
Website Security Statistics (August 2008)

WhiteHat Security, the leading provider of SaaS-based website security solutions, presents the fifth installment of the Website Security Statistics Report, which provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. During that time, the industry has seen the Web layer rise to become the number one target for malicious online attacks, with website hacking evolving from exploration and experimentation to exploitation and monetization. In addition to the regular roster of vulnerabilities that repeatedly make the top ten list, Cross-Site Request Forgery (CSRF) joined the mix in Q2 of 2008. On a positive note, 66 percent of all vulnerabilities identified have been remediated, underscoring the value of a consistent website vulnerability management program.
Transcript
Page 1: Website Security Statistics (August 2008)

Website Security Statistics

Jeremiah Grossman, Founder & CTO

Webinar, 08.27.2008

Page 2: Website Security Statistics (August 2008)

© 2008 WhiteHat Security, Inc.

• Jeremiah Grossman, WhiteHat Security Founder & CTO

• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)

• Frequent international conference speaker

• Co-founder of the Web Application Security Consortium

• Co-author: Cross-Site Scripting Attacks

• Former Yahoo! information security officer


Page 3: Website Security Statistics (August 2008)


Website Security – Top of Mind Issue

Online customers are becoming more aware

High profile breaches are on the rise

PCI 6.6 Compliance

Page 4: Website Security Statistics (August 2008)


Agenda

• Collection methodology

• Updated Top Ten list of vulnerabilities

• Time-to-fix and remediation metrics

• Industry vertical comparisons

• Best practices & lessons learned

Page 5: Website Security Statistics (August 2008)


Vulnerability Stack

Custom Web Application Vulnerabilities (“Custom Code”): WhiteHat Sentinel

Commercial & Open Source Code: Foundstone, Symantec, Qualys, Nessus, nCircle, eEye Digital Security, Verisign, + others

Data contained within this report is different from statistics presented by Symantec, Mitre (CVE), IBM X-Force, SANS, and others. Those reports track publicly disclosed vulnerabilities in commercial and open source software. We focus solely on previously unknown vulnerabilities in custom Web applications, code unique to an organization, on real-world websites.

Page 6: Website Security Statistics (August 2008)


Mass SQL Injection - Drive-by-Downloads

• Google recon for weak websites (*.asp, *.php)

• Generic SQL Injection populates databases with malicious JavaScript IFRAMEs.

• Visitors arrive (U.N., DHS, Sony, Dolphin Stadium, etc.) and their browser connects to a malware server infecting their machine.

• Botnets form and continue SQL injecting websites.

• Infected sites are blacklisted on search engines and web filtering gateways causing loss of visitors.

• http://blogs.zdnet.com/security/?p=1150

• http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html

• http://blogs.zdnet.com/security/?p=1122

• http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html

• http://news.zdnet.com/2424-1009_22-198647.html

Over 79% of websites hosting malicious code are legitimate (compromised by attackers)

Page 7: Website Security Statistics (August 2008)


The Hostile Web

2006 - 0.3% of all Internet queries return at least one URL containing malicious content.

2007 - 1.3%

2008 - ?

How Unsecure Is The Web?
http://blogs.forrester.com/srm/2008/03/how-unsecure-is.html

Page 8: Website Security Statistics (August 2008)


Page 9: Website Security Statistics (August 2008)

(image slide: “hacked”)

Page 10: Website Security Statistics (August 2008)


Costs of Breach Disclosure

• Communication with affected individuals

• Additional customer service expenditures

• Credit monitoring services

• Professional fees and legal expenses

• Recovery costs and security improvements

Security Breaches Cost $90 To $305 Per Lost Record

“Forrester Research surveyed 28 companies that had some type of data breach and found it difficult to calculate the expenses that resulted.”

Page 11: Website Security Statistics (August 2008)


(2006 & 2007) New Web Hacking Techniques

The Attack of the TINY URLs; Backdooring MP3 Files; Backdooring QuickTime Movies; CSS history hacking with evil marketing; I know where you've been; Stealing Search Engine Queries with JavaScript; Hacking RSS Feeds; MX Injection: Capturing and Exploiting Hidden Mail Servers; Blind web server fingerprinting; JavaScript Port Scanning; CSRF with MS Word; Backdooring PDF Files; Exponential XSS Attacks; Malformed URL in Image Tag Fingerprints Internet Explorer; JavaScript Portscanning and bypassing HTTP Auth; Bruteforcing HTTP Auth in Firefox with JavaScript; Bypassing Mozilla Port Blocking; How to defeat digg.com; A story that diggs itself; Expect Header Injection Via Flash; Forging HTTP request headers with Flash; Cross Domain Leakage With Image Size; Enumerating Through User Accounts; Widespread XSS for Google Search Appliance; Detecting States of Authentication With Protected Images; XSS Fragmentation Attacks; Poking new holes with Flash Crossdomain Policy Files; Detecting Privoxy Users and Circumventing It; Using CSS to De-Anonymize; Response Splitting Filter Evasion; Adultspace XSS Worm; CSS History Stealing Acts As Cookie; Detecting FireFox Extensions; Stealing User Information Via Automatic Form Filling; Circumventing DNS Pinning for XSS; Netflix.com XSRF vuln; Browser Port Scanning without JavaScript; Widespread XSS for Google Search Appliance; Bypassing Filters With Encoding; Variable Width Encoding; Network Scanning with HTTP without JavaScript; AT&T Hack Highlights Web Site Vulnerabilities; How to get linked from Slashdot; F5 and Acunetix XSS disclosure; Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning; Google plugs phishing hole

Nikon magazine hit with security breach; Governator Hack; Metaverse breached: Second Life customer database hacked; HostGator: cPanel Security Hole Exploited in Mass Hack; I know what you've got (Firefox Extensions); ABC News (AU) XSS linking the reporter to Al Qaeda; Account Hijackings Force LiveJournal Changes; Xanga Hit By Script Worm; Advanced Web Attack Techniques using GMail; PayPal Security Flaw allows Identity Theft; Internet Explorer 7 "mhtml:" Redirection Information Disclosure; Bypassing of web filters by using ASCII; Google Indexes XSS; XML Intranet Port Scanning; IMAP Vulnerable to XSS; Selecting Encoding Methods For XSS Filter Evasion; Anonymizing RFI Attacks Through Google; Google Hacks On Your Behalf; Google Dorks Strike Again; Cross-Site Printing (Printer Spamming); Stealing Pictures with Picasa; HScan Redux; ISO-8895-1 Vulnerable in Firefox to Null Injection; MITM attack to overwrite addons in Firefox; Microsoft ASP.NET Request Validation Bypass Vulnerability (POC); Non-Alpha-Non-Digit 3; Steal History without JavaScript; Pure Java™, Pure Evil™ Popups; Google Adsense CSRF hole; There’s an OAK TREE in my blog!?!?!; BK for Mayor of Oak Tree View; Google Docs puts Google Users at Risk; All Your Google Docs are Belong To US…; Java Applets and DNS Rebinding; Scanning internal Lan with PHP remote file opening; Firefox File Handling Woes; Firefoxurl URI Handler Flaw; Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability; Multiviews Apache, Accept Requests and free listing; Optimizing the number of requests in blind SQL injection; Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth); Port Scan without JavaScript; Favorites Gone Wild; Login Detection without JavaScript; Anti-DNS Pinning (DNS Rebinding): Online Demonstration; Username Enumeration Timing Attacks (Sensepost); Google GMail E-mail Hijack Technique

Recursive Request DoS; Exaggerating Timing Attack Results Via GET Flooding; Initiating Probes Against Servers Via Other Servers; Effects of DNS Rebinding On IE’s Trust Zones; Paper on Hacking Intranets Using Websites (Not Web Browsers); More Port Scanning - This Time in Flash; HTTP Response Splitting and Data: URI scheme in Firefox; Res:// Protocol Local File Enumeration; Res Timing Attack; IE6.0 Protocol Guessing; IE 7 and Firefox Browsers Digest Authentication Request Splitting; Hacking Intranets Via Brute Force; Hiding JS in Valid Images; Internet Archiver Port Scanner; Noisy Decloaking Methods; Code Execution Through Filenames in Uploads; Cross Domain Basic Auth Phishing Tactics; Additional Image Bypass on Windows; Detecting users via Authenticated Redirects; Passing Malicious PHP Through getimagesize(); Turn Any Page Into a Greasemonkey Popup; Enumerate Windows Users In JS; Anti-DNS Pinning (DNS Rebinding) + Socket in FLASH; Iframe HTTP Ping; Read Firefox Settings (PoC); Stealing Mouse Clicks for Banner Fraud; (Non-Persistent) Untraceable XSS Attacks; Inter Protocol Exploitation; Detecting Default Browser in IE; Bypass port blocking in Firefox, Opera and Konqueror; LocalRodeo Detection; Image Names Gone Bad; IE Sends Local Addresses in Referer Header; PDF XSS Can Compromise Your Machine; Universal XSS in Adobe’s Acrobat Reader Plugin; Firefox Popup Blocker Allows Reading Arbitrary Local Files; IE7.0 Detector; Overwriting cookies on other people’s domains in Firefox; Embeding SVG That Contains XSS Using Base64 Encoding in Firefox; Firefox Header Redirection JavaScript Execution; More URI Stuff… (IE’s Resouce URI); Hacking without 0days: Drive-by Java; Google Urchin password theft madness

...MORE

Page 12: Website Security Statistics (August 2008)


Where do we begin?

To fix the Web security problem, we first have to know what’s broken.

Page 13: Website Security Statistics (August 2008)


Collection Methodology

• SaaS-based infrastructure performing remote black-box vulnerability assessments on-demand on both production and pre-deployment websites.

• Approximately 150 enterprise customers ranging from start-ups to Fortune 500 listed companies, including those with extremely high traffic and transaction volume websites.

• The vast majority of websites are assessed on a weekly basis with all results verified to remove false-positives.

• Proprietary scanning technology identifies technical vulnerabilities such as Cross-Site Scripting, SQL Injection, and many other vulnerability classes.

• Experts create customized tests for each website to uncover business logic flaws including Insufficient Authorization, Abuse of Functionality, etc.

WhiteHat Sentinel (Launched in 2003): Complete Website Vulnerability Management Service

WhiteHat Security (Founded in 2001)

Page 14: Website Security Statistics (August 2008)


WASC 24 (+2)* Classes of Attacks

Technical: Automation Can Identify

Command Execution: Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection

Information Disclosure: Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location

Client-Side: Content Spoofing, Cross-site Scripting, HTTP Response Splitting*

Business Logic: Humans Required

Authentication: Brute Force, Insufficient Authentication, Weak Password Recovery Validation, CSRF*

Authorization: Credential/Session Prediction, Insufficient Authorization, Insufficient Session Expiration, Session Fixation

Logical Attacks: Abuse of Functionality, Denial of Service, Insufficient Anti-automation, Insufficient Process Validation

Page 15: Website Security Statistics (August 2008)


How the Sentinel Service Works: Custom Testing by Security Operations Team

• Manual testing for business logic flaws

• Determine if hierarchical privileges can be abused

• Examine account structures for potential exploits

• Test for ability to circumvent user authentication and authorization rules

• Creation of “proof-of-concept” vulnerabilities upon request


Page 16: Website Security Statistics (August 2008)


Data Set

Total Websites: 687

Identified vulnerabilities: 11,234

Unresolved vulnerabilities: 3,541 (66% resolved)

Websites having had at least one serious issue (Urgent, Critical, High): 82%

Websites currently with at least one serious issue (Urgent, Critical, High): 61%

Average vulnerabilities per website: 5

Page 17: Website Security Statistics (August 2008)


Development Technology and Vulnerabilities

URL Extension    % of websites    % of vulnerabilities
unknown          55%              38%
asp              27%              26%
aspx             22%              10%
jsp               8%               7%
xml               7%               1%
do                7%               4%
php               5%               2%
html              4%               2%
old               4%               1%
dll               4%               1%
cfm               3%               3%

Not an indication that one technology is “more secure” than another

Attack Surface

• Average number of inputs per website: 290

• Ratio of vulnerabilities / inputs: 1%

Page 18: Website Security Statistics (August 2008)


Vulnerability Prevalence by Severity

(Chart: percentage likelihood of websites having at least one vulnerability, sorted by severity: Urgent, Critical, High)

(Chart: percentage of overall vulnerabilities, sorted by severity: Urgent, Critical, High)

Page 19: Website Security Statistics (August 2008)


WhiteHat Security Top Ten

Vulnerability Classes (sorted by percentage likelihood)

1. Cross-Site Scripting

2. Information Leakage

3. Content Spoofing

4. Insufficient Authorization

5. SQL Injection

6. Predictable Resource Location

7. Insufficient Authentication

8. HTTP Response Splitting

9. Abuse of Functionality

10. Cross-Site Request Forgery

e.g. 67% of websites have Cross-Site Scripting issues

Page 20: Website Security Statistics (August 2008)


Vulnerability Population (sorted by class)

e.g. 70% of all vulnerabilities are Cross-Site Scripting issues

Page 21: Website Security Statistics (August 2008)


When a vulnerability is identified

Ideally the time to fix an issue should be as short as possible because it represents an opportunity for hackers to exploit the website. In the meantime, what are the options?

1. Take the website down

2. Revert to an older version of the website/code (if it is secure)

3. Stay up while exposed

4. Virtually patch with a Web Application Firewall (i.e. WhiteHat Sentinel / F5 Application Security Manager integration)

Page 22: Website Security Statistics (August 2008)


Time-to-Fix (Days)

(Chart: time-to-fix in days for Urgent, Critical and High severity vulnerabilities; axis 90 / 180 / 270 / 365)

Page 23: Website Security Statistics (August 2008)


Remediation (sorted by class & severity)

Class of Attack                 % resolved    severity
Information Leakage             50%           urgent
Insufficient Authorization      42%           urgent
SQL Injection                   66%           urgent
HTTP Response Splitting         83%           urgent
Directory Traversal             31%           urgent
Insufficient Authentication     26%           critical
Cross-Site Scripting            55%           critical
Abuse of Functionality          41%           critical
Cross-Site Request Forgery      48%           critical
Session Fixation                11%           critical
Brute Force                      8%           high
Content Spoofing                26%           high
HTTP Response Splitting         31%           high
Information Leakage             34%           high
Predictable Resource Location   31%           high

Page 24: Website Security Statistics (August 2008)


Comparing Industry Verticals

(Chart: percentage of websites with an URGENT, CRITICAL or HIGH severity vulnerability, sorted by industry vertical: Retail, Financial Services, Insurance, Health-care, IT, Education, Social Network)

Page 25: Website Security Statistics (August 2008)


Burdened by years of insecure code

Website            Founded
Amazon             1994
Yahoo              1995
eBay               1995
Bank of America    1997
Google             1998
MySpace            2003
YouTube            2005

Vulnerability                   Known
Buffer Overflow                 1996
Command Injection               1996
SQL Injection                   2004
XSS                             2005
Predictable Resource Location   ?
HTTP Response Splitting         2005 / ?
CSRF                            ?

Page 26: Website Security Statistics (August 2008)


Best Practices & Lessons Learned

• Find and prioritize all websites by designating their value to the business and a party responsible for their security.

• Find and fix website vulnerabilities before the bad guys exploit them by assessing them for weaknesses with each code change. Prioritize remediation efforts based on severity, difficulty of exploitation, and business value of the website.

• Implement a secure software development process utilizing an organizational standard development framework, recurring developer security education program, and success incentives directed towards known trouble spots.

• Utilize a defense-in-depth website security strategy that includes a Web Application Firewall, providing the organization with additional protection against zero-day threats and difficult-to-resolve issues.
