solutions:
  • Regular update of the website components (platforms, plugins…)
Protections offered by CerberHost:
  • Preproduction / human expertise:
    • Intrusive audit of the source code seeking vulnerabilities
    • Virtual patching of the found vulnerabilities
  • Human expertise:
    • R&D watch of new vulnerabilities and update of the infrastructure components

Missing function-level access control 

A web application relies on a client-server mechanism, sometimes including a web service. Poor control of access to the server or web service allows an attacker to alter it for his own purposes.

Internal configuration solutions:
  • Set up an efficient authentication module
  • Security relying only on the server's side, never on the browser's side
  • Filtering by IP and/or ID/password on the server and web services
  • Choice of strong passwords
Protections offered by CerberHost:
  • Preproduction / platform validation:
    • Checking of the IP filtering
    • Checking of the strength of the rights on components
  • Website:
    • NAXSI: blocking of malevolent HTTP requests
    • Strong password policy, chosen by our experts
    • Encrypted protocols
  • Network:
    • Blocking of malevolent IPs and GeoIP filtering

Security misconfiguration

This threat includes the preceding ones but covers an even wider perimeter. The security configuration of third-party or network components, user accounts or even files, among other things, too often remains neglected by many websites.

Internal configuration solutions:
  • All the solutions above
  • Beware of unused pages, whose security is often neglected
  • Filtering and limitation of the IN/OUT flows to known IPs
Protections offered by CerberHost:
  • Preproduction / platform validation:
    • Standardisation of software configurations
  • Network:
    • Standardisation of the reporting in the logs

Sensitive data exposure

This is the main risk: it can result from, and is often the purpose of, the exploitation of vulnerabilities. That is why it is vital to ensure good protection of the data itself.

Internal configuration solutions:
  • Clear security policy with classification by importance
  • "Store only what you need" method
  • Data encryption
  • All the protections mentioned above
Protections offered by CerberHost:
  • Network:
    • Recorded transfers allowing information to be found in case of a compromise

Being able to handle the security configuration and data security of a website provides it, quite simply, with a first layer of protection. However, one must never be 100% sure of a website's security, and must take every possibility into account! New vulnerabilities are discovered every day, and the kinds of attacks that can exploit them are numerous.

Attacks

Before explaining the most common of these attacks, let us stop for a moment and pay attention to passwords. Indeed, we can never emphasize enough the importance of strong passwords. The use of a weak password makes a potential hacker's job extremely simple: it can easily be guessed by the bruteforce method, which is used in many attacks.

For the attack below, the internal configuration solutions are listed first, then the protections offered by CerberHost.

Bruteforce

This method consists in guessing a password by automatically testing all possible solutions until the right one is found.

Internal configuration solutions:
  • Strong password policy
Protections offered by CerberHost:
  • Website:
    • Anti-bruteforce Fail2ban: this tool prevents repeated requests and limits the number of requests/failures per second

Let us now look over the attacks themselves, and the internal and external solutions to protect your website from them.

For each attack below, the internal configuration solutions are listed first, then the protections offered by CerberHost.

Broken authentication and session management

The attacker will try to access private sessions. To do so, he or she will rely on weak passwords, on the association between cookies and session IDs, or even exploit the session timeout.

Internal configuration solutions:
  • Strong passwords
  • Not putting the session identifiers in the URL
Protections offered by CerberHost:
  • Website:
    • NAXSI: blocking of malevolent HTTP requests
    • Anti-bruteforce Fail2ban
    • Strong password policy, chosen by our experts
    • Encrypted protocols
    • Double authentication with IP and/or ID-password
  • Network:
    • Double authentication with password + key

SQL Injections

This attack consists in injecting language (often SQL), in a web form for instance, in order to access sessions, back offices or even databases. It can take the form of a sentence written instead of a password that tricks the computer, giving the attacker access to sessions.

Protections offered by CerberHost:
  • Preproduction / human expertise:
    • Intrusive audit of the source code seeking vulnerabilities
    • Virtual patching of the found vulnerabilities
  • Website:
    • NAXSI: blocking of malevolent HTTP requests (based on the terms used in SQL)
  • Database:
    • MySQL Sniffer: SQL analyzer blocking requests that imply too large a data transfer, hence malevolent, or that show potential signs of exploitation.
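The "sentence written instead of a password" above is what happens when a login query is built by gluing user input into SQL text. The following Python example, added here and not taken from the article or from CerberHost, puts the vulnerable login next to the parameterised one on a constructed in-memory SQLite table; the user name, password and bypass string are sample values chosen for the illustration.

```python
import sqlite3

# Constructed sample table: one user, password kept in plain text only to
# keep the example short (a real system stores a password hash).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # The query is assembled by string concatenation, so whatever the
    # visitor types becomes part of the SQL statement itself.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, name, password):
    # Parameterised query: the driver passes the values separately from the
    # statement text, so input can never change the structure of the query.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None

# Constructed sample of the classic tautology typed into the password field.
BYPASS = "' OR '1'='1"

def demo():
    """Run both logins against the same inputs and report what each accepts."""
    conn = make_db()
    return {
        "vulnerable_wrong_pw": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", BYPASS),
        "safe_bypass": login_safe(conn, "alice", BYPASS),
        "safe_right_pw": login_safe(conn, "alice", "correct horse"),
    }
```

With the concatenated query, the bypass string turns the WHERE clause into a condition that is always true and the login succeeds without the password; with the parameterised query the same string is compared as a literal password and rejected. A web application firewall such as NAXSI can block many such requests at the HTTP layer, but the parameterised query removes the vulnerability at its source.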

Insecure Direct Object References

On some websites, session identifiers appear in clear in the URL. If the website also has a missing function-level access control vulnerability, the attacker only has to change the identifier to access another account and its information.

Internal configuration solutions:
  • Referencing accounts with non-trivial identifiers (limiting the likelihood of the attacker finding an existing identifier)
  • Association of cookie / session / user rights
Protections offered by CerberHost:
  • Preproduction / human expertise:
    • Intrusive audit of the source code seeking vulnerabilities
    • Virtual patching of the found vulnerabilities
  • Website:
    • NAXSI: blocking of malevolent HTTP requests
    • Anti-bruteforce Fail2ban
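The two internal solutions just listed, non-trivial identifiers and tying the session to the user's rights, together with the server-side access control recommended in the "Missing function-level access control" section, are shown in one Python example below. It is an added illustration, not code from the article or from CerberHost; the in-memory session and account stores, the role names and the `Forbidden` exception are assumptions made for the example.

```python
import secrets
from functools import wraps

class Forbidden(Exception):
    """Raised when a request fails a function-level or object-level check."""

# Constructed in-memory stores standing in for the session and account tables.
SESSIONS = {}   # session cookie value -> {"user": ..., "role": ...}
ACCOUNTS = {}   # opaque account id -> {"owner": ..., "balance": ...}

def new_account(owner, balance):
    # Non-trivial identifier: 128 random bits instead of a sequential number,
    # so an attacker cannot enumerate other accounts by incrementing a counter.
    account_id = secrets.token_urlsafe(16)
    ACCOUNTS[account_id] = {"owner": owner, "balance": balance}
    return account_id

def login(user, role):
    # The session identifier is random and travels in a cookie, never in the URL.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role}
    return sid

def requires_role(role):
    # Function-level control: the check lives on the server, inside the handler,
    # and never depends on anything the browser claims about itself.
    def decorator(fn):
        @wraps(fn)
        def wrapper(session_cookie, *args, **kwargs):
            session = SESSIONS.get(session_cookie)
            if session is None or session["role"] != role:
                raise Forbidden("missing session or insufficient role")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator

@requires_role("user")
def view_account(session, account_id):
    # Object-level control: a valid session is not enough, the record must
    # belong to the user that the session is bound to.
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session["user"]:
        raise Forbidden("account does not belong to this user")
    return account["balance"]

@requires_role("admin")
def list_accounts(session):
    # Administrative function: only reachable with the admin role.
    return sorted(ACCOUNTS)
```

Even if another user obtains an account identifier, the ownership check in `view_account` refuses the request, and the random identifier makes guessing one impractical in the first place.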

Cross-Site Scripting (XSS)

The attacker places language (often JavaScript) on a website, which will be read and interpreted by the visitors' browsers. They will thus, unknowingly, download a virus, or have their data or accesses stolen… There are several possibilities.

Protections offered by CerberHost:
  • Preproduction / human expertise:
    • Intrusive audit of the source code seeking vulnerabilities
    • Virtual patching of the found vulnerabilities
  • Website:
    • NAXSI: blocking of malevolent HTTP requests
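The code-level fix that the source audit above would look for is output encoding: visitor-supplied text must be escaped for the context it is written into. The Python example below is added here and is not from the article or from CerberHost; the sample comment is constructed, and the three rendering functions are hypothetical page fragments for the HTML text, HTML attribute and inline-script contexts.

```python
import html
import json

# Constructed sample: a comment a visitor might submit to a forum or blog.
COMMENT = "<script>alert(document.cookie)</script>"

def render_unescaped(comment):
    # Vulnerable: the text is concatenated straight into the page, so the
    # browser parses the tag and runs the script for every visitor.
    return "<p>" + comment + "</p>"

def render_escaped(comment):
    # HTML text context: < > & " ' become entities and are displayed as
    # characters, never parsed as markup.
    return "<p>" + html.escape(comment) + "</p>"

def render_attribute(value):
    # Attribute context: always quote the attribute and escape quotes as well
    # (quote=True is html.escape's default), so the value cannot close the
    # attribute and start a new one such as an event handler.
    return '<input value="' + html.escape(value, quote=True) + '">'

def render_js_string(value):
    # Inline script context: json.dumps produces a valid quoted JS string
    # literal; "<" is additionally escaped so that a "</script>" inside the
    # value cannot terminate the script block early.
    literal = json.dumps(value).replace("<", "\\u003c")
    return "<script>var v = " + literal + ";</script>"

def injected_script_survives(markup):
    # Check used by the tests: does the rendered output still contain the
    # visitor's script tag as live markup?
    return "<script>alert" in markup.lower()
```

The same input is rendered safely in all three contexts, which is the point: one escaping routine does not fit every place in a page, and a firewall rule that blocks obvious `<script>` strings is a second line of defence, not a replacement for encoding.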

Cross-Site Request Forgery (CSRF)

This attack affects websites whose functionalities are known (for instance open-source applications). The attacker lures onto his own website a visitor who is also logged in to the vulnerable application, and uses this to send the application a request that is interpreted as legitimate. The consequences range from password changes to data theft.

Internal configuration solutions:
  • Inclusion, within requests, of a random element, so that the attacker cannot know everything that must be put in his request.
Protections offered by CerberHost:
  • Preproduction / human expertise:
    • Intrusive audit of the source code seeking vulnerabilities
    • Virtual patching of the found vulnerabilities
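The "random element" in the internal solution above is usually called a CSRF token. The Python example below is added here and is not the article's or CerberHost's code; it assumes a per-deployment server secret, a session identifier already stored in a cookie, and a hypothetical `/change-password` form, and derives the token from the session with an HMAC so that it never needs to be stored.

```python
import hmac
import hashlib
import secrets

# Per-deployment server secret (constructed at import time for the example;
# a real deployment keeps it in configuration, not in the code).
SECRET_KEY = secrets.token_bytes(32)

def csrf_token(session_id):
    # The random element is bound to the session: HMAC(server secret, session id).
    # A third-party site cannot read the victim's session cookie, so it cannot
    # obtain or compute the value it would have to include in a forged request.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def render_form(session_id):
    # The legitimate page embeds the token in the form it serves to the user.
    token = csrf_token(session_id)
    return ('<form method="post" action="/change-password">'
            '<input type="hidden" name="csrf" value="' + token + '">'
            '<input name="new_password"></form>')

def handle_post(session_id, form_fields):
    """Hypothetical handler: (status, message) for a submitted form."""
    supplied = form_fields.get("csrf", "")
    expected = csrf_token(session_id)
    # Constant-time comparison so that a wrong token is not rejected faster
    # or slower depending on how many leading characters match.
    if not hmac.compare_digest(supplied, expected):
        return 403, "CSRF token missing or invalid"
    return 200, "password changed"
```

A request carrying the browser's session cookie but no token, or a token computed for some other session, is refused with 403; only a form that the application itself served to that session passes. Setting the session cookie with the `SameSite` attribute adds a browser-side barrier on top of this server-side check.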

Unvalidated redirects and forwards

The attacker uses a redirect on a website to lead visitors to his illegitimate website, often a look-alike of the attacked site, and thus gathers information about the visitors, including their data.

Internal configuration solutions:
  • Limitation of the number of possible URLs
Protections offered by CerberHost:
  • Preproduction / human expertise:
    • Intrusive audit of the source code seeking vulnerabilities
    • Virtual patching of the found vulnerabilities
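"Limitation of the number of possible URLs" in practice means an allow-list of hosts the site will redirect to. The Python function below is an added example, not code from the article or from CerberHost; the site origin and the allowed hosts are constructed values. It goes a little beyond the text by handling the URL forms that commonly slip past a naive check: scheme-relative `//host` URLs, non-HTTP schemes, backslashes that browsers treat as slashes, and user-info tricks such as `https://good@evil`.

```python
from urllib.parse import urlparse, urljoin

# Constructed allow-list: the only hosts this site agrees to redirect to.
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}
SITE_ORIGIN = "https://www.example.com"

def safe_redirect_target(next_url, fallback="/"):
    """Return a redirect target on an allowed host, or the fallback path."""
    if not next_url:
        return fallback
    # Browsers treat backslashes like slashes in URLs; normalise first so that
    # "/\host" is not parsed as a harmless local path.
    candidate = next_url.replace("\\", "/")
    # Resolve relative paths against our own origin; absolute URLs stay as given.
    parsed = urlparse(urljoin(SITE_ORIGIN, candidate))
    if parsed.scheme not in ("http", "https"):
        return fallback  # rejects javascript:, data: and similar schemes
    # hostname is lower-cased and excludes any user@ prefix and port, so
    # "https://www.example.com@other.example/" is judged by its real host.
    if parsed.hostname not in ALLOWED_HOSTS:
        return fallback  # rejects //other.example and https://other.example
    return parsed.geturl()
```

The function never trusts a string comparison on the raw parameter: it parses the resolved URL and decides on the scheme and the real host, which is what the look-alike attack in the text relies on defeating.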

Buffer Overflows

Here the attacker uses the computer's memory to take control of a machine. By overflowing the memory reserved for a program's function and injecting code, he will be able to do whatever he wants with the machine.

Protections offered by CerberHost:
  • Human expertise:
    • R&D watch of new vulnerabilities for optimum reactivity
  • Operating system:
    • GRSEC/PAX patches for Linux, introducing a random element that increases the complexity of the attack
  • Operating system & applicative stack:
    • Profiling of daemons to notice unusual behavior (ExecVE Killer + GRSEC/PAX patches)

File uploads

An attacker sends an image to a website (for instance, as his avatar on a forum), but hides some code inside the image data. If the website is vulnerable, the request won't be blocked, and the attacker will be able to have this code executed by visitors' browsers. This allows him to steal data or even take control of the website.

Internal configuration solutions:
  • Not allowing files to be sent at all
  • Forbidding the execution of code from the location where sent files are stored
  • Checking the files' extension
  • Relying on the MIME type of the files
  • Randomly renaming the files so that the attacker cannot easily find them
Protections offered by CerberHost:
  • Website:
    • Waking of a daemon every time a file is created, raising an alarm if it contains code and preventing access to the malevolent file
    • NAXSI: filtering that forbids the upload of executable files
  • Applicative stack:
    • In-house anti-virus detecting malevolent PHP files
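The internal solutions above (extension check, content-type check, random rename) and the daemon that flags files containing code can be combined in one validation step at upload time. The Python function below is an added example, not the article's or CerberHost's code; the allowed image types, their magic-byte signatures, the list of script extensions and the code markers it looks for are assumptions constructed for the illustration.

```python
import os
import secrets

# Constructed allow-list of image extensions and the leading bytes each must start with.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions that must never appear anywhere in the name (e.g. avatar.php.png).
SCRIPT_EXTENSIONS = {"php", "phtml", "phar"}
# Byte patterns whose presence inside an "image" indicates embedded code.
CODE_MARKERS = (b"<?php", b"<?=", b"<script")

class UploadRejected(Exception):
    """Raised with the reason an upload was refused."""

def validate_upload(filename, data):
    """Return a random storage name for an acceptable image, or raise UploadRejected."""
    # Drop any directory part so "../../x.png" cannot escape the upload folder.
    base = os.path.basename(filename).lower()
    parts = base.rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    ext = parts[1]
    # Double extensions pass the last-extension test but still carry a script
    # extension that some servers execute: reject them outright.
    if any(p in SCRIPT_EXTENSIONS for p in base.split(".")[:-1]):
        raise UploadRejected("double extension")
    # Content check: the bytes must match the type the extension claims.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    # The daemon's job, done inline: refuse image data that embeds code.
    if any(marker in data for marker in CODE_MARKERS):
        raise UploadRejected("embedded code detected")
    # Random rename: the attacker cannot predict where the file was stored.
    return secrets.token_hex(16) + "." + ext
```

Store the returned name in a directory from which the web server serves static files only, with script execution disabled, so that even a file that slips past every check above is delivered as bytes and never run.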

The case of DDoS

All the attacks mentioned above mainly have data theft as their final purpose. Another type of attack exists, very widespread because it is easy to set up, which consists in taking a website down: DDoS.

For the attack below, the internal configuration solutions are listed first, then the protections offered by CerberHost.

DDoS

This type of attack consists in exhausting a website's resources by sending it too many illegitimate requests (automatically, often using zombie machines) so that it is no longer accessible to legitimate users.

Internal configuration solutions:
  • Blackholing of the IP address so that it no longer receives any requests. However, the site then becomes inaccessible.
Protections offered by CerberHost:
  • Website:
    • NAXSI: blocking of malevolent HTTP requests
    • Limitation of the number of requests per second
  • Network:
    • Arbor Networks tool mitigating network DoS
  • Operating system:
    • GRSEC/PAX patches with rules to avoid the exhaustion of resources
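The "limitation of the number of requests per second" listed here and the Fail2ban-style anti-bruteforce protection in the Bruteforce section are the same mechanism applied to two kinds of event: count per client over a sliding window, and block the client for a while once the count is exceeded. The Python class below is an added example, not code from the article, from CerberHost or from Fail2ban; the thresholds, client addresses and timestamps are constructed for the illustration, and time is passed in explicitly so the behaviour can be checked without waiting.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window event counter per client with a temporary ban on excess."""

    def __init__(self, max_events, window_seconds, ban_seconds):
        self.max_events = max_events        # events tolerated inside one window
        self.window = window_seconds        # length of the sliding window
        self.ban = ban_seconds              # how long a client stays blocked
        self.events = defaultdict(deque)    # client -> timestamps of recent events
        self.banned_until = {}              # client -> time at which the ban expires

    def allow(self, client, now):
        """Record one event for `client` at time `now`; False if it must be blocked."""
        if self.banned_until.get(client, 0) > now:
            return False                    # still banned: drop without counting
        recent = self.events[client]
        recent.append(now)
        # Forget events that have slid out of the window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) > self.max_events:
            # Threshold crossed: ban the client and reset its counter.
            self.banned_until[client] = now + self.ban
            recent.clear()
            return False
        return True

def simulate(limiter, client, times):
    """Feed a list of event timestamps for one client; return the allow/deny list."""
    return [limiter.allow(client, t) for t in times]

# Constructed policies:
#   login failures: 5 per 60 s, then a 10 minute ban (anti-bruteforce, Fail2ban style)
#   any request:    100 per second, then a 60 s block (request-rate limiting)
def make_login_limiter():
    return RateLimiter(max_events=5, window_seconds=60, ban_seconds=600)

def make_request_limiter():
    return RateLimiter(max_events=100, window_seconds=1, ban_seconds=60)
```

For the login policy, feed `allow` only with failed attempts so that a user who remembers the password on the second try is never locked out; for the request policy, feed it with every request from the client address. Both are per-source limits, which is why they stop a single bruteforcing host or a modest flood but not a distributed attack from thousands of addresses, the case the network-level mitigation above is there for.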


Discover CerberHost

(CerberHost presentation video)

CerberHost protects your website against all Top 10 OWASP attacks, and much more.

To discover CerberHost in pictures, watch its presentation video HERE.

Lucie Saunois
IT aficionado, specifically when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable by anyone.