Toward a Moving Target Defense for Web Applications

Web applications are a critical component of the security ecosystem as they are often the front door for many companies, as such, vulnerabilities in web applications allow hackers access to companies' private data, which contains consumers' private financial information. Web applications are, by their nature, available to everyone, at anytime, from anywhere, and this includes attackers. Therefore, attackers have the opportunity to perform reconnaissance at their leisure, acquiring information on the layout and technologies of the web application, before launching an attack. However, the defender must be prepared for all possible attacks and does not have the luxury of performing reconnaissance on the attacker. The idea behind Moving Target Defense (MTD) is to reduce the information asymmetry between the attacker and defender, ultimately rendering the reconnaissance information misleading or useless. In this paper we take the first steps of applying MTD concepts to web applications in order to create effective defensive layers. We first analyze the web application stack to understand where and how MTD can be applied. The key issue here is that an MTD application must actively prevent or disrupt a vulnerability or exploit, while still providing identical functionality. Then, we discuss our implementation of two MTD approaches, which can mitigate several classes of web application vulnerabilities or exploits. We hope that our discussion will help guide future research in applying the MTD concepts to the web application stack.