Almost perfect protection for websites and other services - Mutual TLS

Its hard to secure your IT services and applications. The list of possible attacks is long, as shown in the Mitre Att&ck framework, the OWASP lists and so on.

What helps drastically reducing the attack surface is to use mutual TLS (explanations see https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/ or https://en.wikipedia.org/wiki/Mutual_authentication#mTLS or https://www.youtube.com/watch?v=x7B5CwcxCDI or https://www.ietf.org/rfc/rfc5246.txt) for authentication to establish access to your service/application. If you use certificates to authenticate your clients before accessing the first byte to of your service/application, you stop attacks at OSI layer 5. The attackers cant reach OSI layer 6 and 7 which  contain the most vulnerabilites and weaknesses by far.

I've asked ChatGPT to make a list to compare regular web applications with web applications, which use mutual TLS:

Attack TypeRegular Web ApplicationSecured Web Application (Mutual TLS)Mitre ATT&CK Tactic(s)
Cross-Site Scripting (XSS)VulnerableProtectedInitial Access, Execution, Persistence
SQL InjectionVulnerableProtectedCollection, Credential Access, Execution
Cross-Site Request Forgery (CSRF)VulnerableProtectedInitial Access, Collection
Session HijackingVulnerableProtectedCollection, Credential Access
Brute Force AttacksVulnerableProtectedCredential Access, Execution
ClickjackingVulnerableProtectedCollection, Defense Evasion
Directory TraversalVulnerableProtectedCollection, Exfiltration
File Upload VulnerabilitiesVulnerableProtectedExecution, Collection
LDAP InjectionVulnerableProtectedCollection, Credential Access
Man-in-the-Middle (MitM) AttacksVulnerableProtectedCollection, Credential Access, Execution
Remote File InclusionVulnerableProtectedExecution, Collection
XML External Entity (XXE) InjectionVulnerableProtectedCollection, Credential Access
Security MisconfigurationsVulnerableWay less vulnerableDefense Evasion, Discovery
HTTP Header InjectionVulnerableProtectedDefense Evasion, Execution
DDoS AttacksVulnerableWay less vulnerableImpact
API Security IssuesVulnerableProtectedCollection, Credential Access, Execution
HTTP Parameter PollutionVulnerableProtectedDefense Evasion, Execution
Session SidejackingVulnerableProtectedCredential Access, Collection
Social Engineering AttacksVulnerableProtectedCollection, Defense Evasion
Cross-Site Tracing (XST)VulnerableProtectedCredential Access, Collection
Fuzzing AttacksVulnerableProtectedExecution, Defense Evasion
CryptanalysisVulnerableWay less vulnerableCollection, Credential Access
Reverse EngineeringVulnerableProtectedCollection, Credential Access
Subdomain TakeoverVulnerableProtectedInitial Access, Collection
Session Token TheftVulnerableProtectedCredential Access, Collection
Vulnerabilies/0daysVulnerableWay less vulnerableInitial Access
Broken Object Level Authorization (BOLA)VulnerableProtectedCredential Access, Authorization
Improper Rate LimitingVulnerableWay less vulnerableDefense Evasion, Impact
Insecure Direct Object References (IDOR)VulnerableProtectedCollection, Credential Access
Insufficient Logging and MonitoringVulnerableWay less vulnerableDiscovery, Defense Evasion
Insecure DeserializationVulnerableProtectedExecution, Defense Evasion
Lack of Resources and Rate LimitingVulnerableProtectedDefense Evasion, Impact
Mass AssignmentVulnerableProtectedCredential Access, Collection
Insecure Cryptographic StorageVulnerableVulnerableCollection, Credential Access
Use of Components with Known VulnerabilitiesVulnerableWay less vulnerableCollection, Execution
Unvalidated Redirects and ForwardsVulnerableProtectedDefense Evasion, Initial Access
XML External Entity (XXE) InjectionVulnerableProtectedCollection, Credential Access

Caution: This is a simplified point of view - it is only focusing on the inital access. Mutual TLS certificate based authentication make the initial access for attackers almost impossible. Therefore most attacks are not possible anymore without the attackers gets his hands on a client certificate with its private key. However your IT stack is still vulnerable to OSI layer 1-5 attacks as well as e.g. to vulnerabilities within OpenSSL, LibreSSL etc.


No comments:

Post a Comment

Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...