Fool proof URL protection with URL encryption is a new feature in WAF 7.9. Let us begin with a couple of screenshots to illustrate this new feature.
The following is the “normal page”. Note that when you hover your mouse over the “Learn More” button, you can see the complete link in clear text:
The link to “Learn More” now shows up as encrypted for the most part. In fact, under the covers, this has happened for all the embedded links on this page.
Manipulating URL parameters is often the first and easiest step in attacking application logic (business logic attacks). Encrypting the URL path and parameters completely provides bullet-proof security for this attack surface. The Barracuda Web Application Firewall intercepts all outbound Web content and dynamically encrypts the protected site’s URLs in real time. The site’s visitors interact with the web application using only the encrypted URLs.
On subsequent requests, it ensures the integrity of the encrypted URLs before decrypting them back and forwarding to the protected web application. Any tampering of values is immediately detected and the request is dropped. Since this process is completely transparent to the protected applications, no change is required on them.
Application Logic Attacks
For example, consider a healthcare application that explicitly embeds patient IDs in URLs:
On encryption, this URL becomes:
This completely hides both the path “/ViewReport” as well as the parameter name “PatientID” and value “jjk45291”. This ensures that a malicious actor cannot get access to another user’s reports by manipulating the “PatientID” parameter. Even, if someone tries to manipulate the encrypted value, the request will be immediately blocked, since the decryption process would fail.
Tampering parameters in the URLs to get other user’s privileges is a very common attack, which has been seen numerous times in real life applications like bank screens, e-voting, healthcare sites, etc.
Application Layer Encryption is the only way to Trust User Inputs
One of the key insights here is that the core logic in the web applications sometimes accept inputs from the user, as the patient identifier in the URL above. However, applications can simply not trust this data, they have to implement a plethora of integrity and logic validations before they can trust it.
In the face of business pressures, how many folks would actually implement these checks? Would legacy applications be having these? For most of them – it’s a clear “NO”.
SSL encryption is not enough, as that only secures the data in transit but not on the client endpoint (browser). Even the “learning” feature in WAFs does not provide enough protection here, since the tampered input still adheres to the parameter class (alpha-numeral, etc).
URL Encryption completely secures the URL attack surface
Besides protecting against application logic attacks, this also provides strong protection against:
• Forceful browsing prevention, since the attackers cannot arbitrarily probe common URLs
• SQL and Cross Site Scripting Injection in URLs
• Zero-day attacks in the URLs
• CSRF protection (since the encrypted URLs are dynamically generated)
• Protection against referrer forgery (since attackers cannot predict referrer URLs)
In summary, URL Encryption is especially great for pages behind a login form, like in banks, etc, where users would not be expected to bookmark pages. You can turn this feature on at a granular level and do not need to turn it on for the whole site. Pages that are not vulnerable can be left out.
Further details can be found on http://techlib.barracuda.com.
For more information on the Barracuda Web Application Firewall and to order a risk-free 30-day trial, visit the product page here.