What Check Point Can Teach Us About the Problems of Web Application Security

06.18.15

Dan Ennis CEO

Signature_Security

Last week, Check Point issued a blog post boasting the discovery of two WordPress vulnerabilities and described how these vulnerabilities were updated promptly in their IPS (Intrusion Prevention System).

Unintentionally, Check Point highlighted the critical flaw of conventional web application security: its inability to deal with zero-day threats and its never-ending chase after the next vulnerability.

In the article, Check Point elaborates about the two vulnerabilities:

 “Check Point researcher…recently discovered critical vulnerabilities in two widely used WordPress plugins: the Broken Link Checker and the Download Manager. These vulnerabilities allow:

  • Access to private data by unauthenticated users via Path Traversal.
  • Execution of malicious code and theft of user sessions via a stored XSS vulnerability.

Both plugins are widely deployed over 1.4 million web sites & they [The Plugin Developers, N.R.] already issued a patch for these vulnerabilities”

The article follows with a detailed description of the way these vulnerabilities can be exploited to execute two widely used attacks on the application layer: Stored XSS (cross-site scripting) and Parameter Manipulation, and how their IPS blocks attacks that exploit these vulnerabilities.

Why Conventional Security Cannot Handle Zero-Day Threats

WordPress vulnerabilities are discovered on a weekly basis – we’ve been writing about these vulnerabilities regularly. But the problem is not in the vulnerabilities’ existence; rather, it is in the way conventional security approaches this problem.

The article highlights a major flaw in the way conventional security systems work. Check Point discovered these vulnerabilities around June 2015, the time their article was published. However, we see Download Manager flaws being reported as early as December 2011 and a nearly identical bug disclosed by Sucuri in December 2014. Most likely, plugin users were exposed to attacks for a reasonable amount or days, even weeks, before the vulnerability was discovered.

IPSs and various types of Web Application Firewalls (WAFs) use signature lists, or “blacklists” to register known attack patterns, similar to anti-virus systems. When an application vulnerability, such as a WordPress vulnerability, is discovered, security vendors update signature databases in their solutions with the new attack pattern so that they can block it in the future. Plugin developers patch their code to eliminate the vulnerability and encourage their customers to update to the new version. Until the version is patched and updated, or until the security vendor updates the blacklist, the organization is exposed to attacks.

Exploiting a new, unknown vulnerability is referred to as a “zero-day attack”. The threat is known to the attacker but not to the defenders. The attacker is free to compromise a vulnerable website with no early warning, hence the term “zero-day”.

Blacklist-based web application firewalls, IPSs and application developers cannot protect against zero-day attacks effectively as they are entangled in a never-ending loop trying to keep up with the next vulnerability, patching code and updating security systems. Check Point’s article is meant to reassure customers. Instead, it exposes the weaknesses of conventional, signature-based web application firewalls (WAFs) and IPS systems.

Alternative Approaches 

Our vision at Sentrix is different. We create contextual security systems based around whitelisting policies. Instead of updating signature lists our solution understands the protected website’s functionality by scanning it continuously. It knows exactly what transactions are allowed to hit the site (whitelisting), reduces the application’s attack surface by up to 99%, and only serves these legal transactions.

When using this approach organizations can stop chasing the next vulnerability, developers can stop worrying about code patching and plugin updates, and websites are protected against past and future threats automatically and continuously regardless of patching and even if underlying code is vulnerable.

The conventional approach of signature-based/blacklist WAFs and IPS is outdated. The alternative approach of whitelists is complex to update and maintain. Today, protecting the web application can only be done by understanding it’s functionality – deeply and continuously. We see the results in the field.

 

blog-post-logo