the 2011 mid-year top cyber security risks report - … dausin advanced security intelligence team...

24
THE 2011 MID-YEAR TOP CYBER SECURITY RISKS REPORT Table of contents Contributors 2 Overview 2 Vulnerability trends 4 Discovery and disclosure of new vulnerabilities 5 Further analysis: Zero Day Initiative 7 Seeing the big picture: where the vulnerabilities are 9 Static analysis 10 Dynamic analysis 11 Manual analysis 13 Attack trends 14 New vulnerabilities are unnecessary; attacks continue to rise regardless 15 Cross-Site Scripting 17 SQL Injection plays a starring role 18 Mitigation 20 Cross-Site Request Forgery 21 SQL Injection 21 Cross-Site Scripting 23 Remote File Includes 24 References 24

Upload: dinhhanh

Post on 04-Apr-2018

216 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

The 2011 Mid-Year Top CYber SeCuriTY riSkS reporT

Table of contents

Contributors 2Overview 2Vulnerabilitytrends 4 Discoveryanddisclosureofnewvulnerabilities 5 Furtheranalysis:ZeroDayInitiative 7 Seeingthebigpicture:wherethevulnerabilitiesare 9 Staticanalysis 10 Dynamicanalysis 11 Manualanalysis 13Attacktrends 14 Newvulnerabilitiesareunnecessary;attackscontinueto riseregardless 15 Cross-SiteScripting 17 SQLInjectionplaysastarringrole 18Mitigation 20 Cross-SiteRequestForgery 21 SQLInjection 21 Cross-SiteScripting 23 RemoteFileIncludes 24References 24

Page 2: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

2

ContributorsProducingtheTopCyberSecurityRisksReportisacollaborativeeffortamongHPDVLabsandotherHPteams,suchasFortifyandtheApplicationSecurityCenter.WewouldliketosincerelythanktheOpenSourceVulnerabilityDatabase(OSVDB)forallowingprintrightstotheirdatainthisreport.ForinformationonhowyoucanhelpOSVDB:

https://osvdb.org/account/signup

http://osvdb.org/support

Contributor Title

MikeDausin AdvancedSecurityIntelligenceTeamLead

AdamHils ApplicationSecurityCenterProductManager

DanHolden Director,HPDVLabs

PrajaktaJagdale WebSecurityResearchGroupLead

JasonJones AdvancedSecurityIntelligenceEngineer

RohanKotian DigitalVaccineTeamLead

JenniferLake ProductMarketing,HPDVLabs

MarkPainter ApplicationSecurityCenterContentStrategist

TaylorAndersonMcKinley Director,FortifyonDemand

AlenPuzic AdvancedSecurityIntelligenceEngineer

BobSchiermann SeniorTechnicalPublicationsWriter

OverviewIncreasingly,organizationsfacesecurityrisksimposeduponthembyattackersintentonachievingfame,glory,orprofit.Attackers,familiarwithcommonvulnerabilitiesinherentinmanyoftoday’swebsites,knowhowtoexploitthosevulnerabilitieswithattacksdesignedspecificallytotakeadvantageofthem.Examplesofsuchdestructiveactivitieshaverecentlyhitthenewsinstoriesabout“hacktivist”groupssuchasLulzSecandAnonymous.

TheHP2011mid-yeareditionofthebiannualTopCyberSecurityRisksReportfeaturesin-depthanalysisandattackdatafromHPDVLabs,ApplicationSecurityCenter,andFortifysecurityunitsaswellasvulnerabilitydisclosuredatagarneredfromtheOSVDB.Giventhemediaattentionpaidtotheserecentattacks,aswellasdataHPobtainedfromitspartnersandcustomers,thebulkofthisreportisfocusedonWebapplications,includingthevulnerabilitiesthatexistandtheattacksthatareexploitingthoseweaknesses.

ThisreportisintendedforIT,network,andsecurityadministratorswhoareresponsibleforsecuringthepublic-facingcommunicationwithanorganization’scustomers,partners,andemployees.TheprimaryobjectiveofthiseditionoftheTopCyberSecurityRisksReportistoclearlyarticulatetherisksandweaknessesinherentinWebapplications.We’llhighlighttheoverallvulnerabilitylandscape,includingvulnerabilitiesincommerciallyavailableandcustom-builtapplicationsthatcanleadtoattacks,aswellashowoftenthesearebeingreported.Thereportwillalsohighlighttherisingnumberofattacksthatareleveragingthevulnerabilitiesdiscussedthroughoutthepaper.

Page 3: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

3

Keyfindingsfromthisreportinclude:

The number of Web application vulnerabilities that are reported differs significantly from the number that actually exist.

TheOpenSourceVulnerabilityDatabase(OSVDB)monitorsvulnerabilitydiscoveryandreportingthroughdisclosureprograms.Datafromthefirstsixmonthsof2011showsadistinctandsignificantdecreaseinthedisclosureofnewvulnerabilities.Whilethismightseemlikegoodnews,itisactuallytheopposite.DatacollectedfromscansofactualcustomerWebapplicationdeploymentsindicatesthatthenumberofvulnerabilitiesisnotdecreasing;itisonlythenumberofreportednewvulnerabilitiesthatisdecreasing.Productionwebsitesforsomeoftheworld’sleadingorganizationsarestillburstingwithvulnerabilitiesthatleavethewebsitesopentodevastatingattacks.

Web application attacks are on the rise, despite the lack of new vulnerabilities being disclosed.

HPDVLabscompiledattackdatafromitsnetworkofHPTippingPointintrusionpreventionsystems(IPS)todeterminethedangerthesevulnerabilitiesposetoInternetsecurity.InformationpulledfromthesesystemsshowsthatthenumberofattacksonWebapplicationsistentimesthenumberofvulnerabilitiesbeingreported.Thisfactleadsustobelievethatattackerseitherdon’tneedanynewvulnerabilitiestoachievetheirgoals,orthatthereareplentyofvulnerabilitiesincustomapplicationsthatareunknownoruntracked,increasingtheattacksurfacetoattackers.Therealityislikelyamixtureofboth.

Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools.

TwoofthemostcommonWebapplicationattacktypes,Cross-SiteScripting(XSS)andSQLInjection(SQLi),arecoveredin-depthinthisreport.BasedondataobtainedfromHPTippingPointIPSdevices,thesearetwoofthemostfrequentlyusedattacktypes—thoughmanytimesfordifferentreasons.XSS,whichisoftenusedforspamorphishingattempts,providesaneasywaytodistributeanattackonawidescale.Conversely,SQLicanbeusednotonlyforoverwritingadatabaseandthenredirectingvisitorstoamalicioussite—similarinfashiontohowXSSisleveraged—butalsoformassivedatabasetheft.

Theinformationinthisreportcomesfromvarioussources,allowingHPDVLabstoobtainabroadsetofdatafromwhichtocorrelatemeaningfulfindings.Thesesourcesinclude:•AworldwidenetworkofHPTippingPointIntrusionPreventionSystems•VulnerabilityinformationfromOSVDBandtheZeroDayInitiative(ZDI)•WebapplicationdatafromtheASCWebSecurityResearchGroup,theEBSWBTOProfessional

ServicesOrganization,andFortifyonDemand

Page 4: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

4

2000

Tota

l vul

nera

bilit

ies

11K

8.8K

6.6K

4.4K

2.2K

02001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

Figure1

DisclosedvulnerabilitiesaccordingtoOSVDB,2000–2011

VulnerabilitytrendsTobetterunderstandthethreatlandscape,itisimportanttostartwiththeweaknessespresentincomputinginfrastructures.Theseweaknessestypicallymanifestthemselvesasapplicationvulnerabilities,whicharethefocusofthissectionofthereport.Thevulnerabilitylandscapeisdiscussedinthefollowingthreesections:•Discovery and disclosure of new vulnerabilities:Thissectiondescribescurrenttrendsinvulnerability

reporting,highlightingvulnerabilitiesthathavebeendisclosedincommerciallyavailablecomputingsystems,includingWebapplications.Basedonthetrendinformation,onecandiscernthevolumeandcategoryofnewlydiscoveredvulnerabilities,whichprovidesinsightintohowsuchvulnerabilitiesattractattackers’attention.

•Trends in vulnerability research:ThissectionhighlightsdatafromtheHPDVLabs’ZeroDayInitiative(ZDI)vulnerabilityresearchprogram.ItprovidesadeeperlookintothetypesofvulnerabilitiesthattheZDIresearchesanddiscoversinanefforttogetabettersenseofwhatdrivesasecurityattack.

•Vulnerabilities discovered in production Web application environments:ThissectionhighlightsresultsfromscansofliveWebapplications.Datainthissectiondemonstratesthevulnerabilitiesthatarepresentinreal-worldWebapplications,includingnewvulnerabilitiesthatareunreportedaswellasthosethatwerepreviouslydisclosed,andas-yetunfixedvulnerabilities.

Page 5: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

5

1.3K

1.04K

780

Tota

l vul

nera

bilit

ies

520

280

0

Figure2

VulnerabilitydisclosureaccordingtoOSVDB,2000–2011,brokendownbymonth

Discovery and disclosure of new vulnerabilities BasedondatapulledfromOSVDB,thetotalnumberofnewvulnerabilitiesreportedforthefirsthalfof2011isabout25percentlowerthanthenumberofnewvulnerabilitiesreportedatmid-year2010andpreviousyears.AsofJune30,2011,OSVDBcataloged3,087(Figure 1)reportedvulnerabilitiesinInternet-basedsystems,applications,andothercomputingtools,ascomparedto4,091catalogedinthecorrespondingperiodin2010.

Afterpeakingin2006,vulnerabilityreporting—forcommerciallyavailableproducts—hasbeeninaslowdecline(Figure 2).Thereasonsforthisdeclinearevaried,butseverallikelyreasonsstandout.Softwaremakersandsystemdevelopershaveincreasedtheirsecurityawarenessandhavetakenstepstoreducevulnerabilitiespriortoreleasingtheirproducts.Thesecondreasonisareductioninthedisclosuresofdiscoveredvulnerabilities,motivatedbyadesiretoinsteadsellthevulnerabilityforprofit.Anotheristhatsomeorganizationswouldratherannouncedetailsregardingvulnerabilitiesonlyafterthey’vebeenfixed.

Despitetheoveralldeclineinnewvulnerabilitiesbeingdiscoveredandreported,itisimportanttonotethattheratioofvulnerabilitiesdiscoveredinWebapplicationsstillmakesup31percent(Figure 3)ofallvulnerabilitiesdisclosed.Itisworthnotingthatroughlyhalfofallvulnerabilitydisclosuressince2006haveinvolvedWebapplications,sothedownwardtrendforthefirsthalfof2011isyetanotherproofpointfortheoveralldropinvulnerabilitydisclosurethusfar.

Page 6: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

6

31%

69%

Web apps vulns

Other vulns

Figure3

ComparisonofWebapplicationvulnerabilitiesversusnon-Webapplicationvulnerabilities,January–June2011

ThereasonforthehighnumberofWebapplicationvulnerabilitiesisamatterofopportunityandprofit.First,thenumberofWebapplicationsincirculationgrowssteadilyeveryday.AWebapplicationinitssimplestformtiestogetheranoperatingsystem,aWebserver,adatabase,andsometop-levelapplicationthatcustomersusetointeractwiththeback-endsystems.Manyorganizationshaveadoptedthismodelforinteractingwithcustomersthroughretailsites,onlinebankingorfinanceapplications,orevenappointmentscheduling.Inaddition,manyorganizationshaveconfidentialorsensitivedatastoredinthedatabase(s)connectedtotheseapplications,offeringanalmostlimitlessfieldofopportunityforattackers,whoviewitallasaverylucrativeproposition.

Whenvulnerabilitiesarebrokendownbycategory,someinterestingtrendsbegintoemerge.DatapresentedinFigure 4showsthatcertaintypesofvulnerabilitiesaremorefrequentlydiscoveredanddisclosed.Cross-SiteScripting(XSS)stillcomprisesthemostsignificantamountofnewWebapplicationvulnerabilitydisclosures.XSSiscommonlyusedforspam,phishing,andWebbrowserexploits.BufferOverflowandDenialofService(DoS)vulnerabilitiesroundoutthetopthree.

Buffer OverflowAbufferoverflowattackoccurswhenattackerspurposelyoverloadasystems’temporarymemory(calledabuffer)towreakhavoconavictim’smachine.Oftentimesattackersalsoincludeinstructionalcodeininformationtheyusetooverflowthememory.Thatcodecaninstructtheaffectedsystemtoaccessorchangeconfidentialdataorevensendinformationbacktotheattacker.

Denial of Service (DoS)Atypeofvulnerabilitythatallowsanattackertoexhaustcomputerresourcesonavulnerablesystemtoapointwherelegitimateusageofthatsystemisimpossible.

Distributed Denial of Service (DDos)AtypeofDoSattackthatemploysanumberofseparatecomputers,whichsimultaneouslylaunchaDenialofServiceattackagainstasingleapplicationorsystem.

Page 7: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

7

Tota

l vul

nera

bilit

ies

3K

2.4K

1.8K

1.2K

600

0

2000

2001

2002

2004

2005

2006

2007

2008

2009

2010

2011

Cross Site Scripting Cross Site Request Forgery SQL Injection Buffer Overflow Remote File Include Denial of Service

Figure4

Disclosedvulnerabilitiesbrokendownbycategory,January2000–June2011

Itisinterestingtonotethatthebreakdownofpopularvulnerabilitiesbycategoryremainsfairlyconsistentoverthepastthreeyears(Figure 5),likelybecauseXSSvulnerabilitiesarerelativelyeasytofindandareveryusefultoattackers.Spammersandphishersarealwayslookingforwaystomaketheirtrademoreprofitable,andXSScontinuestobeausefulvulnerabilityforthesepurposes.

Further analysis: Zero Day Initiative TheZeroDayInitiative(ZDI),foundedbyHPTippingPointin2005,isaprogramforrewardingsecurityresearchersforresponsiblydisclosingvulnerabilities.TheprogramisdesignedsothatresearchersprovideHPTippingPointwithexclusiveinformationaboutpreviouslyunpatchedvulnerabilitiestheyhavediscovered.HPDVLabsvalidatesthevulnerabilityandthenworkswiththeaffectedvendoruntilthevulnerabilityispatched.Atthesametime,HPDVLabsdevelopsasecuritysolutionthatprovidespreemptiveprotectionforHP’scustomersevenbeforetheapplicationvendordistributesafixforthevulnerability.

From2005throughJune2011,ZDIandHPDVLabsresearchershavediscoveredandresponsiblydisclosedmorethan980vulnerabilitiesinpopularcomputingsystemsincludingWebbrowsers,mediaplayers,anddocumentreaders.

In2010,ZDIannouncedchangestoitsdisclosurepolicythatincentvendorstointroducemoretimelybugfixesintotheirproducts.Underthenewpolicy,ZDIofferstheaffectedvendorssixmonthstoissuepatches,fixes,orworkaroundsforundisclosedvulnerabilitiesreportedtothemviatheZDIprogram.If,aftersixmonths,thevendorhasnotissuedafixorclearedanexceptionwithZDI,limiteddetailofthevulnerabilitywillbedisclosedsothatthedefensivecommunityandconsumersoftheseaffectedapplicationscanfindtheirownwaystomitigatetheriskassociatedwiththeseopenbugs.FurtherinformationregardingtheZDIdisclosurepolicycanbefoundhere:http://www.zerodayinitiative.com/advisories/disclosure_policy/.

Page 8: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

8

0200400600800

10001200140016001800

2009 2010 2011

BO

DOS

PHP

SQLi

XSS

CSRF

(through 6/30/2011)

Figure5

Three-yearview:popularvulnerabilitiesbycategory

Inthetable(Figure 6)belowyoucanseethetop10applicationswithvulnerabilitiesdisclosedthroughtheZDIsincetheprogramwasstartedin2005.

Forthefirsthalfof2011,DVLabsandtheZDIeitherdiscoveredoracquired,anddisclosedtoaffectedvendors,231vulnerabilitiesinawiderangeofproducts.Onthenextpage(Figure 7)youcanseethetop10applicationsforwhichvulnerabilitiesweredisclosedthroughtheZDI.Whileonlyfourofthe10applicationsarerelatedtoWebbrowsers,thetotalnumberofvulnerabilitiesfromtheseapplicationsisstaggering.

0 10 20 30 40 50 60 70

Apple QuicktimeMicrosoft Internet Explorer

Oracle/Sun JavaMicrosoft OfficeMozilla FirefoxApple Webkit

RealNetworks Real PlayerAdobe Shockwave

HP OpenViewAdobe Reader

Figure6

MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIfrom2005–2011

Page 9: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

9

0 5 10 15 20 25 30

CA Total Defense

IBM Lotus (general)

Microsoft Office Tools

HP OpenView Network Node Manager

Novell iPrint

Apple WebKit

Adobe Reader

HP Data Protector

Oracle Java (general)

Adobe Shockwave

Figure7

MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIin2011

Seeing the big picture: where the vulnerabilites areSofar,thisreporthasfocusedprimarilyonvulnerabilitydisclosure,whichmayormaynotreflectthecompletepictureofvulnerabilitytrendsunfoldingontheInternet.Inanefforttoseeaclearerpictureofthereal-worldvulnerabilitylandscape,theHPApplicationSecurityCenterWebSecurityResearchGroup(WSRG)compiledresultsfromover2,750securityassessmentsperformedagainstavarietyofcustomerWebapplicationsduringthefirstsixmonthsof2011.Whileitisgoodtoseeanoverallreductioninthenumberofnewvulnerabilitiesbeingreported,thathasunfortunatelyhadnoimpactonthedangersofexploitation.Theseresultshavebeendividedintothreesections:

•Thefirstcorrelatesresultsfromalmost250Webapplicationsanalyzedstatically(attheline-of-codelevel)forWebapplicationvulnerabilities.

•Thesecondgroupincludesresultsfromdynamicanalysis(duringtheactualrunningoftheapplication)conductedagainstover2,500uniqueWebapplications.

•Finally,thethirdsetofanalysesincludesacloserinspectionofamuchsmallergroupofassessmentstoexplorethedifferentwaysinwhichWebapplicationvulnerabilitiescanbeexploited,howthatimpactstheoverallriskstandingoftheapplication,andwhatmitigationmeasuresdevelopersareemployingthatarenotworking.

Eachsetofanalyseswillshedlightonthenature—andseriousness—ofWebapplicationvulnerabilitiesandhowprevalenttheyare.Whatsecurityprofessionalshavesteadilywitnessedinthelastdecadeisthatattackshavemovedfromdefacementandgeneralannoyancetoone-timeattacksdesignedtostealasmuchdataaspossible,andfromtheretoperniciousongoingattacksthatattempttodistributemalwareandstealasmuchdataforaslongaspossiblewithoutbeingdetected.ItisimperativetorealizethatitoftentakesonlyoneWebapplicationvulnerabilityforanentiresystemtobecompromised.Theenormityofthedangercannotbeoverstated.

Page 10: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

10

Static analysisThefirstsetofapplicationswasstaticallyanalyzedbytheWSRGinconjunctionwiththeHPFortifyonDemandgroupandincluded236uniqueapplications.Thefirststatisticistrulystaggering:afull69%oftheapplicationstestedcontainedatleastoneSQLiflaw.Fundamentally,SQLiisanattackupontheWebapplication,nottheWebserverortheoperatingsystemitself.Asthenameimplies,itistheactofaddingunexpectedSQLcommandstoaquery,therebymanipulatingthedatabaseinwaysunintendedbythedatabaseadministratorordeveloper.Whentheattackissuccessful,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbyvulnerableWebapplications.IfattackerscanfindoneSQLInjectionvulnerabilityinanapplication,there’saverygoodchancetheycancompromiseitcompletely.Alotofhigh-profileattacksoverthecourseofthefirsthalfof2011werethedirectresultofSQLi.EvenLadyGagaisn’timmunetoSQLi.

ThesecondmostprevalentvulnerabilitydiscoveredinthisseriesofassessmentswasCross-SiteScripting(XSS),(specifically,thereflectedvariety).Putsimply,reflectedXSSattackscomefromsomewhereelse,suchaswhenuser-suppliedinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.Usingsomesocialengineering,anattackercantrickavictim,perhapsthroughamaliciouslinkora“rigged”form,tosubmitinformationwhichwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.Theinjectedcodeisthenreflectedbacktotheuser’sbrowserwhichexecutesitbecauseitcamefromatrustedserver.64%oftheassessedapplicationscontainedatleastonereflectedXSSflaw.

Itssistervulnerability,persistentXSS,wasdiscoveredin42%oftheapplicationstestedinthisgroup.Persistentattacksarejustthat:insomeformtheyarestoredonthetargetserver,suchasinadatabase,orviaasubmissiontoabulletinboardorvisitorlog.Thevictimwillretrieveandexecutetheattackcodeinhisbrowserwhenarequestismadeforthestoredinformation.What’salsointerestingaboutthisparticularvulnerabilityisthateventhoughitwasfoundin27%feweroftheapplicationsthanSQLi,therewereactuallymoreuniqueinstancesofpersistentXSSdiscoveredthananyothervulnerabilityforwhichtheWSRGtested.TheimpactsofeachflavorofXSSarethesame.

Amoregenericvulnerability,HeaderManipulation,wasfoundin37%oftheapplications.HeaderManipulationvulnerabilitiesoccurwhendataentersaWebapplicationthroughanuntrustedsource,mostfrequentlyaWebrequest.ThedataisincludedinanHTTPresponseheadersenttoaWebuserwithoutbeingvalidated.AswithmanyWebapplicationsecurityvulnerabilities,HeaderManipulationisameanstoanend,notanendinitself.Atitsroot,thevulnerabilityisstraightforward:anattackerpassesmaliciousdatatoavulnerableapplication,andtheapplicationincludesthedatainanHTTPresponseheader.IncludingunvalidateddatainanHTTPresponseheadercanenablecache-poisoning,XSS,cross-userdefacement,pagehijacking,cookiemanipulation,oropenredirectvulnerabilities.And18%oftheapplicationsalsocontainedaspecificcookieHeaderManipulationvulnerability.

Cross-Site Scripting (XSS)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationtoenableanattackertoinjectmaliciousclient-sidecodeintoaWebpagewhichisviewedbyavictim’sWebbrowser.VariousformsofXSSarecurrentlybeingusedtophishwebsiteusersintorevealingsensitiveinformationsuchasusernames,passwords,andcreditcarddetails.XSScangenerallybedividedintostored,reflected,andDOM-basedattacks.StoredXSSresultsinthepayloadbeingpersistedonthetargetsystemineitherthedatabaseorthefilesystem.Thevictimswillretrieveandexecutetheattackcodeintheirbrowserwhenarequestismadeforthestoredinformation.ExecutionofthereflectedXSSattacks,ontheotherhand,occurswhenuserinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.DOM-basedXSSattacksrelyonmaliciousmodificationoftheDOMenvironmentinavictim’sbrowser.ItdiffersfromthestoredandreflectedXSSinthefactthatthemaliciousdataisneversenttotheserver.Viasomesocialengineering,anattackercantrickavictim,suchasthroughamaliciouslinkor“rigged”form,tosubmitinformationthatwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.

Command ExecutionAtypeofvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertorunoperatingsystemcommandsonthevulnerableapplicationserver.Typically,thisvulnerabilitycategoryallowsattackerstoexploitWebapplicationsthatpassuserdataasparameterstoI/OoperationsbyappendingOScommandstousersuppliedinputusingspecialcharacterssuchasapipe(|).

Page 11: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

11

AnotherwidespreadvulnerabilitydiscoveredduringtheWSRGanalysiswasPathManipulation.Thisoccurswhenuser-suppliedinputcancontrolorotherwiseinfluencefilenamesorpathsutilizedinfilesystemoperations,whichcanthengiveanattackerthemeanstoaccessorchangeprotectedsystemresources.63%ofthescansdetectedaPathManipulationvulnerability.

Whilenoneofthevulnerabilitiesdiscussedsofarcanbeconsideredinnocuous,oneextremelydangerousvulnerabilitywasalsodetectedinlargenumbers.CommandInjectionoccurswhenaremoteusercansupplyaspeciallycraftedvaluetoexecutearbitraryoperatingsystemcommandsonthetargetsystem.35%oftheapplicationscontainedatleastoneCommandInjectionvulnerability.

Anothersignificantvulnerabilityoccurswhendevelopersleavepasswordshardcodedintheircode.Hardcodedpasswordswerediscoveredin30%oftheapplications.Anattackerwhodiscoversahardcodedpasswordcouldobviouslygainunintendedaccesstotheapplication.Thedamageswoulddependonthefunctionalityoftheapplicationitself.

5%oftheapplicationscontainedXPathInjectionvulnerabilities.XPathInjectionisverysimilartoSQLi.Inthatscenario,SQLcommandsaremodifiedbyanattackertogainaccesstodatabasecontentsandinformation.InXPathInjection,XPathstatementsaremodifiedtogainaccesstothedatacontainedwithinanXMLdocument,whichoftenservesasthe“XMLdatabase.”Importantly,XPathdoesnotutilizeaccesscontrolrestrictionsasSQLdoesviaprivileges,soasuccessfulXPathInjectionattackwillyieldcompleteresultsinthatallthedatainthedocumentwillberevealed.TheXPathlanguageisalsouniform,unlikeSQL,sothatanyinstalledimplementationispotentiallyvulnerable.Intheseaspects,XPathInjectioniseasiertoexecutethanSQLiandhasgreaterresultsreturnedonaffectedsystems.

Anotherinterestingsetofdatadescribesthenumberofvulnerabilitiesfoundperapplication,andper1000linesofcode.Duringinitialscans(beforeremediationefforts),410vulnerabilitieswerefoundonaverageforeachofthe236applicationsevaluated,equatingto4.6vulnerabilitiesper1000linesofcode.Ofthethreelanguagescounted,PHPwasthemostvulnerableprogramminglanguage,with13.1vulnerabilitiesper1000lines,followedby.Netat7.7.Javawasthemostsecure,at4.1.

Dynamic analysisThesecondsetofdatawascollectedbytheWSRGinconjunctionwiththeHPEnterpriseBusinessSoftwareBTOProfessionalServicesorganizationandwassplitacrossthreeenterprise-levelorganizations:onefromtheenergysector,onefrombankingandfinance,andonefromproductmanufacturinganddistributiontoseehowWebapplicationvulnerabilitiesarepresentedinreal-worldapplicationsandareencounteredacrossalltypesofbusinesses.Eachassessmentwasconductedusingdynamic(real-time)analysismethods.Thefirsttwosetsofdatawereanalyzedagainstasmall(lessthan20)numberofapplications,whilethelastsetconsistedofmorethan2,300scansandwasactuallyanalyzed infargreaterdepththanthefirsttwo.However,allthreesetsofdatayieldedinterestingresults.Eachwastestedforaseriesofcommon,yetdangerous,Webapplicationvulnerabilities.

Cross-Site Request Forgery (CSRF)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofauthorizationonavulnerableWebapplicationtoallowanattackertoexecuteapplicationcommandsonbehalfofanotheruseroftheapplication.ThetypicalscenarioofaCross-SiteRequestForgeryattackinvolvesanattackertrickingavictimintoclickingonaspeciallycraftedlinkthatisdesignedtoperformamaliciousoperationonbehalfofthevictim.Forexample,avictimmayclickonamaliciouslinkthatforcesthevictimtotransfermoneyfromthevictim’sbankaccounttoanattacker’sbankaccount.

Remote File IncludeAtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizedcode(typicallyPHPorASP)onavulnerableserver.RemoteFileIncludeattackstypicallyarisefromascriptinglanguage’sinherentabilitytoincludecodefromexternalURLs,orarbitrarylocalfiles.Itisthisabilitythatallowstheattackertoincludeunauthorizedcodefromanexternalsource.

Page 12: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

12

Theenergysectorapplicationscontainedanumberofvulnerabilitiesthatcouldbeutilizedtocompromisethesystem.Forexample,23%werevulnerabletoSQLi.15.3%werevulnerabletoRemoteFileInclude(RFI)vulnerabilities.53.8%werevulnerabletoReflectedXSS,whileanother23%werevulnerabletoPersistentXSS.Also,38.4%werevulnerabletoCross-SiteRequestForgery.Cross-SiteRequestForgeryreliesonabrowsertoretrieveandexecuteanattack.Itincludesalinkorscriptinapagethatconnectstoasitethattheusermayhaverecentlyused.Thescriptthenconductsseeminglyauthorized,yetmalicious,actionsontheuser’sbehalf.Othervulnerabilitiescouldbeexploitedtoblocktheaccessoflegitimateusers.30.76%weresusceptibletoaBufferOverflow,withanother15.3%vulnerabletoaDenial-of-Serviceattack.ItisimportanttonotethatanapplicationthatsuffersfromanyoneofthesevulnerabilitieswouldfailaPCIcomplianceaudit.

Whilenotasmanyspecificvulnerabilitiesweredetected,thebankingandfinancesectorapplicationsalsocontainedalargenumberofdisconcertingvulnerabilities.58.3%oftheapplicationswerevulnerabletoReflectedXSS,butonly8.3%containedaPersistentXSSvulnerability.16.6%werevulnerabletoCross-SiteRequestForgery.Exploitationofanyofthosevulnerabilitiescouldresultinanattackergaininglegitimateauthenticationcredentials,inadditiontootherpossibilities.Inabitofagoodanomalyforthisparticularorganization,only8.3%oftheapplicationswerefoundtocontaineitheraSQLiorRFIvulnerability.Yet,thatpositivesecuritypostureissomewhatlessenedbythefactthat21.4%oftheapplicationsweren’tusingSSLcookies.And50%sufferedfromDirectoryPathDisclosurevulnerabilities,whichattackerscanutilizetoformulatemoredamagingattacks(thinkofthisasastepinreconnaissance—if youknowwheresomethingis,it’smucheasiertoattackit).

Finally,thethirdsetofapplications(all2,345ofthem)isutilizedbyaverylargeproductmanufacturinganddistributionorganization.Althoughgreaterinnumber,theseapplicationswereactuallyassessedatahigherlevelofgranularitythantheprecedingsetsofdata.Oftheseapplications,31%werevulnerabletoXSSand15%werevulnerabletoaversionofXSSthatrequireduserinteraction,suchasclickingalinkormovingthemousepointerovertext.Another6.5%werevulnerabletoaspecificformofXSSresultingfromthewayApacheWebserversincorrectlyfilteredinputinthe“Expect”header.Another5.8%werevulnerableduetospecificfilteringvulnerabilitiesinMicrosoft®ASP.NET.

Whileonly1.9%oftheapplicationswereconfirmedtobevulnerabletoSQLi,and2.3%registeredasvulnerabletoSQLialbeitwithnodataabletobeextracted,18%werestillvulnerabletoBlindSQLi.NormalSQLiattacksdependinalargemeasureonanattackerreverse-engineeringportionsoftheoriginalSQLqueryusinginformationgainedfromerrormessages.However,applicationscanstillbesusceptibletoBlindSQLievenifnoerrormessageisdisplayed.Theconsequencesarethesame.

OneinterestingstatisticisthatonlytwooftheseapplicationsregisteredasbeingvulnerabletoCross-SiteRequestForgery.Whencodingapplications,developerstendtomakethesamesecuritymistakesinmorethanonceplace.Inotherwords,ifanapplicationisvulnerabletoSQLi,chancesareit’svulnerableinmanylocations,notjustone.However,theoppositecanholdtrue,too.Itisapparentthatthesedevelopersutilizedanti-CSRFtokensorothereffectivecountermeasuresintheirapplications.

AnotherissuethattheWSRGexaminedwasthatofinformationleakage.Informationleakageconsistsofdirectoryprobing,errormessagesthatrevealinformationunintendedbythedeveloper,common“guessed”directories,andotheritemsthatcouldrevealinformationbeneficialtoescalatingattackmethodology.Successfulexploitationwouldgiveanattackerunauthorizedaccesstosensitiveinformation.Themainproblemwithinformationleakageisthattheinformationgainedfromtheseattackscanbeusedtoconductfarmoredamagingattacks.

18.8%oftheapplicationscontainedlogininformationsentoverunencryptedconnection.AnyareaofaWebapplicationthatpossiblycontainssensitiveinformationoraccesstoprivilegedfunctionalitysuchasremotesiteadministrationfunctionalityshouldutilizeSSLoranotherformofencryptiontopreventlogininformationfrombeingsniffedorotherwiseinterceptedorstolen.5.6%oftheapplicationscontainedaknownfileordirectory.OneofthemostimportantaspectsofWebapplicationsecurityistorestrict

Page 13: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

13

accesstoimportantfilesordirectoriestoonlythoseindividualswhoactuallyneedtoaccessthem.2.2%containedsomeformofcodedisclosurevulnerability.Anattackerwhogainsaccesstothesourcecodeofanapplicationobviouslyhasanupperhandindeterminingthebestmethodofattackingit.

Manual analysisTheWSRGalsoconductedextensivemanualanalysisofvulnerabilitiesdiscoveredwhileconductingautomatedsecuritytestsforadifferentgroupofcommercialapplications.Theanalysisfocusedondiscoveringtrendsthathelp:

1. Determinetheimpactofvariousfactorspertainingtothevulnerabilitysource/contextonitscriticalityandexploitability

2.AssessthemitigationsputinplacebydeveloperstosecuretheirWebapplicationsagainstthemostcommonvulnerabilitycategoriesandunderstandtheirshortcomings

WhilesecuringWebapplicationsagainsteverypossiblethreatisimportant,notallvulnerabilitiesarecreatedequal,eveniftheybelongtothesamecategory.Inthecaseofproductionsystems,thediscoveryofcriticalvulnerabilitiesnecessitatesanimmediateresponse.This,inturn,entailsprioritizingthediscoveredissuesbasedontheexploitability,severity,andimpactonthesecuritypostureoftheoverallsystem.ThemanualanalysishelpedtheWSRGidentifythefollowingnumerousfactorsthatimpactavulnerability’strueriskrating.

1. AccesscontrolrequirementfortheresourceAnyresourcerequiringtheusertoauthenticateaddsanextralayerofcomplexityfortheattackerindiscoveringtheissue.However,oncediscovered,asuccessfulexploitationcanprovedeadly,allowingtheattackertobypasstheaccesscontrol,escalateprivileges,andgaincontroloverprotectedandpossiblysensitivesectionsofthesystem.46%ofthevulnerabilitieswerediscoveredinprotectedresources.

2. Function/PurposeoftheresourceObviously,thesensitivityoftheWebpagecontentanditspurposegreatlyimpactsthecriticalityofanyvulnerability.AnXSSvulnerabilityintheloginpageprovidestheattackerwithmoreleveragetoachieveacompletetakeoverofthesystemthanonethatexistsonasearchpage.Ultimately,anygivensecurityissuecanbeturnedintoadeadlyweaponagainstaWebapplication.However,themoreeffortrequiredtoexploitavulnerability,thelessattractivetheapplicationbecomestoanattacker.Inthesampleset,31%ofvulnerabilitiesweredetectedinloginscriptswhile46%weredetectedinsearchpages.

3. In-houseapplicationsvs.third-partycomponentsDuringmanualanalysis,theWSRGdiscoveredthatvulnerabilitiesweredetectedinbothcustomcodeaswellasinthatofthird-partyapplications.In62%oftheapplications,thevulnerabilitieswereconcentratedinthesectionsofapplicationsthatweredevelopedin-house.In31%oftheapplications,thedistributionwasexactlyreversed.Securityissuesinthird-partysoftwarearedefinitelymoreconcerningsincethoseallowtheattackerstocompromisemultiplesystemsbypossiblyusingthesameexploit.Issuesdetectedwithincustomcodecouldtakelongertofixsincetheywillrequireunderstandingofallthevulnerableinputusagesandthenapplyingaseparatefixforeach.

4.ComplexityoftheexploitthatledtothediscoveryofthevulnerabilityAttackersalwaysprefertargetingsystemsthatareeasierandfastertocompromise.Thus,anyapplicationvulnerabletosimpleattackvectorswillattractmoreattackersthanonethathasatleastsomemitigatingsecuritycontrolsinplace.69%ofvulnerabilitieswerediscoveredusing“plainvanilla”attackvectors.

Page 14: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

14

Despitethehigh-profilenatureofrecentWebapplicationcompromises,databreaches,andincreasedfinesfornoncompliancewithgovernmentalregulations,alargenumberofapplicationsstillremainvulnerabletothemostrudimentaryWebattacks.TheWSRGhasdeterminedthatafewrecurringissuescontributetothisproblem:

1. Mitigationsappliedwithoutaccuratelyunderstandingtheusagecontextoftheuserinput23%oftheWebapplicationsinthesamplesetactuallyemployedtheHTMLencodingtechniquetoprotectagainstXSS,15%usedablacklistingapproach,and54%hadnoprotectionmechanismsimplemented.Themitigationsfailedtoprovideanyprotectionbecausein54%oftheapplications,thereflectionsoccurredwithintheclient-sideJavaScriptcodeblocks,makingthesecuritycontrolsineffective.

2.RelianceonspecificmitigationtechniquesinsteadofaholisticapproachManualinspectionoftheclient-sideapplicationsourcecodeindicatedthatthefewsecuritycontrolsemployedbythedeveloperswereappliedinresponsetoindividualvulnerabilitiesdiscoveredmorethanlikelyduringautomatedscans.TherewasnoindicationofdevelopmenthavingadheredtoanyformofaSecureDevelopmentLifecycle(SDLC)processtodevelopanyofthetestedapplications.Thiswasevidentintheunbalanceddistributionofvulnerabilitiesindifferentsectionsoftheapplications.

3. LackofuniformityinimplementationofsecuritycontrolsAlso,themanualanalysisrevealedthatwhilecertainsectionsofWebpageswereprotectedagainstXSSattacks,otherswereleftopentoexploitation.Thisbehaviorcouldbeattributedtovariousfactorssuchasthemixtureofin-housecodevs.third-partyapplicationcode,divisionofapplicationdevelopmenteffortswithnouniformprocessputinplacetogovernbestpractices,areactiveapproachtosecuringapplications,andsoon.Thislackofuniformityobviouslymakesvulnerabilitypatchingextremelycomplexandchallenging.Thebestapproachistoestablishawell-definedsecuredevelopmentprocessthatisuniformlyadheredtobyallthepartiesinvolvedinthecreationoftheapplication.

AttacktrendsTheprevioussectionprovidedaviewintothevulnerabilitylandscape—specificallywhereandhowapplicationscanbecompromised.Whilevulnerabilitiesprovideasolidunderstandingofwhatexists,lookingatwhatattacksareexploitingthosevulnerabilitiesandhowoftenwillprovideadeeperunderstandingofenterpriserisk.Attackdatafromthissectionisbrokenoutintothreeareas:

• Frequency and number of attacks.DatainthissectionisobtainedfromanetworkofHPTippingPointIntrusionPreventionSystem(IPS)devices.Thisdataisimportantforunderstandingtheriskseverityofparticularvulnerabilities.

• A deeper look at Cross-Site Scripting (XSS) attacks.XSSisoneofthemostfrequentattacksmeasuredonHPTippingPointIPSdevices.ThissectiondelvesintothedifferenttypesofXSSattacksandthespecificdangerinherentinthesevariants.

• A timeline and breakdown of SQL Injection (SQLi) attacks.SQLiisthemostfrequentWebapplicationattackthatwetrack.ThissectionlooksathowSQLihasevolvedandwhyitposessuchahugeriskfortoday’senterprises.

Page 15: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

15

0

200000000

400000000

600000000

800000000

1000000000

1200000000

1400000000

2009 2010 2011

Figure8

Totalnumberofattacksatmid-year,2009–2011

New vulnerabilities are unnecessary; attacks continue to rise regardlessDespitethefactthatthelevelofnewvulnerabilitydiscoveriesisdropping,thereisnoshortageofattacks.Whilethisistrueacrosstheboard—everysystem,everycategory—itisespeciallysignificantwhendiscussingWebapplications.GiventhelevelsofvulnerabilitiesthatarepresentinsomanyWebapplications,it’safairassessmentthatthisriseinattacksisduetoattackersleveragingexistingvulnerabilities.

First,thetrendofattacksforthefirsthalfoftheyearforthepastthreeyears(Figure 8)depictsadistinctupwardspike.

Next,comparingWebapplicationattacksatthemid-yearforthepastthreeyears(Figure 9),thereisadistinctincreaseinattacksonWebapplications—nearlyadoubleyear-on-yeargrowthforattacksaimedattheseapplications.

Lookingatthedataanotherway—comparingnumbersofWebapplicationattackstoallattacksinthegraph(Figure 10)onthenextpage—itisinterestingtonotethattherationofWebapplicationattacksisactuallyabithigher.

Page 16: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

16

0

5000000

10000000

15000000

20000000

25000000

30000000

35000000

2009 2010 2011(through 6/30/2011)

Figure9

TotalnumberofWebapplicationattacksatmid-year,2009–2011

WhenWebapplicationattacksarebrokendownbycategory,wecanseesomedefinitetrendstakingshape.Let’sreferbacktothethreetypesofWebapplicationvulnerabilitiesdiscussedinanearliersection:PHP/RemoteFileInclude(PHP/RFI),SQLInjection(SQLi),andCross-SiteScripting(XSS).WhileXSSvulnerabilitiesaredisclosedmoreoften,itisSQLivulnerabilitiesthatarebeingattackedthemost(Figure 11)—byasignificantmargin.

DatainFigure 12 (onpage18)showsthatWebapplicationattacksareincreasingsorapidlythatthenumberofattacksforthefirsthalfof2011arenearlyatthesamelevelsasforthefullyearsin2009and2010.Andinonecase—SQLi—thenumbersarehigherthaninthepreviousyear.

63%

37%All attacks

Web attacks

Figure10

Webapplicationattacksversusnon-Webapplicationattacks,January–June2011

Page 17: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

17

0

1000000

2000000

3000000

4000000

5000000

6000000

Jan Feb Mar Apr May Jun

PHP/RFI

SQLi

XSS

Figure11

Webapplicationattacksinthefirsthalf2011,brokendownbycategory

Cross-Site ScriptingCross-SiteScripting(XSS)vulnerabilityhasbeenaroundforawhileandhasbeenwell-documentedovertheyears.Torefresh,XSSisahackingtechniquethatallowsattackerstoexploitvulnerabilitiesinWebapplicationsandinjectclient-sidescriptintothevulnerableWebpagesthatareviewedbyunsuspectingusers.Asuccessfulattackwillallowanattackertohijackusersessions,stealsensitiveinformation,ordefacewebsites.TherearetwoprimarytypesofXSSvulnerability:non-persistent(orreflected),andpersistent(orstored).

Thereflected(non-persistent)XSSisbyfarthemostcommontypeofXSSattack.Therootcauseistheimproperhandling(lackofsanitization)ofHTTPrequestdatabytheservercode,allowingmalicioussitesto“reflect”maliciouscodeandattacktheuser.ThemainattackvectorisusuallyanemailmessagecontainingamaliciousURL.WhentheuserclicksontheURL,theyaretakentothevulnerablesitewherethemaliciouscodeisexecutedandreflectedbackontheuserinordertoexecutetheattack.ItistheXSSvulnerabilityofthewebsitethatallowsthistypeofattacktohappen.TheWebbrowserexecutesthecodebecauseitbelievesthecodeoriginates,andisunaltered,fromatrustedwebsite.

Apersistent,orstored,XSSattackisafarmoredevastatingXSSvariant.ThisattackdoesnotrequireuserstoclickURLsinordertopassmaliciouscodebacktothevulnerablewebsiteandattacktheuser.Inthiscase,themaliciouscodeisabletoliveonthevulnerableserverandisservedupalongsideregularHTMLcontent.Again,thistypeofattackisadirectresultofpoorinputvalidationontheserverside,whichallowsfornon-sanitizedinputtoendupbeingdisplayedonthesite.Thistypeofattackisparticularlyriskynotonlybecauseitdoesnotrequiredirectuserinteractionbutalsobecauseithasamuchwiderscope.Withnon-persistentattacks,theonlyuserswhogetattackedaretheoneswhoreflectthemaliciouscodetothesitebyclickingtheURL.WithpersistentXSSattacks,everyvisitortothesitemaygetcompromisedasthemaliciouscodelivesontheserveritself.Also,thismaliciouscodecanbeself-propagating,creatingatypeofclient-sideworm.

Page 18: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

18

0

5000000

10000000

15000000

20000000

25000000

30000000

2009 2010 2011

PHP

SQLi

XSS

(through 6/30/2011)

Figure12

Webapplicationattacks,2009–2011

Overthelastdecade,XSShasbeenapopularpartofthesecuritythreatlandscape.AccordingtovulnerabilitiesdocumentedbySymantecin2007,XSSaccountedforroughly80%ofallthesecurityvulnerabilities.Thatpercentagehasleveledoffovertherecentyears,butXSSisstillthesecondmostpopulartypeofWebapplicationvulnerability.AccordingtotheOpenWebApplicationSecurityProject(OWASP)2010TopTen,XSSwassecondonlytoSQLi.WhatmakesXSSevenmoredangerousisthatitcouldbeleveragedbyanattackertoexploitotherWebapplicationvulnerabilitiessuchasInformationDisclosures,ContentSpoofing,andmore.

WhileorganizationshaveabetterunderstandingoftherisksposedbyXSSattacks,thesetypesofvulnerabilitiesstillmakeupahighpercentageofbugsbeingdisclosedeveryyear.SowhilemanyXSSvulnerabilitieshavealowcommonvulnerabilityscoringsystem(CVSS)score,theirprevalenceincreasestheoverallattacksurfaceofaWebapplication,whichputenterprisesatahighriskforexposureandcanbecostlytofix.

SQL Injection plays a starring roleSQLiattacksgainedmediaattentionthisyearfromthehacktivistgroupsLulzSecandAnonymous,whousedthistypeofattacktocompromisesystemsofseveralhigh-profileorganizations.Datafromtheearliergraph(Figure 12)showsthatthistypeofattackisontheriseandhasbeenextensiveforsometime.

Thechartandtimelineonthenextpage(Figure 13)demonstratehowSQLiattackshaveevolvedovertheyears.

•1998—RainForestPuppy(RFP)discloses/discussestheinitialideaofSQLInjectioninphrack Magazine (Volume9,Issue54)

•2000—SQLInjectionFAQ—ChipAndrews—usesthefirstpublicusageofterm“SQLInjection”inapaper

•2003—TheideaofblindSQLInjectionisdisclosed/discussed•2006—WebapplicationvulnerabilitydisclosureskyrocketsinpartduetoSQLInjection•2008—SQLInjectionvulnerabilitydisclosurepeaks

SQL Injection (SQLi)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizeddatabasecommandsonaWebapplicationsdatabaseserver.Whensuccessfullyexploited,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbythevulnerableWebapplication.Incertaincircumstances,SQLInjectioncanbeutilizedtotakecompletecontrolofasystem.

Page 19: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

19

Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (volume 9, issue 54)Dec 25, 1998

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 SQL Injection timeline

SQL Injection FAQ – Chip Andrews – uses the first public usage of term “SQL Injection” in a paperOct 23, 2000

The idea of blind SQL Injection is disclosed/discussed 2003

Hackers have gained access to a database containing personal information on 800,000 current and former UCLA students 2006

Web application vulnerability disclosure skyrockets in partdue to SQL Injection2006

An estimated 500,000 websites compromised as a result of SQL Injections 2008

SQL Injection vulnerability disclosure peaks2008

The Asprox botnet leverages SQL Injection for mass drive by SQL Injection attacks to grow botnet 2008

Another half a million sites hit with automated SQL Injection 2010

HBGary, a technology security firm, was broken into by Anonymous using SQL Injection in their CMS-driven website Feb 5, 2011

Expedia’s TripAdvisor member data stolen as a result of SQL InjectionMar 24, 2011

Barracuda Networks was compromised using an SQL Injection flawApril 11, 2011

The Asprox botnet leverages SQL Injection for mass drive by SQI Injection attacks to grow botnet Aug 5, 2011

LulzSec hacktivists are accused of using SQL Injection to steal coupons, download keys, and passwords that were stored in plaintext on Sony’s website, accessing the personal information of a million users June 1, 2011

Group Anonymous claims to have hacked the NATO site, using a “simple SQL Injection”June 5, 2011

Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit card and debit card numbers from five leading companies. They took advantage of a coding error, and allegedly used a SQL Injection attack to compromise a Web application, which was used as the starting point to help them bypass company network firewalls and gain access over companies’ networks. Aug 17, 2009

Figure13

TimelineandevolutionofSQLInjectionattacks

•2008—TheAsproxbotnetleveragesSQLInjectionformassdrivebySQLiattackstogrowbotnet(http://en.wikipedia.org/wiki/Asprox).FromatleastAprilthroughAugust,asweepofattacksbeganexploitingtheSQLInjectionvulnerabilitiesofMicrosoft’sIISWebserverandSQLServerdatabaseserver.Theattackdoesnotrequireguessingthenameofatableorcolumn,anditcorruptsalltextcolumnsinalltablesinasinglerequest.AnHTMLstringthatreferencesamalwareJavaScriptfileisappendedtoeachvalue.Whenthatdatabasevalueislaterdisplayedtoawebsitevisitor,thescriptattemptsseveralapproachesatgainingcontroloveravisitor’ssystem.ThenumberofexploitedWebpagesisestimatedat500,000.

•OnAugust17,2009,theU.S.JusticeDepartmentchargedanAmericancitizenAlbertGonzalezandtwounnamedRussianswiththetheftof130millioncreditcardnumbersusingaSQLInjectionattack.Inreportedly“thebiggestcaseofidentitytheftinAmericanhistory,”themanstolecardsfromanumberofcorporatevictimsafterresearchingtheirpaymentprocessingsystems.AmongthecompanieshitwerecreditcardprocessorHeartlandPaymentSystems,conveniencestorechain7-Eleven,andsupermarketchainHannafordBrothers.

•OnFebruary5,2011,HBGary,atechnologysecurityfirm,wasbrokenintobyAnonymoususingaSQLInjectionintheirCMS-drivenwebsite.

•OnApril11,2011,BarracudaNetworkswascompromisedusingaSQLInjectionflaw.Emailaddressesandusernamesofemployeeswereamongtheinformationobtained.

•OnJune1,2011,“hacktivists”ofthegroupLulzSecwereaccusedofusingSQLitostealcouponsandtodownloadkeysandpasswordsthatwerestoredinplaintextonSony’swebsite,accessingthepersonalinformationofamillionusers.

•InJune2011,GroupAnonymousclaimstohavehackedtheNATOsite,usinga“simpleSQLInjection.”

Page 20: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

20

5%

25%

60%

10%

PHP/RFI

SQLi

XSS

CSRF

Figure14

Webapplicationvulnerabilitiesdisclosed,January–June2011

11%

68%

21%

PHP/RFI

SQLi

XSS

Figure15

TotalWebapplicationattacks,January–June2011

WithSQLiattacks,itisreadilyapparentthatattackersarecontentleveragingexistingvulnerabilitiesfortheirexploits.Thegraphsabove(Figures 14 and 15)showaside-by-sidecomparisonofthemostreportedtypesofWebapplicationvulnerabilitiesversesthemostattackedWebapplicationvulnerabilities.SQLivulnerabilitiesmakeupaquarterofthenewvulnerabilitiesreportedforthefirsthalfof2011.YetSQLiattacksmakeupmorethan60percentoftheWebapplicationattacksseenintheHPTippingPointIPS.

Webapplicationsareaffectedbymultipletypesofattacks,andSQLiandXSSarejusttwothathavereceivedasignificantamountofmediaattentionoverthelastfewmonths.ThenextsectionofthispaperpresentsgeneralmitigationstrategiesforprotectingWebapplicationsanddecreasingtheriskofoutages,dataloss,ornetworkcompromisethatcanresult.

MitigationVisibilityisincreasinglybecomingoneofthemostimportantaspectsofinformationsecurity,alongwithreducingtheoverallattacksurfacemadeavailabletoattackers.Tomitigateriskresponsibly,organizationsshouldtestcodeindevelopment,scanforvulnerabilitiesinQAbeforestaging,andtestapplicationsinproductiononanongoingbasis.ThefollowinginformationisintendedtohelpdeveloperscorrectcertainspecificcategoriesofcriticalWebapplicationvulnerabilities.

Page 21: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

21

Cross-Site Request ForgeryResolvingCross-SiteRequestForgeryisnotasimpletask,anditactuallymayrequirerecodingeveryformandfeatureofaWebapplication.WhilenomethodofpreventingCross-SiteRequestForgeryisperfect,usingCross-SiteRequestForgerynoncetokenseliminatesmostoftherisk.Althoughanattackermayguessavalidtoken,noncetokensareneverthelessthemosteffectivesolutionforpreventingCross-SiteRequestForgeryattacks.Ausercanbeverifiedaslegitimatebygeneratinga“secret,”suchasasecrethashortoken,aftertheuserlogsin.“Thesecret”shouldbestoredinaserver-sidesessionandthenincludedineverylinkandsensitiveform.EachsubsequentHTTPrequestshouldincludethistoken;otherwise,therequestisdeniedandthesessioninvalidated.ThetokenshouldnotbethesameasthesessionIDincaseaCross-SiteScriptingvulnerabilityexists.Initializethetokenasothersessionvariables.Itcanbevalidatedwithasimpleconditionalstatement,anditcanbelimitedtoasmalltimeframetoenhanceitseffectiveness.AttackersneedtoincludeavalidtokenwithaCross-SiteRequestForgeryattackinordertomatchtheformsubmission.Becausetheuser’stokenisstoredinthesession,anyattackerwouldneedtousethesametokenasthevictim.

CAPTCHAcanalsopreventCross-SiteRequestForgeryattacks.WithCAPTCHA,auserneedstoenterawordshownindistortedtext,containedinsideanimage,beforecontinuing.Theassumptionisthatacomputercannotdeterminethewordinsidethegraphic,althoughahumancan.CAPTCHArequiresthatauserauthorizespecificactionsbeforetheWebapplicationinitiatesthem.Itisdifficulttocreateascriptthatautomaticallyenterstexttocontinue,butresearchisunderwayonhowtobreakCAPTCHAs,sostrongCAPTCHAsareanecessity.BuildingasecureCAPTCHAtakesmoreeffort.Inadditiontomakingsurethatcomputerscannotreadtheimages,youneedtomakesurethattheCAPTCHAcannotbebypassedatthescriptlevel.ConsiderwhetheryouusethesameCAPTCHAmultipletimes,makinganapplicationvulnerabletoareplayattack.AlsomakesuretheanswertotheCAPTCHAisnotpassedinplaintextaspartofaWebform.

SQL InjectionSQLInjectionarisesfromanattacker’smanipulationofquerydatatomodifyquerylogic.ThebestmethodofpreventingSQLInjectionattacksis,therefore,toseparatethelogicofaqueryfromitsdata;thiswillpreventcommandsinsertedfromuserinputfrombeingexecuted.Thedownsideofthisapproachisthatitcanhaveanimpactonperformance,albeitslight,andthateachqueryonthesitemustbestructuredinthismethodforittobecompletelyeffective.Ifonequeryisinadvertentlybypassed,thatcouldbeenoughtoleavetheapplicationvulnerabletoSQLInjection.ThefollowingcodeshowsasampleSQLstatementthatisSQLinjectable.

sSql=“SELECTLocationNameFROMLocations“;

sSql=sSql+“WHERELocationID=“+Request[“LocationID”];

oCmd.CommandText=sSql;

ThefollowingexampleutilizesparameterizedqueriesandissafefromSQLInjectionattacks.

sSql=“SELECT*FROMLocations“;

sSql=sSql+“WHERELocationID=@LocationID”;

oCmd.CommandText=sSql;

oCmd.Parameters.Add(“@LocationID”,Request[“LocationID”]);

Page 22: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

22

TheapplicationwillsendtheSQLstatementtotheserverwithoutincludingtheuser’sinput.Instead,aparameter-@LocationID-isusedasaplaceholderforthatinput.Inthisway,userinputneverbecomespartofthecommandthatSQLexecutes.Anyinputthatanattackerinsertswillbeeffectivelynegated.Anerrorwouldstillbegenerated,butitwouldbeasimpledata-typeconversionerror,andnotsomethingthatahackercouldexploit.

ThefollowingcodesamplesshowaproductIDbeingobtainedfromanHTTPquerystringandthenusedinaSQLquery.Notehowthestringcontainingthe“SELECT”statementpassedtoSqlCommandissimplyastaticstringandisnotconcatenatedfrominput.AlsonotehowtheinputparameterispassedusingaSqlParameterobject,whosename(“@pid”)matchesthenameusedwithintheSQLquery.

C#sample:

stringconnString=WebConfigurationManager.ConnectionStrings[“myConn”].ConnectionString;

using(SqlConnectionconn=newSqlConnection(connString))

{

conn.Open();

SqlCommandcmd=newSqlCommand(“SELECTCount(*)FROMProductsWHEREProdID=@pid”,conn);

SqlParameterprm=newSqlParameter(“@pid”,SqlDbType.VarChar,50);

prm.Value=Request.QueryString[“pid”];

cmd.Parameters.Add(prm);

intrecCount=(int)cmd.ExecuteScalar();

}

VB.NETsample:

DimconnStringAsString=WebConfigurationManager.ConnectionStrings(“myConn”).ConnectionString

UsingconnAsNewSqlConnection(connString)

conn.Open()

DimcmdAsSqlCommand=NewSqlCommand(“SELECTCount(*)FROMProductsWHEREProdID=@pid”,conn)

DimprmAsSqlParameter=NewSqlParameter(“@pid”,SqlDbType.VarChar,50)

prm.Value=Request.QueryString(“pid”)

cmd.Parameters.Add(prm)

DimrecCountAsInteger=cmd.ExecuteScalar()

EndUsing

Page 23: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

23

Cross-Site ScriptingCross-SiteScriptingattackscanbeavoidedbycarefullyvalidatingallinputandproperlyencodingalloutput.Whenvalidatinguserinput,verifythatitmatchesthestrictestdefinitionpossibleofvalidinput.Forexample,ifacertainparameterissupposedtobeanumber,attempttoconvertittoanumericdatatypeinyourprogramminglanguage.

PHP:intval(“0”.$_GET[‘q’]);

ASP.NET:int.TryParse(Request.QueryString[“q”],outval);

Thesameappliestodateandtimevalues,oranythingthatcanbeconvertedtoastrictertypebeforebeingused.Whenacceptingothertypesoftextinput,makesurethevaluematcheseitheralistofacceptablevalues(white-listing),orastrictregularexpression.White-listinginvolvescreatingalistofacceptablecharacters,asopposedtoblack-listing,whichisalistofunacceptablecharacters.Ifatanypointthevalueappearsinvalid,donotacceptit.Also,donotattempttoreturnthevaluetotheuserinanerrormessage.

Mostserver-sidescriptinglanguagesprovidebuilt-inmethodstoconvertthevalueoftheinputvariableintocorrect,non-interpretableHTML.Theseshouldbeusedtosanitizeallinputbeforeitisdisplayedtotheclient.

PHP:stringhtmlspecialchars(stringstring[,intquote_style])

ASP.NET:Server.HTMLEncode(strHTMLString)

WhenreflectingvaluesintoJavaScriptoranotherformat,makesuretouseatypeofencodingthatisappropriate.EncodingdataforHTMLisnotsufficientwhenitisreflectedinsideofascriptorstylesheet.Forexample,whenreflectingdatainaJavaScriptstring,makesuretoencodeallnon-alphanumericcharactersusinghex(\xHH)encoding.

IfyouhaveJavaScriptonyourpagethataccessesunsafeinformation(likelocation.href)andwritesittothepage(eitherwithdocument.write,orbymodifyingaDOMelement),makesurethedataisencodedforHTMLbeforewritingittothepage.JavaScriptdoesnothaveabuilt-infunctiontodothis,butmanyframeworksdo.Ifyouarelackinganavailablefunction,somethinglikethefollowingwillhandlemostcases:

s=s.replace(/&/g,’&amp;’).replace(/”/i,’&quot;’).replace(/</i,’&lt;’).replace(/>/i,’&gt;’).replace

(/’/i,’&apos;’)

Ensurethatyouarealwaysusingtherightapproachattherighttime.Validatinguserinputshouldbedoneassoonasitisreceived.Encodingdatafordisplayshouldbedoneimmediatelybeforedisplayingit.

Page 24: The 2011 Mid-Year Top Cyber Security Risks Report - … Dausin Advanced Security Intelligence Team Lead ... Bob Schiermann Senior Technical Publications Writer ... The 2011 Mid-Year

Get connectedwww.hp.com/go/getconnected

Get the insider view on tech trends, alerts, and HP solutions for better business outcomes

Sharewithcolleagues

©Copyright2011Hewlett-PackardDevelopmentCompany,L.P.Theinformationcontainedhereinissubjecttochangewithoutnotice.TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.HPshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.

JavaisaregisteredtrademarkofOracleand/oritsaffiliates.MicrosoftisaU.S.registeredtrademarkofMicrosoftCorporation.

4AA3-7045ENW,CreatedSeptember2011

Remote File IncludesAsthesayinggoes,securityisbakedin,notbrushedon.Anyapplicationunderdevelopmentshouldbedesignedwithsecurityinmindfromtheonset.ThefollowingrecommendationswillhelpyoubuildWebapplicationsthatarenotsusceptibletoparameterincludevulnerabilities.

•Definewhatisallowed.EnsurethattheWebapplicationvalidatesallinputparameters(cookies,headers,querystrings,forms,hiddenfields,etc.)againstastringentdefinitionofexpectedresults.Thebestmethodofdoingthisisvia“white-listing”;thisisdefinedasonlyacceptingspecificaccountnumbersorspecificaccounttypesforthoserelevantfields,oronlyacceptingintegersorlettersoftheEnglishalphabetforothers.Manydeveloperswilltrytovalidateinputby“black-listing”characters,or“escaping”them.Basically,thisentailsrejectingknownbaddatabyplacingan“escape”characterinfrontofitsothattheitemthatfollowswillbetreatedasaliteralvalue.Thisapproachisnotaseffectiveaswhite-listingbecauseitisimpossibletoknowallformsofbaddataaheadoftime.

•ChecktheresponsesfromPOSTandGETrequeststoensurewhatisbeingreturnediswhatisexpected,andisvalid.

•Verifytheoriginofscriptsbeforeyoumodifyorutilizethem.•Donotimplicitlytrustanyscriptgiventoyoubyothers(whetherdownloadedfromtheWeborgiven

toyoubyanacquaintance)foruseinyourowncode.

Referenceshttp://techtimely.wordpress.com/2011/04/22/web-hacking-threats/

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

http://en.wikipedia.org/wiki/Cross-site_scripting

http://www.phrack.org/issues.html?id=8&issue=54

http://sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx

http://www.isti.tu-berlin.de/fileadmin/fg214/Papers/ravi-asprox.pdf

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3

http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/