The tCell team at Rapid7 has always been a big believer in the power of protecting applications "from within" (aka RASP) as a game-changing way of protecting applications in production. We're excited to be able to offer a new protection to address a large category of attacks involving the application compromise of the local file system.
Everyone knows that if the host of an application is compromised, the application can be compromised, so it's no surprise that securing hosts by such things as access controls and network segregation (among other things) are usually top of the security to-do list. However, what people often overlook is how the application itself can be a threat to the host (and, in turn, the entire infrastructure). One very common category of vulnerability is rooted in how an application accesses the file system. Unauthorized reads and writes to local files via the application process can have catastrophic consequences.
The application threats that lead to compromising local files
Local File Inclusion is when a web application returns in the HTTP response a file it should not have. A typical example is when local files are used as part of the response logic of the application. Consider this HTTP GET request:
If the developer failed to sanitize the input, the following could return a sensitive file:
Another example is Directory Traversal whereby traversal logic is included in the file name expected, and similar to the above, a sensitive file is accessed.
One can think of even more catastrophic traversals—for instance, when a Java app requests a filename for upload, and a traversal is included, resulting in a JSP file being overwritten by the attacker.
WAFs alone cannot defend against advanced threats
Every Web Application Firewall (WAF) will typically have rules to detect such traversal patterns. However, in reality, such filename manipulations only scratch the surface. Take, for instance, a remote code execution (RCE) vulnerability via an injection exploit. One such example was CVE-2017-5638, which allowed a crafted payload in the Content-Type request header to be executed, and that put Equifax on the front pages of mainstream press. In this case, an attacker could run arbitrary code, including reading and writing local files.
Or more recently, the Zip Slip vulnerability whereby a carefully crafted zip file can exploit faulty unzipping logic to compromise a system presents another challenge: In order to detect it in the HTTP request, one would have to inspect the zip contents.
Why WAFs are not enough
In all these cases, the attack vectors that can lead to a compromise of local files through the application are numerous. Once a known vulnerability is discovered and remediated, there are previously unknown vulnerabilities discovered, which may have in fact been introduced even earlier. As such, zero-days are a serious problem not only in the application code, but the third-party libraries the application depends on.
Traditional WAFs will attempt to prevent these by utilizing a signature to detect such exploits, and perform blocking operations when such an exploit is attempted. While this can be effective in reducing the ease in which a vulnerability can be exploited, it isn't comprehensive for the following reasons:
- WAFs can be bypassed by varying the attack payloads to evade the pattern detection.
- A WAF serving as a proxy to the application will not be able to detect if the payload will be successful if it reaches the application.
- Blocking is often at the HTTP request level, whereas, the compromise might happen outside of an HTTP request.
Because WAFs are limited by being a perimeter-oriented defense, a new breed of next-generation WAFs have come to market in recent years.
Going deeper: WAFs need RASP
Effectively stopping known and unknown vulnerabilities requires deeper protection. This is where RASP comes in. RASP techniques focus on surgical choke points that are data-driven, highly effective against bypass, and secured by intuitive policies.
In the case of tCell by Rapid7, in addition to WAF capabilities, the solution guards the file access at the code level, looking for any code that is reading and writing local files. The protection policy is derived from data collected on read/write operations by the application. When the policy is set, tCell then validates file operations conform to the policy. When violations of the policy occur, events with details of each violation are sent to the cloud for analysis and reporting, where incident response can be alerted within seconds of a breach. Further, the instrumentation can be configured to be "failed close" as opposed to "fail open," which means the attacker is thwarted immediately.
Despite having the vulnerability in the code, the attacker's attempt at exploiting it fails.
WAF + RASP = defense in depth
tCell is a solution that has both RASP and WAF capabilities and is designed for any team that adheres to the principle of defense in depth. With attackers who are highly motivated, reliance on perimeter controls are a good start but not sufficient. And while it's admirable that "shift left" has risen in awareness, it's for certain that vulnerabilities will still get through.
The new Local Files protection feature in tCell joins other RASP protections, such as tCell's ability to prevent Client/Browser compromise via XSS and prevent host compromise via attackers executing unauthorized OS commands, to provide defense against some of the most serious compromises that can occur.