Barracuda Networks







Input Sanitization

Trusting user input leaves Web applications open to attack and is by far one of the most common mistakes made by Web developers. All data should therefore be properly validated and ‘cleaned’ before being sent to the back-end servers. Barracuda Web Application Controllers plug this security hole by analyzing the input data present in online forms, cookies and URLs and by sanitizing that data wherever needed.

Form Protection
Many Web programmers assume that user input from certain HTML controls, such as radio buttons or drop-down menu lists, can only be a predetermined value and that browsers can be relied upon to enforce this constraint. This assumption is incorrect and can leave networks vulnerable to attack. A browser will indeed attempt to limit user input as appropriate, but a malicious user can put a proxy between the browser and the application and modify field types outside the browser's visibility. It is therefore possible for a radio button field to come back containing an executable buffer overflow exploit. This style of attack is known as "form tampering".

Barracuda Web Application Controllers remember all the field types created by the application per session and ensure that when the user's responses for those fields come back they remain as the programmer defined them.

Cookie Protection
Exploiting vulnerabilities in cookie-handling code is another common tactic of hackers. Because cookies are the most common means of identifying users, if the hacker can guess a legitimate user's cookie, the hacker essentially “becomes” that user. Barracuda Web Application Controllers use two methods to foil such attacks:

  • Cookie Encryption: makes it impossible to interpret the cookie, thus rendering the entire line of attack unproductive. Barracuda Web Application Controllers encrypt cookies sent to the user, and on subsequent user requests the Barracuda Web Application Controller decrypts the cookies before passing them to the back-end Web server, with no changes to the application itself.

  • Cookie Signing: for each cookie generated by the server, Barracuda Web Application Controllers add a second cookie which is the digital signature of the first. Barracuda Web Application Controllers can detect tampering of the first cookie if a mismatch between the original cookie and its digital signature is identified.
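The cookie-signing mechanism described above, as an added illustration rather than Barracuda's own code: the server-side secret, the `_sig` suffix for the companion cookie and the use of HMAC-SHA256 are assumptions, since the page only states that the second cookie carries the first cookie's digital signature and that a mismatch reveals tampering.

```python
import hashlib
import hmac

# Constructed example key; a real deployment loads this from protected config.
SECRET = b"example-signing-key-not-for-production"


def sign_cookie(name: str, value: str, key: bytes = SECRET) -> dict:
    """Return the original cookie plus a companion '<name>_sig' cookie.

    The cookie name is bound into the MAC so a valid signature for one
    cookie cannot be replayed as the signature of a different cookie.
    """
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return {name: value, f"{name}_sig": mac}


def verify_cookies(cookies: dict, name: str, key: bytes = SECRET) -> bool:
    """Accept the cookie only if its companion signature matches.

    A missing signature is treated as tampering, and the comparison is
    constant-time so the check itself leaks nothing about the expected MAC.
    """
    value = cookies.get(name)
    sig = cookies.get(f"{name}_sig")
    if value is None or sig is None:
        return False
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed session cookie as the back-end server might issue it.
    issued = sign_cookie("session", "user42")
    print("untouched cookie accepted:", verify_cookies(issued, "session"))
    # Simulated tampering: the value is changed but the signature is not.
    tampered = dict(issued, session="admin")
    print("tampered cookie accepted:", verify_cookies(tampered, "session"))
```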

SQL & OS Command Injection
Application-layer attacks take numerous forms, including SQL injection, OS command injection and phishing attacks built on JavaScript injection, also known as Cross-Site Scripting (XSS). These attacks are especially pernicious because they compromise the actual program code of an application in order to steal database tables or to trick users into revealing their identities and personal data. Ultimately, all of these attacks stem from a common programmer mistake – forgetting to validate the input received from the user.

Barracuda Web Application Controllers protect against these types of attacks by continuously monitoring all user input for elements of SQL and JavaScript syntax. Even if a programmer forgets to validate input, Barracuda Web Application Controllers automatically protect the application by normalizing the offending data.

 


Copyright © 2008 Barracuda Networks. All rights reserved. Privacy Policy.
