Website Security Statistics
Jeremiah Grossman, Founder & CTO
Webinar, 08.27.2008
© 2008 WhiteHat Security, Inc.
Jeremiah Grossman
WhiteHat Security Founder & CTO
Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
Frequent international conference speaker
Co-founder of the Web Application Security Consortium
Co-author: Cross-Site Scripting Attacks
Former Yahoo! information security officer
Website Security – Top of Mind Issue
Online customers are becoming more aware
High profile breaches are on the rise
PCI 6.6 Compliance
Agenda
• Collection methodology
• Updated Top Ten list of vulnerabilities
• Time-to-fix and remediation metrics
• Industry vertical comparisons
• Best practices & lessons learned
Vulnerability Stack
Custom Web Application Vulnerabilities ("Custom Code") – WhiteHat Sentinel
Commercial & Open Source Code – Foundstone, Symantec, Qualys, Nessus, nCircle, eEye Digital Security, Verisign, + others
Data contained within this report is different from statistics presented by Symantec, Mitre (CVE), IBM X-Force, SANS, and others. Those reports track publicly disclosed vulnerabilities in commercial and open source software. We focus solely on previously unknown vulnerabilities in custom Web applications, code unique to an organization, on real-world websites.
Mass SQL Injection – Drive-by-Downloads
• Google recon for weak websites (*.asp, *.php)
• Generic SQL Injection populates databases with malicious JavaScript IFRAMEs.
• Visitors arrive (U.N., DHS, Sony, Dolphin Stadium, etc.) and their browser connects to a malware server infecting their machine.
• Botnets form and continue SQL injecting websites.
• Infected sites are blacklisted on search engines and web filtering gateways causing loss of visitors.
• http://blogs.zdnet.com/security/?p=1150
• http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html
• http://blogs.zdnet.com/security/?p=1122
• http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html
• http://news.zdnet.com/2424-1009_22-198647.html
Over 79% of websites hosting malicious code are legitimate (compromised by attackers)
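The injection pattern behind these campaigns, as an added example that is not part of the deck: a search query built by string concatenation (the kind of generic flaw the campaigns mass-exploited) beside its parameterized replacement, plus a scan of stored text columns for the hidden IFRAME/script markers such a campaign leaves behind. The database, table, rows and the marker URL are all constructed for the example.

```python
"""Added example (not from the WhiteHat deck): vulnerable vs parameterized query,
and a post-incident scan for injected IFRAME/script tags in stored content.
Runs against an in-memory SQLite database with constructed rows."""
import re
import sqlite3

# Constructed marker; a real campaign pointed at a live malware host.
INJECTED_TAG = '<iframe src="http://malware.example.invalid/x.js" width=0 height=0></iframe>'


def build_db():
    """Create a small 'news' table; row 3 has already been tampered with."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Opening hours", "Open Mon-Fri"),
        ("Contact", "Call the front desk"),
        ("Press", "Welcome to our site" + INJECTED_TAG),
    ])
    return conn


def search_vulnerable(conn, term):
    """ASP/PHP-era mistake: user input concatenated straight into the SQL text.
    A tautology in `term` widens the WHERE clause to every row."""
    sql = "SELECT id FROM news WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized query: the value travels separately from the SQL text,
    so quotes and keywords inside it are data, never syntax."""
    return [row[0] for row in conn.execute("SELECT id FROM news WHERE title = ?", (term,))]


# Injected iframe/script tags pointing at an external host.
TAMPER_RE = re.compile(r"<(iframe|script)\b[^>]*src\s*=\s*['\"]?\s*(https?:)?//", re.I)


def find_tampered_rows(conn, table, columns):
    """Return (row id, column) pairs whose text matches TAMPER_RE.
    Table and column names are code constants here, never user input:
    identifiers cannot be bound as parameters."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if value and TAMPER_RE.search(value):
                hits.append((row_id, col))
    return hits


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, probe))   # every row
    print("parameterized:", search_safe(db, probe))      # no row
    print("tampered rows:", find_tampered_rows(db, "news", ["title", "body"]))
```

The scan is the cleanup step the slide's last bullet implies: blacklisting follows from the injected content still being served, so finding and removing tampered rows (and then fixing the query) is what gets a site delisted.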
The Hostile Web
2006: 0.3% of all Internet queries return at least one URL containing malicious content.
2007: 1.3%
2008: ?
How Unsecure Is The Web? http://blogs.forrester.com/srm/2008/03/how-unsecure-is.html
Costs of Breach Disclosure
• Communication with affected individuals
• Additional customer service expenditures
• Credit monitoring services
• Professional fees and legal expenses
• Recovery costs and security improvements
Security Breaches Cost $90 To $305 Per Lost Record
“Forrester Research surveyed 28 companies that had some type of data breach and found it difficult to calculate the expenses that resulted.”
(2006 & 2007) New Web Hacking Techniques
The Attack of the TINY URLs; Backdooring MP3 Files; Backdooring QuickTime Movies; CSS history hacking with evil marketing; I know where you've been; Stealing Search Engine Queries with JavaScript; Hacking RSS Feeds; MX Injection: Capturing and Exploiting Hidden Mail Servers; Blind web server fingerprinting; JavaScript Port Scanning; CSRF with MS Word; Backdooring PDF Files; Exponential XSS Attacks; Malformed URL in Image Tag Fingerprints Internet Explorer; JavaScript Portscanning and bypassing HTTP Auth; Bruteforcing HTTP Auth in Firefox with JavaScript; Bypassing Mozilla Port Blocking; How to defeat digg.com; A story that diggs itself; Expect Header Injection Via Flash; Forging HTTP request headers with Flash; Cross Domain Leakage With Image Size; Enumerating Through User Accounts; Widespread XSS for Google Search Appliance; Detecting States of Authentication With Protected Images; XSS Fragmentation Attacks; Poking new holes with Flash Crossdomain Policy Files; Detecting Privoxy Users and Circumventing It; Using CSS to De-Anonymize; Response Splitting Filter Evasion; Adultspace XSS Worm; CSS History Stealing Acts As Cookie; Detecting FireFox Extensions; Stealing User Information Via Automatic Form Filling; Circumventing DNS Pinning for XSS; Netflix.com XSRF vuln; Browser Port Scanning without JavaScript; Bypassing Filters With Encoding; Variable Width Encoding; Network Scanning with HTTP without JavaScript; AT&T Hack Highlights Web Site Vulnerabilities; How to get linked from Slashdot; F5 and Acunetix XSS disclosure; Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning; Google plugs phishing hole
Nikon magazine hit with security breach; Governator Hack; Metaverse breached: Second Life customer database hacked; HostGator: cPanel Security Hole Exploited in Mass Hack; I know what you've got (Firefox Extensions); ABC News (AU) XSS linking the reporter to Al Qaeda; Account Hijackings Force LiveJournal Changes; Xanga Hit By Script Worm; Advanced Web Attack Techniques using GMail; PayPal Security Flaw allows Identity Theft; Internet Explorer 7 "mhtml:" Redirection Information Disclosure; Bypassing of web filters by using ASCII; Google Indexes XSS; XML Intranet Port Scanning; IMAP Vulnerable to XSS; Selecting Encoding Methods For XSS Filter Evasion; Anonymizing RFI Attacks Through Google; Google Hacks On Your Behalf; Google Dorks Strike Again; Cross-Site Printing (Printer Spamming); Stealing Pictures with Picasa; HScan Redux; ISO-8895-1 Vulnerable in Firefox to Null Injection; MITM attack to overwrite addons in Firefox; Microsoft ASP.NET Request Validation Bypass Vulnerability (POC); Non-Alpha-Non-Digit 3; Steal History without JavaScript; Pure Java™, Pure Evil™ Popups; Google Adsense CSRF hole; There’s an OAK TREE in my blog!?!?!; BK for Mayor of Oak Tree View; Google Docs puts Google Users at Risk; All Your Google Docs are Belong To US…; Java Applets and DNS Rebinding; Scanning internal Lan with PHP remote file opening; Firefox File Handling Woes; Firefoxurl URI Handler Flaw; Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability; Multiviews Apache, Accept Requests and free listing; Optimizing the number of requests in blind SQL injection; Bursting Performances in Blind SQL Injection – Take 2 (Bandwidth); Port Scan without JavaScript; Favorites Gone Wild; Login Detection without JavaScript; Anti-DNS Pinning (DNS Rebinding): Online Demonstration; Username Enumeration Timing Attacks (Sensepost); Google GMail E-mail Hijack Technique
Recursive Request DoS; Exaggerating Timing Attack Results Via GET Flooding; Initiating Probes Against Servers Via Other Servers; Effects of DNS Rebinding On IE’s Trust Zones; Paper on Hacking Intranets Using Websites (Not Web Browsers); More Port Scanning – This Time in Flash; HTTP Response Splitting and Data: URI scheme in Firefox; Res:// Protocol Local File Enumeration; Res Timing Attack; IE6.0 Protocol Guessing; IE 7 and Firefox Browsers Digest Authentication Request Splitting; Hacking Intranets Via Brute Force; Hiding JS in Valid Images; Internet Archiver Port Scanner; Noisy Decloaking Methods; Code Execution Through Filenames in Uploads; Cross Domain Basic Auth Phishing Tactics; Additional Image Bypass on Windows; Detecting users via Authenticated Redirects; Passing Malicious PHP Through getimagesize(); Turn Any Page Into a Greasemonkey Popup; Enumerate Windows Users In JS; Anti-DNS Pinning (DNS Rebinding) + Socket in FLASH; Iframe HTTP Ping; Read Firefox Settings (PoC); Stealing Mouse Clicks for Banner Fraud; (Non-Persistent) Untraceable XSS Attacks; Inter Protocol Exploitation; Detecting Default Browser in IE; Bypass port blocking in Firefox, Opera and Konqueror; LocalRodeo Detection; Image Names Gone Bad; IE Sends Local Addresses in Referer Header; PDF XSS Can Compromise Your Machine; Universal XSS in Adobe’s Acrobat Reader Plugin; Firefox Popup Blocker Allows Reading Arbitrary Local Files; IE7.0 Detector; overwriting cookies on other people’s domains in Firefox; Embeding SVG That Contains XSS Using Base64 Encoding in Firefox; Firefox Header Redirection JavaScript Execution; More URI Stuff… (IE’s Resouce URI); Hacking without 0days: Drive-by Java; Google Urchin password theft madness
...MORE
Where do we begin?
To fix the Web security problem, we first have to know what’s broken.
Collection Methodology
• SaaS-based infrastructure performing remote black-box vulnerability assessments on-demand on both production and pre-deployment websites.
• Approximately 150 enterprise customers ranging from start-ups to Fortune 500 listed companies, including those with extremely high traffic and transaction volume websites.
• The vast majority of websites are assessed on a weekly basis with all results verified to remove false-positives.
• Proprietary scanning technology identifies technical vulnerabilities such as Cross-Site Scripting, SQL Injection, and many other vulnerability classes.
• Experts create customized tests for each website to uncover business logic flaws including Insufficient Authorization, Abuse of Functionality, etc.
WhiteHat Sentinel (Launched in 2003): Complete Website Vulnerability Management Service
WhiteHat Security (Founded in 2001)
WASC 24 (+2)* Classes of Attacks
Technical: Automation Can Identify
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*
Business Logic: Humans Required
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation
How the Sentinel Service Works: Custom Testing by Security Operations Team
• Manual testing for business logic flaws
• Determine if hierarchical privileges can be abused
• Examine account structures for potential exploits
• Test for ability to circumvent user authentication and authorization rules
• Creation of “proof-of-concept” vulnerabilities upon request
Data Set
Total Websites: 687
Identified vulnerabilities: 11,234
Unresolved vulnerabilities: 3,541 (66% resolved)
Websites having had at least one serious issue (Urgent, Critical, High): 82%
Websites currently with at least one serious issue (Urgent, Critical, High): 61%
Average vulnerabilities per website: 5
Development Technology and Vulnerabilities
URL Extension   % of websites   % of vulnerabilities
unknown         55%             38%
asp             27%             26%
aspx            22%             10%
jsp              8%              7%
xml              7%              1%
do               7%              4%
php              5%              2%
html             4%              2%
old              4%              1%
dll              4%              1%
cfm              3%              3%
Not an indication that one technology is “more secure” than another.
Attack Surface
• Average number of inputs per website: 290
• Ratio of vulnerabilities / inputs: 1%
Vulnerability Prevalence by Severity
[Chart: Percentage likelihood of websites having at least one vulnerability, sorted by severity (Urgent, Critical, High)]
[Chart: Percentage of overall vulnerabilities, sorted by severity (Urgent, Critical, High)]
WhiteHat Security Top Ten
Vulnerability Classes (sorted by percentage likelihood)
1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Insufficient Authentication
8. HTTP Response Splitting
9. Abuse of Functionality
10. Cross-Site Request Forgery
i.e. 67% of Websites have Cross-Site Scripting issues
Vulnerability Population (sorted by class)
i.e. 70% of all vulnerabilities are Cross-Site Scripting issues
When a vulnerability is identified
Ideally the time to fix an issue should be as short as possible, because it represents an opportunity for hackers to exploit the website. In the meantime, what are the options?
1. Take the website down
2. Revert to an older version of the website/code (if it is secure)
3. Stay up while exposed
4. Virtually patch with a Web Application Firewall (i.e. WhiteHat Sentinel / F5 Application Security Manager integration)
Time-to-Fix (Days)
[Chart: time-to-fix in days for Urgent, Critical and High severity vulnerabilities; axis marked at 90, 180, 270 and 365 days]
Remediation (sorted by class & severity)
Class of Attack                  % resolved   Severity
Information Leakage              50%          urgent
Insufficient Authorization       42%          urgent
SQL Injection                    66%          urgent
HTTP Response Splitting          83%          urgent
Directory Traversal              31%          urgent
Insufficient Authentication      26%          critical
Cross-Site Scripting             55%          critical
Abuse of Functionality           41%          critical
Cross-Site Request Forgery       48%          critical
Session Fixation                 11%          critical
Brute Force                       8%          high
Content Spoofing                 26%          high
HTTP Response Splitting          31%          high
Information Leakage              34%          high
Predictable Resource Location    31%          high
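How the figures on the Data Set, Top Ten / Vulnerability Population and Remediation slides are derived, as an added example that is not part of the report: the same metrics computed over a small constructed set of finding records. It makes the difference between the two Top Ten rankings concrete (share of websites with at least one finding of a class, versus that class's share of all findings) and adds a per-class remediation rate and a time-to-fix median by severity. Site names, classes, severities and dates are all constructed.

```python
"""Added example (not from the WhiteHat report): headline website-security
metrics computed from constructed finding records."""
from collections import Counter, defaultdict
from datetime import date

SERIOUS = {"urgent", "critical", "high"}

# Constructed findings: (site, vulnerability class, severity, opened, closed or None)
FINDINGS = [
    ("shop.example", "Cross-Site Scripting", "critical", date(2008, 1, 10), date(2008, 2, 20)),
    ("shop.example", "Cross-Site Scripting", "critical", date(2008, 3, 1), None),
    ("shop.example", "SQL Injection", "urgent", date(2008, 1, 15), date(2008, 1, 25)),
    ("bank.example", "Information Leakage", "high", date(2008, 2, 1), date(2008, 5, 1)),
    ("bank.example", "Cross-Site Scripting", "critical", date(2008, 2, 5), date(2008, 2, 15)),
    ("news.example", "Content Spoofing", "high", date(2008, 4, 1), None),
    ("news.example", "Cross-Site Scripting", "critical", date(2008, 4, 2), date(2008, 4, 12)),
    ("blog.example", "Information Leakage", "medium", date(2008, 4, 3), None),
]


def sites(findings):
    return {f[0] for f in findings}


def pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0


def dataset_summary(findings):
    """The Data Set slide: totals, resolved share, and the 'ever' vs 'currently'
    serious-issue percentages (the latter counts only still-open findings)."""
    all_sites = sites(findings)
    ever = {f[0] for f in findings if f[2] in SERIOUS}
    now = {f[0] for f in findings if f[2] in SERIOUS and f[4] is None}
    unresolved = sum(1 for f in findings if f[4] is None)
    return {
        "total_websites": len(all_sites),
        "identified": len(findings),
        "unresolved": unresolved,
        "pct_resolved": pct(len(findings) - unresolved, len(findings)),
        "pct_sites_ever_serious": pct(len(ever), len(all_sites)),
        "pct_sites_now_serious": pct(len(now), len(all_sites)),
        "avg_per_site": round(len(findings) / len(all_sites), 1),
    }


def likelihood_by_class(findings):
    """Top Ten ranking: share of websites with at least one finding of the class."""
    n = len(sites(findings))
    per_class = defaultdict(set)
    for site, cls, *_ in findings:
        per_class[cls].add(site)
    return {cls: pct(len(s), n) for cls, s in per_class.items()}


def population_by_class(findings):
    """Vulnerability Population ranking: share of all findings, not of sites."""
    counts = Counter(f[1] for f in findings)
    return {cls: pct(c, len(findings)) for cls, c in counts.items()}


def remediation_by_class_severity(findings):
    """Remediation slide: % resolved per (class, severity) pair."""
    opened = Counter((f[1], f[2]) for f in findings)
    closed = Counter((f[1], f[2]) for f in findings if f[4] is not None)
    return {k: pct(closed[k], opened[k]) for k in opened}


def median_time_to_fix_days(findings, severity):
    """Time-to-Fix: median days from open to close for resolved findings of a severity."""
    days = sorted((f[4] - f[3]).days for f in findings if f[2] == severity and f[4])
    if not days:
        return None
    mid = len(days) // 2
    return days[mid] if len(days) % 2 else (days[mid - 1] + days[mid]) / 2


if __name__ == "__main__":
    print(dataset_summary(FINDINGS))
    print("likelihood:", likelihood_by_class(FINDINGS))
    print("population:", population_by_class(FINDINGS))
    print("remediation:", remediation_by_class_severity(FINDINGS))
    for sev in ("urgent", "critical", "high"):
        print(sev, "median days to fix:", median_time_to_fix_days(FINDINGS, sev))
```

On this constructed data Cross-Site Scripting sits at 75% likelihood but only 50% of the population, the same shape as the report's 67% versus 70%: the two rankings answer different questions, and a class that clusters many findings on a few sites moves up one list and down the other.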
Comparing Industry Verticals
[Chart: Percentage of websites with an URGENT, CRITICAL or HIGH severity vulnerability, sorted by industry vertical: Retail, Financial Services, Insurance, Health-care, IT, Education, Social Network]
Burdened by years of insecure code
Website            Founded
Amazon             1994
Yahoo              1995
eBay               1995
Bank of America    1997
Google             1998
MySpace            2003
YouTube            2005
Vulnerability                   Known
Buffer Overflow                 1996
Command Injection               1996
SQL Injection                   2004
XSS                             2005
Predictable Resource Location   ?
HTTP Response Splitting         2005 / ?
CSRF                            ?
Best Practices & Lessons Learned
• Find and prioritize all websites by designating their value to the business and a party responsible for their security.
• Find and fix website vulnerabilities before the bad guys exploit them by assessing them for weaknesses with each code change. Prioritize remediation efforts based on severity, difficulty of exploitation, and business value of the website.
• Implement a secure software development process utilizing an organizational standard development framework, recurring developer security education program, and success incentives directed towards known trouble spots.
• Utilize a defense-in-depth website security strategy that includes a Web Application Firewall, providing the organization with additional protection against zero-day threats and difficult-to-resolve issues.
Full Report: http://www.whitehatsec.com/home/assets/WPstats0808.pdf
For more information: http://www.whitehatsec.com/
Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com/
[email protected]
Questions!?