The Hacking Evolution: New Trends in Web Application Exploits and Vulnerabilities Brian Christian, S - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Hacking Evolution: New Trends in Web
Application Exploits and Vulnerabilities
Brian Christian, Senior Security Engineer and
Co-Founder, S.P.I Dynamics
2
Agenda
  • Part 1: Introduction. How on earth did we
    get to this point?
  • Part 2: Identifying the Problem. How does this
    stuff happen?
  • Part 3: Key Application Vulnerabilities.
    Past, present and future
  • Part 4: What Application Security Means to
    Compliance Efforts, and how to fix the problem.
  • Part 5: More information and online resources
  • Part 6: Q&A

3
Part One
  • Introduction
  • Who We Are - SPI Dynamics in a nutshell
  • Application Security - How did we get to this
    point?

4
SPI Dynamics
The Leader In Web Application Security Assessment
  • We manufacture and license WebInspect, our
    industry leading web application security
    assessment product, to enterprises, consultants,
    and other institutions, both directly and via
    global partners.
  • We own the world's leading database of web
    application security vulnerabilities,
    SecureBase. SecureBase is updated frequently by
    SPI Labs, our U.S.-based research and development
    organization.

5
Web Sites
Simple, single server solutions
  • Web Server
  • HTML
  • CGI

Browser
6
Web Applications
Very complex architectures, multiple platforms,
multiple protocols
Diagram: Browser and Wireless clients -> Web Servers
(Presentation Layer, Media Store) -> Application Server
(Business Logic, Content Services, Web Services) ->
Database Server (Customer Identification, Access
Controls, Transaction Information, Core Business Data)
7
Common Web Applications
8
The Absolute Truth
  • All code has bugs regardless of platform,
    language or application.
  • From Microsoft to a mom-and-pop's home-brewed
    application, all code has bugs.
  • Some bugs are functionality bugs, which are
    discovered by QA.
  • Other bugs are security bugs, which largely go
    unidentified.
  • As long as functionality is the main objective
    and not security, there will always be
    vulnerabilities in computer applications.

9
Why These Things Happen
This is all the stuff that your application is
supposed to do.
10
Why Web Application Attacks Occur
The Web Application Security Gap
Application Developers and QA Professionals
Don't Know Security
Security Professionals Don't Know The
Applications
As a Network Security Professional, I don't know
how my company's web applications are supposed to
work, so I deploy a protective solution but don't
know if it's protecting what it's supposed to.
As an Application Developer, I can build great
features and functions while meeting deadlines,
but I don't know how to develop my web
application with security in mind.
11
Web Applications Breach the Perimeter
Diagram: INTERNET (HTTP, IMAP, SSH, POP3, FTP,
TELNET) -> DMZ (Web Server, port 80) -> TRUSTED
INSIDE (Application Server) -> CORPORATE INSIDE
(Database Server)
  • Firewall only allows PORT 80 (or 443 SSL) traffic
    from the internet to the web server.
  • Firewall only allows applications on the web
    server to talk to the application server.
  • Firewall only allows the application server to
    talk to the database server.
12
Web Applications Invite Public Access
"Today over 70% of attacks against a company's
website or web application come at the
Application Layer, not the network or system
layer."
- Gartner Group
13
Web Application Risk
Web application incidents cost companies more
than $320,000,000 in 2001.
Forty-four percent (223 respondents) of the 2002
Computer Crime and Security Survey respondents were willing
and/or able to quantify their financial losses.
These 223 respondents reported $455,848,000 in
financial losses.
- 2002 Computer Crime and Security Survey,
Computer Security Institute / San Francisco FBI
Computer Intrusion Squad
14
Part Two
  • Identifying the Problem
  • What are the primary vulnerabilities?
  • How and why they occur

15
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple
areas.
Application
  • Parameter Manipulation
  • Cross-Site Scripting
  • SQL Injection
  • Buffer Overflow
  • Reverse Directory Traversal
  • Java Decompilation
  • Path Truncation
  • Hidden Web Paths
  • Cookie Manipulation
  • Application Mapping
  • Backup Checking
  • Directory Enumeration
Administration
  • Extension Checking
  • Common File Checks
  • Data Extension Checking
  • Backup Checking
  • Directory Enumeration
  • Path Truncation
  • Hidden Web Paths
  • Forceful Browsing
Platform
  • Known Vulnerabilities
16
Cross Site Scripting
  • (or XSS)

17
Cross Site Scripting (XSS)
  • Cross-site scripting (also known as XSS or CSS)
    occurs when dynamically generated web pages
    display input that is not properly validated.
  • A user passes input in the form of a parameter to
    the web server.
  • The web server returns the user-provided input
    back to the user without proper encoding.
  • Again, a demonstration!
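Added example (not part of the slides or SPI Dynamics' own code): a reflected parameter echoed into a page, first verbatim and then HTML-encoded. The page template, the `q` parameter name and the probe string are assumptions constructed for the example.

```python
# Added example: reflected XSS from an unencoded parameter, beside the fix.
# The "q" parameter (assumed name) is echoed into an attribute and the body.
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template; {attr} sits inside a quoted attribute, {body} in text.
PAGE = (
    "<html><body>\n"
    '<form><input name="q" value="{attr}"></form>\n'
    "<p>Results for: {body}</p>\n"
    "</body></html>"
)

# Constructed probe of the kind a scanner sends to detect reflection.
XSS_PROBE = '"><script>alert(1)</script>'


def make_search_url(q: str) -> str:
    """Build a request URL with the value URL-encoded, as a browser would."""
    return "http://example.test/search?q=" + quote(q, safe="")


def query_param(url: str, name: str) -> str:
    """Pull one parameter out of the request URL (empty string if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    # Reflects the user-supplied value verbatim: markup in the value becomes
    # part of the page, and the browser runs any script tag it contains.
    q = query_param(url, "q")
    return PAGE.format(attr=q, body=q)


def render_encoded(url: str) -> str:
    # Encode for the output context. escape(quote=True) turns & < > " and '
    # into entities, which is what a quoted attribute and element text need.
    q = query_param(url, "q")
    safe = escape(q, quote=True)
    return PAGE.format(attr=safe, body=safe)


def reflects_raw_markup(html: str, payload: str) -> bool:
    """Tester's check: is the injected markup still present character for character?"""
    return payload in html


if __name__ == "__main__":
    url = make_search_url(XSS_PROBE)
    print(reflects_raw_markup(render_vulnerable(url), XSS_PROBE))  # True
    print(reflects_raw_markup(render_encoded(url), XSS_PROBE))     # False
```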

18
SQL Injection
19
SQL Injection Defined
  • SQL injection is a technique for exploiting web
    applications that use client-supplied data in SQL
    queries without stripping potentially harmful
    characters first.
  • Allow me to demonstrate!
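Added example (not part of the slides or SPI Dynamics' own code): the pattern the slide defines, a login query built by concatenating client-supplied data, beside a parameterized query. The users table and the account in it are constructed sample data; the fix shown is parameter binding rather than character stripping.

```python
# Added example: SQL injection through string-built queries, beside the fix.
# Uses an in-memory SQLite database with constructed data so it runs offline.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one valid account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('alice', 'correct horse')"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Client-supplied data is spliced into the SQL text, so a quote character
    # in the input changes the structure of the query the database parses.
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (
        username,
        password,
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders send the values separately from the query text; the
    # database never parses user input as SQL, so nothing needs stripping.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def quote_breaks_query(conn: sqlite3.Connection, username: str) -> bool:
    """Even a legitimate name such as O'Brien makes the concatenated query fail."""
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


# The classic tautology payload used in SQL injection demonstrations.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "alice", INJECTION))     # True: check bypassed
    print(login_parameterized(db, "alice", INJECTION))  # False: treated as data
```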

20
Part Three
  • Key Application Vulnerabilities
  • Past, Present and Future
  • Google Hacking

21
Google Hacking
  • More than searching for great pr0n.

22
Google Hacking
  • Find vulnerable sites using Google (old method,
    new life)
  • Example Search Queries
  • filetype:mdb inurl:admin (180 results)
  • filetype:xls inurl:admin (14,100 results)
  • "ORA-00921: unexpected end of SQL command"
    (3,470 results)
  • allintitle:Netscape Enterprise Server Home Page
    (431 results)

23
Google Hacking
  • Take this method a step further and use it to
    narrow your attack victims.
  • inurl:id filetype:asp site:gov (572,000
    results)
  • inurl:id filetype:asp site:com (7,150,000
    results)
  • inurl:id filetype:asp site:org (3,240,000
    results)
  • Use this list as a baseline for identifying SQL
    injection vulnerabilities

25
Google Hacking
  • Took 1 hour of coding
  • 500 vulnerable sites were found in 1 minute and
    26 seconds

26
Google Hacking
Diagram: a loop of Find next victim -> Exploit
victim -> Find next victim, repeated
  • Application Worm

27
Enter the Santy Worm
  • Perl.Santy is a worm written in Perl script that
    attempts to spread to Web servers running
    versions of the phpBB 2.x bulletin board software,
    using the Viewtopic.PHP PHP Script Injection Vulnerability.
  • Other systems are not affected. If successful,
    the worm copies itself to the server and
    overwrites the files with the following
    extensions: .asp, .htm, .jsp, .php, .phtm, .shtm
  • The worm uses the Google search engine to find
    potential new infection targets. Google has now
    implemented blocking Perl.Santy search requests,
    which is expected to greatly reduce the worm's
    ability to propagate and lower the risk of
    further infections.

28
Enter the Santy Worm
  • Aliases: Perl.Santy.A (Computer Associates), Santy
    (F-Secure), Net-Worm.Perl.Santy.a (Kaspersky),
    Perl/Santy.worm (McAfee), PHP/Santy.A.worm
    (Panda), Perl/Santy-A (Sophos), WORM_SANTY.A
    (Trend Micro)
  • Platforms: UNIX, Linux, Windows 2000, Windows 95, Windows
    98, Windows Me, Windows NT, Windows Server 2003,
    Windows XP

29
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A%22viewtopic.php%22%22
30
The Past, the Present, and the Future of Hacking
  • How prolific could this whole scenario be?

31
Where We've Been: The Past
  • Since most sites were static HTML, not much to do
    but try to obtain root / admin privileges on the
    machine or deface the website.
  • This proved for some great comedy.

32
Where We're At: The Present
  • Since more dynamic and unique content has been
    added to websites, and users demand even MORE
    functionality so that they can do everything
    electronically, insecure content was added at an
    expedited pace!
  • And users and management demand even more!

33
Where We're Going: The Future
  • Application hacking is becoming more complex as
    applications are becoming more complex. The
    possibilities are endless when it comes down to
    what can you exploit in web applications.
  • Take for Instance Application Worms, Web
    Application Worms.

34
What Application Security Means to Compliance
Efforts
  • How prolific could this whole scenario be?

35
Types of Compliance Regulations
  • Privacy
  • HIPAA (Health Insurance Portability and
    Accountability Act)
  • SOX (The Sarbanes-Oxley Act)
  • GLBA (Gramm-Leach-Bliley Act)
  • Disclosure
  • CA1386
  • Federal Trade Commission
  • Privacy Policy
  • Practice
  • PCI

36
Privacy
  • Privacy
  • HIPAA (Health Insurance Portability and
    Accountability Act)
  • SOX (The Sarbanes-Oxley Act)
  • GLBA (Gramm-Leach-Bliley Act)

37
HIPAA
  • The Health Insurance Portability and
    Accountability Act (HIPAA) mandates the privacy
    and security of personal health
  • The Security Rule of the Act recommends
    information security best practices to protect
    personal information.
  • HIPAA requires organizations to perform a HIPAA
    security risk assessment to determine what
    applications and data are vulnerable, to ensure
    proper authentication, access control, and
    logging systems, and to conduct ongoing auditing
    of information systems to test for newly
    discovered vulnerabilities.
  • Web Challenge
  • Establishing a security policy
  • Establishing standards that support the policy
  • Effectively auditing to ensure policy compliance

38
SOX - The Sarbanes-Oxley Act
  • Sarbanes-Oxley focuses on regulating corporate
    behavior for the protection of financial records
    instead of enhancing the privacy and security of
    confidential customer information.
  • Difficult because it was not written specifically
    with information technology or information
    security in mind
  • Addresses
  • How information is accessed
  • What leaves the corporate network
  • Other financial controls
  • Web Challenges
  • Financial information resides on the same
    networks as web applications or their associated
    systems (databases, etc.)
  • Web front ends for financial systems are a common
    interface to financial systems.
  • These can be susceptible to web application
    attacks
  • Requires the development of a policy

39
GLBA - The Gramm-Leach-Bliley Act
  • The Gramm-Leach-Bliley Act (GLBA), formally known
    as the Financial Modernization Act of 1999,
  • Established requirements for financial
    institutions in the United States to protect
    consumers' personal financial information.
  • The GLBA contains three principal requirements
  • The Financial Privacy Rule requires financial
    institutions to publish a privacy notice to their
    customers
  • Consumers also must be given the right to limit
    the sharing of their personal information.
  • The Safeguards Rule requires all financial
    institutions to design, implement and maintain
    safeguards and a security plan to protect
    customer information that they handle.
  • Web Challenges
  • Customer information resides on the same networks
    as web applications or their associated systems
    (databases, etc.)
  • Web front ends for financial systems are a common
    interface to customer financial systems.
  • These can be susceptible to web application
    attacks
  • Requires the development of a policy

40
Disclosure
  • Disclosure
  • CA1386
  • MANY others are coming VERY SOON

41
CA 1386
  • Enacted in order to force anyone holding private
    personal information to inform consumers
    immediately if their personal information has
    been compromised.
  • The law also gives consumers the right to sue
  • Any business, organization or individual that
    holds private personal information for a person
    residing in the state of California is bound by
    the provisions of the law, so California SB 1386
    has a much greater impact nationally than is
    typical for state legislation.
  • Web Challenges
  • Is a performance-based law, not policy-based
  • If you get hacked, you have to disclose the
    incident

42
Federal Trade Commission
  • Federal Trade Commission
  • Privacy Policy
  • www.owasp.org
  • www.webappsec.org
  • www.securityfocus.com
  • www.spidynamics.com

43
Federal Trade Commission
  • From http://www.ftc.gov/privacy/
  • Under the FTC Act, the Commission guards against
    unfairness and deception by enforcing companies'
    privacy promises about how they collect, use and
    secure consumers' personal information.
  • Web security challenge
  • Companies are being investigated for FTC
    violations because they are not living up to
    their stated policy
  • http://www.webappsec.org/documents/real_world_web_hacking.shtml
  • PETCO
  • Guess
  • Many others

44
Visa PCI
  • The Payment Card Industry (PCI) Data Security
    Standard is a collaborative effort by Visa,
    MasterCard, American Express and Discover to
    ensure the protection of customers' personal
    information.
  • The standard establishes 12 security requirements
    that all members, merchants and service providers
    must adhere to.
  • Sections 6, 11 and 12 have specific web related
    issues.
  • Web security challenges
  • PCI is the most comprehensive and specific
    standard in the industry.
  • Following the standard will greatly improve a
    company's web application security overall
  • Not following PCI can cost a company its ability
    to process credit cards

45
VISA PCI
  • http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
  • Go to VISA.COM and search for PCI
  • Build and Maintain a Secure Network
  • 1. Install and maintain a firewall configuration
    to protect data
  • 2. Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Protect Cardholder Data
  • 3. Protect stored data
  • 4. Encrypt transmission of cardholder data and
    sensitive information across public networks
  • Maintain a Vulnerability Management Program
  • 5. Use and regularly update anti-virus software
  • 6. Develop and maintain secure systems and
    applications
  • Implement Strong Access Control Measures
  • 7. Restrict access to data by business
    need-to-know
  • 8. Assign a unique ID to each person with
    computer access
  • 9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network
    resources and cardholder data
  • 11. Regularly test security systems and processes

46
General compliance needs
  • Establish a security policy
  • Identify what will be done to address web
    application security needs and who will be
    responsible for it
  • Follow the policy
  • Ensure that security policies are being followed
    throughout the software lifecycle
  • Document that the policy was followed
  • Have a record of testing that was done to ensure
    that the policy was followed
  • SDLC
  • The Software Development Lifecycle needs to
    respect and support compliance efforts
  • Unlike other compliance efforts, web application
    security needs to be integrated into the SDLC

47
ASAP Process
Diagram: activities mapped across the lifecycle
phases Requirements, Design, Development, Test (QA),
Release and Support Services. Activities shown:
Security Training, Security Services, Source Code
Review, Development Assessment Tools, QA Automated
Assessment Tools, Automated Assessment Tools, Threat
Modeling, Security Kickoff, Infrastructure Assessment,
Create Development Standards, Secure Coding Libraries,
QA Manual Assessment Tools, Infrastructure Design,
Pen Testing, Regulatory Compliance.
48
Enterprise-Wide Web Application Security
  • Web Application Security testing must be applied
    in all phases of the Application Lifecycle and by
    all constituencies throughout the enterprise
    Auditors, Application Developers, QA and Security
    Operations.

49
Enterprise-Wide Web Application Security
  • Application Developers
  • Must have clear-cut security requirements to
    follow during Development and QA phases
  • Need to run automated tests on code during
    Development phase
  • Must utilize secure code for re-use
  • Require automated testing products that integrate
    into current environment

50
Enterprise-Wide Web Application Security
Quality Assurance Professionals
  • Must test applications not only for functionality
    but also for security
  • Must test environments for potential flaws and
    insecurities
  • Must provide detailed security flaw reports to
    development
  • Require automated testing products that integrate
    into current environment

51
Enterprise-Wide Web Application Security
  • Security Operations
  • Must continually test applications in a real-world
    environment to assess the impact of ongoing code
    changes
  • Must look for all levels of web vulnerabilities
  • Platform
  • Informational
  • Application

52
Enterprise-Wide Web Application Security
Security Auditors and Risk and
Compliance Officers
  • Help define regulatory requirements during the
    Definition phase of the Application Lifecycle
  • Assess applications once they are in the
    Production phase to validate compliance
  • Must act as resource for what is and is not
    acceptable

53
Part Five
  • Other Online Resources
  • Websites and mailing lists on the net

54
Websites
  • SPI Dynamics - www.spidynamics.com
  • Web Application Security Consortium -
    www.webappsec.org
  • CGISecurity.net - http://www.cgisecurity.net/
  • Open Web Application Security Project -
    www.owasp.org
  • WebAppSec Mailing List - Security Focus

55
Questions?
56
Contact
Brian Christian bchristian_at_spidynamics.com
SPI Dynamics, Inc. 115 Perimeter Center
Place Suite 1100 Atlanta, GA 30346
For a free WebInspect™ 15-day trial download
visit www.spidynamics.com