APP.3.1 Web Applications and Web Services
Description
Introduction
Web applications provide specific functions and dynamic (changing) content. For this purpose, web applications use the internet protocols HTTP (Hypertext Transfer Protocol) or HTTPS. With HTTPS, the connection is cryptographically secured by the TLS (Transport Layer Security) protocol. Web applications provide documents and user interfaces, e.g., in the form of input forms, on a server and deliver these upon request to the corresponding programs on clients, such as web browsers.
Web services are applications that use the HTTP(S) protocol to make data available to other applications. As a rule, they are not controlled directly by users.
To operate a web application or web service, multiple components are generally required. Common ones include web servers for delivering data and application servers for operating the actual application or web service. In addition, further background systems are required, which are often connected as data sources via various interfaces, e.g., databases or directory services.
Web applications and web services are used both in public data networks and in a local network (intranet) of an institution to provide data and applications. As a rule, clients must authenticate themselves in order to access a web application or web service.
Objective
The objective of this building block is to deploy web applications and web services securely and to protect information processed by them.
Scope and Modeling
The building block is to be applied to every web application and every web service used within the information domain.
Requirements for web servers and for the editorial planning of a web presence are not addressed in this building block. They are found in the building block APP.3.2 Web Servers. The development of web applications is addressed in the building block CON.10 Development of Web Applications.
Web service interfaces are often realized via Representational State Transfer (REST) and Simple Object Access Protocol (SOAP). This building block only considers REST-based web services. The focus is on the lifecycle phase “Operation”. Security requirements arising, for example, from planning and design as well as decommissioning and emergency preparedness are not addressed in this building block and must be determined separately within the scope of a risk analysis.
General requirements for the selection of software are addressed in the building block APP.6 General Software.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used as the basis for describing the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block APP.3.1 Web Applications and Web Services.
Insufficient Logging of Security-Relevant Events
If security-relevant events are insufficiently logged by the web application or web service, these may in some circumstances be difficult to trace at a later point in time. The causes of an event may then no longer be determinable. For example, critical errors or unauthorized changes in the configuration of the web application may be overlooked.
Disclosure of Security-Relevant Information in Web Applications and Web Services
Web pages and data generated and delivered by a web application or web service can contain information about background systems, e.g., details about databases or version statuses of frameworks. This information can make it easier during attacks to specifically target web applications or web services.
Misuse of a Web Application Through Automated Use
If the functions of a web application or web service are used in an automated manner, numerous operations can be executed in a short time. Using a repeatedly executed login process, it is possible, for example, to attempt to guess valid combinations of accounts and passwords (brute force). In addition, a list of valid accounts can be generated (enumeration) if the web application or web service returns information about existing accounts. Furthermore, repeated calls to resource-intensive functions such as complex database queries can be misused for denial-of-service attacks at the application level.
Insufficient Authentication
Often, special functions of a web application or web service are intended to be reserved for specific groups only. The corresponding persons then receive, for example, accounts that are exclusively equipped with the necessary access rights. Under these accounts, users authenticate themselves at the start of each session in the web application or web service, e.g., with an account name and password. If this authentication is not correctly configured, it may potentially be circumvented. Furthermore, a web application or web service can be configured so that access data is stored insecurely on the web server. In the event of a successful attack, attackers would then have access to large amounts of access data, which they could also use in other contexts.
Requirements
The following are the specific requirements of the building block APP.3.1 Web Applications and Web Services. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is meaningful and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Procurement Department |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people SHOULD fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
APP.3.1.A1 Authentication (B)
IT Operations MUST configure web applications and web services so that clients must authenticate against the web application or web service when they want to access protected resources. An appropriate authentication method MUST be selected for this purpose. The selection process SHOULD be documented.
IT Operations MUST establish appropriate limits for failed login attempts.
APP.3.1.A2 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.1.A3 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.1.A4 Controlled Inclusion of Files and Content (B)
If a web application or web service offers a file upload function, this function MUST be restricted by IT Operations as far as possible. In particular, the permitted file size, permitted file types, and permitted storage locations MUST be specified. It MUST be determined which clients are permitted to use the function. Access and execution rights MUST also be set restrictively. Furthermore, it MUST be ensured that clients can only store files in the specified permitted storage location.
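The restrictions that APP.3.1.A4 asks for (permitted size, permitted types, a fixed storage location, restrictive access rights) can be enforced in a single upload handler. The following is an added example, not code from the BSI text: the 2 MiB limit, the allowlist of types, the 0o640 file mode and the constructed sample inputs in `demo()` are assumptions chosen for illustration.

```python
"""Restricted file upload handling along the lines of APP.3.1.A4.

Added example, not from the BSI text: the size limit, the allowed types and
the 0o640 file mode are assumptions chosen for illustration.
"""
import os
import secrets
import tempfile
from pathlib import Path

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit: 2 MiB

# Allowlist of permitted types: extension -> accepted leading magic bytes.
# The client-supplied name alone is never trusted; the content is checked too.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised when an upload violates one of the configured restrictions."""


def validate_upload(filename: str, data: bytes) -> str:
    """Check size and type; return the accepted extension or raise UploadRejected."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size")
    ext = Path(filename).suffix.lower()
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        raise UploadRejected("type")
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content")
    return ext


def store_upload(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Write the upload under a server-chosen name inside upload_dir only."""
    ext = validate_upload(filename, data)
    root = upload_dir.resolve()
    # The client's path components (../, absolute paths, etc.) are discarded:
    # only the vetted extension survives, attached to a random server name.
    target = (root / (secrets.token_hex(16) + ext)).resolve()
    if os.path.commonpath([str(root), str(target)]) != str(root):
        raise UploadRejected("location")  # defence in depth
    # Create exclusively (no overwrite) with a non-executable mode.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise the checks in a temporary directory with constructed inputs."""
    outcomes = {}
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # constructed PNG stub
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stored = store_upload(root, "../../etc/passwd.png", png)
        outcomes["confined"] = stored.parent == root.resolve()
        outcomes["not_executable"] = (stored.stat().st_mode & 0o111) == 0
        outcomes["server_named"] = stored.name != "passwd.png" and stored.suffix == ".png"
        for name, payload in [
            ("script.php", b"<?php echo 'x';"),              # type not allowed
            ("fake.png", b"<?php echo 'x';"),                # name lies about content
            ("big.png", png + b"\x00" * MAX_UPLOAD_BYTES),   # too large
        ]:
            try:
                store_upload(root, name, payload)
                outcomes[name] = "accepted"
            except UploadRejected as exc:
                outcomes[name] = str(exc)
    return outcomes
```

The handler never reuses the client's file name: a random server-side name plus the vetted extension is what lands in the upload directory, which is how "clients can only store files in the specified permitted storage location" is enforced independently of what the client sends.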
APP.3.1.A5 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.1.A6 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.1.A7 Protection Against Unauthorized Automated Use (B)
IT Operations MUST ensure that web applications and web services are protected against unauthorized automated use. However, it MUST be taken into account how the protection mechanisms affect the usage options of authorized clients. If the web application contains RSS feeds or other functions that are explicitly intended for automated use, this MUST also be taken into account when configuring the protection mechanisms.
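APP.3.1.A1 (limits for failed login attempts) and APP.3.1.A7 (protection against automated use, with allowances for functions meant to be automated such as RSS feeds) share the same building block: a sliding-window counter. The following is an added example, not code from the BSI text; the thresholds, windows, the lockout period and the exempt path `/feed.rss` are assumptions for illustration.

```python
"""Limits on failed logins (APP.3.1.A1) and throttling of automated use
(APP.3.1.A7) on one sliding-window counter.

Added example, not from the BSI text. Thresholds, windows, the lockout
period and the exempt path /feed.rss are assumptions for illustration.
"""
import time
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key that occurred within the last `window` seconds."""

    def __init__(self, window: float):
        self.window = window
        self._events = defaultdict(deque)

    def add(self, key, now: float) -> int:
        """Record an event and return the count within the window."""
        q = self._events[key]
        q.append(now)
        self._prune(q, now)
        return len(q)

    def reset(self, key) -> None:
        self._events.pop(key, None)

    def _prune(self, q, now: float) -> None:
        while q and q[0] <= now - self.window:
            q.popleft()


class LoginGuard:
    """A1: after `max_failures` failed attempts within `window` seconds the
    account is locked for `lockout` seconds. Keying by account (not only by
    source address) keeps the limit effective against distributed guessing."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0):
        self.failures = SlidingWindowCounter(window)
        self.locked_until = {}
        self.max_failures = max_failures
        self.lockout = lockout

    def is_locked(self, account: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float = None) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        now = time.monotonic() if now is None else now
        if self.failures.add(account, now) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures.reset(account)


class AutomationGuard:
    """A7: per-client request throttle with an allowlist for functions that
    are explicitly intended for automated use, such as an RSS feed."""

    def __init__(self, max_requests=60, window=60.0, exempt_paths=("/feed.rss",)):
        self.requests = SlidingWindowCounter(window)
        self.max_requests = max_requests
        self.exempt_paths = set(exempt_paths)

    def allow(self, client_id: str, path: str, now: float = None) -> bool:
        """Return True if the request may proceed; denied requests still count."""
        if path in self.exempt_paths:
            return True
        now = time.monotonic() if now is None else now
        return self.requests.add(client_id, now) <= self.max_requests
```

Call `is_locked` before the password is checked, and return the same response for a locked account, an unknown account and a wrong password; otherwise the limit itself becomes the source of the account enumeration described in the threat landscape above. The `now` parameter exists so the behaviour can be tested deterministically; in production it defaults to a monotonic clock.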
APP.3.1.A14 Protection of Confidential Data (B)
IT Operations MUST ensure that access credentials for the web application or web service are protected server-side against unauthorized access using secure cryptographic algorithms. For this purpose, salted hash methods MUST be used.
The files containing the source code of the web application or web service MUST be protected against unauthorized retrieval.
APP.3.1.A16 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.1.A19 DISCONTINUED (B)
This requirement has been discontinued.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.
APP.3.1.A8 System Architecture (S) [Procurement Department]
Security aspects SHOULD be considered already during the planning of web applications and web services. Care SHOULD also be taken to ensure that the architecture of the web application or web service accurately captures and correctly implements the institution’s business logic.
APP.3.1.A9 Procurement of Web Applications and Web Services (S)
In addition to the general aspects of software procurement, the institution SHOULD at a minimum consider the following when procuring web applications and web services:
- secure input validation and output encoding,
- secure session management,
- secure cryptographic methods,
- secure authentication methods,
- secure methods for server-side storage of access credentials,
- appropriate authorization management,
- sufficient logging capabilities,
- regular security updates by the software developer,
- protection mechanisms against common attacks on web applications and web services, and
- access to the source code of the web application or web service.
APP.3.1.A10 DISCONTINUED (S)
This requirement has been discontinued.
APP.3.1.A11 Secure Connection of Background Systems (S)
Access to background systems on which functions and data are outsourced SHOULD only be possible via defined interfaces and from defined IT systems. For communication across network and site boundaries, data traffic SHOULD be authenticated and encrypted.
APP.3.1.A12 Secure Configuration (S)
Web applications and web services SHOULD be configured so that their resources and functions can only be accessed via the intended, secured communication paths. Access to resources and functions that are not required SHOULD be disabled. If this is not possible, access SHOULD be restricted as far as possible. The following SHOULD be implemented in the configuration of web applications and web services:
- Disabling unused HTTP methods,
- Configuring character encoding,
- Avoiding security-relevant information in error messages and responses,
- Storing configuration files outside the web root directory, and
- Setting limits for access attempts.
APP.3.1.A13 DISCONTINUED (S)
This requirement has been discontinued.
APP.3.1.A15 DISCONTINUED (S)
This requirement has been discontinued.
APP.3.1.A17 DISCONTINUED (S)
This requirement has been discontinued.
APP.3.1.A18 DISCONTINUED (S)
This requirement has been discontinued.
APP.3.1.A21 Secure HTTP Configuration for Web Applications (S)
To protect against clickjacking, cross-site scripting, and other attacks, IT Operations SHOULD set appropriate HTTP response headers. At a minimum, the following HTTP headers SHOULD be used:
- Content-Security-Policy,
- Strict-Transport-Security,
- Content-Type,
- X-Content-Type-Options, and
- Cache-Control.
The HTTP headers used SHOULD be as restrictive as possible.
Cookies SHOULD generally be set with the Secure, SameSite, and HttpOnly attributes.
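Several of the configuration points from APP.3.1.A12 (disabling unused HTTP methods, configuring character encoding, keeping security-relevant details out of error responses) and the headers and cookie attributes from APP.3.1.A21 can be enforced centrally in front of the application. The following is an added example, not code from the BSI text, written as a WSGI middleware: the method allowlist, the header values, the `sample_app` with its deliberately weak cookie and leaky error page, and the `call_app` test driver are all assumptions constructed for illustration.

```python
"""Secure HTTP configuration for a WSGI application: APP.3.1.A12 (unused
HTTP methods disabled, charset set, no security-relevant details in error
responses) and APP.3.1.A21 (response headers and cookie attributes).

Added example, not from the BSI text. The method allowlist, the header
values and the sample application are assumptions for illustration.
"""
from io import BytesIO

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed: everything else is unused here

# Assumed restrictive defaults; CSP frame-ancestors 'none' covers clickjacking.
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Cache-Control", "no-store"),
]
COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite=Strict")


def harden_cookie(value: str) -> str:
    """Add Secure, HttpOnly and SameSite to a Set-Cookie value where missing."""
    present = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
    extra = [a for a in COOKIE_ATTRS if a.split("=", 1)[0].lower() not in present]
    return "; ".join([value.rstrip("; ")] + extra)


def harden_headers(headers):
    """Fix cookies and charset, then append any missing security headers."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            value = harden_cookie(value)
        elif lname == "content-type" and value.startswith("text/") and "charset=" not in value.lower():
            value += "; charset=utf-8"  # A12: explicit character encoding
        out.append((name, value))
    have = {n.lower() for n, _ in out}
    out.extend((n, v) for n, v in SECURITY_HEADERS if n.lower() not in have)
    return out


class SecureHttpMiddleware:
    """Wraps any WSGI app; a generic body replaces whatever a 5xx response carried."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method not in ALLOWED_METHODS:
            headers = [("Content-Type", "text/plain"), ("Allow", ", ".join(sorted(ALLOWED_METHODS)))]
            start_response("405 Method Not Allowed", harden_headers(headers))
            return [b"Method not allowed\n"]
        captured = {}

        def _start(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers

        body = self.app(environ, _start)
        status, headers = captured["status"], captured["headers"]
        if status.startswith("5"):
            # A12: stack traces, paths and versions in the app's error page stay on the server
            body = [b"Internal error\n"]
            headers = [("Content-Type", "text/plain")]
        start_response(status, harden_headers(headers))
        return body


def sample_app(environ, start_response):
    """Constructed application: a page with a weak cookie, and a leaky error page."""
    if environ["PATH_INFO"] == "/boom":
        start_response("500 Internal Server Error", [("Content-Type", "text/html")])
        return [b"<pre>Traceback ... /srv/app/config.py line 42 ... MySQL 5.7</pre>"]
    start_response("200 OK", [("Content-Type", "text/html"), ("Set-Cookie", "session=abc; Path=/")])
    return [b"<html>ok</html>"]


def call_app(app, method: str, path: str):
    """Minimal WSGI driver for tests; returns (status, headers, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": BytesIO(b"")}
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return result["status"], result["headers"], body
```

The middleware only adds attributes and headers that are absent, so an application that already sends a stricter policy keeps it; `harden_cookie` likewise leaves an existing `SameSite=Lax` in place rather than silently changing the application's session semantics. The error-path replacement also logs nothing here; in a real deployment the original response should be written to the server-side log so the event remains traceable.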
APP.3.1.A22 Penetration Testing and Revision (S)
Web applications and web services SHOULD be regularly checked for security problems. In particular, revisions SHOULD be carried out regularly. The results SHOULD be documented in a comprehensible manner, adequately protected, and treated confidentially. Deviations SHOULD be investigated. The results SHOULD be presented to the ISO.
APP.3.1.A23 DISCONTINUED (S)
This requirement has been discontinued.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered when there is a high protection need. The specific determination takes place in the context of an individual risk analysis.
APP.3.1.A20 Use of Web Application Firewalls (H)
Institutions SHOULD use Web Application Firewalls (WAF). The configuration of the WAF used SHOULD be adapted to the web application or web service to be protected. After each update to the web application or web service, the configuration of the WAF SHOULD be reviewed.
APP.3.1.A24 DISCONTINUED (H)
This requirement has been discontinued.
APP.3.1.A25 DISCONTINUED (H)
This requirement has been discontinued.
Additional Information
Good to Know
The Open Web Application Security Project (OWASP) provides guidance on securing web applications and web services on its website.
The Federal Office for Information Security (BSI) provides guidance on the application of cryptographic methods in the document “Cryptographic Mechanisms: Recommendations and Key Lengths: BSI TR-02102”.