Archive for December, 2008

Dec 19 2008

Tamper Proofing Web Applications at Run-Time

Published by Joe Hemler under Application Security, Tools

Earlier this week we presented at the OWASP NY/NJ chapter meeting on “Tamper Proofing Web Applications at Run-Time”.  The talk presented some strategies and free solutions for protecting web applications from input-driven attacks.  The goal is to harden web applications so that their non-editable inputs cannot be manipulated; when such inputs are left unchecked, they are a root cause of authorization bypass vulnerabilities such as parameter manipulation, forceful browsing and business logic flaws.  You can download the presentation slides here.

Non-editable inputs are those that end users do not need to modify directly – hidden form fields, URIs and QueryString parameters, cookies, etc.  Traditional approaches to protecting this data – black-list and/or white-list validation – are insufficient, because they only check the form of a value, not whether the current user was ever offered it: an account identifier that belongs to someone else still passes a numeric white list.  Validation alone therefore cannot prevent authorization flaws within the context of a user’s session.

Our talk demonstrated two freely available solutions that provide this type of protection for existing web applications without modifying the underlying application source code.  Both operate on the principle that the application should only permit users to perform the actions that the UI has rendered to them.  The idea is to inspect HTTP responses at run-time to identify all legitimate requests (forms and links), record the state of each possible request, and then validate subsequent requests against the stored state.  Specifically, we cover HDIV (HTTP Data Integrity Validator) for J2EE web applications and SPF (Secure Parameter Filter) for .NET web applications.  The implementation details of each are discussed, along with their pros and cons.
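
The record-the-response / validate-the-request loop described above, as an added illustration in Python (this is not HDIV’s or SPF’s own code, which are Java and .NET filters): it records the links and hidden form fields that a constructed sample page renders to one user, keeps that state in the session, and then checks later requests against it.  The sample HTML, the URLs, the account numbers and the field names are all constructed for the example.

```python
"""Model of run-time tamper proofing for non-editable inputs.

Added illustration only: this is not HDIV's or SPF's code. It records the
links and forms an HTTP response renders to a user, keeps that state in the
session, and later rejects any request whose non-editable parts (path,
query string, hidden fields) were never rendered to that user.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit


# Each allowed request is one tuple:
#   (METHOD, path, frozenset of (name, value) non-editable pairs,
#    frozenset of editable field names)
class ResponseRecorder(HTMLParser):
    """Collects every <a href> and <form> (with its hidden fields) in a response."""

    def __init__(self, response_url):
        super().__init__()
        self.response_url = response_url
        self.states = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            target = urlsplit(urljoin(self.response_url, a["href"]))
            # A link is a GET with a fixed query string and no editable fields.
            self.states.add(("GET", target.path,
                             frozenset(parse_qsl(target.query, keep_blank_values=True)),
                             frozenset()))
        elif tag == "form":
            self._form = {
                "method": (a.get("method") or "get").upper(),
                "action": urljoin(self.response_url, a.get("action") or self.response_url),
                "hidden": [], "editable": set()}
        elif tag in ("input", "select", "textarea", "button") and self._form is not None:
            name = a.get("name")
            if not name:
                return
            # Simplification: hidden inputs are non-editable, every other named
            # field may be filled freely (real tools also pin select/radio values).
            if (a.get("type") or "").lower() == "hidden":
                self._form["hidden"].append((name, a.get("value") or ""))
            else:
                self._form["editable"].add(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            f, action = self._form, urlsplit(self._form["action"])
            fixed = f["hidden"] + parse_qsl(action.query, keep_blank_values=True)
            self.states.add((f["method"], action.path, frozenset(fixed),
                             frozenset(f["editable"])))
            self._form = None


def record_response(session, html, response_url):
    """Response side: remember every request the UI just offered this user."""
    rec = ResponseRecorder(response_url)
    rec.feed(html)
    session.setdefault("allowed", set()).update(rec.states)


def validate_request(session, method, url, body=None):
    """Request side: accept only if the non-editable part of the request exactly
    matches a rendered state and every other parameter is an editable field of it."""
    parts = urlsplit(url)
    body_pairs = list(body.items()) if isinstance(body, dict) else list(body or [])
    submitted = parse_qsl(parts.query, keep_blank_values=True) + body_pairs
    for m, path, fixed, editable in session.get("allowed", ()):
        if m != method.upper() or path != parts.path:
            continue
        fixed_names = {n for n, _ in fixed}
        sub_fixed = frozenset(p for p in submitted if p[0] in fixed_names)
        extra_names = {n for n, _ in submitted if n not in fixed_names}
        if sub_fixed == fixed and extra_names <= editable:
            return True
    return False


# Constructed sample response, as rendered for the user who owns account 42.
SAMPLE_RESPONSE = """
<a href="/account/view?id=42">My account</a>
<form method="post" action="/transfer">
  <input type="hidden" name="from_account" value="42">
  <input type="text" name="to_account">
  <input type="text" name="amount">
  <input type="submit" value="Send">
</form>
"""


def build_session(html=SAMPLE_RESPONSE, url="http://app.example/home"):
    """Hypothetical host name; returns a session holding the recorded state."""
    session = {}
    record_response(session, html, url)
    return session


if __name__ == "__main__":
    s = build_session()
    print(validate_request(s, "GET", "/account/view?id=42"))   # rendered link: True
    print(validate_request(s, "GET", "/account/view?id=43"))   # parameter manipulation: False
    print(validate_request(s, "GET", "/admin/users"))          # forceful browsing: False
    print(validate_request(s, "POST", "/transfer",
                           {"from_account": "42", "to_account": "99", "amount": "10"}))  # True
    print(validate_request(s, "POST", "/transfer",
                           {"from_account": "7", "to_account": "99", "amount": "10"}))   # tampered hidden field: False
```

Running the block accepts the rendered link and the form submission while rejecting a changed id, a path the user was never shown, a tampered hidden field and an extra parameter the form never had.  A production filter must also cope with links generated client-side, several open tabs sharing one session, and growth of the stored state, and would pin the values of select, checkbox and radio inputs as well as hidden fields; the model above treats only hidden fields as non-editable.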

Dec 04 2008

OWASP Boston Slides and SPF Public Demo Site

Published by Brian Holyfield under Application Security, Tools

The slide deck from the “Tamper Proofing Web Applications at Runtime” talk I gave last night at the OWASP Boston meeting is now available for download.

We also released version 1.0.1 of SPF earlier this week and have a public SPF demo site running .NET PetShop v4 from MSDN.  More information on SPF can be found on its official page.
