the 2011 mid-year top cyber security risks report - … dausin advanced security intelligence team...

The 2011 Mid-Year Top CYber SeCuriTY riSkS reporT

Table of contents

Contributors 2Overview 2Vulnerabilitytrends 4 Discoveryanddisclosureofnewvulnerabilities 5 Furtheranalysis:ZeroDayInitiative 7 Seeingthebigpicture:wherethevulnerabilitiesare 9 Staticanalysis 10 Dynamicanalysis 11 Manualanalysis 13Attacktrends 14 Newvulnerabilitiesareunnecessary;attackscontinueto riseregardless 15 Cross-SiteScripting 17 SQLInjectionplaysastarringrole 18Mitigation 20 Cross-SiteRequestForgery 21 SQLInjection 21 Cross-SiteScripting 23 RemoteFileIncludes 24References 24

2

ContributorsProducingtheTopCyberSecurityRisksReportisacollaborativeeffortamongHPDVLabsandotherHPteams,suchasFortifyandtheApplicationSecurityCenter.WewouldliketosincerelythanktheOpenSourceVulnerabilityDatabase(OSVDB)forallowingprintrightstotheirdatainthisreport.ForinformationonhowyoucanhelpOSVDB:

https://osvdb.org/account/signup

http://osvdb.org/support

Contributor Title

MikeDausin AdvancedSecurityIntelligenceTeamLead

AdamHils ApplicationSecurityCenterProductManager

DanHolden Director,HPDVLabs

PrajaktaJagdale WebSecurityResearchGroupLead

JasonJones AdvancedSecurityIntelligenceEngineer

RohanKotian DigitalVaccineTeamLead

JenniferLake ProductMarketing,HPDVLabs

MarkPainter ApplicationSecurityCenterContentStrategist

TaylorAndersonMcKinley Director,FortifyonDemand

AlenPuzic AdvancedSecurityIntelligenceEngineer

BobSchiermann SeniorTechnicalPublicationsWriter

OverviewIncreasingly,organizationsfacesecurityrisksimposeduponthembyattackersintentonachievingfame,glory,orprofit.Attackers,familiarwithcommonvulnerabilitiesinherentinmanyoftoday’swebsites,knowhowtoexploitthosevulnerabilitieswithattacksdesignedspecificallytotakeadvantageofthem.Examplesofsuchdestructiveactivitieshaverecentlyhitthenewsinstoriesabout“hacktivist”groupssuchasLulzSecandAnonymous.

TheHP2011mid-yeareditionofthebiannualTopCyberSecurityRisksReportfeaturesin-depthanalysisandattackdatafromHPDVLabs,ApplicationSecurityCenter,andFortifysecurityunitsaswellasvulnerabilitydisclosuredatagarneredfromtheOSVDB.Giventhemediaattentionpaidtotheserecentattacks,aswellasdataHPobtainedfromitspartnersandcustomers,thebulkofthisreportisfocusedonWebapplications,includingthevulnerabilitiesthatexistandtheattacksthatareexploitingthoseweaknesses.

ThisreportisintendedforIT,network,andsecurityadministratorswhoareresponsibleforsecuringthepublic-facingcommunicationwithanorganization’scustomers,partners,andemployees.TheprimaryobjectiveofthiseditionoftheTopCyberSecurityRisksReportistoclearlyarticulatetherisksandweaknessesinherentinWebapplications.We’llhighlighttheoverallvulnerabilitylandscape,includingvulnerabilitiesincommerciallyavailableandcustom-builtapplicationsthatcanleadtoattacks,aswellashowoftenthesearebeingreported.Thereportwillalsohighlighttherisingnumberofattacksthatareleveragingthevulnerabilitiesdiscussedthroughoutthepaper.

3

Keyfindingsfromthisreportinclude:

The number of Web application vulnerabilities that are reported differs significantly from the number that actually exist.

TheOpenSourceVulnerabilityDatabase(OSVDB)monitorsvulnerabilitydiscoveryandreportingthroughdisclosureprograms.Datafromthefirstsixmonthsof2011showsadistinctandsignificantdecreaseinthedisclosureofnewvulnerabilities.Whilethismightseemlikegoodnews,itisactuallytheopposite.DatacollectedfromscansofactualcustomerWebapplicationdeploymentsindicatesthatthenumberofvulnerabilitiesisnotdecreasing;itisonlythenumberofreportednewvulnerabilitiesthatisdecreasing.Productionwebsitesforsomeoftheworld’sleadingorganizationsarestillburstingwithvulnerabilitiesthatleavethewebsitesopentodevastatingattacks.

Web application attacks are on the rise, despite the lack of new vulnerabilities being disclosed.

HPDVLabscompiledattackdatafromitsnetworkofHPTippingPointintrusionpreventionsystems(IPS)todeterminethedangerthesevulnerabilitiesposetoInternetsecurity.InformationpulledfromthesesystemsshowsthatthenumberofattacksonWebapplicationsistentimesthenumberofvulnerabilitiesbeingreported.Thisfactleadsustobelievethatattackerseitherdon’tneedanynewvulnerabilitiestoachievetheirgoals,orthatthereareplentyofvulnerabilitiesincustomapplicationsthatareunknownoruntracked,increasingtheattacksurfacetoattackers.Therealityislikelyamixtureofboth.

Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools.

TwoofthemostcommonWebapplicationattacktypes,Cross-SiteScripting(XSS)andSQLInjection(SQLi),arecoveredin-depthinthisreport.BasedondataobtainedfromHPTippingPointIPSdevices,thesearetwoofthemostfrequentlyusedattacktypes—thoughmanytimesfordifferentreasons.XSS,whichisoftenusedforspamorphishingattempts,providesaneasywaytodistributeanattackonawidescale.Conversely,SQLicanbeusednotonlyforoverwritingadatabaseandthenredirectingvisitorstoamalicioussite—similarinfashiontohowXSSisleveraged—butalsoformassivedatabasetheft.

Theinformationinthisreportcomesfromvarioussources,allowingHPDVLabstoobtainabroadsetofdatafromwhichtocorrelatemeaningfulfindings.Thesesourcesinclude:•AworldwidenetworkofHPTippingPointIntrusionPreventionSystems•VulnerabilityinformationfromOSVDBandtheZeroDayInitiative(ZDI)•WebapplicationdatafromtheASCWebSecurityResearchGroup,theEBSWBTOProfessional

ServicesOrganization,andFortifyonDemand

4

2000

Tota

l vul

nera

bilit

ies

11K

8.8K

6.6K

4.4K

2.2K

02001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

Figure1

DisclosedvulnerabilitiesaccordingtoOSVDB,2000–2011

VulnerabilitytrendsTobetterunderstandthethreatlandscape,itisimportanttostartwiththeweaknessespresentincomputinginfrastructures.Theseweaknessestypicallymanifestthemselvesasapplicationvulnerabilities,whicharethefocusofthissectionofthereport.Thevulnerabilitylandscapeisdiscussedinthefollowingthreesections:•Discovery and disclosure of new vulnerabilities:Thissectiondescribescurrenttrendsinvulnerability

reporting,highlightingvulnerabilitiesthathavebeendisclosedincommerciallyavailablecomputingsystems,includingWebapplications.Basedonthetrendinformation,onecandiscernthevolumeandcategoryofnewlydiscoveredvulnerabilities,whichprovidesinsightintohowsuchvulnerabilitiesattractattackers’attention.

•Trends in vulnerability research:ThissectionhighlightsdatafromtheHPDVLabs’ZeroDayInitiative(ZDI)vulnerabilityresearchprogram.ItprovidesadeeperlookintothetypesofvulnerabilitiesthattheZDIresearchesanddiscoversinanefforttogetabettersenseofwhatdrivesasecurityattack.

•Vulnerabilities discovered in production Web application environments:ThissectionhighlightsresultsfromscansofliveWebapplications.Datainthissectiondemonstratesthevulnerabilitiesthatarepresentinreal-worldWebapplications,includingnewvulnerabilitiesthatareunreportedaswellasthosethatwerepreviouslydisclosed,andas-yetunfixedvulnerabilities.

5

1.3K

1.04K

780

Tota

l vul

nera

bilit

ies

520

280

0

Figure2

VulnerabilitydisclosureaccordingtoOSVDB,2000–2011,brokendownbymonth

Discovery and disclosure of new vulnerabilities BasedondatapulledfromOSVDB,thetotalnumberofnewvulnerabilitiesreportedforthefirsthalfof2011isabout25percentlowerthanthenumberofnewvulnerabilitiesreportedatmid-year2010andpreviousyears.AsofJune30,2011,OSVDBcataloged3,087(Figure 1)reportedvulnerabilitiesinInternet-basedsystems,applications,andothercomputingtools,ascomparedto4,091catalogedinthecorrespondingperiodin2010.

Afterpeakingin2006,vulnerabilityreporting—forcommerciallyavailableproducts—hasbeeninaslowdecline(Figure 2).Thereasonsforthisdeclinearevaried,butseverallikelyreasonsstandout.Softwaremakersandsystemdevelopershaveincreasedtheirsecurityawarenessandhavetakenstepstoreducevulnerabilitiespriortoreleasingtheirproducts.Thesecondreasonisareductioninthedisclosuresofdiscoveredvulnerabilities,motivatedbyadesiretoinsteadsellthevulnerabilityforprofit.Anotheristhatsomeorganizationswouldratherannouncedetailsregardingvulnerabilitiesonlyafterthey’vebeenfixed.

Despitetheoveralldeclineinnewvulnerabilitiesbeingdiscoveredandreported,itisimportanttonotethattheratioofvulnerabilitiesdiscoveredinWebapplicationsstillmakesup31percent(Figure 3)ofallvulnerabilitiesdisclosed.Itisworthnotingthatroughlyhalfofallvulnerabilitydisclosuressince2006haveinvolvedWebapplications,sothedownwardtrendforthefirsthalfof2011isyetanotherproofpointfortheoveralldropinvulnerabilitydisclosurethusfar.

6

31%

69%

Web apps vulns

Other vulns

Figure3

ComparisonofWebapplicationvulnerabilitiesversusnon-Webapplicationvulnerabilities,January–June2011

ThereasonforthehighnumberofWebapplicationvulnerabilitiesisamatterofopportunityandprofit.First,thenumberofWebapplicationsincirculationgrowssteadilyeveryday.AWebapplicationinitssimplestformtiestogetheranoperatingsystem,aWebserver,adatabase,andsometop-levelapplicationthatcustomersusetointeractwiththeback-endsystems.Manyorganizationshaveadoptedthismodelforinteractingwithcustomersthroughretailsites,onlinebankingorfinanceapplications,orevenappointmentscheduling.Inaddition,manyorganizationshaveconfidentialorsensitivedatastoredinthedatabase(s)connectedtotheseapplications,offeringanalmostlimitlessfieldofopportunityforattackers,whoviewitallasaverylucrativeproposition.

Whenvulnerabilitiesarebrokendownbycategory,someinterestingtrendsbegintoemerge.DatapresentedinFigure 4showsthatcertaintypesofvulnerabilitiesaremorefrequentlydiscoveredanddisclosed.Cross-SiteScripting(XSS)stillcomprisesthemostsignificantamountofnewWebapplicationvulnerabilitydisclosures.XSSiscommonlyusedforspam,phishing,andWebbrowserexploits.BufferOverflowandDenialofService(DoS)vulnerabilitiesroundoutthetopthree.

Buffer OverflowAbufferoverflowattackoccurswhenattackerspurposelyoverloadasystems’temporarymemory(calledabuffer)towreakhavoconavictim’smachine.Oftentimesattackersalsoincludeinstructionalcodeininformationtheyusetooverflowthememory.Thatcodecaninstructtheaffectedsystemtoaccessorchangeconfidentialdataorevensendinformationbacktotheattacker.

Denial of Service (DoS)Atypeofvulnerabilitythatallowsanattackertoexhaustcomputerresourcesonavulnerablesystemtoapointwherelegitimateusageofthatsystemisimpossible.

Distributed Denial of Service (DDos)AtypeofDoSattackthatemploysanumberofseparatecomputers,whichsimultaneouslylaunchaDenialofServiceattackagainstasingleapplicationorsystem.

7

Tota

l vul

nera

bilit

ies

3K

2.4K

1.8K

1.2K

600

0

2000

2001

2002

2004

2005

2006

2007

2008

2009

2010

2011

Cross Site Scripting Cross Site Request Forgery SQL Injection Buffer Overflow Remote File Include Denial of Service

Figure4

Disclosedvulnerabilitiesbrokendownbycategory,January2000–June2011

Itisinterestingtonotethatthebreakdownofpopularvulnerabilitiesbycategoryremainsfairlyconsistentoverthepastthreeyears(Figure 5),likelybecauseXSSvulnerabilitiesarerelativelyeasytofindandareveryusefultoattackers.Spammersandphishersarealwayslookingforwaystomaketheirtrademoreprofitable,andXSScontinuestobeausefulvulnerabilityforthesepurposes.

Further analysis: Zero Day Initiative TheZeroDayInitiative(ZDI),foundedbyHPTippingPointin2005,isaprogramforrewardingsecurityresearchersforresponsiblydisclosingvulnerabilities.TheprogramisdesignedsothatresearchersprovideHPTippingPointwithexclusiveinformationaboutpreviouslyunpatchedvulnerabilitiestheyhavediscovered.HPDVLabsvalidatesthevulnerabilityandthenworkswiththeaffectedvendoruntilthevulnerabilityispatched.Atthesametime,HPDVLabsdevelopsasecuritysolutionthatprovidespreemptiveprotectionforHP’scustomersevenbeforetheapplicationvendordistributesafixforthevulnerability.

From2005throughJune2011,ZDIandHPDVLabsresearchershavediscoveredandresponsiblydisclosedmorethan980vulnerabilitiesinpopularcomputingsystemsincludingWebbrowsers,mediaplayers,anddocumentreaders.

In2010,ZDIannouncedchangestoitsdisclosurepolicythatincentvendorstointroducemoretimelybugfixesintotheirproducts.Underthenewpolicy,ZDIofferstheaffectedvendorssixmonthstoissuepatches,fixes,orworkaroundsforundisclosedvulnerabilitiesreportedtothemviatheZDIprogram.If,aftersixmonths,thevendorhasnotissuedafixorclearedanexceptionwithZDI,limiteddetailofthevulnerabilitywillbedisclosedsothatthedefensivecommunityandconsumersoftheseaffectedapplicationscanfindtheirownwaystomitigatetheriskassociatedwiththeseopenbugs.FurtherinformationregardingtheZDIdisclosurepolicycanbefoundhere:http://www.zerodayinitiative.com/advisories/disclosure_policy/.

8

0200400600800

10001200140016001800

2009 2010 2011

BO

DOS

PHP

SQLi

XSS

CSRF

(through 6/30/2011)

Figure5

Three-yearview:popularvulnerabilitiesbycategory

Inthetable(Figure 6)belowyoucanseethetop10applicationswithvulnerabilitiesdisclosedthroughtheZDIsincetheprogramwasstartedin2005.

Forthefirsthalfof2011,DVLabsandtheZDIeitherdiscoveredoracquired,anddisclosedtoaffectedvendors,231vulnerabilitiesinawiderangeofproducts.Onthenextpage(Figure 7)youcanseethetop10applicationsforwhichvulnerabilitiesweredisclosedthroughtheZDI.Whileonlyfourofthe10applicationsarerelatedtoWebbrowsers,thetotalnumberofvulnerabilitiesfromtheseapplicationsisstaggering.

0 10 20 30 40 50 60 70

Apple QuicktimeMicrosoft Internet Explorer

Oracle/Sun JavaMicrosoft OfficeMozilla FirefoxApple Webkit

RealNetworks Real PlayerAdobe Shockwave

HP OpenViewAdobe Reader

Figure6

MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIfrom2005–2011

9

0 5 10 15 20 25 30

CA Total Defense

IBM Lotus (general)

Microsoft Office Tools

HP OpenView Network Node Manager

Novell iPrint

Apple WebKit

Adobe Reader

HP Data Protector

Oracle Java (general)

Adobe Shockwave

Figure7

MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIin2011

Seeing the big picture: where the vulnerabilites areSofar,thisreporthasfocusedprimarilyonvulnerabilitydisclosure,whichmayormaynotreflectthecompletepictureofvulnerabilitytrendsunfoldingontheInternet.Inanefforttoseeaclearerpictureofthereal-worldvulnerabilitylandscape,theHPApplicationSecurityCenterWebSecurityResearchGroup(WSRG)compiledresultsfromover2,750securityassessmentsperformedagainstavarietyofcustomerWebapplicationsduringthefirstsixmonthsof2011.Whileitisgoodtoseeanoverallreductioninthenumberofnewvulnerabilitiesbeingreported,thathasunfortunatelyhadnoimpactonthedangersofexploitation.Theseresultshavebeendividedintothreesections:

•Thefirstcorrelatesresultsfromalmost250Webapplicationsanalyzedstatically(attheline-of-codelevel)forWebapplicationvulnerabilities.

•Thesecondgroupincludesresultsfromdynamicanalysis(duringtheactualrunningoftheapplication)conductedagainstover2,500uniqueWebapplications.

•Finally,thethirdsetofanalysesincludesacloserinspectionofamuchsmallergroupofassessmentstoexplorethedifferentwaysinwhichWebapplicationvulnerabilitiescanbeexploited,howthatimpactstheoverallriskstandingoftheapplication,andwhatmitigationmeasuresdevelopersareemployingthatarenotworking.

Eachsetofanalyseswillshedlightonthenature—andseriousness—ofWebapplicationvulnerabilitiesandhowprevalenttheyare.Whatsecurityprofessionalshavesteadilywitnessedinthelastdecadeisthatattackshavemovedfromdefacementandgeneralannoyancetoone-timeattacksdesignedtostealasmuchdataaspossible,andfromtheretoperniciousongoingattacksthatattempttodistributemalwareandstealasmuchdataforaslongaspossiblewithoutbeingdetected.ItisimperativetorealizethatitoftentakesonlyoneWebapplicationvulnerabilityforanentiresystemtobecompromised.Theenormityofthedangercannotbeoverstated.

10

Static analysisThefirstsetofapplicationswasstaticallyanalyzedbytheWSRGinconjunctionwiththeHPFortifyonDemandgroupandincluded236uniqueapplications.Thefirststatisticistrulystaggering:afull69%oftheapplicationstestedcontainedatleastoneSQLiflaw.Fundamentally,SQLiisanattackupontheWebapplication,nottheWebserverortheoperatingsystemitself.Asthenameimplies,itistheactofaddingunexpectedSQLcommandstoaquery,therebymanipulatingthedatabaseinwaysunintendedbythedatabaseadministratorordeveloper.Whentheattackissuccessful,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbyvulnerableWebapplications.IfattackerscanfindoneSQLInjectionvulnerabilityinanapplication,there’saverygoodchancetheycancompromiseitcompletely.Alotofhigh-profileattacksoverthecourseofthefirsthalfof2011werethedirectresultofSQLi.EvenLadyGagaisn’timmunetoSQLi.

ThesecondmostprevalentvulnerabilitydiscoveredinthisseriesofassessmentswasCross-SiteScripting(XSS),(specifically,thereflectedvariety).Putsimply,reflectedXSSattackscomefromsomewhereelse,suchaswhenuser-suppliedinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.Usingsomesocialengineering,anattackercantrickavictim,perhapsthroughamaliciouslinkora“rigged”form,tosubmitinformationwhichwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.Theinjectedcodeisthenreflectedbacktotheuser’sbrowserwhichexecutesitbecauseitcamefromatrustedserver.64%oftheassessedapplicationscontainedatleastonereflectedXSSflaw.

Itssistervulnerability,persistentXSS,wasdiscoveredin42%oftheapplicationstestedinthisgroup.Persistentattacksarejustthat:insomeformtheyarestoredonthetargetserver,suchasinadatabase,orviaasubmissiontoabulletinboardorvisitorlog.Thevictimwillretrieveandexecutetheattackcodeinhisbrowserwhenarequestismadeforthestoredinformation.What’salsointerestingaboutthisparticularvulnerabilityisthateventhoughitwasfoundin27%feweroftheapplicationsthanSQLi,therewereactuallymoreuniqueinstancesofpersistentXSSdiscoveredthananyothervulnerabilityforwhichtheWSRGtested.TheimpactsofeachflavorofXSSarethesame.

Amoregenericvulnerability,HeaderManipulation,wasfoundin37%oftheapplications.HeaderManipulationvulnerabilitiesoccurwhendataentersaWebapplicationthroughanuntrustedsource,mostfrequentlyaWebrequest.ThedataisincludedinanHTTPresponseheadersenttoaWebuserwithoutbeingvalidated.AswithmanyWebapplicationsecurityvulnerabilities,HeaderManipulationisameanstoanend,notanendinitself.Atitsroot,thevulnerabilityisstraightforward:anattackerpassesmaliciousdatatoavulnerableapplication,andtheapplicationincludesthedatainanHTTPresponseheader.IncludingunvalidateddatainanHTTPresponseheadercanenablecache-poisoning,XSS,cross-userdefacement,pagehijacking,cookiemanipulation,oropenredirectvulnerabilities.And18%oftheapplicationsalsocontainedaspecificcookieHeaderManipulationvulnerability.

Cross-Site Scripting (XSS)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationtoenableanattackertoinjectmaliciousclient-sidecodeintoaWebpagewhichisviewedbyavictim’sWebbrowser.VariousformsofXSSarecurrentlybeingusedtophishwebsiteusersintorevealingsensitiveinformationsuchasusernames,passwords,andcreditcarddetails.XSScangenerallybedividedintostored,reflected,andDOM-basedattacks.StoredXSSresultsinthepayloadbeingpersistedonthetargetsystemineitherthedatabaseorthefilesystem.Thevictimswillretrieveandexecutetheattackcodeintheirbrowserwhenarequestismadeforthestoredinformation.ExecutionofthereflectedXSSattacks,ontheotherhand,occurswhenuserinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.DOM-basedXSSattacksrelyonmaliciousmodificationoftheDOMenvironmentinavictim’sbrowser.ItdiffersfromthestoredandreflectedXSSinthefactthatthemaliciousdataisneversenttotheserver.Viasomesocialengineering,anattackercantrickavictim,suchasthroughamaliciouslinkor“rigged”form,tosubmitinformationthatwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.

Command ExecutionAtypeofvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertorunoperatingsystemcommandsonthevulnerableapplicationserver.Typically,thisvulnerabilitycategoryallowsattackerstoexploitWebapplicationsthatpassuserdataasparameterstoI/OoperationsbyappendingOScommandstousersuppliedinputusingspecialcharacterssuchasapipe(|).

11

AnotherwidespreadvulnerabilitydiscoveredduringtheWSRGanalysiswasPathManipulation.Thisoccurswhenuser-suppliedinputcancontrolorotherwiseinfluencefilenamesorpathsutilizedinfilesystemoperations,whichcanthengiveanattackerthemeanstoaccessorchangeprotectedsystemresources.63%ofthescansdetectedaPathManipulationvulnerability.

Whilenoneofthevulnerabilitiesdiscussedsofarcanbeconsideredinnocuous,oneextremelydangerousvulnerabilitywasalsodetectedinlargenumbers.CommandInjectionoccurswhenaremoteusercansupplyaspeciallycraftedvaluetoexecutearbitraryoperatingsystemcommandsonthetargetsystem.35%oftheapplicationscontainedatleastoneCommandInjectionvulnerability.

Anothersignificantvulnerabilityoccurswhendevelopersleavepasswordshardcodedintheircode.Hardcodedpasswordswerediscoveredin30%oftheapplications.Anattackerwhodiscoversahardcodedpasswordcouldobviouslygainunintendedaccesstotheapplication.Thedamageswoulddependonthefunctionalityoftheapplicationitself.

5%oftheapplicationscontainedXPathInjectionvulnerabilities.XPathInjectionisverysimilartoSQLi.Inthatscenario,SQLcommandsaremodifiedbyanattackertogainaccesstodatabasecontentsandinformation.InXPathInjection,XPathstatementsaremodifiedtogainaccesstothedatacontainedwithinanXMLdocument,whichoftenservesasthe“XMLdatabase.”Importantly,XPathdoesnotutilizeaccesscontrolrestrictionsasSQLdoesviaprivileges,soasuccessfulXPathInjectionattackwillyieldcompleteresultsinthatallthedatainthedocumentwillberevealed.TheXPathlanguageisalsouniform,unlikeSQL,sothatanyinstalledimplementationispotentiallyvulnerable.Intheseaspects,XPathInjectioniseasiertoexecutethanSQLiandhasgreaterresultsreturnedonaffectedsystems.

Anotherinterestingsetofdatadescribesthenumberofvulnerabilitiesfoundperapplication,andper1000linesofcode.Duringinitialscans(beforeremediationefforts),410vulnerabilitieswerefoundonaverageforeachofthe236applicationsevaluated,equatingto4.6vulnerabilitiesper1000linesofcode.Ofthethreelanguagescounted,PHPwasthemostvulnerableprogramminglanguage,with13.1vulnerabilitiesper1000lines,followedby.Netat7.7.Javawasthemostsecure,at4.1.

Dynamic analysisThesecondsetofdatawascollectedbytheWSRGinconjunctionwiththeHPEnterpriseBusinessSoftwareBTOProfessionalServicesorganizationandwassplitacrossthreeenterprise-levelorganizations:onefromtheenergysector,onefrombankingandfinance,andonefromproductmanufacturinganddistributiontoseehowWebapplicationvulnerabilitiesarepresentedinreal-worldapplicationsandareencounteredacrossalltypesofbusinesses.Eachassessmentwasconductedusingdynamic(real-time)analysismethods.Thefirsttwosetsofdatawereanalyzedagainstasmall(lessthan20)numberofapplications,whilethelastsetconsistedofmorethan2,300scansandwasactuallyanalyzed infargreaterdepththanthefirsttwo.However,allthreesetsofdatayieldedinterestingresults.Eachwastestedforaseriesofcommon,yetdangerous,Webapplicationvulnerabilities.

Cross-Site Request Forgery (CSRF)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofauthorizationonavulnerableWebapplicationtoallowanattackertoexecuteapplicationcommandsonbehalfofanotheruseroftheapplication.ThetypicalscenarioofaCross-SiteRequestForgeryattackinvolvesanattackertrickingavictimintoclickingonaspeciallycraftedlinkthatisdesignedtoperformamaliciousoperationonbehalfofthevictim.Forexample,avictimmayclickonamaliciouslinkthatforcesthevictimtotransfermoneyfromthevictim’sbankaccounttoanattacker’sbankaccount.

Remote File IncludeAtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizedcode(typicallyPHPorASP)onavulnerableserver.RemoteFileIncludeattackstypicallyarisefromascriptinglanguage’sinherentabilitytoincludecodefromexternalURLs,orarbitrarylocalfiles.Itisthisabilitythatallowstheattackertoincludeunauthorizedcodefromanexternalsource.

12

Theenergysectorapplicationscontainedanumberofvulnerabilitiesthatcouldbeutilizedtocompromisethesystem.Forexample,23%werevulnerabletoSQLi.15.3%werevulnerabletoRemoteFileInclude(RFI)vulnerabilities.53.8%werevulnerabletoReflectedXSS,whileanother23%werevulnerabletoPersistentXSS.Also,38.4%werevulnerabletoCross-SiteRequestForgery.Cross-SiteRequestForgeryreliesonabrowsertoretrieveandexecuteanattack.Itincludesalinkorscriptinapagethatconnectstoasitethattheusermayhaverecentlyused.Thescriptthenconductsseeminglyauthorized,yetmalicious,actionsontheuser’sbehalf.Othervulnerabilitiescouldbeexploitedtoblocktheaccessoflegitimateusers.30.76%weresusceptibletoaBufferOverflow,withanother15.3%vulnerabletoaDenial-of-Serviceattack.ItisimportanttonotethatanapplicationthatsuffersfromanyoneofthesevulnerabilitieswouldfailaPCIcomplianceaudit.

Whilenotasmanyspecificvulnerabilitiesweredetected,thebankingandfinancesectorapplicationsalsocontainedalargenumberofdisconcertingvulnerabilities.58.3%oftheapplicationswerevulnerabletoReflectedXSS,butonly8.3%containedaPersistentXSSvulnerability.16.6%werevulnerabletoCross-SiteRequestForgery.Exploitationofanyofthosevulnerabilitiescouldresultinanattackergaininglegitimateauthenticationcredentials,inadditiontootherpossibilities.Inabitofagoodanomalyforthisparticularorganization,only8.3%oftheapplicationswerefoundtocontaineitheraSQLiorRFIvulnerability.Yet,thatpositivesecuritypostureissomewhatlessenedbythefactthat21.4%oftheapplicationsweren’tusingSSLcookies.And50%sufferedfromDirectoryPathDisclosurevulnerabilities,whichattackerscanutilizetoformulatemoredamagingattacks(thinkofthisasastepinreconnaissance—if youknowwheresomethingis,it’smucheasiertoattackit).

Finally,thethirdsetofapplications(all2,345ofthem)isutilizedbyaverylargeproductmanufacturinganddistributionorganization.Althoughgreaterinnumber,theseapplicationswereactuallyassessedatahigherlevelofgranularitythantheprecedingsetsofdata.Oftheseapplications,31%werevulnerabletoXSSand15%werevulnerabletoaversionofXSSthatrequireduserinteraction,suchasclickingalinkormovingthemousepointerovertext.Another6.5%werevulnerabletoaspecificformofXSSresultingfromthewayApacheWebserversincorrectlyfilteredinputinthe“Expect”header.Another5.8%werevulnerableduetospecificfilteringvulnerabilitiesinMicrosoft®ASP.NET.

Whileonly1.9%oftheapplicationswereconfirmedtobevulnerabletoSQLi,and2.3%registeredasvulnerabletoSQLialbeitwithnodataabletobeextracted,18%werestillvulnerabletoBlindSQLi.NormalSQLiattacksdependinalargemeasureonanattackerreverse-engineeringportionsoftheoriginalSQLqueryusinginformationgainedfromerrormessages.However,applicationscanstillbesusceptibletoBlindSQLievenifnoerrormessageisdisplayed.Theconsequencesarethesame.

OneinterestingstatisticisthatonlytwooftheseapplicationsregisteredasbeingvulnerabletoCross-SiteRequestForgery.Whencodingapplications,developerstendtomakethesamesecuritymistakesinmorethanonceplace.Inotherwords,ifanapplicationisvulnerabletoSQLi,chancesareit’svulnerableinmanylocations,notjustone.However,theoppositecanholdtrue,too.Itisapparentthatthesedevelopersutilizedanti-CSRFtokensorothereffectivecountermeasuresintheirapplications.

AnotherissuethattheWSRGexaminedwasthatofinformationleakage.Informationleakageconsistsofdirectoryprobing,errormessagesthatrevealinformationunintendedbythedeveloper,common“guessed”directories,andotheritemsthatcouldrevealinformationbeneficialtoescalatingattackmethodology.Successfulexploitationwouldgiveanattackerunauthorizedaccesstosensitiveinformation.Themainproblemwithinformationleakageisthattheinformationgainedfromtheseattackscanbeusedtoconductfarmoredamagingattacks.

18.8%oftheapplicationscontainedlogininformationsentoverunencryptedconnection.AnyareaofaWebapplicationthatpossiblycontainssensitiveinformationoraccesstoprivilegedfunctionalitysuchasremotesiteadministrationfunctionalityshouldutilizeSSLoranotherformofencryptiontopreventlogininformationfrombeingsniffedorotherwiseinterceptedorstolen.5.6%oftheapplicationscontainedaknownfileordirectory.OneofthemostimportantaspectsofWebapplicationsecurityistorestrict

13

accesstoimportantfilesordirectoriestoonlythoseindividualswhoactuallyneedtoaccessthem.2.2%containedsomeformofcodedisclosurevulnerability.Anattackerwhogainsaccesstothesourcecodeofanapplicationobviouslyhasanupperhandindeterminingthebestmethodofattackingit.

Manual analysisTheWSRGalsoconductedextensivemanualanalysisofvulnerabilitiesdiscoveredwhileconductingautomatedsecuritytestsforadifferentgroupofcommercialapplications.Theanalysisfocusedondiscoveringtrendsthathelp:

1. Determinetheimpactofvariousfactorspertainingtothevulnerabilitysource/contextonitscriticalityandexploitability

2.AssessthemitigationsputinplacebydeveloperstosecuretheirWebapplicationsagainstthemostcommonvulnerabilitycategoriesandunderstandtheirshortcomings

WhilesecuringWebapplicationsagainsteverypossiblethreatisimportant,notallvulnerabilitiesarecreatedequal,eveniftheybelongtothesamecategory.Inthecaseofproductionsystems,thediscoveryofcriticalvulnerabilitiesnecessitatesanimmediateresponse.This,inturn,entailsprioritizingthediscoveredissuesbasedontheexploitability,severity,andimpactonthesecuritypostureoftheoverallsystem.ThemanualanalysishelpedtheWSRGidentifythefollowingnumerousfactorsthatimpactavulnerability’strueriskrating.

1. AccesscontrolrequirementfortheresourceAnyresourcerequiringtheusertoauthenticateaddsanextralayerofcomplexityfortheattackerindiscoveringtheissue.However,oncediscovered,asuccessfulexploitationcanprovedeadly,allowingtheattackertobypasstheaccesscontrol,escalateprivileges,andgaincontroloverprotectedandpossiblysensitivesectionsofthesystem.46%ofthevulnerabilitieswerediscoveredinprotectedresources.

2. Function/PurposeoftheresourceObviously,thesensitivityoftheWebpagecontentanditspurposegreatlyimpactsthecriticalityofanyvulnerability.AnXSSvulnerabilityintheloginpageprovidestheattackerwithmoreleveragetoachieveacompletetakeoverofthesystemthanonethatexistsonasearchpage.Ultimately,anygivensecurityissuecanbeturnedintoadeadlyweaponagainstaWebapplication.However,themoreeffortrequiredtoexploitavulnerability,thelessattractivetheapplicationbecomestoanattacker.Inthesampleset,31%ofvulnerabilitiesweredetectedinloginscriptswhile46%weredetectedinsearchpages.

3. In-houseapplicationsvs.third-partycomponentsDuringmanualanalysis,theWSRGdiscoveredthatvulnerabilitiesweredetectedinbothcustomcodeaswellasinthatofthird-partyapplications.In62%oftheapplications,thevulnerabilitieswereconcentratedinthesectionsofapplicationsthatweredevelopedin-house.In31%oftheapplications,thedistributionwasexactlyreversed.Securityissuesinthird-partysoftwarearedefinitelymoreconcerningsincethoseallowtheattackerstocompromisemultiplesystemsbypossiblyusingthesameexploit.Issuesdetectedwithincustomcodecouldtakelongertofixsincetheywillrequireunderstandingofallthevulnerableinputusagesandthenapplyingaseparatefixforeach.

4.ComplexityoftheexploitthatledtothediscoveryofthevulnerabilityAttackersalwaysprefertargetingsystemsthatareeasierandfastertocompromise.Thus,anyapplicationvulnerabletosimpleattackvectorswillattractmoreattackersthanonethathasatleastsomemitigatingsecuritycontrolsinplace.69%ofvulnerabilitieswerediscoveredusing“plainvanilla”attackvectors.

14

Despitethehigh-profilenatureofrecentWebapplicationcompromises,databreaches,andincreasedfinesfornoncompliancewithgovernmentalregulations,alargenumberofapplicationsstillremainvulnerabletothemostrudimentaryWebattacks.TheWSRGhasdeterminedthatafewrecurringissuescontributetothisproblem:

1. Mitigationsappliedwithoutaccuratelyunderstandingtheusagecontextoftheuserinput23%oftheWebapplicationsinthesamplesetactuallyemployedtheHTMLencodingtechniquetoprotectagainstXSS,15%usedablacklistingapproach,and54%hadnoprotectionmechanismsimplemented.Themitigationsfailedtoprovideanyprotectionbecausein54%oftheapplications,thereflectionsoccurredwithintheclient-sideJavaScriptcodeblocks,makingthesecuritycontrolsineffective.

2.RelianceonspecificmitigationtechniquesinsteadofaholisticapproachManualinspectionoftheclient-sideapplicationsourcecodeindicatedthatthefewsecuritycontrolsemployedbythedeveloperswereappliedinresponsetoindividualvulnerabilitiesdiscoveredmorethanlikelyduringautomatedscans.TherewasnoindicationofdevelopmenthavingadheredtoanyformofaSecureDevelopmentLifecycle(SDLC)processtodevelopanyofthetestedapplications.Thiswasevidentintheunbalanceddistributionofvulnerabilitiesindifferentsectionsoftheapplications.

3. LackofuniformityinimplementationofsecuritycontrolsAlso,themanualanalysisrevealedthatwhilecertainsectionsofWebpageswereprotectedagainstXSSattacks,otherswereleftopentoexploitation.Thisbehaviorcouldbeattributedtovariousfactorssuchasthemixtureofin-housecodevs.third-partyapplicationcode,divisionofapplicationdevelopmenteffortswithnouniformprocessputinplacetogovernbestpractices,areactiveapproachtosecuringapplications,andsoon.Thislackofuniformityobviouslymakesvulnerabilitypatchingextremelycomplexandchallenging.Thebestapproachistoestablishawell-definedsecuredevelopmentprocessthatisuniformlyadheredtobyallthepartiesinvolvedinthecreationoftheapplication.

AttacktrendsTheprevioussectionprovidedaviewintothevulnerabilitylandscape—specificallywhereandhowapplicationscanbecompromised.Whilevulnerabilitiesprovideasolidunderstandingofwhatexists,lookingatwhatattacksareexploitingthosevulnerabilitiesandhowoftenwillprovideadeeperunderstandingofenterpriserisk.Attackdatafromthissectionisbrokenoutintothreeareas:

• Frequency and number of attacks.DatainthissectionisobtainedfromanetworkofHPTippingPointIntrusionPreventionSystem(IPS)devices.Thisdataisimportantforunderstandingtheriskseverityofparticularvulnerabilities.

• A deeper look at Cross-Site Scripting (XSS) attacks.XSSisoneofthemostfrequentattacksmeasuredonHPTippingPointIPSdevices.ThissectiondelvesintothedifferenttypesofXSSattacksandthespecificdangerinherentinthesevariants.

• A timeline and breakdown of SQL Injection (SQLi) attacks.SQLiisthemostfrequentWebapplicationattackthatwetrack.ThissectionlooksathowSQLihasevolvedandwhyitposessuchahugeriskfortoday’senterprises.

15

0

200000000

400000000

600000000

800000000

1000000000

1200000000

1400000000

2009 2010 2011

Figure8

Totalnumberofattacksatmid-year,2009–2011

New vulnerabilities are unnecessary; attacks continue to rise regardlessDespitethefactthatthelevelofnewvulnerabilitydiscoveriesisdropping,thereisnoshortageofattacks.Whilethisistrueacrosstheboard—everysystem,everycategory—itisespeciallysignificantwhendiscussingWebapplications.GiventhelevelsofvulnerabilitiesthatarepresentinsomanyWebapplications,it’safairassessmentthatthisriseinattacksisduetoattackersleveragingexistingvulnerabilities.

First,thetrendofattacksforthefirsthalfoftheyearforthepastthreeyears(Figure 8)depictsadistinctupwardspike.

Next,comparingWebapplicationattacksatthemid-yearforthepastthreeyears(Figure 9),thereisadistinctincreaseinattacksonWebapplications—nearlyadoubleyear-on-yeargrowthforattacksaimedattheseapplications.

Lookingatthedataanotherway—comparingnumbersofWebapplicationattackstoallattacksinthegraph(Figure 10)onthenextpage—itisinterestingtonotethattherationofWebapplicationattacksisactuallyabithigher.

16

0

5000000

10000000

15000000

20000000

25000000

30000000

35000000

2009 2010 2011(through 6/30/2011)

Figure9

TotalnumberofWebapplicationattacksatmid-year,2009–2011

WhenWebapplicationattacksarebrokendownbycategory,wecanseesomedefinitetrendstakingshape.Let’sreferbacktothethreetypesofWebapplicationvulnerabilitiesdiscussedinanearliersection:PHP/RemoteFileInclude(PHP/RFI),SQLInjection(SQLi),andCross-SiteScripting(XSS).WhileXSSvulnerabilitiesaredisclosedmoreoften,itisSQLivulnerabilitiesthatarebeingattackedthemost(Figure 11)—byasignificantmargin.

DatainFigure 12 (onpage18)showsthatWebapplicationattacksareincreasingsorapidlythatthenumberofattacksforthefirsthalfof2011arenearlyatthesamelevelsasforthefullyearsin2009and2010.Andinonecase—SQLi—thenumbersarehigherthaninthepreviousyear.

63%

37%All attacks

Web attacks

Figure10

Webapplicationattacksversusnon-Webapplicationattacks,January–June2011

17

0

1000000

2000000

3000000

4000000

5000000

6000000

Jan Feb Mar Apr May Jun

PHP/RFI

SQLi

XSS

Figure11

Webapplicationattacksinthefirsthalf2011,brokendownbycategory

Cross-Site ScriptingCross-SiteScripting(XSS)vulnerabilityhasbeenaroundforawhileandhasbeenwell-documentedovertheyears.Torefresh,XSSisahackingtechniquethatallowsattackerstoexploitvulnerabilitiesinWebapplicationsandinjectclient-sidescriptintothevulnerableWebpagesthatareviewedbyunsuspectingusers.Asuccessfulattackwillallowanattackertohijackusersessions,stealsensitiveinformation,ordefacewebsites.TherearetwoprimarytypesofXSSvulnerability:non-persistent(orreflected),andpersistent(orstored).

Thereflected(non-persistent)XSSisbyfarthemostcommontypeofXSSattack.Therootcauseistheimproperhandling(lackofsanitization)ofHTTPrequestdatabytheservercode,allowingmalicioussitesto“reflect”maliciouscodeandattacktheuser.ThemainattackvectorisusuallyanemailmessagecontainingamaliciousURL.WhentheuserclicksontheURL,theyaretakentothevulnerablesitewherethemaliciouscodeisexecutedandreflectedbackontheuserinordertoexecutetheattack.ItistheXSSvulnerabilityofthewebsitethatallowsthistypeofattacktohappen.TheWebbrowserexecutesthecodebecauseitbelievesthecodeoriginates,andisunaltered,fromatrustedwebsite.

Apersistent,orstored,XSSattackisafarmoredevastatingXSSvariant.ThisattackdoesnotrequireuserstoclickURLsinordertopassmaliciouscodebacktothevulnerablewebsiteandattacktheuser.Inthiscase,themaliciouscodeisabletoliveonthevulnerableserverandisservedupalongsideregularHTMLcontent.Again,thistypeofattackisadirectresultofpoorinputvalidationontheserverside,whichallowsfornon-sanitizedinputtoendupbeingdisplayedonthesite.Thistypeofattackisparticularlyriskynotonlybecauseitdoesnotrequiredirectuserinteractionbutalsobecauseithasamuchwiderscope.Withnon-persistentattacks,theonlyuserswhogetattackedaretheoneswhoreflectthemaliciouscodetothesitebyclickingtheURL.WithpersistentXSSattacks,everyvisitortothesitemaygetcompromisedasthemaliciouscodelivesontheserveritself.Also,thismaliciouscodecanbeself-propagating,creatingatypeofclient-sideworm.

18

0

5000000

10000000

15000000

20000000

25000000

30000000

2009 2010 2011

PHP

SQLi

XSS

(through 6/30/2011)

Figure12

Webapplicationattacks,2009–2011

Overthelastdecade,XSShasbeenapopularpartofthesecuritythreatlandscape.AccordingtovulnerabilitiesdocumentedbySymantecin2007,XSSaccountedforroughly80%ofallthesecurityvulnerabilities.Thatpercentagehasleveledoffovertherecentyears,butXSSisstillthesecondmostpopulartypeofWebapplicationvulnerability.AccordingtotheOpenWebApplicationSecurityProject(OWASP)2010TopTen,XSSwassecondonlytoSQLi.WhatmakesXSSevenmoredangerousisthatitcouldbeleveragedbyanattackertoexploitotherWebapplicationvulnerabilitiessuchasInformationDisclosures,ContentSpoofing,andmore.

WhileorganizationshaveabetterunderstandingoftherisksposedbyXSSattacks,thesetypesofvulnerabilitiesstillmakeupahighpercentageofbugsbeingdisclosedeveryyear.SowhilemanyXSSvulnerabilitieshavealowcommonvulnerabilityscoringsystem(CVSS)score,theirprevalenceincreasestheoverallattacksurfaceofaWebapplication,whichputenterprisesatahighriskforexposureandcanbecostlytofix.

SQL Injection plays a starring roleSQLiattacksgainedmediaattentionthisyearfromthehacktivistgroupsLulzSecandAnonymous,whousedthistypeofattacktocompromisesystemsofseveralhigh-profileorganizations.Datafromtheearliergraph(Figure 12)showsthatthistypeofattackisontheriseandhasbeenextensiveforsometime.

Thechartandtimelineonthenextpage(Figure 13)demonstratehowSQLiattackshaveevolvedovertheyears.

•1998—RainForestPuppy(RFP)discloses/discussestheinitialideaofSQLInjectioninphrack Magazine (Volume9,Issue54)

•2000—SQLInjectionFAQ—ChipAndrews—usesthefirstpublicusageofterm“SQLInjection”inapaper

•2003—TheideaofblindSQLInjectionisdisclosed/discussed•2006—WebapplicationvulnerabilitydisclosureskyrocketsinpartduetoSQLInjection•2008—SQLInjectionvulnerabilitydisclosurepeaks

SQL Injection (SQLi)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizeddatabasecommandsonaWebapplicationsdatabaseserver.Whensuccessfullyexploited,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbythevulnerableWebapplication.Incertaincircumstances,SQLInjectioncanbeutilizedtotakecompletecontrolofasystem.

19

Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (volume 9, issue 54)Dec 25, 1998

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 SQL Injection timeline

SQL Injection FAQ – Chip Andrews – uses the first public usage of term “SQL Injection” in a paperOct 23, 2000

The idea of blind SQL Injection is disclosed/discussed 2003

Hackers have gained access to a database containing personal information on 800,000 current and former UCLA students 2006

Web application vulnerability disclosure skyrockets in partdue to SQL Injection2006

An estimated 500,000 websites compromised as a result of SQL Injections 2008

SQL Injection vulnerability disclosure peaks2008

The Asprox botnet leverages SQL Injection for mass drive by SQL Injection attacks to grow botnet 2008

Another half a million sites hit with automated SQL Injection 2010

HBGary, a technology security firm, was broken into by Anonymous using SQL Injection in their CMS-driven website Feb 5, 2011

Expedia’s TripAdvisor member data stolen as a result of SQL InjectionMar 24, 2011

Barracuda Networks was compromised using an SQL Injection flawApril 11, 2011

The Asprox botnet leverages SQL Injection for mass drive by SQI Injection attacks to grow botnet Aug 5, 2011

LulzSec hacktivists are accused of using SQL Injection to steal coupons, download keys, and passwords that were stored in plaintext on Sony’s website, accessing the personal information of a million users June 1, 2011

Group Anonymous claims to have hacked the NATO site, using a “simple SQL Injection”June 5, 2011

Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit card and debit card numbers from five leading companies. They took advantage of a coding error, and allegedly used a SQL Injection attack to compromise a Web application, which was used as the starting point to help them bypass company network firewalls and gain access over companies’ networks. Aug 17, 2009

Figure13

TimelineandevolutionofSQLInjectionattacks

•2008—TheAsproxbotnetleveragesSQLInjectionformassdrivebySQLiattackstogrowbotnet(http://en.wikipedia.org/wiki/Asprox).FromatleastAprilthroughAugust,asweepofattacksbeganexploitingtheSQLInjectionvulnerabilitiesofMicrosoft’sIISWebserverandSQLServerdatabaseserver.Theattackdoesnotrequireguessingthenameofatableorcolumn,anditcorruptsalltextcolumnsinalltablesinasinglerequest.AnHTMLstringthatreferencesamalwareJavaScriptfileisappendedtoeachvalue.Whenthatdatabasevalueislaterdisplayedtoawebsitevisitor,thescriptattemptsseveralapproachesatgainingcontroloveravisitor’ssystem.ThenumberofexploitedWebpagesisestimatedat500,000.

•OnAugust17,2009,theU.S.JusticeDepartmentchargedanAmericancitizenAlbertGonzalezandtwounnamedRussianswiththetheftof130millioncreditcardnumbersusingaSQLInjectionattack.Inreportedly“thebiggestcaseofidentitytheftinAmericanhistory,”themanstolecardsfromanumberofcorporatevictimsafterresearchingtheirpaymentprocessingsystems.AmongthecompanieshitwerecreditcardprocessorHeartlandPaymentSystems,conveniencestorechain7-Eleven,andsupermarketchainHannafordBrothers.

•OnFebruary5,2011,HBGary,atechnologysecurityfirm,wasbrokenintobyAnonymoususingaSQLInjectionintheirCMS-drivenwebsite.

•OnApril11,2011,BarracudaNetworkswascompromisedusingaSQLInjectionflaw.Emailaddressesandusernamesofemployeeswereamongtheinformationobtained.

•OnJune1,2011,“hacktivists”ofthegroupLulzSecwereaccusedofusingSQLitostealcouponsandtodownloadkeysandpasswordsthatwerestoredinplaintextonSony’swebsite,accessingthepersonalinformationofamillionusers.

•InJune2011,GroupAnonymousclaimstohavehackedtheNATOsite,usinga“simpleSQLInjection.”

20

5%

25%

60%

10%

PHP/RFI

SQLi

XSS

CSRF

Figure14

Webapplicationvulnerabilitiesdisclosed,January–June2011

11%

68%

21%

PHP/RFI

SQLi

XSS

Figure15

TotalWebapplicationattacks,January–June2011

WithSQLiattacks,itisreadilyapparentthatattackersarecontentleveragingexistingvulnerabilitiesfortheirexploits.Thegraphsabove(Figures 14 and 15)showaside-by-sidecomparisonofthemostreportedtypesofWebapplicationvulnerabilitiesversesthemostattackedWebapplicationvulnerabilities.SQLivulnerabilitiesmakeupaquarterofthenewvulnerabilitiesreportedforthefirsthalfof2011.YetSQLiattacksmakeupmorethan60percentoftheWebapplicationattacksseenintheHPTippingPointIPS.

Webapplicationsareaffectedbymultipletypesofattacks,andSQLiandXSSarejusttwothathavereceivedasignificantamountofmediaattentionoverthelastfewmonths.ThenextsectionofthispaperpresentsgeneralmitigationstrategiesforprotectingWebapplicationsanddecreasingtheriskofoutages,dataloss,ornetworkcompromisethatcanresult.

MitigationVisibilityisincreasinglybecomingoneofthemostimportantaspectsofinformationsecurity,alongwithreducingtheoverallattacksurfacemadeavailabletoattackers.Tomitigateriskresponsibly,organizationsshouldtestcodeindevelopment,scanforvulnerabilitiesinQAbeforestaging,andtestapplicationsinproductiononanongoingbasis.ThefollowinginformationisintendedtohelpdeveloperscorrectcertainspecificcategoriesofcriticalWebapplicationvulnerabilities.

21

Cross-Site Request ForgeryResolvingCross-SiteRequestForgeryisnotasimpletask,anditactuallymayrequirerecodingeveryformandfeatureofaWebapplication.WhilenomethodofpreventingCross-SiteRequestForgeryisperfect,usingCross-SiteRequestForgerynoncetokenseliminatesmostoftherisk.Althoughanattackermayguessavalidtoken,noncetokensareneverthelessthemosteffectivesolutionforpreventingCross-SiteRequestForgeryattacks.Ausercanbeverifiedaslegitimatebygeneratinga“secret,”suchasasecrethashortoken,aftertheuserlogsin.“Thesecret”shouldbestoredinaserver-sidesessionandthenincludedineverylinkandsensitiveform.EachsubsequentHTTPrequestshouldincludethistoken;otherwise,therequestisdeniedandthesessioninvalidated.ThetokenshouldnotbethesameasthesessionIDincaseaCross-SiteScriptingvulnerabilityexists.Initializethetokenasothersessionvariables.Itcanbevalidatedwithasimpleconditionalstatement,anditcanbelimitedtoasmalltimeframetoenhanceitseffectiveness.AttackersneedtoincludeavalidtokenwithaCross-SiteRequestForgeryattackinordertomatchtheformsubmission.Becausetheuser’stokenisstoredinthesession,anyattackerwouldneedtousethesametokenasthevictim.

CAPTCHAcanalsopreventCross-SiteRequestForgeryattacks.WithCAPTCHA,auserneedstoenterawordshownindistortedtext,containedinsideanimage,beforecontinuing.Theassumptionisthatacomputercannotdeterminethewordinsidethegraphic,althoughahumancan.CAPTCHArequiresthatauserauthorizespecificactionsbeforetheWebapplicationinitiatesthem.Itisdifficulttocreateascriptthatautomaticallyenterstexttocontinue,butresearchisunderwayonhowtobreakCAPTCHAs,sostrongCAPTCHAsareanecessity.BuildingasecureCAPTCHAtakesmoreeffort.Inadditiontomakingsurethatcomputerscannotreadtheimages,youneedtomakesurethattheCAPTCHAcannotbebypassedatthescriptlevel.ConsiderwhetheryouusethesameCAPTCHAmultipletimes,makinganapplicationvulnerabletoareplayattack.AlsomakesuretheanswertotheCAPTCHAisnotpassedinplaintextaspartofaWebform.

SQL InjectionSQLInjectionarisesfromanattacker’smanipulationofquerydatatomodifyquerylogic.ThebestmethodofpreventingSQLInjectionattacksis,therefore,toseparatethelogicofaqueryfromitsdata;thiswillpreventcommandsinsertedfromuserinputfrombeingexecuted.Thedownsideofthisapproachisthatitcanhaveanimpactonperformance,albeitslight,andthateachqueryonthesitemustbestructuredinthismethodforittobecompletelyeffective.Ifonequeryisinadvertentlybypassed,thatcouldbeenoughtoleavetheapplicationvulnerabletoSQLInjection.ThefollowingcodeshowsasampleSQLstatementthatisSQLinjectable.

sSql=“SELECTLocationNameFROMLocations“;

sSql=sSql+“WHERELocationID=“+Request[“LocationID”];

oCmd.CommandText=sSql;

ThefollowingexampleutilizesparameterizedqueriesandissafefromSQLInjectionattacks.

sSql=“SELECT*FROMLocations“;

sSql=sSql+“WHERELocationID=@LocationID”;

oCmd.CommandText=sSql;

oCmd.Parameters.Add(“@LocationID”,Request[“LocationID”]);

22

TheapplicationwillsendtheSQLstatementtotheserverwithoutincludingtheuser’sinput.Instead,aparameter-@LocationID-isusedasaplaceholderforthatinput.Inthisway,userinputneverbecomespartofthecommandthatSQLexecutes.Anyinputthatanattackerinsertswillbeeffectivelynegated.Anerrorwouldstillbegenerated,butitwouldbeasimpledata-typeconversionerror,andnotsomethingthatahackercouldexploit.

ThefollowingcodesamplesshowaproductIDbeingobtainedfromanHTTPquerystringandthenusedinaSQLquery.Notehowthestringcontainingthe“SELECT”statementpassedtoSqlCommandissimplyastaticstringandisnotconcatenatedfrominput.AlsonotehowtheinputparameterispassedusingaSqlParameterobject,whosename(“@pid”)matchesthenameusedwithintheSQLquery.

C#sample:

stringconnString=WebConfigurationManager.ConnectionStrings[“myConn”].ConnectionString;

using(SqlConnectionconn=newSqlConnection(connString))

{

conn.Open();

SqlCommandcmd=newSqlCommand(“SELECTCount(*)FROMProductsWHEREProdID=@pid”,conn);

SqlParameterprm=newSqlParameter(“@pid”,SqlDbType.VarChar,50);

prm.Value=Request.QueryString[“pid”];

cmd.Parameters.Add(prm);

intrecCount=(int)cmd.ExecuteScalar();

}

VB.NETsample:

DimconnStringAsString=WebConfigurationManager.ConnectionStrings(“myConn”).ConnectionString

UsingconnAsNewSqlConnection(connString)

conn.Open()

DimcmdAsSqlCommand=NewSqlCommand(“SELECTCount(*)FROMProductsWHEREProdID=@pid”,conn)

DimprmAsSqlParameter=NewSqlParameter(“@pid”,SqlDbType.VarChar,50)

prm.Value=Request.QueryString(“pid”)

cmd.Parameters.Add(prm)

DimrecCountAsInteger=cmd.ExecuteScalar()

EndUsing

23

Cross-Site ScriptingCross-SiteScriptingattackscanbeavoidedbycarefullyvalidatingallinputandproperlyencodingalloutput.Whenvalidatinguserinput,verifythatitmatchesthestrictestdefinitionpossibleofvalidinput.Forexample,ifacertainparameterissupposedtobeanumber,attempttoconvertittoanumericdatatypeinyourprogramminglanguage.

PHP:intval(“0”.$_GET[‘q’]);

ASP.NET:int.TryParse(Request.QueryString[“q”],outval);

Thesameappliestodateandtimevalues,oranythingthatcanbeconvertedtoastrictertypebeforebeingused.Whenacceptingothertypesoftextinput,makesurethevaluematcheseitheralistofacceptablevalues(white-listing),orastrictregularexpression.White-listinginvolvescreatingalistofacceptablecharacters,asopposedtoblack-listing,whichisalistofunacceptablecharacters.Ifatanypointthevalueappearsinvalid,donotacceptit.Also,donotattempttoreturnthevaluetotheuserinanerrormessage.

Mostserver-sidescriptinglanguagesprovidebuilt-inmethodstoconvertthevalueoftheinputvariableintocorrect,non-interpretableHTML.Theseshouldbeusedtosanitizeallinputbeforeitisdisplayedtotheclient.

PHP:stringhtmlspecialchars(stringstring[,intquote_style])

ASP.NET:Server.HTMLEncode(strHTMLString)

WhenreflectingvaluesintoJavaScriptoranotherformat,makesuretouseatypeofencodingthatisappropriate.EncodingdataforHTMLisnotsufficientwhenitisreflectedinsideofascriptorstylesheet.Forexample,whenreflectingdatainaJavaScriptstring,makesuretoencodeallnon-alphanumericcharactersusinghex(\xHH)encoding.

IfyouhaveJavaScriptonyourpagethataccessesunsafeinformation(likelocation.href)andwritesittothepage(eitherwithdocument.write,orbymodifyingaDOMelement),makesurethedataisencodedforHTMLbeforewritingittothepage.JavaScriptdoesnothaveabuilt-infunctiontodothis,butmanyframeworksdo.Ifyouarelackinganavailablefunction,somethinglikethefollowingwillhandlemostcases:

s=s.replace(/&/g,’&amp;’).replace(/”/i,’&quot;’).replace(/</i,’&lt;’).replace(/>/i,’&gt;’).replace

(/’/i,’&apos;’)

Ensurethatyouarealwaysusingtherightapproachattherighttime.Validatinguserinputshouldbedoneassoonasitisreceived.Encodingdatafordisplayshouldbedoneimmediatelybeforedisplayingit.

Get connectedwww.hp.com/go/getconnected

Get the insider view on tech trends, alerts, and HP solutions for better business outcomes

Sharewithcolleagues

©Copyright2011Hewlett-PackardDevelopmentCompany,L.P.Theinformationcontainedhereinissubjecttochangewithoutnotice.TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.HPshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.

JavaisaregisteredtrademarkofOracleand/oritsaffiliates.MicrosoftisaU.S.registeredtrademarkofMicrosoftCorporation.

4AA3-7045ENW,CreatedSeptember2011

Remote File IncludesAsthesayinggoes,securityisbakedin,notbrushedon.Anyapplicationunderdevelopmentshouldbedesignedwithsecurityinmindfromtheonset.ThefollowingrecommendationswillhelpyoubuildWebapplicationsthatarenotsusceptibletoparameterincludevulnerabilities.

•Definewhatisallowed.EnsurethattheWebapplicationvalidatesallinputparameters(cookies,headers,querystrings,forms,hiddenfields,etc.)againstastringentdefinitionofexpectedresults.Thebestmethodofdoingthisisvia“white-listing”;thisisdefinedasonlyacceptingspecificaccountnumbersorspecificaccounttypesforthoserelevantfields,oronlyacceptingintegersorlettersoftheEnglishalphabetforothers.Manydeveloperswilltrytovalidateinputby“black-listing”characters,or“escaping”them.Basically,thisentailsrejectingknownbaddatabyplacingan“escape”characterinfrontofitsothattheitemthatfollowswillbetreatedasaliteralvalue.Thisapproachisnotaseffectiveaswhite-listingbecauseitisimpossibletoknowallformsofbaddataaheadoftime.

•ChecktheresponsesfromPOSTandGETrequeststoensurewhatisbeingreturnediswhatisexpected,andisvalid.

•Verifytheoriginofscriptsbeforeyoumodifyorutilizethem.•Donotimplicitlytrustanyscriptgiventoyoubyothers(whetherdownloadedfromtheWeborgiven

toyoubyanacquaintance)foruseinyourowncode.

Referenceshttp://techtimely.wordpress.com/2011/04/22/web-hacking-threats/

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

http://en.wikipedia.org/wiki/Cross-site_scripting

http://www.phrack.org/issues.html?id=8&issue=54

http://sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx

http://www.isti.tu-berlin.de/fileadmin/fg214/Papers/ravi-asprox.pdf

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3

http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/