The Hacking Evolution: New Trends in Web Application Exploits and Vulnerabilities Brian Christian, S

1
The Hacking Evolution New Trends in Web
Application Exploits and Vulnerabilities Brian
Christian, Senior Security Engineer and
Co-Founder, S.P.I Dynamics
2
Agenda

• Part 1 Introduction How on earth did we
  get to this point?
• Part 2 Identifying the Problem How does this
  stuff happen?
• Part 3 Key Application Vulnerabilities
  Past, present and future
• Part 4 What Application Security Means to
  Compliance Efforts and how to fix the problem.
  
• Part 5 More information and online resources
• Part 6 QA

3
Part One

• Introduction

• Who We Are - SPI Dynamics in a nutshell
• Application Security -How did we get to this
  point?

4
SPI Dynamics
The Leader In Web Application Security Assessment

• We manufacture and license WebInspect, our
  industry leading web application security
  assessment product, to enterprises, consultants,
  and other institutions, both directly and via
  global partners.
• We own the worlds leading database of web
  application security vulnerabilities,
  SecureBase. SecureBase is updated frequently by
  SPI Labs, our U.S.-based research development
  organization.

5
Web Sites
Simple, single server solutions

• Web Server
• HTML
• CGI

Browser
6
Web Applications
Very complex architectures, multiple platforms,
multiple protocols
Web Services
Database Server Customer Identification Access
Controls Transaction Information Core Business
Data
Application Server Business Logic Content services
Web Servers Presentation Layer Media Store
Wireless
Browser
7
Common Web Applications
8
The Absolute Truth

• All code has bugs regardless of platform,
  language or application.
• From a Microsoft to a Mom and Pops home- brewed
  application, all code has bugs.
• Some bugs are functionality bugs, which are
  discovered by QA.
• Other bugs are security bugs, which largely go
  unidentified.
• As long as functionality is the main objective
  and not security, there will always be
  vulnerabilities in computer applications.

9
Why These Thing Happen
This is all the stuff that your application is
supposed to do.
10
Why Web Application Attacks Occur
The Web Application Security Gap
Application Developers and QA Professionals
Dont Know Security
Security Professionals Dont Know The
Applications
As a Network Security Professional, I dont know
how my companys web applications are supposed to
work so I deploy a protective solutionbut dont
know if its protecting what its supposed to.
As an Application Developer, I can build great
features and functions while meeting deadlines,
but I dont know how to develop my web
application with security in mind.
11
Web Applications Breach the Perimeter
HTTP
INTERNET
IMAP SSH POP3
FTP TELNET
Firewall only allows PORT 80 (or 443 SSL) traffic
from the internet to the web server. Any Web
Server 80
DMZ
Firewall only allows applications on the web
server to talk to application server. Web
Server Application Server
TRUSTED INSIDE
Firewall only
allows application
server to talk to database
server. Application Server
Database
CORPORATE INSIDE
12
Web Applications Invite Public Access
Today over 70 of attacks against a companys
website or web application come at the
Application Layer not the network or system
layer.
- Gartner Group
13
Web Application Risk
Web application incidents cost companies more
than 320,000,000 in 2001.
Forty-four percent (223 respondents) to the 2002
Computer Crime and Security Survey were willing
and/or able to quantify their financial losses.
These 223 respondents reported 455,848,000 in
financial losses.
2002 Computer Crime and Security
Survey Computer Security Institute San
Francisco FBI Computer Intrusion Squad
14
Part Two

• Identifying the Problem

• What are the primary vulnerabilities?
• How and why they occur

15
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple
areas.
Application
Parameter Manipulation Cross-Site Scripting SQL
Injection Buffer Overflow Reverse Directory
Transversal JAVA Decompilation Path
Truncation Hidden Web Paths Cookie
Manipulation Application Mapping Backup
Checking Directory Enumeration
Administration
Extension Checking Common File Checks Data
Extension Checking Backup Checking Directory
Enumeration Path Truncation Hidden Web
Paths Forceful Browsing
Platform
Known Vulnerabilities
16
Cross Site Scripting

• (or XSS)

17
Cross Site Scripting (XSS)

• Cross-site scripting (also know as XSS or CSS)
  occurs when dynamically generated web pages
  display input that is not property validated.
• A user passes input in the form of a parameter to
  the web server.
• The web server returns the user provided input
  back to the user without proper encoding.
• Again, a demonstration!

18
SQL Injection
19
SQL Injection Defined

• SQL injection is a technique for exploiting web
  applications that use client-supplied data in SQL
  queries without stripping potentially harmful
  characters first.
• Allow me to demonstrate!

20
Part Three

• Key Application Vulnerabilities

• Past, Present and Future
• Google Hacking

21
Google Hacking

• More then searching for great pr0n.

22
Google Hacking

• Find vulnerable sites using Google (Old method
  new life)
• Example Search Queries
• filetypemdb inurladmin 180 results
• Filetypexls inurladmin 14,100 results
• ORA-00921 unexpected end of SQL command
  3,470 results
• allintitleNetscape Enterprise Server Home Page
  431 results

23
Google Hacking

• Take this method a step further and use it to
  narrow your attack victims.
• inurlid filetypeasp sitegov 572,000
  results
• inurlid filetypeasp sitecom 7,150,000
  results
• inurlid filetypeasp siteorg 3,240,000
  results
• Use this list as a baseline for identifying SQL
  injection vulnerabilities

24
Google Hacking

• Take this method a step further and use it to
  narrow your attack victims.
• inurlid filetypeasp sitegov 572,000
  results
• inurlid filetypeasp sitecom 7,150,000
  results
• inurlid filetypeasp siteorg 3,240,000
  results
• Use this list as a baseline for identifying SQL
  injection vulnerabilities

25
Google Hacking

• Took 1 hour of coding
• 500 vulnerable sites were found in 1 minute and
  26 seconds

26
Google Hacking
Find next victim
Exploit victim
Exploit victim

• Application Worm

27
Enter the Santy Worm

• Perl.Santy is a worm written in Perl script that
  attempts to spread to Web servers running
  versions of the phpBB 2.x bulletin board software
  Viewtopic.PHP PHP Script Injection Vulnerability
  
• Other systems are not affected. If successful,
  the worm copies itself to the server and
  overwrites the files with the following
  extensions.asp, .htm, .jsp, .php, .phtm, .shtm
• The worm uses the Google search engine to find
  potential new infection targets. Google has now
  implemented blocking Perl.Santy search requests,
  which is expected to greatly reduce the worm's
  ability to propagate and lower the risk of
  further infections.

28
Enter the Santy Worm

• Perl.Santy.A Computer Associates, Santy
  F-Secure, Net-Worm.Perl.Santy.a Kaspersky,
  Perl/Santy.worm McAfee, PHP/Santy.A.worm
  Panda, Perl/Santy-A Sophos, WORM_SANTY.A
  Trend Micro
• UNIX, LINUX, Windows 2000, Windows 95, Windows
  98, Windows Me, Windows NT, Windows Server 2003,
  Windows XP

29
http//www.google.com/search?num100hlenlras_
qdrallqallinurl3A22viewtopic.php2222
30
The Past, the Present, and the Future of Hacking

• How prolific could this whole scenario be?

31
Where Weve Been The Past

• Since most sites were static HTML, not much to do
  but try to obtain root / admin privileges on the
  machine or deface the website.
• This proved for some great comedy.

32
Where Were At The Present

• Since more dynamic and unique content has been
  added to websites, and users demand even MORE
  functionality so that they can do everything
  electronically, insecure content was added at an
  expedited pace!
• And users and management demand even more!

33
Where Were Going The Future

• Application hacking is becoming more complex as
  applications are becoming more complex. The
  possibilities are endless when it comes down to
  what can you exploit in web applications.
• Take for Instance Application Worms, Web
  Application Worms.

34
What Application Security Means to Compliance
Efforts

• How prolific could this whole scenario be?

35
Types of Compliance Regulations

• Privacy
• HIPPA (Health Insurance Portability and
  Accountability Act)
• SOX (The Sarbanes-Oxley Act )
• GLBA (Gramm-Leach-Bliley Act)
• Disclosure
• CA1386
• Federal Trade Commission
• Privacy Policy
• Practice
• PCI

36
Privacy

• Privacy
• HIPAA (Health Insurance Portability and
  Accountability Act)
• SOX (The Sarbanes-Oxley Act )
• GLBA (Gramm-Leach-Bliley Act)

37
HIPAA

• The Health Insurance Portability and
  Accountability Act (HIPAA) mandates the privacy
  and security of personal health
• The Security Rule of the Act recommends
  information security best practices to protect
  personal information.
• HIPAA requires organizations to perform a HIPAA
  security risk assessment to determine what
  applications and data are vulnerable, to ensure
  proper authentication, access control, and
  logging systems, and to conduct ongoing auditing
  of information systems to test for newly
  discovered vulnerabilities.
• Web Challenge
• Establishing a security policy
• Establishing standards that support the policy
• Effectively auditing to ensure policy compliance

38
SOX - The Sarbanes-Oxley Act

• Sarbanes-Oxley focuses on regulating corporate
  behavior for the protection of financial records
  instead of enhancing the privacy and security of
  confidential customer information.
• Difficult because it was not written specifically
  with information technology or information
  security in mind
• Addresses
• How information is accessed
• What leaves the corporate network
• Other financial controls
• Web Challenges
• Financial information resides on the same
  networks as web applications or there associated
  systems (Databases, etc)
• Web front ends for financial systems are a common
  interface to financial systems.
• These can be susceptible to web application
  attacks
• Requires the development of a policy

39
GLBA - The Gramm-Leach-Bliley Act

• The Gramm-Leach-Bliley Act (GLBA), formally known
  as the Financial Modernization Act of 1999,
• Established requirements for financial
  institutions in the United States to protect
  consumers personal financial information.
• The GLBA contains three principle requirements
• The Financial Privacy Rule requires financial
  institutions to publish a privacy notice to their
  customers
• Consumers also must be given the right to limit
  the sharing of their personal information.
• The Safeguards Rules require all financial
  institutions to design, implement and maintain
  safeguards and a security plan to protect
  customer information that they handle.
• Web Challenges
• Customer information resides on the same networks
  as web applications or there associated systems
  (Databases, etc)
• Web front ends for financial systems are a common
  interface to customer financial systems.
• These can be susceptible to web application
  attacks
• Requires the development of a policy

40
Disclosure

• Disclosure
• CA1386
• MANY others are coming VERY SOON

41
CA 1386

• Enacted in order to force anyone holding private
  personal information, to inform consumers
  immediately if their personal information has
  been compromised.
• The law also gives consumers the right to sue
• Any business, organization or individual that
  holds private personal information for a person
  residing in the state of California is bound by
  the provisions of the law, so California SB 1386
  has a much greater impact nationally than is
  typical for state legislation.
• Web Challenges
• Is a performance based law, not policy based
• If you get hacked you have to disclose the
  incident

42
Federal Trade Commission

• Federal Trade Commission
• Privacy Policy
• www.owasp.org
• www.webappsec.org
• www.securityfocus.com
• www.spidynamics.com

43
Federal Trade Commission

• From http//www.ftc.gov/privacy/
• Under the FTC Act, the Commission guards against
  unfairness and deception by enforcing companies'
  privacy promises about how they collect , use and
  secure consumers' personal information.
• Web security challenge
• Companies are being investigated for FTC
  violations because they are not living up to
  there stated policy
• http//www.webappsec.org/documents/real_world_web_
  hacking.shtml
• PETCO
• Guess
• Many others

44
Visa PCI

• The Payment Card Industry (PCI) Data Security
  Standard is a collaborative effort by Visa,
  MasterCard, American Express and Discover to
  ensure the protection of customers' personal
  information.
• The standard establishes 12 security requirements
  that all members, merchants and service providers
  must adhere to.
• Sections 6, 11 and 12 have specific web related
  issues.
• Web security challenges
• PCI is the most comprehensive and specific
  standard in the industry.
• Following the standard will greatly improve a
  companies web application security overall
• Not following PCI can cost a company its ability
  to process credit cards

45
VISA PCI

• http//usa.visa.com/business/accepting_visa/ops_ri
  sk_management/cisp.html
• Go to VISA.COM and search for PCI
• Build and Maintain a Secure Network
• 1. Install and maintain a firewall configuration
  to protect data
• 2. Do not use vendor-supplied defaults for system
  passwords and other security parameters
• Protect Cardholder Data
• 3. Protect stored data
• 4. Encrypt transmission of cardholder data and
  sensitive information across public networks
• Maintain a Vulnerability Management Program
• 5. Use and regularly update anti-virus software
• 6. Develop and maintain secure systems and
  applications
• Implement Strong Access Control Measures
• 7. Restrict access to data by business
  need-to-know
• 8. Assign a unique ID to each person with
  computer access
• 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
• 10. Track and monitor all access to network
  resources and cardholder data
• 11. Regularly test security systems and processes
  

46
General compliance needs

• Establish a security policy
• Identify what will be done to address web
  application security needs and who will be
  responsible for it
• Follow the policy
• Ensure that security policies are being followed
  throughout the software lifecycle
• Document that the policy was followed
• Have a record of testing that was done to ensure
  that the policy was followed
• SDLC
• The Software Development Lifecycle Cycle needs to
  respect and support compliance efforts
• Unlike other compliance efforts, web application
  security needs to be integrated into the SDLC

47
ASAP Process
Support Services
Release
Requirements
Design
Development
Test (QA)
Security Training
Security services
Source code review
Development Assessment Tools
QA Automated Assessment tools
Automated assessment tools
Threat Modeling
Security Kickoff
Infrastructure Assessment
Create Development Standards
Secure coding libraries
QA Manual Assessment tools
Infrastructure Design
Pen Testing
Regulatory Compliance
48
Enterprise-Wide Web Application Security

• Web Application Security testing must be applied
  in all phases of the Application Lifecycle and by
  all constituencies throughout the enterprise
  Auditors, Application Developers, QA and Security
  Operations.

49
Enterprise-Wide Web Application Security

• Application Developers

• Must have clear cut security requirement to
  follow during Development and QA phases
• Need to run automated tests on code during
  Development phase
• Must utilize secure code for re-use
• Require automated testing products that integrate
  into current environment

50
Enterprise-Wide Web Application Security
Quality Assurance Professionals

• Must test applications not only for functionality
  but also for security
• Must test environments for potential flaws and
  insecurities
• Must provide detailed security flaw reports to
  development
• Require automated testing products that integrate
  into current environment

D
D
A
A
Web
Web
Web
Web
Application
Application
Application
Security
Security
S
S
51
Enterprise-Wide Web Application Security

• Security Operations

• Must continually test application in a real world
  environment to asses impact of ongoing code
  changes
• Must look for all levels of web vulnerabilities
• Platform
• Informational
• Application

D
D
A
A
Web
Web
Web
Web
Application
Application
Application
Security
Security
Q
Q
S
S
Security
52
Enterprise-Wide Web Application Security
Security Auditors and Risk and
Compliance Officers

• Help define regulatory requirements during the
  Definition phase of the Application Lifecycle
• Assess applications once they are in the
  Production phase to validate compliance
• Must act as resource for what is and is not
  acceptable

D
D
Web
Web
Web
Web
Application
Application
Application
Security
Security
S
Q
S
Q
53
Part Five

• Other Online Resources

• Websites and mailing lists on the net

54
Websites

• - www.spidynamics.com
• Web Application Security Consortium -
  www.webappsec.org
• CGISecurity.net http//www.cgisecurity.net/
• Open Web Application security Project -
  www.owasp.org
• WebAppSec Mailing list Security Focus

55
Questions?
56
Contact
Brian Christian bchristian_at_spidynamics.com
SPI Dynamics, Inc. 115 Perimeter Center
Place Suite 1100 Atlanta, GA 30346
For a free WebInspectTM 15-day trial download
visit www.spidynamics.com