the 2011 mid-year top cyber security risks report - … dausin advanced security intelligence team...
TRANSCRIPT
The 2011 Mid-Year Top CYber SeCuriTY riSkS reporT
Table of contents
Contributors 2Overview 2Vulnerabilitytrends 4 Discoveryanddisclosureofnewvulnerabilities 5 Furtheranalysis:ZeroDayInitiative 7 Seeingthebigpicture:wherethevulnerabilitiesare 9 Staticanalysis 10 Dynamicanalysis 11 Manualanalysis 13Attacktrends 14 Newvulnerabilitiesareunnecessary;attackscontinueto riseregardless 15 Cross-SiteScripting 17 SQLInjectionplaysastarringrole 18Mitigation 20 Cross-SiteRequestForgery 21 SQLInjection 21 Cross-SiteScripting 23 RemoteFileIncludes 24References 24
2
ContributorsProducingtheTopCyberSecurityRisksReportisacollaborativeeffortamongHPDVLabsandotherHPteams,suchasFortifyandtheApplicationSecurityCenter.WewouldliketosincerelythanktheOpenSourceVulnerabilityDatabase(OSVDB)forallowingprintrightstotheirdatainthisreport.ForinformationonhowyoucanhelpOSVDB:
https://osvdb.org/account/signup
http://osvdb.org/support
Contributor Title
MikeDausin AdvancedSecurityIntelligenceTeamLead
AdamHils ApplicationSecurityCenterProductManager
DanHolden Director,HPDVLabs
PrajaktaJagdale WebSecurityResearchGroupLead
JasonJones AdvancedSecurityIntelligenceEngineer
RohanKotian DigitalVaccineTeamLead
JenniferLake ProductMarketing,HPDVLabs
MarkPainter ApplicationSecurityCenterContentStrategist
TaylorAndersonMcKinley Director,FortifyonDemand
AlenPuzic AdvancedSecurityIntelligenceEngineer
BobSchiermann SeniorTechnicalPublicationsWriter
OverviewIncreasingly,organizationsfacesecurityrisksimposeduponthembyattackersintentonachievingfame,glory,orprofit.Attackers,familiarwithcommonvulnerabilitiesinherentinmanyoftoday’swebsites,knowhowtoexploitthosevulnerabilitieswithattacksdesignedspecificallytotakeadvantageofthem.Examplesofsuchdestructiveactivitieshaverecentlyhitthenewsinstoriesabout“hacktivist”groupssuchasLulzSecandAnonymous.
TheHP2011mid-yeareditionofthebiannualTopCyberSecurityRisksReportfeaturesin-depthanalysisandattackdatafromHPDVLabs,ApplicationSecurityCenter,andFortifysecurityunitsaswellasvulnerabilitydisclosuredatagarneredfromtheOSVDB.Giventhemediaattentionpaidtotheserecentattacks,aswellasdataHPobtainedfromitspartnersandcustomers,thebulkofthisreportisfocusedonWebapplications,includingthevulnerabilitiesthatexistandtheattacksthatareexploitingthoseweaknesses.
ThisreportisintendedforIT,network,andsecurityadministratorswhoareresponsibleforsecuringthepublic-facingcommunicationwithanorganization’scustomers,partners,andemployees.TheprimaryobjectiveofthiseditionoftheTopCyberSecurityRisksReportistoclearlyarticulatetherisksandweaknessesinherentinWebapplications.We’llhighlighttheoverallvulnerabilitylandscape,includingvulnerabilitiesincommerciallyavailableandcustom-builtapplicationsthatcanleadtoattacks,aswellashowoftenthesearebeingreported.Thereportwillalsohighlighttherisingnumberofattacksthatareleveragingthevulnerabilitiesdiscussedthroughoutthepaper.
3
Keyfindingsfromthisreportinclude:
The number of Web application vulnerabilities that are reported differs significantly from the number that actually exist.
TheOpenSourceVulnerabilityDatabase(OSVDB)monitorsvulnerabilitydiscoveryandreportingthroughdisclosureprograms.Datafromthefirstsixmonthsof2011showsadistinctandsignificantdecreaseinthedisclosureofnewvulnerabilities.Whilethismightseemlikegoodnews,itisactuallytheopposite.DatacollectedfromscansofactualcustomerWebapplicationdeploymentsindicatesthatthenumberofvulnerabilitiesisnotdecreasing;itisonlythenumberofreportednewvulnerabilitiesthatisdecreasing.Productionwebsitesforsomeoftheworld’sleadingorganizationsarestillburstingwithvulnerabilitiesthatleavethewebsitesopentodevastatingattacks.
Web application attacks are on the rise, despite the lack of new vulnerabilities being disclosed.
HPDVLabscompiledattackdatafromitsnetworkofHPTippingPointintrusionpreventionsystems(IPS)todeterminethedangerthesevulnerabilitiesposetoInternetsecurity.InformationpulledfromthesesystemsshowsthatthenumberofattacksonWebapplicationsistentimesthenumberofvulnerabilitiesbeingreported.Thisfactleadsustobelievethatattackerseitherdon’tneedanynewvulnerabilitiestoachievetheirgoals,orthatthereareplentyofvulnerabilitiesincustomapplicationsthatareunknownoruntracked,increasingtheattacksurfacetoattackers.Therealityislikelyamixtureofboth.
Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools.
TwoofthemostcommonWebapplicationattacktypes,Cross-SiteScripting(XSS)andSQLInjection(SQLi),arecoveredin-depthinthisreport.BasedondataobtainedfromHPTippingPointIPSdevices,thesearetwoofthemostfrequentlyusedattacktypes—thoughmanytimesfordifferentreasons.XSS,whichisoftenusedforspamorphishingattempts,providesaneasywaytodistributeanattackonawidescale.Conversely,SQLicanbeusednotonlyforoverwritingadatabaseandthenredirectingvisitorstoamalicioussite—similarinfashiontohowXSSisleveraged—butalsoformassivedatabasetheft.
Theinformationinthisreportcomesfromvarioussources,allowingHPDVLabstoobtainabroadsetofdatafromwhichtocorrelatemeaningfulfindings.Thesesourcesinclude:•AworldwidenetworkofHPTippingPointIntrusionPreventionSystems•VulnerabilityinformationfromOSVDBandtheZeroDayInitiative(ZDI)•WebapplicationdatafromtheASCWebSecurityResearchGroup,theEBSWBTOProfessional
ServicesOrganization,andFortifyonDemand
4
2000
Tota
l vul
nera
bilit
ies
11K
8.8K
6.6K
4.4K
2.2K
02001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
Figure1
DisclosedvulnerabilitiesaccordingtoOSVDB,2000–2011
VulnerabilitytrendsTobetterunderstandthethreatlandscape,itisimportanttostartwiththeweaknessespresentincomputinginfrastructures.Theseweaknessestypicallymanifestthemselvesasapplicationvulnerabilities,whicharethefocusofthissectionofthereport.Thevulnerabilitylandscapeisdiscussedinthefollowingthreesections:•Discovery and disclosure of new vulnerabilities:Thissectiondescribescurrenttrendsinvulnerability
reporting,highlightingvulnerabilitiesthathavebeendisclosedincommerciallyavailablecomputingsystems,includingWebapplications.Basedonthetrendinformation,onecandiscernthevolumeandcategoryofnewlydiscoveredvulnerabilities,whichprovidesinsightintohowsuchvulnerabilitiesattractattackers’attention.
•Trends in vulnerability research:ThissectionhighlightsdatafromtheHPDVLabs’ZeroDayInitiative(ZDI)vulnerabilityresearchprogram.ItprovidesadeeperlookintothetypesofvulnerabilitiesthattheZDIresearchesanddiscoversinanefforttogetabettersenseofwhatdrivesasecurityattack.
•Vulnerabilities discovered in production Web application environments:ThissectionhighlightsresultsfromscansofliveWebapplications.Datainthissectiondemonstratesthevulnerabilitiesthatarepresentinreal-worldWebapplications,includingnewvulnerabilitiesthatareunreportedaswellasthosethatwerepreviouslydisclosed,andas-yetunfixedvulnerabilities.
5
1.3K
1.04K
780
Tota
l vul
nera
bilit
ies
520
280
0
Figure2
VulnerabilitydisclosureaccordingtoOSVDB,2000–2011,brokendownbymonth
Discovery and disclosure of new vulnerabilities BasedondatapulledfromOSVDB,thetotalnumberofnewvulnerabilitiesreportedforthefirsthalfof2011isabout25percentlowerthanthenumberofnewvulnerabilitiesreportedatmid-year2010andpreviousyears.AsofJune30,2011,OSVDBcataloged3,087(Figure 1)reportedvulnerabilitiesinInternet-basedsystems,applications,andothercomputingtools,ascomparedto4,091catalogedinthecorrespondingperiodin2010.
Afterpeakingin2006,vulnerabilityreporting—forcommerciallyavailableproducts—hasbeeninaslowdecline(Figure 2).Thereasonsforthisdeclinearevaried,butseverallikelyreasonsstandout.Softwaremakersandsystemdevelopershaveincreasedtheirsecurityawarenessandhavetakenstepstoreducevulnerabilitiespriortoreleasingtheirproducts.Thesecondreasonisareductioninthedisclosuresofdiscoveredvulnerabilities,motivatedbyadesiretoinsteadsellthevulnerabilityforprofit.Anotheristhatsomeorganizationswouldratherannouncedetailsregardingvulnerabilitiesonlyafterthey’vebeenfixed.
Despitetheoveralldeclineinnewvulnerabilitiesbeingdiscoveredandreported,itisimportanttonotethattheratioofvulnerabilitiesdiscoveredinWebapplicationsstillmakesup31percent(Figure 3)ofallvulnerabilitiesdisclosed.Itisworthnotingthatroughlyhalfofallvulnerabilitydisclosuressince2006haveinvolvedWebapplications,sothedownwardtrendforthefirsthalfof2011isyetanotherproofpointfortheoveralldropinvulnerabilitydisclosurethusfar.
6
31%
69%
Web apps vulns
Other vulns
Figure3
ComparisonofWebapplicationvulnerabilitiesversusnon-Webapplicationvulnerabilities,January–June2011
ThereasonforthehighnumberofWebapplicationvulnerabilitiesisamatterofopportunityandprofit.First,thenumberofWebapplicationsincirculationgrowssteadilyeveryday.AWebapplicationinitssimplestformtiestogetheranoperatingsystem,aWebserver,adatabase,andsometop-levelapplicationthatcustomersusetointeractwiththeback-endsystems.Manyorganizationshaveadoptedthismodelforinteractingwithcustomersthroughretailsites,onlinebankingorfinanceapplications,orevenappointmentscheduling.Inaddition,manyorganizationshaveconfidentialorsensitivedatastoredinthedatabase(s)connectedtotheseapplications,offeringanalmostlimitlessfieldofopportunityforattackers,whoviewitallasaverylucrativeproposition.
Whenvulnerabilitiesarebrokendownbycategory,someinterestingtrendsbegintoemerge.DatapresentedinFigure 4showsthatcertaintypesofvulnerabilitiesaremorefrequentlydiscoveredanddisclosed.Cross-SiteScripting(XSS)stillcomprisesthemostsignificantamountofnewWebapplicationvulnerabilitydisclosures.XSSiscommonlyusedforspam,phishing,andWebbrowserexploits.BufferOverflowandDenialofService(DoS)vulnerabilitiesroundoutthetopthree.
Buffer OverflowAbufferoverflowattackoccurswhenattackerspurposelyoverloadasystems’temporarymemory(calledabuffer)towreakhavoconavictim’smachine.Oftentimesattackersalsoincludeinstructionalcodeininformationtheyusetooverflowthememory.Thatcodecaninstructtheaffectedsystemtoaccessorchangeconfidentialdataorevensendinformationbacktotheattacker.
Denial of Service (DoS)Atypeofvulnerabilitythatallowsanattackertoexhaustcomputerresourcesonavulnerablesystemtoapointwherelegitimateusageofthatsystemisimpossible.
Distributed Denial of Service (DDos)AtypeofDoSattackthatemploysanumberofseparatecomputers,whichsimultaneouslylaunchaDenialofServiceattackagainstasingleapplicationorsystem.
7
Tota
l vul
nera
bilit
ies
3K
2.4K
1.8K
1.2K
600
0
2000
2001
2002
2004
2005
2006
2007
2008
2009
2010
2011
Cross Site Scripting Cross Site Request Forgery SQL Injection Buffer Overflow Remote File Include Denial of Service
Figure4
Disclosedvulnerabilitiesbrokendownbycategory,January2000–June2011
Itisinterestingtonotethatthebreakdownofpopularvulnerabilitiesbycategoryremainsfairlyconsistentoverthepastthreeyears(Figure 5),likelybecauseXSSvulnerabilitiesarerelativelyeasytofindandareveryusefultoattackers.Spammersandphishersarealwayslookingforwaystomaketheirtrademoreprofitable,andXSScontinuestobeausefulvulnerabilityforthesepurposes.
Further analysis: Zero Day Initiative TheZeroDayInitiative(ZDI),foundedbyHPTippingPointin2005,isaprogramforrewardingsecurityresearchersforresponsiblydisclosingvulnerabilities.TheprogramisdesignedsothatresearchersprovideHPTippingPointwithexclusiveinformationaboutpreviouslyunpatchedvulnerabilitiestheyhavediscovered.HPDVLabsvalidatesthevulnerabilityandthenworkswiththeaffectedvendoruntilthevulnerabilityispatched.Atthesametime,HPDVLabsdevelopsasecuritysolutionthatprovidespreemptiveprotectionforHP’scustomersevenbeforetheapplicationvendordistributesafixforthevulnerability.
From2005throughJune2011,ZDIandHPDVLabsresearchershavediscoveredandresponsiblydisclosedmorethan980vulnerabilitiesinpopularcomputingsystemsincludingWebbrowsers,mediaplayers,anddocumentreaders.
In2010,ZDIannouncedchangestoitsdisclosurepolicythatincentvendorstointroducemoretimelybugfixesintotheirproducts.Underthenewpolicy,ZDIofferstheaffectedvendorssixmonthstoissuepatches,fixes,orworkaroundsforundisclosedvulnerabilitiesreportedtothemviatheZDIprogram.If,aftersixmonths,thevendorhasnotissuedafixorclearedanexceptionwithZDI,limiteddetailofthevulnerabilitywillbedisclosedsothatthedefensivecommunityandconsumersoftheseaffectedapplicationscanfindtheirownwaystomitigatetheriskassociatedwiththeseopenbugs.FurtherinformationregardingtheZDIdisclosurepolicycanbefoundhere:http://www.zerodayinitiative.com/advisories/disclosure_policy/.
8
0200400600800
10001200140016001800
2009 2010 2011
BO
DOS
PHP
SQLi
XSS
CSRF
(through 6/30/2011)
Figure5
Three-yearview:popularvulnerabilitiesbycategory
Inthetable(Figure 6)belowyoucanseethetop10applicationswithvulnerabilitiesdisclosedthroughtheZDIsincetheprogramwasstartedin2005.
Forthefirsthalfof2011,DVLabsandtheZDIeitherdiscoveredoracquired,anddisclosedtoaffectedvendors,231vulnerabilitiesinawiderangeofproducts.Onthenextpage(Figure 7)youcanseethetop10applicationsforwhichvulnerabilitiesweredisclosedthroughtheZDI.Whileonlyfourofthe10applicationsarerelatedtoWebbrowsers,thetotalnumberofvulnerabilitiesfromtheseapplicationsisstaggering.
0 10 20 30 40 50 60 70
Apple QuicktimeMicrosoft Internet Explorer
Oracle/Sun JavaMicrosoft OfficeMozilla FirefoxApple Webkit
RealNetworks Real PlayerAdobe Shockwave
HP OpenViewAdobe Reader
Figure6
MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIfrom2005–2011
9
0 5 10 15 20 25 30
CA Total Defense
IBM Lotus (general)
Microsoft Office Tools
HP OpenView Network Node Manager
Novell iPrint
Apple WebKit
Adobe Reader
HP Data Protector
Oracle Java (general)
Adobe Shockwave
Figure7
MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIin2011
Seeing the big picture: where the vulnerabilites areSofar,thisreporthasfocusedprimarilyonvulnerabilitydisclosure,whichmayormaynotreflectthecompletepictureofvulnerabilitytrendsunfoldingontheInternet.Inanefforttoseeaclearerpictureofthereal-worldvulnerabilitylandscape,theHPApplicationSecurityCenterWebSecurityResearchGroup(WSRG)compiledresultsfromover2,750securityassessmentsperformedagainstavarietyofcustomerWebapplicationsduringthefirstsixmonthsof2011.Whileitisgoodtoseeanoverallreductioninthenumberofnewvulnerabilitiesbeingreported,thathasunfortunatelyhadnoimpactonthedangersofexploitation.Theseresultshavebeendividedintothreesections:
•Thefirstcorrelatesresultsfromalmost250Webapplicationsanalyzedstatically(attheline-of-codelevel)forWebapplicationvulnerabilities.
•Thesecondgroupincludesresultsfromdynamicanalysis(duringtheactualrunningoftheapplication)conductedagainstover2,500uniqueWebapplications.
•Finally,thethirdsetofanalysesincludesacloserinspectionofamuchsmallergroupofassessmentstoexplorethedifferentwaysinwhichWebapplicationvulnerabilitiescanbeexploited,howthatimpactstheoverallriskstandingoftheapplication,andwhatmitigationmeasuresdevelopersareemployingthatarenotworking.
Eachsetofanalyseswillshedlightonthenature—andseriousness—ofWebapplicationvulnerabilitiesandhowprevalenttheyare.Whatsecurityprofessionalshavesteadilywitnessedinthelastdecadeisthatattackshavemovedfromdefacementandgeneralannoyancetoone-timeattacksdesignedtostealasmuchdataaspossible,andfromtheretoperniciousongoingattacksthatattempttodistributemalwareandstealasmuchdataforaslongaspossiblewithoutbeingdetected.ItisimperativetorealizethatitoftentakesonlyoneWebapplicationvulnerabilityforanentiresystemtobecompromised.Theenormityofthedangercannotbeoverstated.
10
Static analysisThefirstsetofapplicationswasstaticallyanalyzedbytheWSRGinconjunctionwiththeHPFortifyonDemandgroupandincluded236uniqueapplications.Thefirststatisticistrulystaggering:afull69%oftheapplicationstestedcontainedatleastoneSQLiflaw.Fundamentally,SQLiisanattackupontheWebapplication,nottheWebserverortheoperatingsystemitself.Asthenameimplies,itistheactofaddingunexpectedSQLcommandstoaquery,therebymanipulatingthedatabaseinwaysunintendedbythedatabaseadministratorordeveloper.Whentheattackissuccessful,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbyvulnerableWebapplications.IfattackerscanfindoneSQLInjectionvulnerabilityinanapplication,there’saverygoodchancetheycancompromiseitcompletely.Alotofhigh-profileattacksoverthecourseofthefirsthalfof2011werethedirectresultofSQLi.EvenLadyGagaisn’timmunetoSQLi.
ThesecondmostprevalentvulnerabilitydiscoveredinthisseriesofassessmentswasCross-SiteScripting(XSS),(specifically,thereflectedvariety).Putsimply,reflectedXSSattackscomefromsomewhereelse,suchaswhenuser-suppliedinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.Usingsomesocialengineering,anattackercantrickavictim,perhapsthroughamaliciouslinkora“rigged”form,tosubmitinformationwhichwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.Theinjectedcodeisthenreflectedbacktotheuser’sbrowserwhichexecutesitbecauseitcamefromatrustedserver.64%oftheassessedapplicationscontainedatleastonereflectedXSSflaw.
Itssistervulnerability,persistentXSS,wasdiscoveredin42%oftheapplicationstestedinthisgroup.Persistentattacksarejustthat:insomeformtheyarestoredonthetargetserver,suchasinadatabase,orviaasubmissiontoabulletinboardorvisitorlog.Thevictimwillretrieveandexecutetheattackcodeinhisbrowserwhenarequestismadeforthestoredinformation.What’salsointerestingaboutthisparticularvulnerabilityisthateventhoughitwasfoundin27%feweroftheapplicationsthanSQLi,therewereactuallymoreuniqueinstancesofpersistentXSSdiscoveredthananyothervulnerabilityforwhichtheWSRGtested.TheimpactsofeachflavorofXSSarethesame.
Amoregenericvulnerability,HeaderManipulation,wasfoundin37%oftheapplications.HeaderManipulationvulnerabilitiesoccurwhendataentersaWebapplicationthroughanuntrustedsource,mostfrequentlyaWebrequest.ThedataisincludedinanHTTPresponseheadersenttoaWebuserwithoutbeingvalidated.AswithmanyWebapplicationsecurityvulnerabilities,HeaderManipulationisameanstoanend,notanendinitself.Atitsroot,thevulnerabilityisstraightforward:anattackerpassesmaliciousdatatoavulnerableapplication,andtheapplicationincludesthedatainanHTTPresponseheader.IncludingunvalidateddatainanHTTPresponseheadercanenablecache-poisoning,XSS,cross-userdefacement,pagehijacking,cookiemanipulation,oropenredirectvulnerabilities.And18%oftheapplicationsalsocontainedaspecificcookieHeaderManipulationvulnerability.
Cross-Site Scripting (XSS)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationtoenableanattackertoinjectmaliciousclient-sidecodeintoaWebpagewhichisviewedbyavictim’sWebbrowser.VariousformsofXSSarecurrentlybeingusedtophishwebsiteusersintorevealingsensitiveinformationsuchasusernames,passwords,andcreditcarddetails.XSScangenerallybedividedintostored,reflected,andDOM-basedattacks.StoredXSSresultsinthepayloadbeingpersistedonthetargetsystemineitherthedatabaseorthefilesystem.Thevictimswillretrieveandexecutetheattackcodeintheirbrowserwhenarequestismadeforthestoredinformation.ExecutionofthereflectedXSSattacks,ontheotherhand,occurswhenuserinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.DOM-basedXSSattacksrelyonmaliciousmodificationoftheDOMenvironmentinavictim’sbrowser.ItdiffersfromthestoredandreflectedXSSinthefactthatthemaliciousdataisneversenttotheserver.Viasomesocialengineering,anattackercantrickavictim,suchasthroughamaliciouslinkor“rigged”form,tosubmitinformationthatwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.
Command ExecutionAtypeofvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertorunoperatingsystemcommandsonthevulnerableapplicationserver.Typically,thisvulnerabilitycategoryallowsattackerstoexploitWebapplicationsthatpassuserdataasparameterstoI/OoperationsbyappendingOScommandstousersuppliedinputusingspecialcharacterssuchasapipe(|).
11
AnotherwidespreadvulnerabilitydiscoveredduringtheWSRGanalysiswasPathManipulation.Thisoccurswhenuser-suppliedinputcancontrolorotherwiseinfluencefilenamesorpathsutilizedinfilesystemoperations,whichcanthengiveanattackerthemeanstoaccessorchangeprotectedsystemresources.63%ofthescansdetectedaPathManipulationvulnerability.
Whilenoneofthevulnerabilitiesdiscussedsofarcanbeconsideredinnocuous,oneextremelydangerousvulnerabilitywasalsodetectedinlargenumbers.CommandInjectionoccurswhenaremoteusercansupplyaspeciallycraftedvaluetoexecutearbitraryoperatingsystemcommandsonthetargetsystem.35%oftheapplicationscontainedatleastoneCommandInjectionvulnerability.
Anothersignificantvulnerabilityoccurswhendevelopersleavepasswordshardcodedintheircode.Hardcodedpasswordswerediscoveredin30%oftheapplications.Anattackerwhodiscoversahardcodedpasswordcouldobviouslygainunintendedaccesstotheapplication.Thedamageswoulddependonthefunctionalityoftheapplicationitself.
5%oftheapplicationscontainedXPathInjectionvulnerabilities.XPathInjectionisverysimilartoSQLi.Inthatscenario,SQLcommandsaremodifiedbyanattackertogainaccesstodatabasecontentsandinformation.InXPathInjection,XPathstatementsaremodifiedtogainaccesstothedatacontainedwithinanXMLdocument,whichoftenservesasthe“XMLdatabase.”Importantly,XPathdoesnotutilizeaccesscontrolrestrictionsasSQLdoesviaprivileges,soasuccessfulXPathInjectionattackwillyieldcompleteresultsinthatallthedatainthedocumentwillberevealed.TheXPathlanguageisalsouniform,unlikeSQL,sothatanyinstalledimplementationispotentiallyvulnerable.Intheseaspects,XPathInjectioniseasiertoexecutethanSQLiandhasgreaterresultsreturnedonaffectedsystems.
Anotherinterestingsetofdatadescribesthenumberofvulnerabilitiesfoundperapplication,andper1000linesofcode.Duringinitialscans(beforeremediationefforts),410vulnerabilitieswerefoundonaverageforeachofthe236applicationsevaluated,equatingto4.6vulnerabilitiesper1000linesofcode.Ofthethreelanguagescounted,PHPwasthemostvulnerableprogramminglanguage,with13.1vulnerabilitiesper1000lines,followedby.Netat7.7.Javawasthemostsecure,at4.1.
Dynamic analysisThesecondsetofdatawascollectedbytheWSRGinconjunctionwiththeHPEnterpriseBusinessSoftwareBTOProfessionalServicesorganizationandwassplitacrossthreeenterprise-levelorganizations:onefromtheenergysector,onefrombankingandfinance,andonefromproductmanufacturinganddistributiontoseehowWebapplicationvulnerabilitiesarepresentedinreal-worldapplicationsandareencounteredacrossalltypesofbusinesses.Eachassessmentwasconductedusingdynamic(real-time)analysismethods.Thefirsttwosetsofdatawereanalyzedagainstasmall(lessthan20)numberofapplications,whilethelastsetconsistedofmorethan2,300scansandwasactuallyanalyzed infargreaterdepththanthefirsttwo.However,allthreesetsofdatayieldedinterestingresults.Eachwastestedforaseriesofcommon,yetdangerous,Webapplicationvulnerabilities.
Cross-Site Request Forgery (CSRF)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofauthorizationonavulnerableWebapplicationtoallowanattackertoexecuteapplicationcommandsonbehalfofanotheruseroftheapplication.ThetypicalscenarioofaCross-SiteRequestForgeryattackinvolvesanattackertrickingavictimintoclickingonaspeciallycraftedlinkthatisdesignedtoperformamaliciousoperationonbehalfofthevictim.Forexample,avictimmayclickonamaliciouslinkthatforcesthevictimtotransfermoneyfromthevictim’sbankaccounttoanattacker’sbankaccount.
Remote File IncludeAtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizedcode(typicallyPHPorASP)onavulnerableserver.RemoteFileIncludeattackstypicallyarisefromascriptinglanguage’sinherentabilitytoincludecodefromexternalURLs,orarbitrarylocalfiles.Itisthisabilitythatallowstheattackertoincludeunauthorizedcodefromanexternalsource.
12
Theenergysectorapplicationscontainedanumberofvulnerabilitiesthatcouldbeutilizedtocompromisethesystem.Forexample,23%werevulnerabletoSQLi.15.3%werevulnerabletoRemoteFileInclude(RFI)vulnerabilities.53.8%werevulnerabletoReflectedXSS,whileanother23%werevulnerabletoPersistentXSS.Also,38.4%werevulnerabletoCross-SiteRequestForgery.Cross-SiteRequestForgeryreliesonabrowsertoretrieveandexecuteanattack.Itincludesalinkorscriptinapagethatconnectstoasitethattheusermayhaverecentlyused.Thescriptthenconductsseeminglyauthorized,yetmalicious,actionsontheuser’sbehalf.Othervulnerabilitiescouldbeexploitedtoblocktheaccessoflegitimateusers.30.76%weresusceptibletoaBufferOverflow,withanother15.3%vulnerabletoaDenial-of-Serviceattack.ItisimportanttonotethatanapplicationthatsuffersfromanyoneofthesevulnerabilitieswouldfailaPCIcomplianceaudit.
Whilenotasmanyspecificvulnerabilitiesweredetected,thebankingandfinancesectorapplicationsalsocontainedalargenumberofdisconcertingvulnerabilities.58.3%oftheapplicationswerevulnerabletoReflectedXSS,butonly8.3%containedaPersistentXSSvulnerability.16.6%werevulnerabletoCross-SiteRequestForgery.Exploitationofanyofthosevulnerabilitiescouldresultinanattackergaininglegitimateauthenticationcredentials,inadditiontootherpossibilities.Inabitofagoodanomalyforthisparticularorganization,only8.3%oftheapplicationswerefoundtocontaineitheraSQLiorRFIvulnerability.Yet,thatpositivesecuritypostureissomewhatlessenedbythefactthat21.4%oftheapplicationsweren’tusingSSLcookies.And50%sufferedfromDirectoryPathDisclosurevulnerabilities,whichattackerscanutilizetoformulatemoredamagingattacks(thinkofthisasastepinreconnaissance—if youknowwheresomethingis,it’smucheasiertoattackit).
Finally,thethirdsetofapplications(all2,345ofthem)isutilizedbyaverylargeproductmanufacturinganddistributionorganization.Althoughgreaterinnumber,theseapplicationswereactuallyassessedatahigherlevelofgranularitythantheprecedingsetsofdata.Oftheseapplications,31%werevulnerabletoXSSand15%werevulnerabletoaversionofXSSthatrequireduserinteraction,suchasclickingalinkormovingthemousepointerovertext.Another6.5%werevulnerabletoaspecificformofXSSresultingfromthewayApacheWebserversincorrectlyfilteredinputinthe“Expect”header.Another5.8%werevulnerableduetospecificfilteringvulnerabilitiesinMicrosoft®ASP.NET.
Whileonly1.9%oftheapplicationswereconfirmedtobevulnerabletoSQLi,and2.3%registeredasvulnerabletoSQLialbeitwithnodataabletobeextracted,18%werestillvulnerabletoBlindSQLi.NormalSQLiattacksdependinalargemeasureonanattackerreverse-engineeringportionsoftheoriginalSQLqueryusinginformationgainedfromerrormessages.However,applicationscanstillbesusceptibletoBlindSQLievenifnoerrormessageisdisplayed.Theconsequencesarethesame.
OneinterestingstatisticisthatonlytwooftheseapplicationsregisteredasbeingvulnerabletoCross-SiteRequestForgery.Whencodingapplications,developerstendtomakethesamesecuritymistakesinmorethanonceplace.Inotherwords,ifanapplicationisvulnerabletoSQLi,chancesareit’svulnerableinmanylocations,notjustone.However,theoppositecanholdtrue,too.Itisapparentthatthesedevelopersutilizedanti-CSRFtokensorothereffectivecountermeasuresintheirapplications.
AnotherissuethattheWSRGexaminedwasthatofinformationleakage.Informationleakageconsistsofdirectoryprobing,errormessagesthatrevealinformationunintendedbythedeveloper,common“guessed”directories,andotheritemsthatcouldrevealinformationbeneficialtoescalatingattackmethodology.Successfulexploitationwouldgiveanattackerunauthorizedaccesstosensitiveinformation.Themainproblemwithinformationleakageisthattheinformationgainedfromtheseattackscanbeusedtoconductfarmoredamagingattacks.
18.8%oftheapplicationscontainedlogininformationsentoverunencryptedconnection.AnyareaofaWebapplicationthatpossiblycontainssensitiveinformationoraccesstoprivilegedfunctionalitysuchasremotesiteadministrationfunctionalityshouldutilizeSSLoranotherformofencryptiontopreventlogininformationfrombeingsniffedorotherwiseinterceptedorstolen.5.6%oftheapplicationscontainedaknownfileordirectory.OneofthemostimportantaspectsofWebapplicationsecurityistorestrict
13
accesstoimportantfilesordirectoriestoonlythoseindividualswhoactuallyneedtoaccessthem.2.2%containedsomeformofcodedisclosurevulnerability.Anattackerwhogainsaccesstothesourcecodeofanapplicationobviouslyhasanupperhandindeterminingthebestmethodofattackingit.
Manual analysisTheWSRGalsoconductedextensivemanualanalysisofvulnerabilitiesdiscoveredwhileconductingautomatedsecuritytestsforadifferentgroupofcommercialapplications.Theanalysisfocusedondiscoveringtrendsthathelp:
1. Determinetheimpactofvariousfactorspertainingtothevulnerabilitysource/contextonitscriticalityandexploitability
2.AssessthemitigationsputinplacebydeveloperstosecuretheirWebapplicationsagainstthemostcommonvulnerabilitycategoriesandunderstandtheirshortcomings
WhilesecuringWebapplicationsagainsteverypossiblethreatisimportant,notallvulnerabilitiesarecreatedequal,eveniftheybelongtothesamecategory.Inthecaseofproductionsystems,thediscoveryofcriticalvulnerabilitiesnecessitatesanimmediateresponse.This,inturn,entailsprioritizingthediscoveredissuesbasedontheexploitability,severity,andimpactonthesecuritypostureoftheoverallsystem.ThemanualanalysishelpedtheWSRGidentifythefollowingnumerousfactorsthatimpactavulnerability’strueriskrating.
1. AccesscontrolrequirementfortheresourceAnyresourcerequiringtheusertoauthenticateaddsanextralayerofcomplexityfortheattackerindiscoveringtheissue.However,oncediscovered,asuccessfulexploitationcanprovedeadly,allowingtheattackertobypasstheaccesscontrol,escalateprivileges,andgaincontroloverprotectedandpossiblysensitivesectionsofthesystem.46%ofthevulnerabilitieswerediscoveredinprotectedresources.
2. Function/PurposeoftheresourceObviously,thesensitivityoftheWebpagecontentanditspurposegreatlyimpactsthecriticalityofanyvulnerability.AnXSSvulnerabilityintheloginpageprovidestheattackerwithmoreleveragetoachieveacompletetakeoverofthesystemthanonethatexistsonasearchpage.Ultimately,anygivensecurityissuecanbeturnedintoadeadlyweaponagainstaWebapplication.However,themoreeffortrequiredtoexploitavulnerability,thelessattractivetheapplicationbecomestoanattacker.Inthesampleset,31%ofvulnerabilitiesweredetectedinloginscriptswhile46%weredetectedinsearchpages.
3. In-houseapplicationsvs.third-partycomponentsDuringmanualanalysis,theWSRGdiscoveredthatvulnerabilitiesweredetectedinbothcustomcodeaswellasinthatofthird-partyapplications.In62%oftheapplications,thevulnerabilitieswereconcentratedinthesectionsofapplicationsthatweredevelopedin-house.In31%oftheapplications,thedistributionwasexactlyreversed.Securityissuesinthird-partysoftwarearedefinitelymoreconcerningsincethoseallowtheattackerstocompromisemultiplesystemsbypossiblyusingthesameexploit.Issuesdetectedwithincustomcodecouldtakelongertofixsincetheywillrequireunderstandingofallthevulnerableinputusagesandthenapplyingaseparatefixforeach.
4.ComplexityoftheexploitthatledtothediscoveryofthevulnerabilityAttackersalwaysprefertargetingsystemsthatareeasierandfastertocompromise.Thus,anyapplicationvulnerabletosimpleattackvectorswillattractmoreattackersthanonethathasatleastsomemitigatingsecuritycontrolsinplace.69%ofvulnerabilitieswerediscoveredusing“plainvanilla”attackvectors.
14
Despitethehigh-profilenatureofrecentWebapplicationcompromises,databreaches,andincreasedfinesfornoncompliancewithgovernmentalregulations,alargenumberofapplicationsstillremainvulnerabletothemostrudimentaryWebattacks.TheWSRGhasdeterminedthatafewrecurringissuescontributetothisproblem:
1. Mitigationsappliedwithoutaccuratelyunderstandingtheusagecontextoftheuserinput23%oftheWebapplicationsinthesamplesetactuallyemployedtheHTMLencodingtechniquetoprotectagainstXSS,15%usedablacklistingapproach,and54%hadnoprotectionmechanismsimplemented.Themitigationsfailedtoprovideanyprotectionbecausein54%oftheapplications,thereflectionsoccurredwithintheclient-sideJavaScriptcodeblocks,makingthesecuritycontrolsineffective.
2.RelianceonspecificmitigationtechniquesinsteadofaholisticapproachManualinspectionoftheclient-sideapplicationsourcecodeindicatedthatthefewsecuritycontrolsemployedbythedeveloperswereappliedinresponsetoindividualvulnerabilitiesdiscoveredmorethanlikelyduringautomatedscans.TherewasnoindicationofdevelopmenthavingadheredtoanyformofaSecureDevelopmentLifecycle(SDLC)processtodevelopanyofthetestedapplications.Thiswasevidentintheunbalanceddistributionofvulnerabilitiesindifferentsectionsoftheapplications.
3. LackofuniformityinimplementationofsecuritycontrolsAlso,themanualanalysisrevealedthatwhilecertainsectionsofWebpageswereprotectedagainstXSSattacks,otherswereleftopentoexploitation.Thisbehaviorcouldbeattributedtovariousfactorssuchasthemixtureofin-housecodevs.third-partyapplicationcode,divisionofapplicationdevelopmenteffortswithnouniformprocessputinplacetogovernbestpractices,areactiveapproachtosecuringapplications,andsoon.Thislackofuniformityobviouslymakesvulnerabilitypatchingextremelycomplexandchallenging.Thebestapproachistoestablishawell-definedsecuredevelopmentprocessthatisuniformlyadheredtobyallthepartiesinvolvedinthecreationoftheapplication.
AttacktrendsTheprevioussectionprovidedaviewintothevulnerabilitylandscape—specificallywhereandhowapplicationscanbecompromised.Whilevulnerabilitiesprovideasolidunderstandingofwhatexists,lookingatwhatattacksareexploitingthosevulnerabilitiesandhowoftenwillprovideadeeperunderstandingofenterpriserisk.Attackdatafromthissectionisbrokenoutintothreeareas:
• Frequency and number of attacks.DatainthissectionisobtainedfromanetworkofHPTippingPointIntrusionPreventionSystem(IPS)devices.Thisdataisimportantforunderstandingtheriskseverityofparticularvulnerabilities.
• A deeper look at Cross-Site Scripting (XSS) attacks.XSSisoneofthemostfrequentattacksmeasuredonHPTippingPointIPSdevices.ThissectiondelvesintothedifferenttypesofXSSattacksandthespecificdangerinherentinthesevariants.
• A timeline and breakdown of SQL Injection (SQLi) attacks.SQLiisthemostfrequentWebapplicationattackthatwetrack.ThissectionlooksathowSQLihasevolvedandwhyitposessuchahugeriskfortoday’senterprises.
15
0
200000000
400000000
600000000
800000000
1000000000
1200000000
1400000000
2009 2010 2011
Figure8
Totalnumberofattacksatmid-year,2009–2011
New vulnerabilities are unnecessary; attacks continue to rise regardlessDespitethefactthatthelevelofnewvulnerabilitydiscoveriesisdropping,thereisnoshortageofattacks.Whilethisistrueacrosstheboard—everysystem,everycategory—itisespeciallysignificantwhendiscussingWebapplications.GiventhelevelsofvulnerabilitiesthatarepresentinsomanyWebapplications,it’safairassessmentthatthisriseinattacksisduetoattackersleveragingexistingvulnerabilities.
First,thetrendofattacksforthefirsthalfoftheyearforthepastthreeyears(Figure 8)depictsadistinctupwardspike.
Next,comparingWebapplicationattacksatthemid-yearforthepastthreeyears(Figure 9),thereisadistinctincreaseinattacksonWebapplications—nearlyadoubleyear-on-yeargrowthforattacksaimedattheseapplications.
Lookingatthedataanotherway—comparingnumbersofWebapplicationattackstoallattacksinthegraph(Figure 10)onthenextpage—itisinterestingtonotethattherationofWebapplicationattacksisactuallyabithigher.
16
0
5000000
10000000
15000000
20000000
25000000
30000000
35000000
2009 2010 2011(through 6/30/2011)
Figure9
TotalnumberofWebapplicationattacksatmid-year,2009–2011
WhenWebapplicationattacksarebrokendownbycategory,wecanseesomedefinitetrendstakingshape.Let’sreferbacktothethreetypesofWebapplicationvulnerabilitiesdiscussedinanearliersection:PHP/RemoteFileInclude(PHP/RFI),SQLInjection(SQLi),andCross-SiteScripting(XSS).WhileXSSvulnerabilitiesaredisclosedmoreoften,itisSQLivulnerabilitiesthatarebeingattackedthemost(Figure 11)—byasignificantmargin.
DatainFigure 12 (onpage18)showsthatWebapplicationattacksareincreasingsorapidlythatthenumberofattacksforthefirsthalfof2011arenearlyatthesamelevelsasforthefullyearsin2009and2010.Andinonecase—SQLi—thenumbersarehigherthaninthepreviousyear.
63%
37%All attacks
Web attacks
Figure10
Webapplicationattacksversusnon-Webapplicationattacks,January–June2011
17
0
1000000
2000000
3000000
4000000
5000000
6000000
Jan Feb Mar Apr May Jun
PHP/RFI
SQLi
XSS
Figure11
Webapplicationattacksinthefirsthalf2011,brokendownbycategory
Cross-Site ScriptingCross-SiteScripting(XSS)vulnerabilityhasbeenaroundforawhileandhasbeenwell-documentedovertheyears.Torefresh,XSSisahackingtechniquethatallowsattackerstoexploitvulnerabilitiesinWebapplicationsandinjectclient-sidescriptintothevulnerableWebpagesthatareviewedbyunsuspectingusers.Asuccessfulattackwillallowanattackertohijackusersessions,stealsensitiveinformation,ordefacewebsites.TherearetwoprimarytypesofXSSvulnerability:non-persistent(orreflected),andpersistent(orstored).
Thereflected(non-persistent)XSSisbyfarthemostcommontypeofXSSattack.Therootcauseistheimproperhandling(lackofsanitization)ofHTTPrequestdatabytheservercode,allowingmalicioussitesto“reflect”maliciouscodeandattacktheuser.ThemainattackvectorisusuallyanemailmessagecontainingamaliciousURL.WhentheuserclicksontheURL,theyaretakentothevulnerablesitewherethemaliciouscodeisexecutedandreflectedbackontheuserinordertoexecutetheattack.ItistheXSSvulnerabilityofthewebsitethatallowsthistypeofattacktohappen.TheWebbrowserexecutesthecodebecauseitbelievesthecodeoriginates,andisunaltered,fromatrustedwebsite.
Apersistent,orstored,XSSattackisafarmoredevastatingXSSvariant.ThisattackdoesnotrequireuserstoclickURLsinordertopassmaliciouscodebacktothevulnerablewebsiteandattacktheuser.Inthiscase,themaliciouscodeisabletoliveonthevulnerableserverandisservedupalongsideregularHTMLcontent.Again,thistypeofattackisadirectresultofpoorinputvalidationontheserverside,whichallowsfornon-sanitizedinputtoendupbeingdisplayedonthesite.Thistypeofattackisparticularlyriskynotonlybecauseitdoesnotrequiredirectuserinteractionbutalsobecauseithasamuchwiderscope.Withnon-persistentattacks,theonlyuserswhogetattackedaretheoneswhoreflectthemaliciouscodetothesitebyclickingtheURL.WithpersistentXSSattacks,everyvisitortothesitemaygetcompromisedasthemaliciouscodelivesontheserveritself.Also,thismaliciouscodecanbeself-propagating,creatingatypeofclient-sideworm.
18
0
5000000
10000000
15000000
20000000
25000000
30000000
2009 2010 2011
PHP
SQLi
XSS
(through 6/30/2011)
Figure12
Webapplicationattacks,2009–2011
Overthelastdecade,XSShasbeenapopularpartofthesecuritythreatlandscape.AccordingtovulnerabilitiesdocumentedbySymantecin2007,XSSaccountedforroughly80%ofallthesecurityvulnerabilities.Thatpercentagehasleveledoffovertherecentyears,butXSSisstillthesecondmostpopulartypeofWebapplicationvulnerability.AccordingtotheOpenWebApplicationSecurityProject(OWASP)2010TopTen,XSSwassecondonlytoSQLi.WhatmakesXSSevenmoredangerousisthatitcouldbeleveragedbyanattackertoexploitotherWebapplicationvulnerabilitiessuchasInformationDisclosures,ContentSpoofing,andmore.
WhileorganizationshaveabetterunderstandingoftherisksposedbyXSSattacks,thesetypesofvulnerabilitiesstillmakeupahighpercentageofbugsbeingdisclosedeveryyear.SowhilemanyXSSvulnerabilitieshavealowcommonvulnerabilityscoringsystem(CVSS)score,theirprevalenceincreasestheoverallattacksurfaceofaWebapplication,whichputenterprisesatahighriskforexposureandcanbecostlytofix.
SQL Injection plays a starring roleSQLiattacksgainedmediaattentionthisyearfromthehacktivistgroupsLulzSecandAnonymous,whousedthistypeofattacktocompromisesystemsofseveralhigh-profileorganizations.Datafromtheearliergraph(Figure 12)showsthatthistypeofattackisontheriseandhasbeenextensiveforsometime.
Thechartandtimelineonthenextpage(Figure 13)demonstratehowSQLiattackshaveevolvedovertheyears.
•1998—RainForestPuppy(RFP)discloses/discussestheinitialideaofSQLInjectioninphrack Magazine (Volume9,Issue54)
•2000—SQLInjectionFAQ—ChipAndrews—usesthefirstpublicusageofterm“SQLInjection”inapaper
•2003—TheideaofblindSQLInjectionisdisclosed/discussed•2006—WebapplicationvulnerabilitydisclosureskyrocketsinpartduetoSQLInjection•2008—SQLInjectionvulnerabilitydisclosurepeaks
SQL Injection (SQLi)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizeddatabasecommandsonaWebapplicationsdatabaseserver.Whensuccessfullyexploited,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbythevulnerableWebapplication.Incertaincircumstances,SQLInjectioncanbeutilizedtotakecompletecontrolofasystem.
19
Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (volume 9, issue 54)Dec 25, 1998
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 SQL Injection timeline
SQL Injection FAQ – Chip Andrews – uses the first public usage of term “SQL Injection” in a paperOct 23, 2000
The idea of blind SQL Injection is disclosed/discussed 2003
Hackers have gained access to a database containing personal information on 800,000 current and former UCLA students 2006
Web application vulnerability disclosure skyrockets in partdue to SQL Injection2006
An estimated 500,000 websites compromised as a result of SQL Injections 2008
SQL Injection vulnerability disclosure peaks2008
The Asprox botnet leverages SQL Injection for mass drive by SQL Injection attacks to grow botnet 2008
Another half a million sites hit with automated SQL Injection 2010
HBGary, a technology security firm, was broken into by Anonymous using SQL Injection in their CMS-driven website Feb 5, 2011
Expedia’s TripAdvisor member data stolen as a result of SQL InjectionMar 24, 2011
Barracuda Networks was compromised using an SQL Injection flawApril 11, 2011
The Asprox botnet leverages SQL Injection for mass drive by SQI Injection attacks to grow botnet Aug 5, 2011
LulzSec hacktivists are accused of using SQL Injection to steal coupons, download keys, and passwords that were stored in plaintext on Sony’s website, accessing the personal information of a million users June 1, 2011
Group Anonymous claims to have hacked the NATO site, using a “simple SQL Injection”June 5, 2011
Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit card and debit card numbers from five leading companies. They took advantage of a coding error, and allegedly used a SQL Injection attack to compromise a Web application, which was used as the starting point to help them bypass company network firewalls and gain access over companies’ networks. Aug 17, 2009
Figure13
TimelineandevolutionofSQLInjectionattacks
•2008—TheAsproxbotnetleveragesSQLInjectionformassdrivebySQLiattackstogrowbotnet(http://en.wikipedia.org/wiki/Asprox).FromatleastAprilthroughAugust,asweepofattacksbeganexploitingtheSQLInjectionvulnerabilitiesofMicrosoft’sIISWebserverandSQLServerdatabaseserver.Theattackdoesnotrequireguessingthenameofatableorcolumn,anditcorruptsalltextcolumnsinalltablesinasinglerequest.AnHTMLstringthatreferencesamalwareJavaScriptfileisappendedtoeachvalue.Whenthatdatabasevalueislaterdisplayedtoawebsitevisitor,thescriptattemptsseveralapproachesatgainingcontroloveravisitor’ssystem.ThenumberofexploitedWebpagesisestimatedat500,000.
•OnAugust17,2009,theU.S.JusticeDepartmentchargedanAmericancitizenAlbertGonzalezandtwounnamedRussianswiththetheftof130millioncreditcardnumbersusingaSQLInjectionattack.Inreportedly“thebiggestcaseofidentitytheftinAmericanhistory,”themanstolecardsfromanumberofcorporatevictimsafterresearchingtheirpaymentprocessingsystems.AmongthecompanieshitwerecreditcardprocessorHeartlandPaymentSystems,conveniencestorechain7-Eleven,andsupermarketchainHannafordBrothers.
•OnFebruary5,2011,HBGary,atechnologysecurityfirm,wasbrokenintobyAnonymoususingaSQLInjectionintheirCMS-drivenwebsite.
•OnApril11,2011,BarracudaNetworkswascompromisedusingaSQLInjectionflaw.Emailaddressesandusernamesofemployeeswereamongtheinformationobtained.
•OnJune1,2011,“hacktivists”ofthegroupLulzSecwereaccusedofusingSQLitostealcouponsandtodownloadkeysandpasswordsthatwerestoredinplaintextonSony’swebsite,accessingthepersonalinformationofamillionusers.
•InJune2011,GroupAnonymousclaimstohavehackedtheNATOsite,usinga“simpleSQLInjection.”
20
5%
25%
60%
10%
PHP/RFI
SQLi
XSS
CSRF
Figure14
Webapplicationvulnerabilitiesdisclosed,January–June2011
11%
68%
21%
PHP/RFI
SQLi
XSS
Figure15
TotalWebapplicationattacks,January–June2011
WithSQLiattacks,itisreadilyapparentthatattackersarecontentleveragingexistingvulnerabilitiesfortheirexploits.Thegraphsabove(Figures 14 and 15)showaside-by-sidecomparisonofthemostreportedtypesofWebapplicationvulnerabilitiesversesthemostattackedWebapplicationvulnerabilities.SQLivulnerabilitiesmakeupaquarterofthenewvulnerabilitiesreportedforthefirsthalfof2011.YetSQLiattacksmakeupmorethan60percentoftheWebapplicationattacksseenintheHPTippingPointIPS.
Webapplicationsareaffectedbymultipletypesofattacks,andSQLiandXSSarejusttwothathavereceivedasignificantamountofmediaattentionoverthelastfewmonths.ThenextsectionofthispaperpresentsgeneralmitigationstrategiesforprotectingWebapplicationsanddecreasingtheriskofoutages,dataloss,ornetworkcompromisethatcanresult.
MitigationVisibilityisincreasinglybecomingoneofthemostimportantaspectsofinformationsecurity,alongwithreducingtheoverallattacksurfacemadeavailabletoattackers.Tomitigateriskresponsibly,organizationsshouldtestcodeindevelopment,scanforvulnerabilitiesinQAbeforestaging,andtestapplicationsinproductiononanongoingbasis.ThefollowinginformationisintendedtohelpdeveloperscorrectcertainspecificcategoriesofcriticalWebapplicationvulnerabilities.
21
Cross-Site Request ForgeryResolvingCross-SiteRequestForgeryisnotasimpletask,anditactuallymayrequirerecodingeveryformandfeatureofaWebapplication.WhilenomethodofpreventingCross-SiteRequestForgeryisperfect,usingCross-SiteRequestForgerynoncetokenseliminatesmostoftherisk.Althoughanattackermayguessavalidtoken,noncetokensareneverthelessthemosteffectivesolutionforpreventingCross-SiteRequestForgeryattacks.Ausercanbeverifiedaslegitimatebygeneratinga“secret,”suchasasecrethashortoken,aftertheuserlogsin.“Thesecret”shouldbestoredinaserver-sidesessionandthenincludedineverylinkandsensitiveform.EachsubsequentHTTPrequestshouldincludethistoken;otherwise,therequestisdeniedandthesessioninvalidated.ThetokenshouldnotbethesameasthesessionIDincaseaCross-SiteScriptingvulnerabilityexists.Initializethetokenasothersessionvariables.Itcanbevalidatedwithasimpleconditionalstatement,anditcanbelimitedtoasmalltimeframetoenhanceitseffectiveness.AttackersneedtoincludeavalidtokenwithaCross-SiteRequestForgeryattackinordertomatchtheformsubmission.Becausetheuser’stokenisstoredinthesession,anyattackerwouldneedtousethesametokenasthevictim.
CAPTCHAcanalsopreventCross-SiteRequestForgeryattacks.WithCAPTCHA,auserneedstoenterawordshownindistortedtext,containedinsideanimage,beforecontinuing.Theassumptionisthatacomputercannotdeterminethewordinsidethegraphic,althoughahumancan.CAPTCHArequiresthatauserauthorizespecificactionsbeforetheWebapplicationinitiatesthem.Itisdifficulttocreateascriptthatautomaticallyenterstexttocontinue,butresearchisunderwayonhowtobreakCAPTCHAs,sostrongCAPTCHAsareanecessity.BuildingasecureCAPTCHAtakesmoreeffort.Inadditiontomakingsurethatcomputerscannotreadtheimages,youneedtomakesurethattheCAPTCHAcannotbebypassedatthescriptlevel.ConsiderwhetheryouusethesameCAPTCHAmultipletimes,makinganapplicationvulnerabletoareplayattack.AlsomakesuretheanswertotheCAPTCHAisnotpassedinplaintextaspartofaWebform.
SQL InjectionSQLInjectionarisesfromanattacker’smanipulationofquerydatatomodifyquerylogic.ThebestmethodofpreventingSQLInjectionattacksis,therefore,toseparatethelogicofaqueryfromitsdata;thiswillpreventcommandsinsertedfromuserinputfrombeingexecuted.Thedownsideofthisapproachisthatitcanhaveanimpactonperformance,albeitslight,andthateachqueryonthesitemustbestructuredinthismethodforittobecompletelyeffective.Ifonequeryisinadvertentlybypassed,thatcouldbeenoughtoleavetheapplicationvulnerabletoSQLInjection.ThefollowingcodeshowsasampleSQLstatementthatisSQLinjectable.
sSql=“SELECTLocationNameFROMLocations“;
sSql=sSql+“WHERELocationID=“+Request[“LocationID”];
oCmd.CommandText=sSql;
ThefollowingexampleutilizesparameterizedqueriesandissafefromSQLInjectionattacks.
sSql=“SELECT*FROMLocations“;
sSql=sSql+“WHERELocationID=@LocationID”;
oCmd.CommandText=sSql;
oCmd.Parameters.Add(“@LocationID”,Request[“LocationID”]);
22
TheapplicationwillsendtheSQLstatementtotheserverwithoutincludingtheuser’sinput.Instead,aparameter-@LocationID-isusedasaplaceholderforthatinput.Inthisway,userinputneverbecomespartofthecommandthatSQLexecutes.Anyinputthatanattackerinsertswillbeeffectivelynegated.Anerrorwouldstillbegenerated,butitwouldbeasimpledata-typeconversionerror,andnotsomethingthatahackercouldexploit.
ThefollowingcodesamplesshowaproductIDbeingobtainedfromanHTTPquerystringandthenusedinaSQLquery.Notehowthestringcontainingthe“SELECT”statementpassedtoSqlCommandissimplyastaticstringandisnotconcatenatedfrominput.AlsonotehowtheinputparameterispassedusingaSqlParameterobject,whosename(“@pid”)matchesthenameusedwithintheSQLquery.
C#sample:
stringconnString=WebConfigurationManager.ConnectionStrings[“myConn”].ConnectionString;
using(SqlConnectionconn=newSqlConnection(connString))
{
conn.Open();
SqlCommandcmd=newSqlCommand(“SELECTCount(*)FROMProductsWHEREProdID=@pid”,conn);
SqlParameterprm=newSqlParameter(“@pid”,SqlDbType.VarChar,50);
prm.Value=Request.QueryString[“pid”];
cmd.Parameters.Add(prm);
intrecCount=(int)cmd.ExecuteScalar();
}
VB.NETsample:
DimconnStringAsString=WebConfigurationManager.ConnectionStrings(“myConn”).ConnectionString
UsingconnAsNewSqlConnection(connString)
conn.Open()
DimcmdAsSqlCommand=NewSqlCommand(“SELECTCount(*)FROMProductsWHEREProdID=@pid”,conn)
DimprmAsSqlParameter=NewSqlParameter(“@pid”,SqlDbType.VarChar,50)
prm.Value=Request.QueryString(“pid”)
cmd.Parameters.Add(prm)
DimrecCountAsInteger=cmd.ExecuteScalar()
EndUsing
23
Cross-Site ScriptingCross-SiteScriptingattackscanbeavoidedbycarefullyvalidatingallinputandproperlyencodingalloutput.Whenvalidatinguserinput,verifythatitmatchesthestrictestdefinitionpossibleofvalidinput.Forexample,ifacertainparameterissupposedtobeanumber,attempttoconvertittoanumericdatatypeinyourprogramminglanguage.
PHP:intval(“0”.$_GET[‘q’]);
ASP.NET:int.TryParse(Request.QueryString[“q”],outval);
Thesameappliestodateandtimevalues,oranythingthatcanbeconvertedtoastrictertypebeforebeingused.Whenacceptingothertypesoftextinput,makesurethevaluematcheseitheralistofacceptablevalues(white-listing),orastrictregularexpression.White-listinginvolvescreatingalistofacceptablecharacters,asopposedtoblack-listing,whichisalistofunacceptablecharacters.Ifatanypointthevalueappearsinvalid,donotacceptit.Also,donotattempttoreturnthevaluetotheuserinanerrormessage.
Mostserver-sidescriptinglanguagesprovidebuilt-inmethodstoconvertthevalueoftheinputvariableintocorrect,non-interpretableHTML.Theseshouldbeusedtosanitizeallinputbeforeitisdisplayedtotheclient.
PHP:stringhtmlspecialchars(stringstring[,intquote_style])
ASP.NET:Server.HTMLEncode(strHTMLString)
WhenreflectingvaluesintoJavaScriptoranotherformat,makesuretouseatypeofencodingthatisappropriate.EncodingdataforHTMLisnotsufficientwhenitisreflectedinsideofascriptorstylesheet.Forexample,whenreflectingdatainaJavaScriptstring,makesuretoencodeallnon-alphanumericcharactersusinghex(\xHH)encoding.
IfyouhaveJavaScriptonyourpagethataccessesunsafeinformation(likelocation.href)andwritesittothepage(eitherwithdocument.write,orbymodifyingaDOMelement),makesurethedataisencodedforHTMLbeforewritingittothepage.JavaScriptdoesnothaveabuilt-infunctiontodothis,butmanyframeworksdo.Ifyouarelackinganavailablefunction,somethinglikethefollowingwillhandlemostcases:
s=s.replace(/&/g,’&’).replace(/”/i,’"’).replace(/</i,’<’).replace(/>/i,’>’).replace
(/’/i,’'’)
Ensurethatyouarealwaysusingtherightapproachattherighttime.Validatinguserinputshouldbedoneassoonasitisreceived.Encodingdatafordisplayshouldbedoneimmediatelybeforedisplayingit.
Get connectedwww.hp.com/go/getconnected
Get the insider view on tech trends, alerts, and HP solutions for better business outcomes
Sharewithcolleagues
©Copyright2011Hewlett-PackardDevelopmentCompany,L.P.Theinformationcontainedhereinissubjecttochangewithoutnotice.TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.HPshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.
JavaisaregisteredtrademarkofOracleand/oritsaffiliates.MicrosoftisaU.S.registeredtrademarkofMicrosoftCorporation.
4AA3-7045ENW,CreatedSeptember2011
Remote File IncludesAsthesayinggoes,securityisbakedin,notbrushedon.Anyapplicationunderdevelopmentshouldbedesignedwithsecurityinmindfromtheonset.ThefollowingrecommendationswillhelpyoubuildWebapplicationsthatarenotsusceptibletoparameterincludevulnerabilities.
•Definewhatisallowed.EnsurethattheWebapplicationvalidatesallinputparameters(cookies,headers,querystrings,forms,hiddenfields,etc.)againstastringentdefinitionofexpectedresults.Thebestmethodofdoingthisisvia“white-listing”;thisisdefinedasonlyacceptingspecificaccountnumbersorspecificaccounttypesforthoserelevantfields,oronlyacceptingintegersorlettersoftheEnglishalphabetforothers.Manydeveloperswilltrytovalidateinputby“black-listing”characters,or“escaping”them.Basically,thisentailsrejectingknownbaddatabyplacingan“escape”characterinfrontofitsothattheitemthatfollowswillbetreatedasaliteralvalue.Thisapproachisnotaseffectiveaswhite-listingbecauseitisimpossibletoknowallformsofbaddataaheadoftime.
•ChecktheresponsesfromPOSTandGETrequeststoensurewhatisbeingreturnediswhatisexpected,andisvalid.
•Verifytheoriginofscriptsbeforeyoumodifyorutilizethem.•Donotimplicitlytrustanyscriptgiventoyoubyothers(whetherdownloadedfromtheWeborgiven
toyoubyanacquaintance)foruseinyourowncode.
Referenceshttp://techtimely.wordpress.com/2011/04/22/web-hacking-threats/
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.phrack.org/issues.html?id=8&issue=54
http://sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx
http://www.isti.tu-berlin.de/fileadmin/fg214/Papers/ravi-asprox.pdf
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3
http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/