Web Hacking Incidents Revealed:Trends, Stats and How to Defend
Ryan BarnettSenior Security Researcher
SpiderLabs Research
Copyright Trustwave 2010 Confidential
Ryan Barnett - Background
Trustwave• Senior Security Researcher
−Web application firewall research/development−Virtual patching for web applications
• Member of the SpiderLabs Research Team−Web application firewall signature lead
• ModSecurity Community Manager−Interface with the community on public mail-list−Steer the internal development of ModSecurity
Author• “Preventing Web Attacks with Apache”
Copyright Trustwave 2010 Confidential
Ryan Barnett – Community Projects
Open Web Application Security Project (OWASP)• Speaker/Instructor• Project Leader, ModSecurity Core Rule Set• Project Contributor, OWASP Top 10• Project Contributor, AppSensor
Web Application Security Consortium (WASC)• Board Member• Project Leader, Web Hacking Incident Database• Project Leader, Distributed Open Proxy Honeypots• Project Contributor, Web Application Firewall Evaluation Criteria• Project Contributor, Threat Classification
The SANS Institute• Courseware Developer/Instructor• Project Contributor, CWE/SANS Top 25 Worst Programming Errors
Copyright Trustwave 2010 Confidential
Session Outline
The Challenge of Risk Analysis for Web Applications• Risk Rating Methodology• How to quantify risk?
WASC Web Hacking Incident Database (WHID)• What is it?• Goals• Recent Project Changes and Updates
2010 Semiannual Report (July – December)• Incidents By Attacked Entity Field• Incidents By Outcome• Incidents By Attack Methods• Incidents By Application Weakness• Comparing the OWASP Top 10 vs. the WHID Top 10
Incidents of InterestConclusion
The Challenge of Risk Analysis for Web Application Security
Copyright Trustwave 2010 Confidential
OWASP Risk Rating Methodology
#Step 1: Identifying a Risk
#Step 2: Factors for Estimating Likelihood
#Step 3: Factors for Estimating Impact
#Step 4: Determining Severity of the Risk
#Step 5: Deciding What to Fix
#Step 6: Customizing Your Risk Rating Model
http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Copyright Trustwave 2010 Confidential
OWASP Risk Rating Methodology
The Challenge of Risk Analysis for Web Applications:Analyzing Public Incidents
Copyright Trustwave 2010 Confidential
Risk Rating Problem
Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)…
Copyright Trustwave 2010 Confidential
Publicly Quantifying Web Incidents is Challenging
Incidents are not detected• ~156 day lapse between
compromise and detection*• Vast majority of cases the merchant
did not identify the intrusion – a 3rd party did based on fraud detection (card brands and banks)*
• Logging Issues - poor logging and/or no one reviewing them for signs of compromise
https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf
Copyright Trustwave 2010 Confidential
Copyright Trustwave 2010 Confidential
Publicly Quantifying Web Incidents is Challenging
Victims hide breaches• Defacement (visible) and information leakage
(regulated) are publicized more than other breaches
• Example - Banks are not forced to disclose when individual customer funds are stolen
Web Hacking Incident Database (WHID)
Copyright Trustwave 2010 Confidential
WASC Web Hacking Incident Database (WHID)
http://projects.webappsec.org/Web-Hacking-Incident-Database
Copyright Trustwave 2010 Confidential
Tracking Public Web Compromises
Copyright Trustwave 2010 Confidential
WHID Goals
• Raise awareness of real-world, web application security incidents
• Provide data for the following Risk Rating steps: • #Step 2: Factors for Estimating Likelihood
−What application weaknesses are actively being targeted?
• #Step 3: Factors for Estimating Impact−What outcome are you worried about?
• #Step 5: Deciding What to Fix−Prioritized listing of remediation issues
• #Step 6: Customizing Your Risk Rating Model−Customized view based on your vertical-market
Copyright Trustwave 2010 Confidential
WHID Data
• Data Samples (statistically insignificant)• Focus on % rather than raw numbers
• Inclusion Criteria• Only publicly disclosed, web related incidents
• Incidents of interest • Defacements of “High Profile” sites are included
• Ensure quality and correctness of incidents• Severely limits the number of incidents that get in
Copyright Trustwave 2010 Confidential
WHID Data: Community Submittal Form
• Community incident submission leverages crowdsourcing
• Project team validation ensures quality
http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident
Copyright Trustwave 2010 Confidential
WHID Database Content
~222 incidents for 2010Incidents since 1999Each incident is classified
• Attack type• Application Weakness• Outcome• Country of organization
attacked• Industry segment of
organization attacked• Country of origin of the
attack (if known)• Vulnerable Software
Additional information:• A unique identifier: WHID
200x-yy• Dates of occurrence and
reporting• Description• Internet references
Copyright Trustwave 2010 Confidential
Real-Time Statistics
http://projects.webappsec.org/Web-Hacking-Incident-Database
• Browse real-time data• Drill down in to incident details• Pivot on key variables (year/vertical market)
Copyright Trustwave 2010 Confidential
Real-time, Searchable DB
WHID data is available year-round
Useful for application developers and researchers
Search by
• Attack method
• Outcome
• Source geography
• and many more…
http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase
Copyright Trustwave 2010 Confidential
Geographic Views
Copyright Trustwave 2010 Confidential
Monitoring WHID Updates
http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed
@wascwhid
WHID 2010 Biannual Status Report:July-December
Copyright Trustwave 2010 Confidential
What Vertical Markets are Attacked Most Often?
Copyright Trustwave 2010 Confidential
What are the Goals for Web Hacking?
Copyright Trustwave 2010 Confidential
What Attack Methods do Hackers Use?
Copyright Trustwave 2010 Confidential
Which Application Weaknesses are Exploited?
#Step 5: Deciding What to FixPrioritized listing of remediation issues
Copyright Trustwave 2010 Confidential
OWASP vs. WHID Top 10OWASP Top 10 WHID Top 10
1 Injection Insufficient Anti-Automation (Brute Force and DoS)
2 Cross-site Scripting (XSS) Improper Output Handling (XSS and Planting of Malware)
3 Broken Authentication and Session Management Improper Input Handling (SQL Injection)
4 Insecure Direct Object Reference Application Misconfiguration (Detailed error messages)
5 CSRF Insufficient Authentication (Stolen Credentials/Banking Trojans)
6 Security Misconfiguration Insufficient Process Validation (CSRF and DNS Hijacking)
7 Insecure Cryptographic Storage Insufficient Authorization (Predictable Resource Location/Forceful Browsing)
8 Failure to Restrict URL Access Abuse of Functionality (CSRF/Click-Fraud)
9 Insecure Transport Layer Protection Insufficient Password Recovery (Brute Force)
10 Unvalidated Redirects and Forwards Improper Filesystem Permissions (info Leakages)
Top Trends
Copyright Trustwave 2010 Confidential
Denial of Service
Copyright Trustwave 2010 Confidential
Layer 4 DDoS Attacks
Copyright Trustwave 2010 Confidential34
http://www.cert.org/reports/dsit_workshop.pdf
Layer 4 DDoS Attacks - Botnets
Reach bandwidth or connection limits of hosts or networking equipment.
Fortunately, current anti-DDOS solutions are effective in handling Layer 4 DDOS attacks.
Copyright Trustwave 2010 Confidential
Layer 7 DDoS Attacks
Copyright Trustwave 2010 Confidential
Layer 7 DDoS Attacks
Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity.
Requires lesser number of connections => higher efficiency.
Reach resource limits of services. Can deny services regardless of hardware capabilities of host => higher lethality.
We will focus on protocol weaknesses of HTTP or HTTPS.
HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)
HTTP POST => Wong Onn Chee
Copyright Trustwave 2010 Confidential
http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
Copyright Trustwave 2010 Confidential
Copyright Trustwave 2010 Confidential
Copyright Trustwave 2010 Confidential
Application Performance Monitoring Dashboard
Copyright Trustwave 2010 Confidential
Excessive Access Rate Detection
Copyright Trustwave 2010 Confidential
Copyright Trustwave 2010 Confidential
Cross-site Scripting (XSS) Defense
Copyright Trustwave 2010 Confidential
Banking Trojans
Questions?