Cyber Security Risks Report

Date post: 06-Apr-2018
  • 8/3/2019 Cyber Security Risks Report


The 2011 Mid-Year Top Cyber Security Risks Report

Table of contents

Contributors 2
Overview 2
Vulnerability trends 4
  Discovery and disclosure of new vulnerabilities 5
  Further analysis: Zero Day Initiative 7
  Seeing the big picture: where the vulnerabilities are 9
  Static analysis 10
  Dynamic analysis 11
  Manual analysis 13
Attack trends 14
  New vulnerabilities are unnecessary; attacks continue to rise regardless 15
  Cross-Site Scripting 17
  SQL Injection plays a starring role 18
Mitigation 20
  Cross-Site Request Forgery 21
  SQL Injection 21
  Cross-Site Scripting 23
  Remote File Includes 24
References 24

  • 8/3/2019 Cyber Security Risks Report

    2/24

    2

Contributors

Producing the Top Cyber Security Risks Report is a collaborative effort among HP DVLabs and other HP teams, such as Fortify and the Application Security Center. We would like to sincerely thank the Open Source Vulnerability Database (OSVDB) for allowing print rights to their data in this report. For information on how you can help OSVDB: https://osvdb.org/account/signup
http://osvdb.org/support

Contributor - Title
Mike Dausin - Advanced Security Intelligence Team Lead
Adam Hils - Application Security Center Product Manager
Dan Holden - Director, HP DVLabs
Prajakta Jagdale - Web Security Research Group Lead
Jason Jones - Advanced Security Intelligence Engineer
Rohan Kotian - Digital Vaccine Team Lead
Jennifer Lake - Product Marketing, HP DVLabs
Mark Painter - Application Security Center Content Strategist
Taylor Anderson McKinley - Director, Fortify on Demand
Alen Puzic - Advanced Security Intelligence Engineer
Bob Schiermann - Senior Technical Publications Writer

Overview

Increasingly, organizations face security risks imposed upon them by attackers intent on achieving fame, glory, or profit. Attackers, familiar with common vulnerabilities inherent in many of today's websites, know how to exploit those vulnerabilities with attacks designed specifically to take advantage of them. Examples of such destructive activities have recently hit the news in stories about hacktivist groups such as LulzSec and Anonymous.

The HP 2011 mid-year edition of the biannual Top Cyber Security Risks Report features in-depth analysis and attack data from HP DVLabs, Application Security Center, and Fortify security units as well as vulnerability disclosure data garnered from the OSVDB. Given the media attention paid to these recent attacks, as well as data HP obtained from its partners and customers, the bulk of this report is focused on Web applications, including the vulnerabilities that exist and the attacks that are exploiting those weaknesses.

This report is intended for IT, network, and security administrators who are responsible for securing the public-facing communication with an organization's customers, partners, and employees. The primary objective of this edition of the Top Cyber Security Risks Report is to clearly articulate the risks and weaknesses inherent in Web applications. We'll highlight the overall vulnerability landscape, including vulnerabilities in commercially available and custom-built applications that can lead to attacks, as well as how often these are being reported. The report will also highlight the rising number of attacks that are leveraging the vulnerabilities discussed throughout the paper.


Key findings from this report include:

The number of Web application vulnerabilities that are reported differs significantly from the number that actually exist.

The Open Source Vulnerability Database (OSVDB) monitors vulnerability discovery and reporting through disclosure programs. Data from the first six months of 2011 shows a distinct and significant decrease in the disclosure of new vulnerabilities. While this might seem like good news, it is actually the opposite. Data collected from scans of actual customer Web application deployments indicates that the number of vulnerabilities is not decreasing; it is only the number of reported new vulnerabilities that is decreasing. Production websites for some of the world's leading organizations are still bursting with vulnerabilities that leave the websites open to devastating attacks.

Web application attacks are on the rise, despite the lack of new vulnerabilities being disclosed.

HP DVLabs compiled attack data from its network of HP TippingPoint intrusion prevention systems (IPS) to determine the danger these vulnerabilities pose to Internet security. Information pulled from these systems shows that the number of attacks on Web applications is ten times the number of vulnerabilities being reported. This fact leads us to believe that attackers either don't need any new vulnerabilities to achieve their goals, or that there are plenty of vulnerabilities in custom applications that are unknown or untracked, increasing the attack surface to attackers. The reality is likely a mixture of both.

Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools.

Two of the most common Web application attack types, Cross-Site Scripting (XSS) and SQL Injection (SQLi), are covered in depth in this report. Based on data obtained from HP TippingPoint IPS devices, these are two of the most frequently used attack types, though many times for different reasons. XSS, which is often used for spam or phishing attempts, provides an easy way to distribute an attack on a wide scale. Conversely, SQLi can be used not only for overwriting a database and then redirecting visitors to a malicious site, similar in fashion to how XSS is leveraged, but also for massive database theft.

The information in this report comes from various sources, allowing HP DVLabs to obtain a broad set of data from which to correlate meaningful findings. These sources include:

- A worldwide network of HP TippingPoint Intrusion Prevention Systems
- Vulnerability information from OSVDB and the Zero Day Initiative (ZDI)
- Web application data from the ASC Web Security Research Group, the EBS WBTO Professional Services Organization, and Fortify on Demand


Figure 1: Disclosed vulnerabilities according to OSVDB, 2000-2010 (bar chart; y-axis: total vulnerabilities, 0 to 11K; x-axis: years 2000 through 2011)

Vulnerability trends

To better understand the threat landscape, it is important to start with the weaknesses present in computing infrastructures. These weaknesses typically manifest themselves as application vulnerabilities, which are the focus of this section of the report. The vulnerability landscape is discussed in the following three sections:

Discovery and disclosure of new vulnerabilities: This section describes current trends in vulnerability reporting, highlighting vulnerabilities that have been disclosed in commercially available computing systems, including Web applications. Based on the trend information, one can discern the volume and category of newly discovered vulnerabilities, which provides insight into how such vulnerabilities attract attackers' attention.

Trends in vulnerability research: This section highlights data from the HP DVLabs Zero Day Initiative (ZDI) vulnerability research program. It provides a deeper look into the types of vulnerabilities that the ZDI researches and discovers, in an effort to get a better sense of what drives a security attack.

Vulnerabilities discovered in production Web application environments: This section highlights results from scans of live Web applications. Data in this section demonstrates the vulnerabilities that are present in real-world Web applications, including new vulnerabilities that are unreported as well as those that were previously disclosed, and as-yet unfixed vulnerabilities.


Figure 2: Vulnerability disclosure according to OSVDB, 2000-2011, broken down by month (y-axis: total vulnerabilities, 0 to 1.3K)

Discovery and disclosure of new vulnerabilities

Based on data pulled from OSVDB, the total number of new vulnerabilities reported for the first half of 2011 is about 25 percent lower than the number of new vulnerabilities reported at mid-year 2010 and previous years. As of June 30, 2011, OSVDB cataloged 3,087 (Figure 1) reported vulnerabilities in Internet-based systems, applications, and other computing tools, as compared to 4,091 cataloged in the corresponding period in 2010.

After peaking in 2006, vulnerability reporting for commercially available products has been in a slow decline (Figure 2). The reasons for this decline are varied, but several likely reasons stand out. Software makers and system developers have increased their security awareness and have taken steps to reduce vulnerabilities prior to releasing their products. The second reason is a reduction in the disclosures of discovered vulnerabilities, motivated by a desire to instead sell the vulnerability for profit. Another is that some organizations would rather announce details regarding vulnerabilities only after they've been fixed.

Despite the overall decline in new vulnerabilities being discovered and reported, it is important to note that the ratio of vulnerabilities discovered in Web applications still makes up 31 percent (Figure 3) of all vulnerabilities disclosed. It is worth noting that roughly half of all vulnerability disclosures since 2006 have involved Web applications, so the downward trend for the first half of 2011 is yet another proof point for the overall drop in vulnerability disclosure thus far.


Figure 3: Comparison of Web application vulnerabilities versus non-Web application vulnerabilities, January-June 2011 (pie chart: Web app vulns 31%, other vulns 69%)

The reason for the high number of Web application vulnerabilities is a matter of opportunity and profit. First, the number of Web applications in circulation grows steadily every day. A Web application in its simplest form ties together an operating system, a Web server, a database, and some top-level application that customers use to interact with the back-end systems. Many organizations have adopted this model for interacting with customers through retail sites, online banking or finance applications, or even appointment scheduling. In addition, many organizations have confidential or sensitive data stored in the database(s) connected to these applications, offering an almost limitless field of opportunity for attackers, who view it all as a very lucrative proposition.

When vulnerabilities are broken down by category, some interesting trends begin to emerge. Data presented in Figure 4 shows that certain types of vulnerabilities are more frequently discovered and disclosed. Cross-Site Scripting (XSS) still comprises the most significant amount of new Web application vulnerability disclosures. XSS is commonly used for spam, phishing, and Web browser exploits. Buffer Overflow and Denial of Service (DoS) vulnerabilities round out the top three.

Buffer Overflow
A buffer overflow attack occurs when attackers purposely overload a system's temporary memory (called a buffer) to wreak havoc on a victim's machine. Oftentimes attackers also include instructional code in the information they use to overflow the memory. That code can instruct the affected system to access or change confidential data or even send information back to the attacker.

Denial of Service (DoS)
A type of vulnerability that allows an attacker to exhaust computer resources on a vulnerable system to a point where legitimate usage of that system is impossible.

Distributed Denial of Service (DDoS)
A type of DoS attack that employs a number of separate computers, which simultaneously launch a Denial of Service attack against a single application or system.


Figure 4: Disclosed vulnerabilities broken down by category, January 2000 to June 2011 (y-axis: total vulnerabilities, 0 to 3K; x-axis: years 2000 through 2011; series: Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, Buffer Overflow, Remote File Include, Denial of Service)

It is interesting to note that the breakdown of popular vulnerabilities by category remains fairly consistent over the past three years (Figure 5), likely because XSS vulnerabilities are relatively easy to find and are very useful to attackers. Spammers and phishers are always looking for ways to make their trade more profitable, and XSS continues to be a useful vulnerability for these purposes.

Further analysis: Zero Day Initiative

The Zero Day Initiative (ZDI), founded by HP TippingPoint in 2005, is a program for rewarding security researchers for responsibly disclosing vulnerabilities. The program is designed so that researchers provide HP TippingPoint with exclusive information about previously unpatched vulnerabilities they have discovered. HP DVLabs validates the vulnerability and then works with the affected vendor until the vulnerability is patched. At the same time, HP DVLabs develops a security solution that provides preemptive protection for HP's customers even before the application vendor distributes a fix for the vulnerability.

From 2005 through June 2011, ZDI and HP DVLabs researchers have discovered and responsibly disclosed more than 980 vulnerabilities in popular computing systems including Web browsers, media players, and document readers.

In 2010, ZDI announced changes to its disclosure policy that give vendors an incentive to introduce more timely bug fixes into their products. Under the new policy, ZDI offers the affected vendors six months to issue patches, fixes, or workarounds for undisclosed vulnerabilities reported to them via the ZDI program. If, after six months, the vendor has not issued a fix or cleared an exception with ZDI, limited detail of the vulnerability will be disclosed so that the defensive community and consumers of these affected applications can find their own ways to mitigate the risk associated with these open bugs. Further information regarding the ZDI disclosure policy can be found here: http://www.zerodayinitiative.com/advisories/disclosure_policy/.


Figure 5: Three-year view: popular vulnerabilities by category, 2009, 2010, and 2011 (through 6/30/2011) (bar chart; y-axis 0 to 1800; categories: BO, DOS, PHP, SQLi, XSS, CSRF)

In the table (Figure 6) below you can see the top 10 applications with vulnerabilities disclosed through the ZDI since the program was started in 2005.

For the first half of 2011, DVLabs and the ZDI either discovered or acquired, and disclosed to affected vendors, 231 vulnerabilities in a wide range of products. On the next page (Figure 7) you can see the top 10 applications for which vulnerabilities were disclosed through the ZDI. While only four of the 10 applications are related to Web browsers, the total number of vulnerabilities from these applications is staggering.

Figure 6: Most frequently reported vulnerabilities disclosed through ZDI from 2005-2011 (bar chart, scale 0 to 70; applications in chart order):
- Apple QuickTime
- Microsoft Internet Explorer
- Oracle/Sun Java
- Microsoft Office
- Mozilla Firefox
- Apple WebKit
- RealNetworks RealPlayer
- Adobe Shockwave
- HP OpenView
- Adobe Reader


Figure 7: Most frequently reported vulnerabilities disclosed through ZDI in 2011 (bar chart, scale 0 to 30; applications in chart order):
- CA Total Defense
- IBM Lotus (general)
- Microsoft Office Tools
- HP OpenView Network Node Manager
- Novell iPrint
- Apple WebKit
- Adobe Reader
- HP Data Protector
- Oracle Java (general)
- Adobe Shockwave

Seeing the big picture: where the vulnerabilities are

So far, this report has focused primarily on vulnerability disclosure, which may or may not reflect the complete picture of vulnerability trends unfolding on the Internet. In an effort to see a clearer picture of the real-world vulnerability landscape, the HP Application Security Center Web Security Research Group (WSRG) compiled results from over 2,750 security assessments performed against a variety of customer Web applications during the first six months of 2011. While it is good to see an overall reduction in the number of new vulnerabilities being reported, that has unfortunately had no impact on the dangers of exploitation. These results have been divided into three sections:

- The first correlates results from almost 250 Web applications analyzed statically (at the line-of-code level) for Web application vulnerabilities.
- The second group includes results from dynamic analysis (during the actual running of the application) conducted against over 2,500 unique Web applications.
- Finally, the third set of analyses includes a closer inspection of a much smaller group of assessments to explore the different ways in which Web application vulnerabilities can be exploited, how that impacts the overall risk standing of the application, and what mitigation measures developers are employing that are not working.

Each set of analyses will shed light on the nature and seriousness of Web application vulnerabilities and how prevalent they are. What security professionals have steadily witnessed in the last decade is that attacks have moved from defacement and general annoyance to one-time attacks designed to steal as much data as possible, and from there to pernicious ongoing attacks that attempt to distribute malware and steal as much data for as long as possible without being detected. It is imperative to realize that it often takes only one Web application vulnerability for an entire system to be compromised. The enormity of the danger cannot be overstated.


Static analysis

The first set of applications was statically analyzed by the WSRG in conjunction with the HP Fortify on Demand group and included 236 unique applications. The first statistic is truly staggering: a full 69% of the applications tested contained at least one SQLi flaw. Fundamentally, SQLi is an attack upon the Web application, not the Web server or the operating system itself. As the name implies, it is the act of adding unexpected SQL commands to a query, thereby manipulating the database in ways unintended by the database administrator or developer. When the attack is successful, data can be extracted, modified, inserted, or deleted from database servers that are used by vulnerable Web applications. If attackers can find one SQL Injection vulnerability in an application, there's a very good chance they can compromise it completely. A lot of high-profile attacks over the course of the first half of 2011 were the direct result of SQLi. Even Lady Gaga isn't immune to SQLi.

The second most prevalent vulnerability discovered in this series of assessments was Cross-Site Scripting (XSS), specifically the reflected variety. Put simply, reflected XSS attacks come from somewhere else, such as when user-supplied input from a Web client is immediately included via server-side scripts in a dynamically generated Web page. Using some social engineering, an attacker can trick a victim, perhaps through a malicious link or a rigged form, into submitting information which will be altered to include attack code and then sent to the legitimate server. The injected code is then reflected back to the user's browser, which executes it because it came from a trusted server. 64% of the assessed applications contained at least one reflected XSS flaw.

Its sister vulnerability, persistent XSS, was discovered in 42% of the applications tested in this group. Persistent attacks are just that: in some form they are stored on the target server, such as in a database, or via a submission to a bulletin board or visitor log. The victim will retrieve and execute the attack code in his browser when a request is made for the stored information. What's also interesting about this particular vulnerability is that even though it was found in 27% fewer of the applications than SQLi, there were actually more unique instances of persistent XSS discovered than any other vulnerability for which the WSRG tested. The impacts of each flavor of XSS are the same.

A more generic vulnerability, Header Manipulation, was found in 37% of the applications. Header Manipulation vulnerabilities occur when data enters a Web application through an untrusted source, most frequently a Web request. The data is included in an HTTP response header sent to a Web user without being validated. As with many Web application security vulnerabilities, Header Manipulation is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. Including unvalidated data in an HTTP response header can enable cache poisoning, XSS, cross-user defacement, page hijacking, cookie manipulation, or open redirect vulnerabilities. And 18% of the applications also contained a specific cookie Header Manipulation vulnerability.
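The Header Manipulation pattern above, shown as an added example that is not from the HP report: a constructed login flow copies a "?next=" parameter into a Location header, first without validation and then with the checks that close both the header-injection and the open-redirect cases (shop.example.com and the function names are hypothetical).

```javascript
// Added example, not from the HP report: a "?next=" parameter copied into a
// Location header after login (constructed scenario, hypothetical names).

const ALLOWED_HOSTS = new Set(['shop.example.com']); // hypothetical allowlist
const OUR_ORIGIN = 'https://shop.example.com/';

// Vulnerable: the raw parameter is placed straight into the header value.
// A CR/LF inside it ends the Location line, so whatever follows is parsed as
// further headers (or body). That is the response splitting behind the cache
// poisoning and cookie manipulation the report lists.
function vulnerableRedirectHeaders(next) {
  return `HTTP/1.1 302 Found\r\nLocation: ${next}\r\n\r\n`;
}

// Hardened: reject control characters, then require the target to resolve
// to our own origin (an allowlist), which also removes the open redirect.
function safeRedirectHeaders(next) {
  if (/[\r\n\0]/.test(next)) {
    throw new Error('control character in redirect target');
  }
  let target;
  try {
    target = new URL(next, OUR_ORIGIN); // relative paths resolve to our site
  } catch (e) {
    throw new Error('unparseable redirect target');
  }
  if (target.protocol !== 'https:' || !ALLOWED_HOSTS.has(target.hostname)) {
    throw new Error('redirect target not on allowlist');
  }
  return `HTTP/1.1 302 Found\r\nLocation: ${target.href}\r\n\r\n`;
}

// Number of header lines in a raw response; an injected CRLF shows up as an
// extra line, which is a cheap check to run over proxy logs or test output.
function headerLineCount(raw) {
  const headBlock = raw.split('\r\n\r\n')[0];
  return headBlock.split('\r\n').length - 1; // exclude the status line
}

// True when fn throws; lets the checks read as assertions.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```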

Cross-Site Scripting (XSS)
A type of Web application vulnerability that takes advantage of a lack of input validation to enable an attacker to inject malicious client-side code into a Web page which is viewed by a victim's Web browser. Various forms of XSS are currently being used to phish website users into revealing sensitive information such as usernames, passwords, and credit card details. XSS can generally be divided into stored, reflected, and DOM-based attacks. Stored XSS results in the payload being persisted on the target system in either the database or the file system. The victims will retrieve and execute the attack code in their browser when a request is made for the stored information. Execution of the reflected XSS attacks, on the other hand, occurs when user input from a Web client is immediately included via server-side scripts in a dynamically generated Web page. DOM-based XSS attacks rely on malicious modification of the DOM environment in a victim's browser. It differs from the stored and reflected XSS in the fact that the malicious data is never sent to the server. Via some social engineering, an attacker can trick a victim, such as through a malicious link or rigged form, into submitting information that will be altered to include attack code and then sent to the legitimate server.

Command Execution
A type of vulnerability that takes advantage of a lack of input validation on a website in order to run operating system commands on the vulnerable application server. Typically, this vulnerability category allows attackers to exploit Web applications that pass user data as parameters to I/O operations by appending OS commands to user-supplied input using special characters such as a pipe (|).

Link referenced above: http://www.mirror.co.uk/celebs/news/2011/07/16/lady-gaga-website-hacked-and-fans-details-stolen-115875-23274356/

Another widespread vulnerability discovered during the WSRG analysis was Path Manipulation. This occurs when user-supplied input can control or otherwise influence file names or paths utilized in file system operations, which can then give an attacker the means to access or change protected system resources. 63% of the scans detected a Path Manipulation vulnerability.

While none of the vulnerabilities discussed so far can be considered innocuous, one extremely dangerous vulnerability was also detected in large numbers. Command Injection occurs when a remote user can supply a specially crafted value to execute arbitrary operating system commands on the target system. 35% of the applications contained at least one Command Injection vulnerability.

Another significant vulnerability occurs when developers leave passwords hardcoded in their code. Hardcoded passwords were discovered in 30% of the applications. An attacker who discovers a hardcoded password could obviously gain unintended access to the application. The damages would depend on the functionality of the application itself.

5% of the applications contained XPath Injection vulnerabilities. XPath Injection is very similar to SQLi. In that scenario, SQL commands are modified by an attacker to gain access to database contents and information. In XPath Injection, XPath statements are modified to gain access to the data contained within an XML document, which often serves as the XML database. Importantly, XPath does not utilize access control restrictions as SQL does via privileges, so a successful XPath Injection attack will yield complete results in that all the data in the document will be revealed. The XPath language is also uniform, unlike SQL, so that any installed implementation is potentially vulnerable. In these aspects, XPath Injection is easier to execute than SQLi and has greater results returned on affected systems.

Another interesting set of data describes the number of vulnerabilities found per application, and per 1000 lines of code. During initial scans (before remediation efforts), 410 vulnerabilities were found on average for each of the 236 applications evaluated, equating to 4.6 vulnerabilities per 1000 lines of code. Of the three languages counted, PHP was the most vulnerable programming language, with 13.1 vulnerabilities per 1000 lines, followed by .NET at 7.7. Java was the most secure, at 4.1.

Dynamic analysis

The second set of data was collected by the WSRG in conjunction with the HP Enterprise Business Software BTO Professional Services organization and was split across three enterprise-level organizations: one from the energy sector, one from banking and finance, and one from product manufacturing and distribution, to see how Web application vulnerabilities are presented in real-world applications and are encountered across all types of businesses. Each assessment was conducted using dynamic (real-time) analysis methods. The first two sets of data were analyzed against a small (less than 20) number of applications, while the last set consisted of more than 2,300 scans and was actually analyzed in far greater depth than the first two. However, all three sets of data yielded interesting results. Each was tested for a series of common, yet dangerous, Web application vulnerabilities.

Cross-Site Request Forgery (CSRF)
A type of Web application vulnerability that takes advantage of a lack of authorization on a vulnerable Web application to allow an attacker to execute application commands on behalf of another user of the application. The typical scenario of a Cross-Site Request Forgery attack involves an attacker tricking a victim into clicking on a specially crafted link that is designed to perform a malicious operation on behalf of the victim. For example, a victim may click on a malicious link that forces the victim to transfer money from the victim's bank account to an attacker's bank account.

Remote File Include
A type of Web application vulnerability that takes advantage of a lack of input validation on a website in order to execute unauthorized code (typically PHP or ASP) on a vulnerable server. Remote File Include attacks typically arise from a scripting language's inherent ability to include code from external URLs, or arbitrary local files. It is this ability that allows the attacker to include unauthorized code from an external source.


The energy sector applications contained a number of vulnerabilities that could be utilized to compromise the system. For example, 23% were vulnerable to SQLi. 15.3% were vulnerable to Remote File Include (RFI) vulnerabilities. 53.8% were vulnerable to Reflected XSS, while another 23% were vulnerable to Persistent XSS. Also, 38.4% were vulnerable to Cross-Site Request Forgery. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized, yet malicious, actions on the user's behalf. Other vulnerabilities could be exploited to block the access of legitimate users. 30.76% were susceptible to a Buffer Overflow, with another 15.3% vulnerable to a Denial-of-Service attack. It is important to note that an application that suffers from any one of these vulnerabilities would fail a PCI compliance audit.

While not as many specific vulnerabilities were detected, the banking and finance sector applications also contained a large number of disconcerting vulnerabilities. 58.3% of the applications were vulnerable to Reflected XSS, but only 8.3% contained a Persistent XSS vulnerability. 16.6% were vulnerable to Cross-Site Request Forgery. Exploitation of any of those vulnerabilities could result in an attacker gaining legitimate authentication credentials, in addition to other possibilities. In a bit of a good anomaly for this particular organization, only 8.3% of the applications were found to contain either a SQLi or RFI vulnerability. Yet, that positive security posture is somewhat lessened by the fact that 21.4% of the applications weren't using SSL cookies. And 50% suffered from Directory Path Disclosure vulnerabilities, which attackers can utilize to formulate more damaging attacks (think of this as a step in reconnaissance: if you know where something is, it's much easier to attack it).

Finally, the third set of applications (all 2,345 of them) is utilized by a very large product manufacturing and distribution organization. Although greater in number, these applications were actually assessed at a higher level of granularity than the preceding sets of data. Of these applications, 31% were vulnerable to XSS and 15% were vulnerable to a version of XSS that required user interaction, such as clicking a link or moving the mouse pointer over text. Another 6.5% were vulnerable to a specific form of XSS resulting from the way Apache Web servers incorrectly filtered input in the Expect header. Another 5.8% were vulnerable due to specific filtering vulnerabilities in Microsoft ASP.NET.

While only 1.9% of the applications were confirmed to be vulnerable to SQLi, and 2.3% registered as vulnerable to SQLi albeit with no data able to be extracted, 18% were still vulnerable to Blind SQLi. Normal SQLi attacks depend in a large measure on an attacker reverse-engineering portions of the original SQL query using information gained from error messages. However, applications can still be susceptible to Blind SQLi even if no error message is displayed. The consequences are the same.

One interesting statistic is that only two of these applications registered as being vulnerable to Cross-Site Request Forgery. When coding applications, developers tend to make the same security mistakes in more than one place. In other words, if an application is vulnerable to SQLi, chances are it's vulnerable in many locations, not just one. However, the opposite can hold true, too. It is apparent that these developers utilized anti-CSRF tokens or other effective countermeasures in their applications.

Another issue that the WSRG examined was that of information leakage. Information leakage consists of directory probing, error messages that reveal information unintended by the developer, common guessed directories, and other items that could reveal information beneficial to escalating attack methodology. Successful exploitation would give an attacker unauthorized access to sensitive information. The main problem with information leakage is that the information gained from these attacks can be used to conduct far more damaging attacks.

18.8% of the applications contained login information sent over an unencrypted connection. Any area of a Web application that possibly contains sensitive information or access to privileged functionality, such as remote site administration functionality, should utilize SSL or another form of encryption to prevent login information from being sniffed or otherwise intercepted or stolen. 5.6% of the applications contained a known file or directory. One of the most important aspects of Web application security is to restrict access to important files or directories to only those individuals who actually need to access them. 2.2% contained some form of code disclosure vulnerability. An attacker who gains access to the source code of an application obviously has an upper hand in determining the best method of attacking it.

Manual analysis

The WSRG also conducted extensive manual analysis of vulnerabilities discovered while conducting automated security tests for a different group of commercial applications. The analysis focused on discovering trends that help:

1. Determine the impact of various factors pertaining to the vulnerability source/context on its criticality and exploitability
2. Assess the mitigations put in place by developers to secure their Web applications against the most common vulnerability categories and understand their shortcomings

While securing Web applications against every possible threat is important, not all vulnerabilities are created equal, even if they belong to the same category. In the case of production systems, the discovery of critical vulnerabilities necessitates an immediate response. This, in turn, entails prioritizing the discovered issues based on the exploitability, severity, and impact on the security posture of the overall system. The manual analysis helped the WSRG identify the following factors that impact a vulnerability's true risk rating.

1. Access control requirement for the resource

Any resource requiring the user to authenticate adds an extra layer of complexity for the attacker in discovering the issue. However, once discovered, a successful exploitation can prove deadly, allowing the attacker to bypass the access control, escalate privileges, and gain control over protected and possibly sensitive sections of the system. 46% of the vulnerabilities were discovered in protected resources.

2. Function/purpose of the resource

Obviously, the sensitivity of the Web page content and its purpose greatly impacts the criticality of any vulnerability. An XSS vulnerability in the login page provides the attacker with more leverage to achieve a complete takeover of the system than one that exists on a search page. Ultimately, any given security issue can be turned into a deadly weapon against a Web application. However, the more effort required to exploit a vulnerability, the less attractive the application becomes to an attacker. In the sample set, 31% of vulnerabilities were detected in login scripts while 46% were detected in search pages.

3. In-house applications vs. third-party components

During manual analysis, the WSRG discovered that vulnerabilities were detected in both custom code as well as in that of third-party applications. In 62% of the applications, the vulnerabilities were concentrated in the sections of applications that were developed in-house. In 31% of the applications, the distribution was exactly reversed. Security issues in third-party software are definitely more concerning since those allow the attackers to compromise multiple systems by possibly using the same exploit. Issues detected within custom code could take longer to fix since they will require understanding of all the vulnerable input usages and then applying a separate fix for each.

4. Complexity of the exploit that led to the discovery of the vulnerability

Attackers always prefer targeting systems that are easier and faster to compromise. Thus, any application vulnerable to simple attack vectors will attract more attackers than one that has at least some mitigating security controls in place. 69% of vulnerabilities were discovered using plain vanilla attack vectors.


    Despite the high-profile nature of recent Web application compromises, data breaches, and increased fines for noncompliance with governmental regulations, a large number of applications still remain vulnerable to the most rudimentary Web attacks. The WSRG has determined that a few recurring issues contribute to this problem:

    1. Mitigations applied without accurately understanding the usage context of the user input

    23% of the Web applications in the sample set employed HTML encoding to protect against XSS, 15% used a blacklisting approach, and 54% had no protection mechanisms implemented. The mitigations that were present often failed to provide any protection because, in 54% of the applications, the reflections occurred within client-side JavaScript code blocks, a context in which HTML encoding and character blacklists are not the appropriate defense, so the security controls were ineffective.

    2. Reliance on specific mitigation techniques instead of a holistic approach

    Manual inspection of the client-side application source code indicated that the few security controls employed by the developers were applied in response to individual vulnerabilities, most likely discovered during automated scans. There was no indication that the development of any of the tested applications had adhered to any form of Secure Development Lifecycle (SDLC) process. This was evident in the unbalanced distribution of vulnerabilities across different sections of the applications.

    3. Lack of uniformity in implementation of security controls

    The manual analysis also revealed that while certain sections of Web pages were protected against XSS attacks, others were left open to exploitation. This behavior could be attributed to various factors, such as the mixture of in-house code and third-party application code, division of application development efforts with no uniform process in place to govern best practices, a reactive approach to securing applications, and so on. This lack of uniformity makes vulnerability patching extremely complex and challenging. The best approach is to establish a well-defined secure development process that is uniformly adhered to by all parties involved in the creation of the application.

    Attack trends

    The previous section provided a view into the vulnerability landscape, specifically where and how applications can be compromised. While vulnerabilities provide a solid understanding of what exists, looking at which attacks are exploiting those vulnerabilities, and how often, provides a deeper understanding of enterprise risk. Attack data in this section is broken out into three areas:

    Frequency and number of attacks. Data in this section is obtained from a network of HP TippingPoint Intrusion Prevention System (IPS) devices. This data is important for understanding the risk severity of particular vulnerabilities.

    A deeper look at Cross-Site Scripting (XSS) attacks. XSS is one of the most frequent attacks measured on HP TippingPoint IPS devices. This section delves into the different types of XSS attacks and the specific danger inherent in these variants.

    A timeline and breakdown of SQL Injection (SQLi) attacks. SQLi is the most frequent Web application attack that we track. This section looks at how SQLi has evolved and why it poses such a huge risk for today's enterprises.


    Figure 8

    Total number of attacks at mid-year, 2009–2011 (bar chart; y-axis: number of attacks, 0 to 1,400,000,000; x-axis: 2009, 2010, 2011)

    New vulnerabilities are unnecessary; attacks continue to rise regardless

    Despite the fact that the level of new vulnerability discoveries is dropping, there is no shortage of attacks. While this is true across the board, for every system and every category, it is especially significant when discussing Web applications. Given the level of vulnerabilities present in so many Web applications, it is a fair assessment that this rise in attacks is due to attackers leveraging existing vulnerabilities.

    First, the trend of attacks for the first half of the year over the past three years (Figure 8) shows a distinct upward spike.

    Next, comparing Web application attacks at mid-year for the past three years (Figure 9), there is a distinct increase in attacks on Web applications: nearly a doubling in year-on-year growth for attacks aimed at these applications.

    Looking at the data another way, comparing the number of Web application attacks to all attacks in the graph (Figure 10) on the next page, it is interesting to note that the ratio of Web application attacks is actually a bit higher.


    Figure 9

    Total number of Web application attacks at mid-year, 2009–2011 (bar chart; y-axis: number of attacks, 0 to 35,000,000; x-axis: 2009, 2010, 2011 (through 6/30/2011))

    When Web application attacks are broken down by category, we can see some definite trends taking shape. Let's refer back to the three types of Web application vulnerabilities discussed in an earlier section: PHP/Remote File Include (PHP/RFI), SQL Injection (SQLi), and Cross-Site Scripting (XSS). While XSS vulnerabilities are disclosed more often, it is SQLi vulnerabilities that are being attacked the most (Figure 11), by a significant margin.

    Data in Figure 12 (on page 18) shows that Web application attacks are increasing so rapidly that the number of attacks for the first half of 2011 is nearly at the same level as for the full years 2009 and 2010. And in one case, SQLi, the numbers are already higher than in the previous year.

    Figure 10

    Web application attacks versus non-Web application attacks, January–June 2011 (pie chart: 63%, 37%; legend: All attacks, Web attacks)


    Figure 11

    Web application attacks in the first half of 2011, broken down by category (monthly chart, Jan through Jun; y-axis: number of attacks, 0 to 6,000,000; series: PHP/RFI, SQLi, XSS)

    Cross-Site Scripting

    Cross-Site Scripting (XSS) vulnerabilities have been around for a while and have been well documented over the years. To refresh: XSS is an attack technique that exploits vulnerabilities in Web applications to inject client-side script into vulnerable Web pages that are viewed by unsuspecting users. A successful attack allows an attacker to hijack user sessions, steal sensitive information, or deface websites. There are two primary types of XSS vulnerability: non-persistent (or reflected) and persistent (or stored). A third variant, DOM-based XSS, in which the page's own client-side script writes untrusted data (such as part of location.href) into the document, is addressed in the Mitigation section.

    Reflected (non-persistent) XSS is by far the most common type of XSS attack. The root cause is improper handling (lack of validation and output encoding) of HTTP request data by the server code, which allows attacker-controlled request data to be reflected back into the response and executed in the user's browser. The main attack vector is usually an email message containing a malicious URL. When the user clicks the URL, they are taken to the vulnerable site, where the malicious code carried in the request is reflected back to the user and executed. It is the XSS vulnerability of the website that allows this type of attack to happen: the Web browser executes the code because it believes the code originates, unaltered, from a trusted website.

    A persistent, or stored, XSS attack is a far more devastating XSS variant. This attack does not require users to click URLs in order to pass malicious code to the vulnerable website. Instead, the malicious code lives on the vulnerable server and is served up alongside regular HTML content. Again, this type of attack is a direct result of poor input validation on the server side, which allows non-sanitized input to end up being displayed on the site. It is particularly risky not only because it does not require direct user interaction but also because it has a much wider scope. With non-persistent attacks, the only users attacked are those who reflect the malicious code to the site by clicking the URL. With persistent XSS attacks, every visitor to the site may be compromised, because the malicious code lives on the server itself. This malicious code can also be self-propagating, creating a type of client-side worm.


    Figure 12

    Web application attacks, 2009–2011 (chart; y-axis: number of attacks, 0 to 30,000,000; x-axis: 2009, 2010, 2011 (through 6/30/2011); series: PHP, SQLi, XSS)

    Over the last decade, XSS has been a popular part of the security threat landscape. According to vulnerabilities documented by Symantec in 2007, XSS accounted for roughly 80% of all security vulnerabilities. That percentage has leveled off in recent years, but XSS is still the second most popular type of Web application vulnerability. In the Open Web Application Security Project (OWASP) 2010 Top Ten, XSS (A2) was second only to Injection (A1), of which SQLi is the most prominent form. What makes XSS even more dangerous is that it can be leveraged by an attacker to exploit other Web application weaknesses, such as Information Disclosure, Content Spoofing, and more.

    While organizations have a better understanding of the risks posed by XSS attacks, these vulnerabilities still make up a high percentage of the bugs disclosed every year. So while many XSS vulnerabilities have a low Common Vulnerability Scoring System (CVSS) score, their prevalence increases the overall attack surface of a Web application, which puts enterprises at high risk of exposure and can be costly to fix.

    SQL Injection plays a starring role

    SQLi attacks gained media attention this year from the hacktivist groups LulzSec and Anonymous, who used this type of attack to compromise the systems of several high-profile organizations. Data from the earlier graph (Figure 12) shows that this type of attack is on the rise and has been extensive for some time.

    The chart and timeline on the next page (Figure 13) demonstrate how SQLi attacks have evolved over the years.

    1998: Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (Volume 9, Issue 54)

    2000: SQL Injection FAQ; Chip Andrews makes the first public use of the term "SQL Injection" in a paper

    2003: The idea of blind SQL Injection is disclosed/discussed

    2006: Web application vulnerability disclosure skyrockets, in part due to SQL Injection

    2008: SQL Injection vulnerability disclosure peaks

    SQL Injection (SQLi): A type of Web application vulnerability that takes advantage of a lack of input validation on a website in order to execute unauthorized database commands on a Web application's database server. When successfully exploited, data can be extracted, modified, inserted, or deleted from database servers that are used by the vulnerable Web application. In certain circumstances, SQL Injection can be utilized to take complete control of a system.


    Figure 13

    Timeline and evolution of SQL Injection attacks (timeline graphic, 1998–2011; its entries are listed here in date order)

    Dec 25, 1998: Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (volume 9, issue 54)

    Oct 23, 2000: SQL Injection FAQ; Chip Andrews makes the first public use of the term "SQL Injection" in a paper

    2003: The idea of blind SQL Injection is disclosed/discussed

    2006: Hackers gain access to a database containing personal information on 800,000 current and former UCLA students

    2006: Web application vulnerability disclosure skyrockets, in part due to SQL Injection

    2008: An estimated 500,000 websites compromised as a result of SQL Injection

    2008: SQL Injection vulnerability disclosure peaks

    2008: The Asprox botnet leverages SQL Injection for mass drive-by SQL Injection attacks to grow the botnet

    Aug 17, 2009: Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit card and debit card numbers from five leading companies. They took advantage of a coding error, and allegedly used a SQL Injection attack to compromise a Web application, which was used as the starting point to help them bypass company network firewalls and gain access to the companies' networks.

    2010: Another half a million sites hit with automated SQL Injection

    Feb 5, 2011: HBGary, a technology security firm, is broken into by Anonymous using SQL Injection in its CMS-driven website

    Mar 24, 2011: Expedia's TripAdvisor member data stolen as a result of SQL Injection

    April 11, 2011: Barracuda Networks is compromised using a SQL Injection flaw

    June 1, 2011: LulzSec hacktivists are accused of using SQL Injection to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users

    June 5, 2011: The group Anonymous claims to have hacked the NATO site using a simple SQL Injection

    Aug 5, 2011: The Asprox botnet leverages SQL Injection for mass drive-by SQL Injection attacks to grow the botnet (as dated in the figure)

    2008: The Asprox botnet leverages SQL Injection for mass drive-by SQLi attacks to grow the botnet (http://en.wikipedia.org/wiki/Asprox). From at least April through August, a sweep of attacks exploited SQL Injection vulnerabilities in ASP applications running on Microsoft's IIS Web server with SQL Server database back ends. The attack does not require guessing the name of a table or column: it enumerates the schema from the database's own system tables and corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches to gaining control over the visitor's system. The number of exploited Web pages is estimated at 500,000.

    On August 17, 2009, the U.S. Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using a SQL Injection attack. In reportedly the biggest case of identity theft in American history, Gonzalez stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.

    On February 5, 2011, HBGary, a technology security firm, was broken into by Anonymous using a SQL Injection in its CMS-driven website.

    On April 11, 2011, Barracuda Networks was compromised using a SQL Injection flaw. Email addresses and user names of employees were among the information obtained.

    On June 1, 2011, hacktivists of the group LulzSec were accused of using SQLi to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.

    In June 2011, the group Anonymous claimed to have hacked the NATO site using a simple SQL Injection.


    Figure 14

    Web application vulnerabilities disclosed, January–June 2011 (pie chart: PHP/RFI 5%, SQLi 25%, XSS 60%, CSRF 10%)

    Figure 15

    Total Web application attacks, January–June 2011 (pie chart: PHP/RFI 11%, SQLi 68%, XSS 21%)

    With SQLi attacks, it is readily apparent that attackers are content leveraging existing vulnerabilities for their exploits. The graphs above (Figures 14 and 15) show a side-by-side comparison of the most reported types of Web application vulnerabilities versus the most attacked Web application vulnerabilities. SQLi vulnerabilities make up a quarter of the new vulnerabilities reported for the first half of 2011, yet SQLi attacks make up more than 60 percent of the Web application attacks seen in the HP TippingPoint IPS.

    Web applications are affected by multiple types of attacks, and SQLi and XSS are just two that have received a significant amount of media attention over the last few months. The next section of this paper presents general mitigation strategies for protecting Web applications and decreasing the risk of outages, data loss, or network compromise that can result.

    Mitigation

    Visibility is increasingly becoming one of the most important aspects of information security, along with reducing the overall attack surface made available to attackers. To mitigate risk responsibly, organizations should test code in development, scan for vulnerabilities in QA before staging, and test applications in production on an ongoing basis. The following information is intended to help developers correct certain specific categories of critical Web application vulnerabilities.


    Cross-Site Request Forgery

    Resolving Cross-Site Request Forgery is not a simple task, and it may actually require recoding every form and feature of a Web application. While no method of preventing Cross-Site Request Forgery is perfect, using nonce tokens eliminates most of the risk. Provided the token is long and random enough that an attacker cannot realistically guess it, nonce tokens are the most effective solution for preventing Cross-Site Request Forgery attacks. A user can be verified as legitimate by generating a secret, such as a random token or hash, after the user logs in. The secret should be stored in the server-side session and then included in every link and sensitive form. Each subsequent state-changing HTTP request must include this token; otherwise, the request is denied and the session invalidated. The token should not be the same as the session ID: the token appears in page content, so a Cross-Site Scripting vulnerability could otherwise expose the session identifier itself. Initialize the token like other session variables. It can be validated with a simple conditional statement, and it can be limited to a small time frame to enhance its effectiveness. An attacker needs to include a valid token with a Cross-Site Request Forgery attack in order to match the form submission. Because the user's token is stored in the session and rendered only into that user's own pages, an attacker would need the victim's exact token, which the browser's same-origin policy prevents a third-party site from reading.

    CAPTCHA can also prevent Cross-Site Request Forgery attacks. With CAPTCHA, a user needs to enter a word shown in distorted text, contained inside an image, before continuing. The assumption is that a computer cannot determine the word inside the graphic, although a human can. CAPTCHA requires that a user authorize specific actions before the Web application initiates them. It is difficult to create a script that automatically enters text to continue, but research is under way on how to break CAPTCHAs, so strong CAPTCHAs are a necessity. Building a secure CAPTCHA takes more effort. In addition to making sure that computers cannot read the images, you need to make sure that the CAPTCHA cannot be bypassed at the script level. Consider whether you use the same CAPTCHA multiple times, making an application vulnerable to a replay attack. Also make sure the answer to the CAPTCHA is not passed in plaintext as part of a Web form.
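    The per-session nonce token described above, implemented as an added example (this is not code from the report): the token is generated after login, kept only in the server-side session, embedded in sensitive forms, compared in constant time, and limited to a time window, with any failure invalidating the session. The Session class, the form markup, and the 15-minute lifetime are assumptions made for this illustration.

```python
# Added example, not code from the HP report: the per-session nonce token the text
# describes (synchronizer token pattern). The Session class and the 15-minute
# lifetime are assumptions made for this illustration.
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a token is accepted for 15 minutes after issue


class Session:
    """Stand-in for a server-side session store (constructed for this example)."""

    def __init__(self, session_id: str) -> None:
        self.session_id = session_id
        self.valid = True
        self.data: Dict[str, object] = {}


def issue_csrf_token(session: Session, now: Optional[float] = None) -> str:
    """Generate an unguessable token after login and keep it only in the server-side
    session. It is independent of the session ID, so placing it in page HTML does not
    expose the session cookie."""
    token = secrets.token_hex(32)  # 256 bits of randomness: guessing is infeasible
    session.data["csrf_token"] = token
    session.data["csrf_issued_at"] = time.time() if now is None else now
    return token


def render_sensitive_form(session: Session, action: str) -> str:
    """Embed the session's token as a hidden field in a state-changing form.
    `action` is a server-side constant here, never user input."""
    token = session.data.get("csrf_token") or issue_csrf_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input type="submit" value="Go"></form>'
    )


def check_csrf(session: Session, submitted: Optional[str], now: Optional[float] = None) -> bool:
    """Validate a state-changing request. A missing, stale or mismatched token denies
    the request and invalidates the session, as the text recommends."""
    now = time.time() if now is None else now
    expected = session.data.get("csrf_token")
    issued_at = float(session.data.get("csrf_issued_at", 0.0))
    ok = (
        session.valid
        and isinstance(expected, str)
        and submitted is not None
        and now - issued_at <= TOKEN_TTL_SECONDS
        # constant-time comparison so an attacker cannot time the check byte by byte
        and hmac.compare_digest(expected.encode(), submitted.encode())
    )
    if not ok:
        session.valid = False
    return ok


if __name__ == "__main__":
    s = Session("sid-1")
    t = issue_csrf_token(s)
    print(render_sensitive_form(s, "/transfer"))
    print("legitimate request:", check_csrf(s, t))
    print("forged request:", check_csrf(s, "0" * 64))  # denied; session is now invalid
```

    The token is compared with hmac.compare_digest rather than == so that a mismatch takes the same time regardless of where the first differing byte is, and both the comparison and the expiry check happen before the request is allowed to change any state.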

    SQL Injection

    SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is, therefore, to separate the logic of a query from its data; this prevents commands inserted through user input from being executed. The downside of this approach is that it can have a slight impact on performance, and that every query on the site must be structured this way for it to be completely effective. If even one query is inadvertently bypassed, that could be enough to leave the application vulnerable to SQL Injection. The following code shows a sample SQL statement that is SQL-injectable: the request value is concatenated directly into the query text.

    sSql = "SELECT LocationName FROM Locations";
    sSql = sSql + " WHERE LocationID = " + Request["LocationID"];
    oCmd.CommandText = sSql;

    The following example uses a parameterized query and is safe from SQL Injection attacks:

    sSql = "SELECT LocationName FROM Locations";
    sSql = sSql + " WHERE LocationID = @LocationID";
    oCmd.CommandText = sSql;
    oCmd.Parameters.AddWithValue("@LocationID", Request["LocationID"]);


    The application sends the SQL statement to the server without including the user's input. Instead, a parameter, @LocationID, is used as a placeholder for that input. In this way, user input never becomes part of the command that SQL executes; any SQL that an attacker inserts is treated as data and is effectively negated. An error may still be generated, but it would be a simple data-type conversion error, not something that an attacker could exploit.

    The following code samples show a product ID being obtained from an HTTP query string and then used in a SQL query. Note how the string containing the SELECT statement passed to SqlCommand is a static string and is not concatenated from input. Also note how the input parameter is passed using a SqlParameter object whose name (@pid) matches the name used within the SQL query.

    C# sample:

    string connString = WebConfigurationManager.ConnectionStrings["myConn"].ConnectionString;
    using (SqlConnection conn = new SqlConnection(connString))
    {
        conn.Open();
        // The query text is a constant; @pid is a placeholder, never the user's value
        SqlCommand cmd = new SqlCommand("SELECT Count(*) FROM Products WHERE ProdID = @pid", conn);
        // The parameter's declared type and length bound what the server will accept
        SqlParameter prm = new SqlParameter("@pid", SqlDbType.VarChar, 50);
        prm.Value = Request.QueryString["pid"];
        cmd.Parameters.Add(prm);
        int recCount = (int)cmd.ExecuteScalar();
    }

    VB.NET sample:

    Dim connString As String = WebConfigurationManager.ConnectionStrings("myConn").ConnectionString
    Using conn As New SqlConnection(connString)
        conn.Open()
        ' The query text is a constant; @pid is a placeholder, never the user's value
        Dim cmd As SqlCommand = New SqlCommand("SELECT Count(*) FROM Products WHERE ProdID = @pid", conn)
        Dim prm As SqlParameter = New SqlParameter("@pid", SqlDbType.VarChar, 50)
        prm.Value = Request.QueryString("pid")
        cmd.Parameters.Add(prm)
        Dim recCount As Integer = CInt(cmd.ExecuteScalar())
    End Using
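    To make the difference between the injectable and the parameterized form observable, the following added example (not code from the report) runs the same Locations lookup three ways against an in-memory SQLite database: concatenated as in the injectable sample, parameterized as in the safe sample, and parameterized after strict type validation. The table contents and the tautology payload are constructed for this illustration; SQLite is used only because it runs offline, and it reports a non-matching row rather than the conversion error SQL Server would raise.

```python
# Added example, not code from the HP report: the report's Locations lookup written
# three ways against an in-memory SQLite database. Table contents are constructed.
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a Locations table like the one in the report's sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Locations (LocationID INTEGER PRIMARY KEY, LocationName TEXT)"
    )
    conn.executemany(
        "INSERT INTO Locations VALUES (?, ?)",
        [(1, "Public lobby"), (2, "Server room"), (3, "Executive suite")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, location_id: str) -> List[str]:
    """Mirrors the injectable sample: the request value is concatenated into the query
    text, so it can change the query's logic. (SQLite executes one statement per call,
    so stacked ';' payloads are not shown here; the tautology below is enough.)"""
    sql = "SELECT LocationName FROM Locations WHERE LocationID = " + location_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, location_id: str) -> List[str]:
    """Query logic is fixed at write time; the value travels separately as a bound
    parameter and is never parsed as SQL."""
    sql = "SELECT LocationName FROM Locations WHERE LocationID = ?"
    return [row[0] for row in conn.execute(sql, (location_id,))]


def lookup_hardened(conn: sqlite3.Connection, location_id: str) -> List[str]:
    """Defense in depth: validate the type before binding, so garbage is rejected at
    the edge instead of reaching the database at all."""
    try:
        lid = int(location_id)
    except ValueError:
        raise ValueError("LocationID must be an integer") from None
    sql = "SELECT LocationName FROM Locations WHERE LocationID = ?"
    return [row[0] for row in conn.execute(sql, (lid,))]


if __name__ == "__main__":
    conn = build_demo_db()
    payload = "1 OR 1=1"  # classic tautology: turns the WHERE clause into "every row"
    print("vulnerable:   ", lookup_vulnerable(conn, payload))     # every row leaks
    print("parameterized:", lookup_parameterized(conn, payload))  # no row matches
    print("hardened:     ", lookup_hardened(conn, "2"))
```

    With the payload "1 OR 1=1", the concatenated query returns every location name, the parameterized query returns nothing because the whole string is compared as a single value against LocationID, and the hardened variant rejects the request before any query is built.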


    Cross-Site Scripting

    Cross-Site Scripting attacks can be avoided by carefully validating all input and properly encoding all output. When validating user input, verify that it matches the strictest definition possible of valid input. For example, if a certain parameter is supposed to be a number, attempt to convert it to a numeric data type in your programming language:

    PHP: intval("0" . $_GET["q"]);

    ASP.NET: int.TryParse(Request.QueryString["q"], out val);

    The same applies to date and time values, or anything that can be converted to a stricter type before being used. When accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing) or a strict regular expression. White-listing involves creating a list of acceptable characters, as opposed to black-listing, which is a list of unacceptable characters. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the user in an error message.

    Most server-side scripting languages provide built-in methods to convert the value of the input variable into correct, non-interpretable HTML. These should be used to encode all untrusted data before it is displayed to the client:

    PHP: string htmlspecialchars(string $string [, int $quote_style])

    ASP.NET: Server.HtmlEncode(strHTMLString)

    Note that before PHP 8.1, htmlspecialchars() leaves single quotes unencoded unless ENT_QUOTES is passed as the quote style; pass it whenever the value can land inside a single-quoted attribute.

    When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate for that context. Encoding data for HTML is not sufficient when it is reflected inside of a script or stylesheet. For example, when reflecting data into a JavaScript string, encode all non-alphanumeric characters using hex (\xHH) encoding.

    If you have JavaScript on your page that accesses unsafe information (such as location.href) and writes it to the page (either with document.write or by modifying a DOM element), make sure the data is encoded for HTML before writing it to the page, or assign it to the element's textContent, which is never parsed as markup. JavaScript does not have a built-in function for HTML encoding, but many frameworks do. If you lack an available function, something like the following handles most cases; the ampersand must be replaced first so that the entities introduced by the later replacements are not themselves re-encoded:

    s = s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");

    Ensure that you are always using the right approach at the right time. Validate user input as soon as it is received. Encode data for display immediately before displaying it.
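    The following added example (not code from the report) shows the context-aware encoding described above, and with it the recurring mistake identified earlier in the report, where HTML encoding was applied to a value reflected inside a client-side JavaScript block. The same untrusted search term is reflected once into the HTML body and once into a JavaScript string literal: each context gets its own encoder, and the "wrong" renderer reuses an htmlspecialchars-style HTML encoder inside the script block. The page layout and the payload are constructed for this illustration.

```python
# Added example, not code from the HP report: context-aware output encoding for a
# reflected value. render_search_page_wrong() reproduces the failure the report
# describes (HTML encoding applied inside a <script> block). Page layout and payload
# are constructed for this illustration.
import html


def encode_html(value: str) -> str:
    """HTML body/attribute context: & < > " ' become entities (like Server.HtmlEncode)."""
    return html.escape(value, quote=True)


def encode_html_no_quotes(value: str) -> str:
    """Like PHP htmlspecialchars() with its pre-8.1 default flags: quotes are left alone."""
    return html.escape(value, quote=False)


def encode_js_string(value: str) -> str:
    """JavaScript string-literal context: every non-alphanumeric character becomes
    \\xHH (or \\uHHHH above U+00FF), so no quote, backslash, line terminator or
    '</script>' can survive inside the literal. The browser decodes it back to the
    original text when the script runs."""
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 0x80 and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def render_search_page(query: str) -> str:
    """Correct: HTML encoder for the HTML context, JS-string encoder for the script."""
    return (
        f"<p>Results for: {encode_html(query)}</p>\n"
        f"<script>var lastQuery = '{encode_js_string(query)}';</script>"
    )


def render_search_page_wrong(query: str) -> str:
    """The recurring mistake: the HTML encoder is reused inside the script block.
    A single quote passes through and terminates the JavaScript string early."""
    return (
        f"<p>Results for: {encode_html_no_quotes(query)}</p>\n"
        f"<script>var lastQuery = '{encode_html_no_quotes(query)}';</script>"
    )


if __name__ == "__main__":
    payload = "'; alert(1); //"  # constructed: breaks out of a single-quoted JS string
    print(render_search_page_wrong(payload))  # script block now runs alert(1)
    print(render_search_page(payload))        # value stays inside the string literal
```

    The HTML part of the "wrong" page is fine; the script part is not, because nothing in an HTML encoder has any reason to touch a quote or a semicolon. That is why the report insists on choosing the encoder by the context the data lands in, not by the language the page is written in.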


    Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

    Remote File Includes

    As the saying goes, security is baked in, not brushed on. Any application under development should be designed with security in mind from the outset. The following recommendations will help you build Web applications that are not susceptible to parameter include vulnerabilities.

    Define what is allowed. Ensure that the Web application validates all input parameters (cookies, headers, query strings, forms, hidden fields, etc.) against a stringent definition of expected results. The best method of doing this is white-listing: only accepting specific account numbers or specific account types for those relevant fields, or only accepting integers or letters of the English alphabet for others. Many developers try to validate input by black-listing characters or escaping them, that is, rejecting known bad data or placing an escape character in front of it so that the item that follows is treated as a literal value. This approach is not as effective as white-listing, because it is impossible to know all forms of bad data ahead of time.

    Check the responses from POST and GET requests to ensure that what is being returned is what is expected, and is valid.

    Verify the origin of scripts before you modify or utilize them.

    Do not implicitly trust any script given to you by others (whether downloaded from the Web or given to you by an acquaintance) for use in your own code.
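    The following added example (not code from the report) implements the white-listing recommended here and in the input-validation part of the Cross-Site Scripting section: every request parameter is checked against a stringent schema of expected values, unknown parameters are rejected, and the page to include is chosen by mapping a validated name to a file rather than by using the request value as a path or URL. The parameter names, the schema, and the page directory are assumptions made for this illustration.

```python
# Added example, not code from the HP report: whitelist validation of every request
# parameter, and an include selector that never treats the request value as a path.
# The schema, parameter names and directory are assumptions for this illustration.
import re
from typing import Dict, List, Optional, Tuple

# Assumed schema: each parameter the application accepts and its strictest definition.
# "choice" is an exact whitelist of values; "pattern" is an anchored ASCII regex.
SCHEMA = {
    "page":         {"choice": {"home", "about", "contact"}},
    "account_type": {"choice": {"checking", "savings"}},
    "account_no":   {"pattern": r"[0-9]{8}"},
    "q":            {"pattern": r"[A-Za-z0-9 ]{1,64}"},
    "lang":         {"choice": {"en", "de", "fr"}},
}

# Assumed mapping from a validated page name to the file actually included.
PAGE_FILES = {
    "home": "/var/www/app/pages/home.inc",
    "about": "/var/www/app/pages/about.inc",
    "contact": "/var/www/app/pages/contact.inc",
}


def validate_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Check every supplied parameter (merge cookies, headers, query string and form
    fields into `params` before calling). Unknown names and non-matching values are
    rejected, and the rejected value itself is never echoed back in the error."""
    clean: Dict[str, str] = {}
    errors: List[str] = []
    for name, value in params.items():
        rule = SCHEMA.get(name)
        if rule is None:
            errors.append(f"unexpected parameter: {name}")
            continue
        if "choice" in rule and value in rule["choice"]:
            clean[name] = value
        # fullmatch anchors both ends, so a trailing newline or '../' cannot slip past
        elif "pattern" in rule and re.fullmatch(rule["pattern"], value, re.ASCII):
            clean[name] = value
        else:
            errors.append(f"invalid value for {name}")
    return clean, errors


def resolve_include(clean: Dict[str, str]) -> Optional[str]:
    """Return the file to include for a validated 'page' value, or None. Only
    whitelisted names ever reach PAGE_FILES, so a URL or '../' can never become
    the included path."""
    page = clean.get("page")
    return PAGE_FILES.get(page) if page is not None else None


if __name__ == "__main__":
    # Constructed requests: one legitimate, one attempting a remote file include
    for request in ({"page": "home", "lang": "en"},
                    {"page": "http://evil.example/shell.txt", "debug": "1"}):
        clean, errors = validate_params(request)
        print(request, "->", resolve_include(clean), errors)
```

    The include decision depends only on keys that already passed the whitelist, so the request value is never joined to a directory, fetched as a URL, or handed to a file API; anything outside the schema is refused before the application acts on it.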

    References

    http://techtimely.wordpress.com/2011/04/22/web-hacking-threats/
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://www.phrack.org/issues.html?id=8&issue=54
    http://sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx
    http://www.isti.tu-berlin.de/fileadmin/fg214/Papers/ravi-asprox.pdf
    http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3
    http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/
