Note:

This is not a comprehensive list. The threats outlined here had been reported during security vulnerability scan reports generated by APIGEE customers. Necessary corrective actions have been taken and these vulnerabilities have been mitigated. This blog is an attempt to list down common vulnerabilities that needs to be taken care of esp when building web app based solutions.

THREATS

1. Threat Name: Cross Site Tracing (XST)

Details:

HTTP methods like TRACE,TRACK allows the clients to see what is being received at the other end of the request chain. These methods are usually used for data testing or diagnostic information. These methods, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate user's credentials.

In a nut shell the real outcome of XST is that it exposes HTTP headers that are usually inaccessible to Javascript.

Rating: LOW-MEDIUM

Sample Use-Case:

Request:

curl TRACE http://test.in -H "Host: test.in"

Response:

200 OK HTTP/1.1

Host:"test.in"

Authorization: Basic "xyz"

cookie: sessionId=test;

Mitigation:

1.) Do not expose undocumented methods (TRACE,TRACK)

Apigee Policies for mitigation:

Sanitize response headers (either java script or using AssignMessage policy)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<AssignMessage name="fault_invalid_client">

<Remove>

<Headers>

<Header name="Server">*</Header>

</Headers>

<Remove>

<Set>

<Headers>

<Header name="Server">something</Header>

</Headers>

<Payload>{// PAYLOAD

}</Payload>

<StatusCode>{STATUS CODE}</StatusCode>

<ReasonPhrase>{response phrase}</ReasonPhrase>

</Set>

</AssignMessage>

2. Threat Name: Cross Site Scripting (XSS)

Details:

In XSS an attacker injects a client side code to the remote server. Of the several types of XSS two types majorly used are:

a) non-persistant xss

Also known as reflective XSS , this usually occurs when the web server reflects attacker's payload scripts ,such as in an error message , or a part of search result etc where some or all of the input is sent to the server as a part of the request.

b) persistant xss

This is similar to non-persistant xss with the difference being that the attacker's payload script is permanently stored in target application(example within a comment field of a blog etc ).so when the victim navigate to the afected page , he inadvetantly ends-up executing the payload script ,once the page is viewed in the browser

Sample Use-Cases:

Lets say we have a simple server side script (say for a blogging site) which stores/display's the user's comments .

print "<html>"

print "Latest comment:"

print database.latestComment

print "</html>"

The script assumes that the comments consists of text only .However an attacker could submit the below in the comments field :"<script>......malicious script....</script>". So any user visting the page will recieve the following response

<html>

latest comments:

<script>......malicious script....</script>

</html>

Rating: MEDIUM-HIGH

Mitigation:

1) Have secure input handling by encoding

Ensure that the input characters are appropriately escaped. For example the most recogonizable form of encoding is HTML escaping, whcih converts characters like "<" and ">" into < and > respectively

2) Input handling by validation

Validate the type and data of input that is provided in the requests. Also there are situations where encoding becomes inadequate. In such cases encoding has to be complemented with validation.

3) Usually encoding and validation are sufficient in most of the cases to prevent XSS. As a third line of defense use of CSP (Content Security Policy) is recommended. CSP is used to constrain the browser viewing a web page so that it can only use resources (script/stylesheet etc) loaded from a trusted site. To enable CSP ,the HTTP response should be served with an additional "Content‑Security‑Policy" Header.

Apigee Policies for mitigation:

Input validation and Ecoding can be done in APIGE by using a combination of "extract Varibles" and Javascript policy.

CSP can be added in HTTP/HTTPS response bby using java script or "AssignMessage" policy.

<AssignMessage name="AssignMessage-3">

<AssignTo createNew="true" type="request">request1</AssignTo>

<Set>

<Headers>

<Header name="Content-Security-Policy">default-src 'self'</Header>

</Headers>

</Set>

<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>

</AssignMessage>

3. Threat Name: Cross Site Reference Attack (CSRF or XSRF) or 'Sea Surf' ,Session Riding attacks

Details:

In this attack a malicious website will send a request to a web application that a user is already authenticate against from another website. This way the attacker can target the web application via victim's already authenticated web browser.

It is different form XSS in that while in XSS the attacker exploits the trust that the user has for a web site , in this case the attacker exploits the trust teh website has for a user.

Rating: MEDIUM-HIGH

Sample Use-Cases:

Assuming the victim is already authenticated in his banking website , the attacker can include a link or script in a third-party website that the victim visits. For instance, in a chat forum, an attacker posts a message that contains an image tag or an HTML image element. However, the source of the image contains a link which performs an action on a victim’s bank website account. So, instead of an image file the attacker has included a link that performs a bank transaction. Below is an example of the image tag containing a rogue URL.

<img src="http://mybank.example.com/withdraw?account=test&amount=1000000&for=me">

Mitigations:

1) Use Tokens

It is always going to be difficult for a attacker to guess a token.

Use of Apigee Edge OAuth V2 policies can be use to manage the tokens

2) Add a per-request nonce to the URL and all forms in addition to the standard session

3) Checking for 'referer' Header can help mitigate this attack , by ensuring that the HTTP request has come from the original site

Apigee Policies for mitigation:

In APIGEE edge one way of achieving this is to have a conditional check(conditional referencing) on out of the box system variable(request.headers.referer) value and take appropriate actions.

Sample:

<RouteRule name="default">

<Condition>request.header.referer != "abc.com"</Condition>

<TargetEndpoint>RaiseFault</TargetEndpoint>

</RouteRule>

4. Threat Name: Broken Authorization - session management exploits

Details:

This is particularly important for web apps. Attackers, both internal and external, can take advantage of these flaws to steal accounts from others and impersonate users. One of the more prominant flavor of the above exploit is the "Session fixation" exploit. In such exploit the attacked "fixes" the session id even before the user logs into the target server

Rating: LOW-MEDIUM

Sample Use-Cases:

A typical use case is the ability to retrieve the response using the browser's "BACK" button. For example for a 3 legged Oauth , with an improper implementation of the Authorization Code grant flow , the access token can be retrieved multiple time ,by hitting the back button in the browser

Apigee Policies for mitigation:

1) Cache-Control:no-cache & Pragma:no-cache headers are set in every response to the web app

In APIGEE Edge using the OOTB policy "Assign Message" the above headers can be added to response.

<AssignMessage name="AssignMessage-3">

<AssignTo createNew="false" type="response"/>

<Set>

<Headers>

<Header name="Cache-Control">no-cache</Header>

<Header name="Cache-Control">no-cache</Header>

</Headers>

</Set>

<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

</AssignMessage>

2) Ensure that SSL is used for all the authentication parts of the application

In APIGEE edge the application proxy must be exposed on a secure virtual host(port 443)

5. Threat Name: Insecure HTTP Redirect and covert redirect vulnerability

Details:

In correct and insecure 301 http redirection has sever security ramification , as it would allow a malicious attacker to persistently alter and remote control the way the application functions.

Rating: LOW-MEDIUM

Sample Use-Cases:

Consider two cases .

Case 1: An 301 redirection from https to http

In a few implementations of OAuth (3-legged), which required user authorization, it was observed that the redirection would happen from HTTPS to HTTP web page. It exposes the user data (that is captured on http) to be vulnerable to Man-In-Middle attack

Case 2: An 301 redirection form http to https

Since we are doing a 301 redirect over HTTP, someone could man-in-the-middle that connection and redirect the request anywhere they wanted - in particular they could actually not redirect at all, and instead get between the computer and the server(say http://example.com) , monitoring the connection and serving its contents under the name (http://example.com) instead.

Apigee Policies for mitigation:

One way to mitigate these threats is to use the HSTS HTTP header. This header tells the browser or browser like applications to load the pages only in HTTPS until some date in future. To cover the edge cases of the attack (case where the exploiter MITM the redirect even before HSTS is read by the browser), one can add the domain to the HSTS preload list.

Additionally ensure that every response over HTTPS has the below security headers.

Strict-Transport-Security

X-XSS-Protection

X-Content-Type-Options

X-Frame-Options

In Apigee Edge this can be achieved by using the "Assign Message" policy attached at the "post flow" response path of Client end point.

Sample code:

<AssignMessage name="AssignMessage-3">

<AssignTo createNew="false" type="response"/>

<Set>

<Headers>

<Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>

<Header name="X-XSS-Protection">1; mode=block</Header>

<Header name="X-Content-Type-Options">nosniff</Header>

<Header name="X-Frame-Options">deny</Header>

</Headers>

</Set>

<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

</AssignMessage>

6. Threat Name: HTTP PARAMETER POLLUTION(HPP)

Details:

This vulnerability belongs to "injection" class of vulnerabilities. Under this attack, the attacker supplies multiple HTTP parameters with the same name. One consequence is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.

The consequence depends on the application's logic and can vary from a irritant to complete corruption of applications behavior.

Rating: LOW-MEDIUM

Sample Use-Cases:

Consider the below sample request

http://www.test.com/employee?id=-1+UNION+SELECT+username,password+FROM+users

Typically any server implemention remediation for SQL injection attack would reject the above request. But using HPP we can by pass this injection check.

http://www.test.com/employee?id=-1+UNION+SELECT+username&id=password+FROM+users

Depending on how the application is implemented, the resultant request.QueryString["id"] might be a glued value of the split parameters .

Apigee Policies for mitigation:

Ensure that an informed decision is been taken on handling of multiple occurrences of query parameters.

Also w.r.t APigee Edge , where ever we are adding a new parameter / modifying any existing query parameter ,ensure that the query param is first "removed" and then we "set" the new parameter.

Sample code:

<AssignMessage name="AssignMessage-3">

<AssignTo createNew="true" type="request">request1</AssignTo>

<Remove>

<QueryParams>

<QueryParam name='address'/>

</QueryParams>

</Remove>

<Set>

<QueryParams>

<QueryParam name="address">{value}</QueryParam>

</QueryParams>

<Verb>GET</Verb>

</Set>

<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>

</AssignMessage>

7. Threat Name: Response splitting

Details:

The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response

Here the attacker completely controls the second response. HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. A very common use is in redirection URL.

Rating: LOW-MEDIUM

Sample Use-Cases:

Consider a request

http://www.example.com/index.jsp?lang=en

The parameter value for "lang" is coming from the end user.

For this request ,lets say that the typical response is a 302 redirect

Request:

http://www.example.com/index.jsp?lang=en

Response:

HTTP/1.1 302 Moved Temporarily

Date: xxxxxxxx

Location: http://example.com/by_lang.jsp?lang=eng

Server: xxxxxxxxxx

Content-Type: text/html

Attack scenario:

Now say the attacker send a malicious request in the below format

Request:

http://example.com/index.jsp?lan=foobar%0d%0aContentLength:%200%0d%0d%0a%0aHTTP/1.1%20200%20OK%0d

%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Attack</html>

This results in teh following response

HTTP/1.1 302 Moved Temporarily

Date: Wed, 24 Dec 2003 15:26:41 GMT

Location: http://10.1.1.1/by_lang.jsp?lang=foobar

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 19

<html>Shazam</html>

Server: xxxxxxxxxxxxxxxx

271009 with

Content-Type: text/html

The target parses this response as follows, A first HTTP response, which is a 302 (redirection) response.. A second HTTP response, which is a 200 response, with a content comprising of 19 bytes of HTML. Superfluous data - everything beyond the end of the second response is superfluous, and does not conform to the HTTP standard.

This exploit can be used to

-- take over a user's browser

-- redirect to a different host/web page

-- It can poison the cache

-- can lead to XSS

Mitigation:

1) If there are values beyond the trust boundaries that are used in HTTP messages ,validate the values by white listing 2)Remove all hazardous characters before embedding data into any HTTP response headers 3) In event the parameter are allowed to to contain a CR/LF,URL encode all data in HTTP headers with HTML entity reference

Apigee Policies for mitigation: In APIGEE Edge parameter values can be accessed using system variables in request/response flow(request.queryparams.{parmetername}/request.headers.{header-name}) Assignmessage Policy can be used to overwrite the values of existing parameters

Sample code: <AssignMessage name="AssignMessage-3"> <AssignTo createNew="true" type="request">request1</AssignTo> <Set> <QueryParams> <QueryParam name="address">{sanatized value}</QueryParam> </QueryParams> <Headers> <Header name="Location">{sanatized value}</Header> </Headers> </Set> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> </AssignMessage> The same can be achieved using the get/set methods via javascript