cyber security risks report
TRANSCRIPT
-
8/3/2019 Cyber Security Risks Report
1/24
T 2011 Md-Y Top CYbSCuTY SS poT
Table of contents
Contributors 2Overview 2
Vulnerabilitytrends 4 Discoveryanddisclosureofnewvulnerabilities 5 Furtheranalysis:ZeroDayInitiative 7 Seeingthebigpicture:wherethevulnerabilitiesare 9 Staticanalysis 10 Dynamicanalysis 11 Manualanalysis 13
Attacktrends 14 Newvulnerabilitiesareunnecessary;attackscontinueto riseregardless 15 Cross-SiteScripting 17 SQLInjectionplaysastarringrole 18Mitigation 20 Cross-SiteRequestForgery 21 SQLInjection 21 Cross-SiteScripting 23 RemoteFileIncludes 24References 24
-
8/3/2019 Cyber Security Risks Report
2/24
2
ContributorsProducingtheTopCyberSecurityRisksReportisacollaborativeeffortamongHPDVLabsandotherHPteams,suchasFortifyandtheApplicationSecurityCenter.WewouldliketosincerelythanktheOpenSourceVulnerabilityDatabase(OSVDB)forallowingprintrightstotheirdatainthisreport.For
informationonhowyoucanhelpOSVDB:https://osvdb.org/account/signup
http://osvdb.org/support
Contributor Title
MikeDausin AdvancedSecurityIntelligenceTeamLead
AdamHils ApplicationSecurityCenterProductManager
DanHolden Director,HPDVLabs
PrajaktaJagdale WebSecurityResearchGroupLead
JasonJones AdvancedSecurityIntelligenceEngineer
RohanKotian DigitalVaccineTeamLead JenniferLake ProductMarketing,HPDVLabs
MarkPainter ApplicationSecurityCenterContentStrategist
TaylorAndersonMcKinley Director,FortifyonDemand
AlenPuzic AdvancedSecurityIntelligenceEngineer
BobSchiermann SeniorTechnicalPublicationsWriter
OverviewIncreasingly,organizationsfacesecurityrisksimposeduponthembyattackersintentonachievingfame,glory,orprofit.Attackers,familiarwithcommonvulnerabilitiesinherentinmanyoftodayswebsites,
knowhowtoexploitthosevulnerabilitieswithattacksdesignedspecificallytotakeadvantageofthem.ExamplesofsuchdestructiveactivitieshaverecentlyhitthenewsinstoriesabouthacktivistgroupssuchasLulzSecandAnonymous.
TheHP2011mid-yeareditionofthebiannualTopCyberSecurityRisksReportfeaturesin-depthanalysisandattackdatafromHPDVLabs,ApplicationSecurityCenter,andFortifysecurityunitsaswellasvulnerabilitydisclosuredatagarneredfromtheOSVDB.Giventhemediaattentionpaidtotheserecentattacks,aswellasdataHPobtainedfromitspartnersandcustomers,thebulkofthisreportisfocusedonWebapplications,includingthevulnerabilitiesthatexistandtheattacksthatareexploitingthoseweaknesses.
ThisreportisintendedforIT,network,andsecurityadministratorswhoareresponsibleforsecuringthepublic-facingcommunicationwithanorganizationscustomers,partners,andemployees.TheprimaryobjectiveofthiseditionoftheTopCyberSecurityRisksReportistoclearlyarticulatetherisksandweaknessesinherentinWebapplications.Wellhighlighttheoverallvulnerabilitylandscape,including
vulnerabilitiesincommerciallyavailableandcustom-builtapplicationsthatcanleadtoattacks,aswellashowoftenthesearebeingreported.Thereportwillalsohighlighttherisingnumberofattacksthatareleveragingthevulnerabilitiesdiscussedthroughoutthepaper.
https://osvdb.org/account/signuphttp://osvdb.org/supporthttp://osvdb.org/supporthttps://osvdb.org/account/signup -
8/3/2019 Cyber Security Risks Report
3/24
Keyfindingsfromthisreportinclude:
The number of Web application vulnerabilities that are reported differs significantly from the numberthat actually exist.
TheOpenSourceVulnerabilityDatabase(OSVDB)monitorsvulnerabilitydiscoveryandreportingthroughdisclosureprograms.Datafromthefirstsixmonthsof2011showsadistinctandsignificantdecreaseinthedisclosureofnewvulnerabilities.Whilethismightseemlikegoodnews,itisactuallytheopposite.DatacollectedfromscansofactualcustomerWebapplicationdeploymentsindicatesthatthenumberofvulnerabilitiesisnotdecreasing;itisonlythenumberofreportednewvulnerabilitiesthatisdecreasing.Productionwebsitesforsomeoftheworldsleadingorganizationsarestillburstingwithvulnerabilitiesthatleavethewebsitesopentodevastatingattacks.
Web application attacks are on the rise, despite the lack of new vulnerabilities being disclosed.
HPDVLabscompiledattackdatafromitsnetworkofHPTippingPointintrusionpreventionsystems(IPS)todeterminethedangerthesevulnerabilitiesposetoInternetsecurity.InformationpulledfromthesesystemsshowsthatthenumberofattacksonWebapplicationsistentimesthenumberofvulnerabilitiesbeingreported.Thisfactleadsustobelievethatattackerseitherdontneedanynewvulnerabilitiestoachievetheirgoals,orthatthereareplentyofvulnerabilitiesincustomapplicationsthatareunknownor
untracked,increasingtheattacksurfacetoattackers.Therealityislikelyamixtureofboth.Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools.
TwoofthemostcommonWebapplicationattacktypes,Cross-SiteScripting(XSS)andSQLInjection(SQLi),arecoveredin-depthinthisreport.BasedondataobtainedfromHPTippingPointIPSdevices,thesearetwoofthemostfrequentlyusedattacktypesthoughmanytimesfordifferentreasons.XSS,whichisoftenusedforspamorphishingattempts,providesaneasywaytodistributeanattackonawidescale.Conversely,SQLicanbeusednotonlyforoverwritingadatabaseandthenredirectingvisitorstoamalicioussitesimilarinfashiontohowXSSisleveragedbutalsoformassivedatabasetheft.
Theinformationinthisreportcomesfromvarioussources,allowingHPDVLabstoobtainabroadsetofdatafromwhichtocorrelatemeaningfulfindings.Thesesourcesinclude:
AworldwidenetworkofHPTippingPointIntrusionPreventionSystems
VulnerabilityinformationfromOSVDBandtheZeroDayInitiative(ZDI)WebapplicationdatafromtheASCWebSecurityResearchGroup,theEBSWBTOProfessional
ServicesOrganization,andFortifyonDemand
-
8/3/2019 Cyber Security Risks Report
4/24
4
Figure1
DisclosedvulnerabilitiesaccordingtoOSVDB,20002010
2000
Totalvulnerabilities
11K
8.8K
6.6K
4.4K
2.2K
02001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
VulnerabilitytrendsTobetterunderstandthethreatlandscape,itisimportanttostartwiththeweaknessespresentincomputinginfrastructures.Theseweaknessestypicallymanifestthemselvesasapplicationvulnerabilities,whicharethefocusofthissectionofthereport.Thevulnerabilitylandscapeisdiscussedinthefollowingthreesections:
Discovery and disclosure of new vulnerabilities:Thissectiondescribescurrenttrendsinvulnerabilityreporting,highlightingvulnerabilitiesthathavebeendisclosedincommerciallyavailablecomputing
systems,includingWebapplications.Basedonthetrendinformation,onecandiscernthevolumeandcategoryofnewlydiscoveredvulnerabilities,whichprovidesinsightintohowsuchvulnerabilitiesattractattackersattention.
Trends in vulnerability research:ThissectionhighlightsdatafromtheHPDVLabsZeroDayInitiative(ZDI)vulnerabilityresearchprogram.ItprovidesadeeperlookintothetypesofvulnerabilitiesthattheZDIresearchesanddiscoversinanefforttogetabettersenseofwhatdrivesasecurityattack.
Vulnerabilities discovered in production Web application environments:ThissectionhighlightsresultsfromscansofliveWebapplications.Datainthissectiondemonstratesthevulnerabilitiesthatarepresentinreal-worldWebapplications,includingnewvulnerabilitiesthatareunreportedaswellasthosethatwerepreviouslydisclosed,andas-yetunfixedvulnerabilities.
-
8/3/2019 Cyber Security Risks Report
5/24
Figure2
VulnerabilitydisclosureaccordingtoOSVDB,20002011,brokendownbymonth
1.3K
1.04K
780
Totalvulnerabilities
520
280
0
Discovery and disclosure of new vulnerabilities
BasedondatapulledfromOSVDB,thetotalnumberofnewvulnerabilitiesreportedforthefirsthalfof2011isabout25percentlowerthanthenumberofnewvulnerabilitiesreportedatmid-year2010andpreviousyears.AsofJune30,2011,OSVDBcataloged3,087 (Figure 1)reportedvulnerabilitiesinInternet-basedsystems,applications,andothercomputingtools,ascomparedto4,091catalogedinthecorrespondingperiodin2010.
Afterpeakingin2006,vulnerabilityreportingforcommerciallyavailableproductshasbeeninaslow
decline(Figure 2).Thereasonsforthisdeclinearevaried,butseverallikelyreasonsstandout.Softwaremakersandsystemdevelopershaveincreasedtheirsecurityawarenessandhavetakenstepstoreducevulnerabilitiespriortoreleasingtheirproducts.Thesecondreasonisareductioninthedisclosuresofdiscoveredvulnerabilities,motivatedbyadesiretoinsteadsellthevulnerabilityforprofit.Anotheristhatsomeorganizationswouldratherannouncedetailsregardingvulnerabilitiesonlyaftertheyvebeenfixed.
Despitetheoveralldeclineinnewvulnerabilitiesbeingdiscoveredandreported,itisimportanttonotethattheratioofvulnerabilitiesdiscoveredinWebapplicationsstillmakesup31percent(Figure 3)ofallvulnerabilitiesdisclosed.Itisworthnotingthatroughlyhalfofallvulnerabilitydisclosuressince2006haveinvolvedWebapplications,sothedownwardtrendforthefirsthalfof2011isyetanotherproofpointfortheoveralldropinvulnerabilitydisclosurethusfar.
-
8/3/2019 Cyber Security Risks Report
6/24
6
Figure3
ComparisonofWebapplicationvulnerabilitiesversusnon-Webapplicationvulnerabilities,JanuaryJune2011
31%
69%
Web apps vulns
Other vulns
ThereasonforthehighnumberofWebapplicationvulnerabilitiesisamatterofopportunityandprofit.First,thenumberofWebapplicationsincirculationgrowssteadilyeveryday.AWebapplicationinitssimplestformtiestogetheranoperatingsystem,aWebserver,adatabase,andsometop-levelapplicationthatcustomersusetointeractwiththeback-endsystems.Manyorganizationshaveadoptedthismodelforinteractingwithcustomersthroughretailsites,onlinebankingorfinanceapplications,orevenappointmentscheduling.Inaddition,manyorganizationshaveconfidentialorsensitivedatastoredinthedatabase(s)connectedtotheseapplications,offeringanalmostlimitlessfieldofopportunityforattackers,whoviewitallasaverylucrativeproposition.
Whenvulnerabilitiesarebrokendownbycategory,someinterestingtrendsbegintoemerge.DatapresentedinFigure 4showsthatcertaintypesofvulnerabilitiesaremorefrequentlydiscoveredanddisclosed.Cross-SiteScripting(XSS)stillcomprisesthemostsignificantamountofnewWebapplicationvulnerabilitydisclosures.XSSiscommonlyusedforspam,phishing,andWebbrowserexploits.BufferOverflowandDenialofService(DoS)vulnerabilitiesroundoutthetopthree.
Buffer OverflowAbufferoverflowattackoccurswhenattackerspurposelyoverloadasystemstemporarymemory(calledabuffer)towreakhavoconavictimsmachine.Oftentimesattackersalsoincludeinstructionalcodeininformationtheyusetooverflowthememory.Thatcodecaninstructtheaffectedsystemtoaccessorchangeconfidentialdataorevensendinformationbacktotheattacker.
Denial of Service (DoS)Atypeofvulnerabilitythatallowsanattackertoexhaustcomputerresourcesonavulnerablesystemtoapointwherelegitimateusageofthatsystemisimpossible.
Distributed Denial of Service (DDos)AtypeofDoSattackthatemploysanumberofseparatecomputers,whichsimultaneouslylaunchaDenialofServiceattackagainstasingleapplicationorsystem.
-
8/3/2019 Cyber Security Risks Report
7/24
Figure4
Disclosedvulnerabilitiesbrokendownbycategory,January2000June2011
Totalvulnerabilities
3K
2.4K
1.8K
1.2K
600
0
2000
2001
2002
2004
2005
2006
2007
2008
2009
2010
2011
Cros s Si te Scri pt ing Cross Si te Request Forger y SQL I nj ect ion Buffe r Ove rfl ow Remote Fi le I ncl ude Denial of Se rvi ce
Itisinterestingtonotethatthebreakdownofpopularvulnerabilitiesbycategoryremainsfairlyconsistentoverthepastthreeyears (Figure 5),likelybecauseXSSvulnerabilitiesarerelativelyeasytofindandareveryusefultoattackers.Spammersandphishersarealwayslookingforwaystomaketheirtrademoreprofitable,andXSScontinuestobeausefulvulnerabilityforthesepurposes.
Further analysis: Zero Day Initiative
TheZeroDayInitiative(ZDI),foundedbyHPTippingPointin2005,isaprogramforrewardingsecurityresearchersforresponsiblydisclosingvulnerabilities.Theprogramisdesignedsothatresearchers
provideHPTippingPointwithexclusiveinformationaboutpreviouslyunpatchedvulnerabilitiestheyhavediscovered.HPDVLabsvalidatesthevulnerabilityandthenworkswiththeaffectedvendoruntilthevulnerabilityispatched.Atthesametime,HPDVLabsdevelopsasecuritysolutionthatprovidespreemptiveprotectionforHPscustomersevenbeforetheapplicationvendordistributesafixforthevulnerability.
From2005throughJune2011,ZDIandHPDVLabsresearchershavediscoveredandresponsiblydisclosedmorethan980vulnerabilitiesinpopularcomputingsystemsincludingWebbrowsers,mediaplayers,anddocumentreaders.
In2010,ZDIannouncedchangestoitsdisclosurepolicythatincentvendorstointroducemoretimelybugfixesintotheirproducts.Underthenewpolicy,ZDIofferstheaffectedvendorssixmonthstoissuepatches,fixes,orworkaroundsforundisclosedvulnerabilitiesreportedtothemviatheZDIprogram.If,aftersixmonths,thevendorhasnotissuedafixorclearedanexceptionwithZDI,limiteddetailofthevulnerabilitywillbedisclosedsothatthedefensivecommunityandconsumersoftheseaffected
applicationscanfindtheirownwaystomitigatetheriskassociatedwiththeseopenbugs.FurtherinformationregardingtheZDIdisclosurepolicycanbefoundhere:http://www.zerodayinitiative.com/advisories/disclosure_policy/.
http://www.zerodayinitiative.com/advisories/disclosure_policy/http://www.zerodayinitiative.com/advisories/disclosure_policy/ -
8/3/2019 Cyber Security Risks Report
8/24
8
Figure5
Three-yearview:popularvulnerabilitiesbycategory
0
200
400
600
800
1000
1200
1400
1600
1800
2009 2010 2011
BO
DOS
PHP
SQLi
XSS
CSRF
(through 6/30/2011)
Inthetable(Figure 6)belowyoucanseethetop10applicationswithvulnerabilitiesdisclosedthroughtheZDIsincetheprogramwasstartedin2005.
Forthefirsthalfof2011,DVLabsandtheZDIeitherdiscoveredoracquired,anddisclosedtoaffectedvendors,231vulnerabilitiesinawiderangeofproducts.Onthenextpage(Figure 7)youcanseethetop10applicationsforwhichvulnerabilitiesweredisclosedthroughtheZDI.Whileonlyfourofthe10applicationsarerelatedtoWebbrowsers,thetotalnumberofvulnerabilitiesfromtheseapplicationsisstaggering.
Figure6
MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIfrom20052011
0 10 20 30 40 50 60 70
Apple Quicktime
Microsoft Internet Explorer
Oracle/Sun JavaMicrosoft Office
Mozilla Firefox
Apple Webkit
RealNetworks Real Player
Adobe Shockwave
HP OpenView
Adobe Reader
-
8/3/2019 Cyber Security Risks Report
9/24
Figure7
MostfrequentlyreportedvulnerabilitiesdisclosedthroughZDIin2011
0 5 10 15 20 25 30
CA Total Defense
IBM Lotus (general)
Microsoft Office Tools
HP OpenView Network Node Manager
Novell iPrint
Apple WebKit
Adobe Reader
HP Data Protector
Oracle Java (general)
Adobe Shockwave
Seeing the big picture: where the vulnerabilites are
Sofar,thisreporthasfocusedprimarilyonvulnerabilitydisclosure,whichmayormaynotreflectthecompletepictureofvulnerabilitytrendsunfoldingontheInternet.Inanefforttoseeaclearerpictureofthereal-worldvulnerabilitylandscape,theHPApplicationSecurityCenterWebSecurityResearchGroup(WSRG)compiledresultsfromover2,750securityassessmentsperformedagainstavarietyofcustomer
Webapplicationsduringthefirstsixmonthsof2011.Whileitisgoodtoseeanoverallreductioninthenumberofnewvulnerabilitiesbeingreported,thathasunfortunatelyhadnoimpactonthedangersofexploitation.Theseresultshavebeendividedintothreesections:
Thefirstcorrelatesresultsfromalmost250Webapplicationsanalyzedstatically(attheline-of-codelevel)forWebapplicationvulnerabilities.
Thesecondgroupincludesresultsfromdynamicanalysis(duringtheactualrunningoftheapplication)conductedagainstover2,500uniqueWebapplications.
Finally,thethirdsetofanalysesincludesacloserinspectionofamuchsmallergroupofassessmentstoexplorethedifferentwaysinwhichWebapplicationvulnerabilitiescanbeexploited,howthatimpactstheoverallriskstandingoftheapplication,andwhatmitigationmeasuresdevelopersareemployingthatarenotworking.
EachsetofanalyseswillshedlightonthenatureandseriousnessofWebapplicationvulnerabilitiesandhowprevalenttheyare.Whatsecurityprofessionalshavesteadilywitnessedinthelastdecadeisthatattackshavemovedfromdefacementandgeneralannoyancetoone-timeattacksdesignedtostealasmuchdataaspossible,andfromtheretoperniciousongoingattacksthatattempttodistribute
malwareandstealasmuchdataforaslongaspossiblewithoutbeingdetected.ItisimperativetorealizethatitoftentakesonlyoneWebapplicationvulnerabilityforanentiresystemtobecompromised.Theenormityofthedangercannotbeoverstated.
-
8/3/2019 Cyber Security Risks Report
10/24
10
Static analysis
ThefirstsetofapplicationswasstaticallyanalyzedbytheWSRGinconjunctionwiththeHPFortifyonDemandgroupandincluded236uniqueapplications.Thefirststatisticistrulystaggering:afull69%oftheapplicationstestedcontainedatleastoneSQLiflaw.Fundamentally,SQLiisanattackuponthe
Webapplication,nottheWebserverortheoperatingsystemitself.Asthenameimplies,itistheactofaddingunexpectedSQLcommandstoaquery,therebymanipulatingthedatabaseinwaysunintendedbythedatabaseadministratorordeveloper.Whentheattackissuccessful,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbyvulnerableWebapplications.IfattackerscanfindoneSQLInjectionvulnerabilityinanapplication,theresaverygoodchancetheycancompromiseitcompletely.Alotofhigh-profileattacksoverthecourseofthefirsthalfof2011werethedirectresultofSQLi.EvenLadyGagaisntimmunetoSQLi.
ThesecondmostprevalentvulnerabilitydiscoveredinthisseriesofassessmentswasCross-SiteScripting(XSS),(specifically,thereflectedvariety).Putsimply,reflectedXSSattackscomefromsomewhereelse,suchaswhenuser-suppliedinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.Usingsomesocialengineering,anattackercantrickavictim,perhapsthroughamaliciouslinkorariggedform,tosubmitinformationwhichwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.Theinjectedcodeisthenreflectedbacktotheusersbrowserwhichexecutesitbecauseitcamefromatrustedserver.64%oftheassessedapplications
containedatleastonereflectedXSSflaw.
Itssistervulnerability,persistentXSS,wasdiscoveredin42%oftheapplicationstestedinthisgroup.Persistentattacksarejustthat:insomeformtheyarestoredonthetargetserver,suchasinadatabase,orviaasubmissiontoabulletinboardorvisitorlog.Thevictimwillretrieveandexecutetheattackcodeinhisbrowserwhenarequestismadeforthestoredinformation.Whatsalsointerestingaboutthisparticularvulnerabilityisthateventhoughitwasfoundin27%feweroftheapplicationsthanSQLi,therewereactuallymoreuniqueinstancesofpersistentXSSdiscoveredthananyothervulnerabilityforwhichtheWSRGtested.TheimpactsofeachflavorofXSSarethesame.
Amoregenericvulnerability,HeaderManipulation,wasfoundin37%oftheapplications.HeaderManipulationvulnerabilitiesoccurwhendataentersaWebapplicationthroughanuntrustedsource,mostfrequentlyaWebrequest.ThedataisincludedinanHTTPresponseheadersenttoaWebuserwithoutbeingvalidated.AswithmanyWebapplicationsecurityvulnerabilities,HeaderManipulationisameanstoanend,notanendinitself.Atitsroot,thevulnerabilityisstraightforward:anattackerpassesmaliciousdatatoavulnerableapplication,andtheapplicationincludesthedatainanHTTPresponseheader.IncludingunvalidateddatainanHTTPresponseheadercanenablecache-poisoning,XSS,cross-userdefacement,pagehijacking,cookiemanipulation,oropenredirectvulnerabilities.And18%oftheapplicationsalsocontainedaspecificcookieHeaderManipulationvulnerability.
Cross-Site Scripting (XSS)
AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationtoenableanattackertoinjectmaliciousclient-sidecodeintoaWebpagewhichisviewedbyavictimsWebbrowser.VariousformsofXSSarecurrentlybeingusedtophishwebsiteusersintorevealingsensitiveinformationsuchasusernames,passwords,andcreditcarddetails.XSScangenerallybedividedintostored,reflected,andDOM-basedattacks.StoredXSSresultsinthepayloadbeingpersistedonthetargetsystemineitherthedatabaseorthefilesystem.Thevictimswillretrieveandexecutetheattackcodeintheirbrowserwhenarequestismadeforthestoredinformation.ExecutionofthereflectedXSSattacks,ontheotherhand,occurswhenuserinputfromaWebclientisimmediatelyincludedviaserver-sidescriptsinadynamicallygeneratedWebpage.DOM-basedXSSattacksrelyonmaliciousmodificationoftheDOMenvironmentinavictimsbrowser.ItdiffersfromthestoredandreflectedXSSinthefactthatthemaliciousdataisneversenttotheserver.Viasomesocialengineering,anattackercantrickavictim,suchasthroughamaliciouslinkorriggedform,tosubmitinformationthatwillbealteredtoincludeattackcodeandthensenttothelegitimateserver.
Command ExecutionAtypeofvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertorunoperatingsystemcommandsonthevulnerableapplicationserver.Typically,thisvulnerabilitycategoryallowsattackerstoexploitWebapplicationsthatpassuserdataasparameterstoI/OoperationsbyappendingOScommandstousersuppliedinputusingspecialcharacterssuchasapipe(|).
http://www.mirror.co.uk/celebs/news/2011/07/16/lady-gaga-website-hacked-and-fans-details-stolen-115875-23274356/http://www.mirror.co.uk/celebs/news/2011/07/16/lady-gaga-website-hacked-and-fans-details-stolen-115875-23274356/ -
8/3/2019 Cyber Security Risks Report
11/24
AnotherwidespreadvulnerabilitydiscoveredduringtheWSRGanalysiswasPathManipulation.Thisoccurswhenuser-suppliedinputcancontrolorotherwiseinfluencefilenamesorpathsutilizedinfilesystemoperations,whichcanthengiveanattackerthemeanstoaccessorchangeprotectedsystemresources.63%ofthescansdetectedaPathManipulationvulnerability.
Whilenoneofthevulnerabilitiesdiscussedsofarcanbeconsideredinnocuous,oneextremelydangerousvulnerabilitywasalsodetectedinlargenumbers.CommandInjectionoccurswhenaremoteusercansupplyaspeciallycraftedvaluetoexecutearbitraryoperatingsystemcommandsonthetargetsystem.35%oftheapplicationscontainedatleastoneCommandInjectionvulnerability.
Anothersignificantvulnerabilityoccurswhendevelopersleavepasswordshardcodedintheircode.Hardcodedpasswordswerediscoveredin30%oftheapplications.Anattackerwhodiscoversahardcodedpasswordcouldobviouslygainunintendedaccesstotheapplication.Thedamageswoulddependonthefunctionalityoftheapplicationitself.
5%oftheapplicationscontainedXPathInjectionvulnerabilities.XPathInjectionisverysimilartoSQLi.Inthatscenario,SQLcommandsaremodifiedbyanattackertogainaccesstodatabasecontentsandinformation.InXPathInjection,XPathstatementsaremodifiedtogainaccesstothedatacontainedwithinanXMLdocument,whichoftenservesastheXMLdatabase.Importantly,XPathdoesnotutilizeaccesscontrolrestrictionsasSQLdoesviaprivileges,soasuccessfulXPathInjectionattackwillyieldcomplete
resultsinthatallthedatainthedocumentwillberevealed.TheXPathlanguageisalsouniform,unlikeSQL,sothatanyinstalledimplementationispotentiallyvulnerable.Intheseaspects,XPathInjectioniseasiertoexecutethanSQLiandhasgreaterresultsreturnedonaffectedsystems.
Anotherinterestingsetofdatadescribesthenumberofvulnerabilitiesfoundperapplication,andper1000linesofcode.Duringinitialscans(beforeremediationefforts),410vulnerabilitieswerefoundonaverageforeachofthe236applicationsevaluated,equatingto4.6vulnerabilitiesper1000linesofcode.Ofthethreelanguagescounted,PHPwasthemostvulnerableprogramminglanguage,with13.1vulnerabilitiesper1000lines,followedby.Netat7.7.Javawasthemostsecure,at4.1.
Dynamic analysis
ThesecondsetofdatawascollectedbytheWSRGinconjunctionwiththeHPEnterpriseBusinessSoftwareBTOProfessionalServicesorganizationandwassplitacrossthreeenterprise-levelorganizations:onefromtheenergysector,onefrombankingandfinance,andonefromproduct
manufacturinganddistributiontoseehowWebapplicationvulnerabilitiesarepresentedinreal-worldapplicationsandareencounteredacrossalltypesofbusinesses.Eachassessmentwasconductedusingdynamic(real-time)analysismethods.Thefirsttwosetsofdatawereanalyzedagainstasmall(lessthan20)numberofapplications,whilethelastsetconsistedofmorethan2,300scansandwasactuallyanalyzedinfargreaterdepththanthefirsttwo.However,allthreesetsofdatayieldedinterestingresults.Eachwastestedforaseriesofcommon,yetdangerous,Webapplicationvulnerabilities.
Cross-Site Request Forgery (CSRF)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofauthorizationonavulnerableWebapplicationtoallowanattackertoexecuteapplicationcommandsonbehalfofanotheruseroftheapplication.ThetypicalscenarioofaCross-SiteRequestForgeryattackinvolvesanattackertrickingavictimintoclickingonaspeciallycraftedlinkthatisdesignedtoperformamaliciousoperationonbehalfofthevictim.Forexample,avictimmayclickonamaliciouslinkthatforcesthevictimtotransfermoneyfromthevictimsbankaccounttoanattackersbankaccount.
Remote File IncludeAtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizedcode(typicallyPHPorASP)onavulnerableserver.RemoteFileIncludeattackstypicallyarisefromascriptinglanguagesinherentabilitytoincludecodefromexternalURLs,orarbitrarylocalfiles.Itisthisabilitythatallowstheattackertoincludeunauthorizedcodefromanexternalsource.
-
8/3/2019 Cyber Security Risks Report
12/24
12
Theenergysectorapplicationscontainedanumberofvulnerabilitiesthatcouldbeutilizedtocompromisethesystem.Forexample,23%werevulnerabletoSQLi.15.3%werevulnerabletoRemoteFileInclude(RFI)vulnerabilities.53.8%werevulnerabletoReflectedXSS,whileanother23%werevulnerabletoPersistentXSS.Also,38.4%werevulnerabletoCross-SiteRequestForgery.Cross-SiteRequestForgeryreliesonabrowsertoretrieveandexecuteanattack.Itincludesalinkorscriptinapagethatconnects
toasitethattheusermayhaverecentlyused.Thescriptthenconductsseeminglyauthorized,yetmalicious,actionsontheusersbehalf.Othervulnerabilitiescouldbeexploitedtoblocktheaccessoflegitimateusers.30.76%weresusceptibletoaBufferOverflow,withanother15.3%vulnerabletoaDenial-of-Serviceattack.ItisimportanttonotethatanapplicationthatsuffersfromanyoneofthesevulnerabilitieswouldfailaPCIcomplianceaudit.
Whilenotasmanyspecificvulnerabilitiesweredetected,thebankingandfinancesectorapplicationsalsocontainedalargenumberofdisconcertingvulnerabilities.58.3%oftheapplicationswerevulnerabletoReflectedXSS,butonly8.3%containedaPersistentXSSvulnerability.16.6%werevulnerabletoCross-SiteRequestForgery.Exploitationofanyofthosevulnerabilitiescouldresultinanattackergaininglegitimateauthenticationcredentials,inadditiontootherpossibilities.Inabitofagoodanomalyforthisparticularorganization,only8.3%oftheapplicationswerefoundtocontaineitheraSQLiorRFIvulnerability.Yet,thatpositivesecuritypostureissomewhatlessenedbythefactthat21.4%oftheapplicationswerentusingSSLcookies.And50%sufferedfromDirectoryPathDisclosure
vulnerabilities,whichattackerscanutilizetoformulatemoredamagingattacks(thinkofthisasastepinreconnaissanceifyouknowwheresomethingis,itsmucheasiertoattackit).
Finally,thethirdsetofapplications(all2,345ofthem)isutilizedbyaverylargeproductmanufacturinganddistributionorganization.Althoughgreaterinnumber,theseapplicationswereactuallyassessedatahigherlevelofgranularitythantheprecedingsetsofdata.Oftheseapplications,31%werevulnerabletoXSSand15%werevulnerabletoaversionofXSSthatrequireduserinteraction,suchasclickingalinkormovingthemousepointerovertext.Another6.5%werevulnerabletoaspecificformofXSSresultingfromthewayApacheWebserversincorrectlyfilteredinputintheExpectheader.Another5.8%werevulnerableduetospecificfilteringvulnerabilitiesinMicrosoftASP.NET.
Whileonly1.9%oftheapplicationswereconfirmedtobevulnerabletoSQLi,and2.3%registeredasvulnerabletoSQLialbeitwithnodataabletobeextracted,18%werestillvulnerabletoBlindSQLi.NormalSQLiattacksdependinalargemeasureonanattackerreverse-engineeringportionsoftheoriginalSQLqueryusinginformationgainedfromerrormessages.However,applicationscanstillbe
susceptibletoBlindSQLievenifnoerrormessageisdisplayed.Theconsequencesarethesame.
OneinterestingstatisticisthatonlytwooftheseapplicationsregisteredasbeingvulnerabletoCross-SiteRequestForgery.Whencodingapplications,developerstendtomakethesamesecuritymistakesinmorethanonceplace.Inotherwords,ifanapplicationisvulnerabletoSQLi,chancesareitsvulnerableinmanylocations,notjustone.However,theoppositecanholdtrue,too.Itisapparentthatthesedevelopersutilizedanti-CSRFtokensorothereffectivecountermeasuresintheirapplications.
AnotherissuethattheWSRGexaminedwasthatofinformationleakage.Informationleakageconsistsofdirectoryprobing,errormessagesthatrevealinformationunintendedbythedeveloper,commonguesseddirectories,andotheritemsthatcouldrevealinformationbeneficialtoescalatingattackmethodology.Successfulexploitationwouldgiveanattackerunauthorizedaccesstosensitiveinformation.Themainproblemwithinformationleakageisthattheinformationgainedfromtheseattackscanbeusedtoconductfarmoredamagingattacks.
18.8%oftheapplicationscontainedlogininformationsentoverunencryptedconnection.AnyareaofaWebapplicationthatpossiblycontainssensitiveinformationoraccesstoprivilegedfunctionalitysuchasremotesiteadministrationfunctionalityshouldutilizeSSLoranotherformofencryptiontopreventlogininformationfrombeingsniffedorotherwiseinterceptedorstolen.5.6%oftheapplicationscontainedaknownfileordirectory.OneofthemostimportantaspectsofWebapplicationsecurityistorestrict
-
8/3/2019 Cyber Security Risks Report
13/24
accesstoimportantfilesordirectoriestoonlythoseindividualswhoactuallyneedtoaccessthem.2.2%containedsomeformofcodedisclosurevulnerability.Anattackerwhogainsaccesstothesourcecodeofanapplicationobviouslyhasanupperhandindeterminingthebestmethodofattackingit.
Manual analysis
TheWSRGalsoconductedextensivemanualanalysisofvulnerabilitiesdiscoveredwhileconductingautomatedsecuritytestsforadifferentgroupofcommercialapplications.Theanalysisfocusedondiscoveringtrendsthathelp:
1. Determinetheimpactofvariousfactorspertainingtothevulnerabilitysource/contextonitscriticalityandexploitability
2.AssessthemitigationsputinplacebydeveloperstosecuretheirWebapplicationsagainstthemostcommonvulnerabilitycategoriesandunderstandtheirshortcomings
WhilesecuringWebapplicationsagainsteverypossiblethreatisimportant,notallvulnerabilitiesarecreatedequal,eveniftheybelongtothesamecategory.Inthecaseofproductionsystems,thediscoveryofcriticalvulnerabilitiesnecessitatesanimmediateresponse.This,inturn,entailsprioritizingthediscoveredissuesbasedontheexploitability,severity,andimpactonthesecuritypostureoftheoverallsystem.ThemanualanalysishelpedtheWSRGidentifythefollowingnumerousfactorsthatimpacta
vulnerabilitystrueriskrating.1. Accesscontrolrequirementfortheresource
Anyresourcerequiringtheusertoauthenticateaddsanextralayerofcomplexityfortheattackerindiscoveringtheissue.However,oncediscovered,asuccessfulexploitationcanprovedeadly,allowingtheattackertobypasstheaccesscontrol,escalateprivileges,andgaincontroloverprotectedandpossiblysensitivesectionsofthesystem.46%ofthevulnerabilitieswerediscoveredinprotectedresources.
2.Function/Purposeoftheresource
Obviously,thesensitivityoftheWebpagecontentanditspurposegreatlyimpactsthecriticalityofanyvulnerability.AnXSSvulnerabilityintheloginpageprovidestheattackerwithmoreleveragetoachieveacompletetakeoverofthesystemthanonethatexistsonasearchpage.Ultimately,anygivensecurityissuecanbeturnedintoadeadlyweaponagainstaWebapplication.However,themoreeffortrequiredtoexploitavulnerability,thelessattractivetheapplicationbecomestoanattacker.Inthesampleset,31%ofvulnerabilitiesweredetectedinloginscriptswhile46%weredetectedinsearchpages.
3. In-houseapplicationsvs.third-partycomponents
Duringmanualanalysis,theWSRGdiscoveredthatvulnerabilitiesweredetectedinbothcustomcodeaswellasinthatofthird-partyapplications.In62%oftheapplications,thevulnerabilitieswereconcentratedinthesectionsofapplicationsthatweredevelopedin-house.In31%oftheapplications,thedistributionwasexactlyreversed.Securityissuesinthird-partysoftwarearedefinitelymoreconcerningsincethoseallowtheattackerstocompromisemultiplesystemsbypossiblyusingthesameexploit.Issuesdetectedwithincustomcodecouldtakelongertofixsincetheywillrequireunderstandingofallthevulnerableinputusagesandthenapplyingaseparatefixforeach.
4.Complexityoftheexploitthatledtothediscoveryofthevulnerability
Attackersalwaysprefertargetingsystemsthatareeasierandfastertocompromise.Thus,any
applicationvulnerabletosimpleattackvectorswillattractmoreattackersthanonethathasatleastsomemitigatingsecuritycontrolsinplace.69%ofvulnerabilitieswerediscoveredusingplainvanillaattackvectors.
-
8/3/2019 Cyber Security Risks Report
14/24
14
Despitethehigh-profilenatureofrecentWebapplicationcompromises,databreaches,andincreasedfinesfornoncompliancewithgovernmentalregulations,alargenumberofapplicationsstillremainvulnerabletothemostrudimentaryWebattacks.TheWSRGhasdeterminedthatafewrecurringissuescontributetothisproblem:
1. Mitigationsappliedwithoutaccuratelyunderstandingtheusagecontextoftheuserinput23%oftheWebapplicationsinthesamplesetactuallyemployedtheHTMLencodingtechniquetoprotectagainstXSS,15%usedablacklistingapproach,and54%hadnoprotectionmechanismsimplemented.Themitigationsfailedtoprovideanyprotectionbecausein54%oftheapplications,thereflectionsoccurredwithintheclient-sideJavaScriptcodeblocks,makingthesecuritycontrolsineffective.
2.Relianceonspecificmitigationtechniquesinsteadofaholisticapproach
Manualinspectionoftheclient-sideapplicationsourcecodeindicatedthatthefewsecuritycontrolsemployedbythedeveloperswereappliedinresponsetoindividualvulnerabilitiesdiscoveredmorethanlikelyduringautomatedscans.TherewasnoindicationofdevelopmenthavingadheredtoanyformofaSecureDevelopmentLifecycle(SDLC)processtodevelopanyofthetestedapplications.Thiswasevidentintheunbalanceddistributionofvulnerabilitiesindifferentsectionsoftheapplications.
3.LackofuniformityinimplementationofsecuritycontrolsAlso,themanualanalysisrevealedthatwhilecertainsectionsofWebpageswereprotectedagainstXSSattacks,otherswereleftopentoexploitation.Thisbehaviorcouldbeattributedtovariousfactorssuchasthemixtureofin-housecodevs.third-partyapplicationcode,divisionofapplicationdevelopmenteffortswithnouniformprocessputinplacetogovernbestpractices,areactiveapproachtosecuringapplications,andsoon.Thislackofuniformityobviouslymakesvulnerabilitypatchingextremelycomplexandchallenging.Thebestapproachistoestablishawell-definedsecuredevelopmentprocessthatisuniformlyadheredtobyallthepartiesinvolvedinthecreationoftheapplication.
AttacktrendsTheprevioussectionprovidedaviewintothevulnerabilitylandscapespecificallywhereandhowapplicationscanbecompromised.Whilevulnerabilitiesprovideasolidunderstandingofwhatexists,lookingatwhatattacksareexploitingthosevulnerabilitiesandhowoftenwillprovideadeeper
understandingofenterpriserisk.Attackdatafromthissectionisbrokenoutintothreeareas:
Frequency and number of attacks.DatainthissectionisobtainedfromanetworkofHPTippingPointIntrusionPreventionSystem(IPS)devices.Thisdataisimportantforunderstandingtheriskseverityofparticularvulnerabilities.
A deeper look at Cross-Site Scripting (XSS) attacks.XSSisoneofthemostfrequentattacksmeasuredonHPTippingPointIPSdevices.ThissectiondelvesintothedifferenttypesofXSSattacksandthespecificdangerinherentinthesevariants.
A timeline and breakdown of SQL Injection (SQLi) attacks.SQLiisthemostfrequentWebapplicationattackthatwetrack.ThissectionlooksathowSQLihasevolvedandwhyitposessuchahugeriskfortodaysenterprises.
-
8/3/2019 Cyber Security Risks Report
15/24
Figure8
Totalnumberofattacksatmid-year,20092011
0
200000000
400000000
600000000
800000000
1000000000
1200000000
1400000000
2009 2010 2011
New vulnerabilities are unnecessary; attacks continue to rise regardless
Despitethefactthatthelevelofnewvulnerabilitydiscoveriesisdropping,thereisnoshortageofattacks.Whilethisistrueacrosstheboardeverysystem,everycategoryitisespeciallysignificantwhendiscussingWebapplications.Giventhelevelsofvulnerabilitiesthatarepresentinsomany
Webapplications,itsafairassessmentthatthisriseinattacksisduetoattackersleveragingexistingvulnerabilities.
First,thetrendofattacksforthefirsthalfoftheyearforthepastthreeyears(Figure 8)depictsadistinctupwardspike.
Next,comparingWebapplicationattacksatthemid-yearforthepastthreeyears(Figure 9),thereisa
distinctincreaseinattacksonWebapplicationsnearlyadoubleyear-on-yeargrowthforattacksaimedattheseapplications.
LookingatthedataanotherwaycomparingnumbersofWebapplicationattackstoallattacksinthegraph(Figure 10)onthenextpageitisinterestingtonotethattherationofWebapplicationattacksisactuallyabithigher.
-
8/3/2019 Cyber Security Risks Report
16/24
16
Figure9
TotalnumberofWebapplicationattacksatmid-year,20092011
0
5000000
10000000
15000000
20000000
25000000
30000000
35000000
2009 2010 2011(through 6/30/2011)
WhenWebapplicationattacksarebrokendownbycategory,wecanseesomedefinitetrendstakingshape.LetsreferbacktothethreetypesofWebapplicationvulnerabilitiesdiscussedinanearliersection:PHP/RemoteFileInclude(PHP/RFI),SQLInjection(SQLi),andCross-SiteScripting(XSS).WhileXSSvulnerabilitiesaredisclosedmoreoften,itisSQLivulnerabilitiesthatarebeingattackedthemost(Figure 11)byasignificantmargin.
DatainFigure 12 (onpage18)showsthatWebapplicationattacksareincreasingsorapidlythatthenumberofattacksforthefirsthalfof2011arenearlyatthesamelevelsasforthefullyearsin2009and2010.AndinonecaseSQLithenumbersarehigherthaninthepreviousyear.
Figure10
Webapplicationattacksversusnon-Webapplicationattacks,JanuaryJune2011
63%
37%
All attacks
Web attacks
-
8/3/2019 Cyber Security Risks Report
17/24
Figure11
Webapplicationattacksinthefirsthalf2011,brokendownbycategory
0
1000000
2000000
3000000
4000000
5000000
6000000
Jan Feb Mar Apr May Jun
PHP/RFI
SQLi
XSS
Cross-Site Scripting
Cross-SiteScripting(XSS)vulnerabilityhasbeenaroundforawhileandhasbeenwell-documentedovertheyears.Torefresh,XSSisahackingtechniquethatallowsattackerstoexploitvulnerabilitiesinWebapplicationsandinjectclient-sidescriptintothevulnerableWebpagesthatareviewedbyunsuspectingusers.Asuccessfulattackwillallowanattackertohijackusersessions,stealsensitiveinformation,ordefacewebsites.TherearetwoprimarytypesofXSSvulnerability:non-persistent(orreflected),andpersistent(orstored).
Thereflected(non-persistent)XSSisbyfarthemostcommontypeofXSSattack.Therootcauseistheimproperhandling(lackofsanitization)ofHTTPrequestdatabytheservercode,allowingmalicious
sitestoreflectmaliciouscodeandattacktheuser.ThemainattackvectorisusuallyanemailmessagecontainingamaliciousURL.WhentheuserclicksontheURL,theyaretakentothevulnerablesitewherethemaliciouscodeisexecutedandreflectedbackontheuserinordertoexecutetheattack.ItistheXSSvulnerabilityofthewebsitethatallowsthistypeofattacktohappen.TheWebbrowserexecutesthecodebecauseitbelievesthecodeoriginates,andisunaltered,fromatrustedwebsite.
Apersistent,orstored,XSSattackisafarmoredevastatingXSSvariant.ThisattackdoesnotrequireuserstoclickURLsinordertopassmaliciouscodebacktothevulnerablewebsiteandattacktheuser.Inthiscase,themaliciouscodeisabletoliveonthevulnerableserverandisservedupalongsideregularHTMLcontent.Again,thistypeofattackisadirectresultofpoorinputvalidationontheserverside,whichallowsfornon-sanitizedinputtoendupbeingdisplayedonthesite.Thistypeofattackisparticularlyriskynotonlybecauseitdoesnotrequiredirectuserinteractionbutalsobecauseithasamuchwiderscope.Withnon-persistentattacks,theonlyuserswhogetattackedaretheoneswhoreflectthemaliciouscodetothesitebyclickingtheURL.WithpersistentXSSattacks,everyvisitortothesitemaygetcompromisedasthemaliciouscodelivesontheserveritself.Also,thismaliciouscodecanbeself-
propagating,creatingatypeofclient-sideworm.
-
8/3/2019 Cyber Security Risks Report
18/24
18
Figure12
Webapplicationattacks,20092011
0
5000000
10000000
15000000
20000000
25000000
30000000
2009 2010 2011
PHP
SQLi
XSS
(through 6/30/2011)
Overthelastdecade,XSShasbeenapopularpartofthesecuritythreatlandscape.AccordingtovulnerabilitiesdocumentedbySymantecin2007,XSSaccountedforroughly80%ofallthesecurityvulnerabilities.Thatpercentagehasleveledoffovertherecentyears,butXSSisstillthesecondmostpopulartypeofWebapplicationvulnerability.AccordingtotheOpenWebApplicationSecurityProject(OWASP)2010TopTen,XSSwassecondonlytoSQLi.WhatmakesXSSevenmoredangerousisthatitcouldbeleveragedbyanattackertoexploitotherWebapplicationvulnerabilitiessuchasInformationDisclosures,ContentSpoofing,andmore.
WhileorganizationshaveabetterunderstandingoftherisksposedbyXSSattacks,thesetypesofvulnerabilitiesstillmakeupahighpercentageofbugsbeingdisclosedeveryyear.SowhilemanyXSSvulnerabilitieshavealowcommonvulnerabilityscoringsystem(CVSS)score,theirprevalenceincreases
theoverallattacksurfaceofaWebapplication,whichputenterprisesatahighriskforexposureandcanbecostlytofix.
SQL Injection plays a starring role
SQLiattacksgainedmediaattentionthisyearfromthehacktivistgroupsLulzSecandAnonymous,whousedthistypeofattacktocompromisesystemsofseveralhigh-profileorganizations.Datafromtheearliergraph(Figure 12)showsthatthistypeofattackisontheriseandhasbeenextensiveforsometime.
Thechartandtimelineonthenextpage(Figure 13)demonstratehowSQLiattackshaveevolvedovertheyears.
1998RainForestPuppy(RFP)discloses/discussestheinitialideaofSQLInjectionin phrack Magazine(Volume9,Issue54)
2000SQLInjectionFAQChipAndrewsusesthefirstpublicusageoftermSQLInjectionina
paper2003TheideaofblindSQLInjectionisdisclosed/discussed
2006WebapplicationvulnerabilitydisclosureskyrocketsinpartduetoSQLInjection
2008SQLInjectionvulnerabilitydisclosurepeaks
SQL Injection (SQLi)AtypeofWebapplicationvulnerabilitythattakesadvantageofalackofinputvalidationonawebsiteinordertoexecuteunauthorizeddatabasecommandsonaWebapplicationsdatabaseserver.Whensuccessfullyexploited,datacanbeextracted,modified,inserted,ordeletedfromdatabaseserversthatareusedbythevulnerableWebapplication.Incertaincircumstances,SQLInjectioncanbeutilizedtotakecompletecontrolofasystem.
-
8/3/2019 Cyber Security Risks Report
19/24
Rain Forest Puppy (RFP)discloses/discussesthe initial idea ofSQL Injection inPhrack Magazine(volume 9, issue 54)Dec 25, 1998
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 SQL Injection timelin
SQL Injection FAQ Chip Andrews uses thefirst public usage of termSQL Injection in a paperOct 23, 2000
The idea of blind SQL Injection isdisclosed/discussed2003
Hackers have gainedaccess to a databasecontaining personalinformation on 800,000current and former UCLAstudents2006
Web applicationvulnerability disclosureskyrockets in partdue to SQL Injection2006
An estimated500,000 websitescompromised asa result ofSQL Injections2008
SQL Injectionvulnerabilitydisclosure peaks2008
The Asprox botnetleveragesSQL Injection formass drive bySQL Injection attacksto grow botnet2008
Another half a million sites hit with automated SQL Injection2010
HBGary, a technology security firm, was brokeninto by Anonymous using SQL Injection in theirCMS-driven websiteFeb 5, 2011
Expedias TripAdvisor member data stolenas a result of SQL InjectionMar 24, 2011
Barracuda Networks was compromised using anSQL Injection flaw
April 11, 2011
The Asprox botnet leverages SQL Injection formass drive by SQI Injection attacks to growbotnet Aug 5, 2011
LulzSec hacktivists are accused of usingSQL Injection to steal coupons, download keys,and passwords that were stored in plaintext onSonys website, accessing the personal informatiof a million users
June 1, 2011
Group Anonymous claims to have hacked theNATO site, using a simple SQL InjectionJune 5, 2011
Three men, responsible for the largest data security breach in U.S. historystole 130 million credit card and debit card numbers from five leadingcompanies. They took advantage of a coding error, and allegedly used aSQL Injection attack to compromise a Web application, which was used a
the starting point to help them bypass company network firewalls and gaaccess over companies networks.Aug 17, 2009
Figure13
TimelineandevolutionofSQLInjectionattacks
2008TheAsproxbotnetleveragesSQLInjectionformassdrivebySQLiattackstogrowbotnet(http://en.wikipedia.org/wiki/Asprox).FromatleastAprilthroughAugust,asweepofattacksbeganexploitingtheSQLInjectionvulnerabilitiesofMicrosoftsIISWebserverandSQLServerdatabaseserver.Theattackdoesnotrequireguessingthenameofatableorcolumn,anditcorruptsalltextcolumnsinalltablesinasinglerequest.AnHTMLstringthatreferencesamalwareJavaScriptfileis
appendedtoeachvalue.Whenthatdatabasevalueislaterdisplayedtoawebsitevisitor,thescriptattemptsseveralapproachesatgainingcontroloveravisitorssystem.ThenumberofexploitedWebpagesisestimatedat500,000.
OnAugust17,2009,theU.S.JusticeDepartmentchargedanAmericancitizen AlbertGonzalezandtwounnamedRussianswiththetheftof130millioncreditcardnumbersusingaSQLInjectionattack.InreportedlythebiggestcaseofidentitytheftinAmericanhistory,themanstolecardsfromanumberofcorporatevictimsafterresearchingtheirpaymentprocessingsystems.AmongthecompanieshitwerecreditcardprocessorHeartlandPaymentSystems,conveniencestorechain7-Eleven,andsupermarketchainHannafordBrothers.
OnFebruary5,2011,HBGary,atechnologysecurityfirm,wasbrokenintobyAnonymoususingaSQLInjectionintheirCMS-drivenwebsite.
OnApril11,2011,BarracudaNetworkswascompromisedusingaSQLInjectionflaw.Emailaddressesandusernamesofemployeeswereamongtheinformationobtained.
OnJune1,2011,hacktivistsofthegroupLulzSecwereaccusedofusingSQLitostealcouponsandtodownloadkeysandpasswordsthatwerestoredinplaintextonSonyswebsite,accessingthepersonalinformationofamillionusers.
InJune2011,GroupAnonymousclaimstohavehackedtheNATOsite,usingasimpleSQLInjection.
http://en.wikipedia.org/wiki/Asproxhttp://en.wikipedia.org/wiki/Internet_Information_Serviceshttp://en.wikipedia.org/wiki/Microsoft_SQL_Serverhttp://en.wikipedia.org/wiki/Microsoft_SQL_Serverhttp://en.wikipedia.org/wiki/Microsoft_SQL_Serverhttp://en.wikipedia.org/wiki/Albert_Gonzalezhttp://en.wikipedia.org/wiki/Heartland_Payment_Systemshttp://en.wikipedia.org/wiki/7-Elevenhttp://en.wikipedia.org/wiki/Hannaford_Brothershttp://en.wikipedia.org/wiki/HBGaryhttp://en.wikipedia.org/wiki/Anonymous_(group)http://en.wikipedia.org/wiki/Lulzsechttp://en.wikipedia.org/wiki/Anonymous_(group)http://en.wikipedia.org/wiki/NATOhttp://en.wikipedia.org/wiki/NATOhttp://en.wikipedia.org/wiki/Anonymous_(group)http://en.wikipedia.org/wiki/Lulzsechttp://en.wikipedia.org/wiki/Anonymous_(group)http://en.wikipedia.org/wiki/HBGaryhttp://en.wikipedia.org/wiki/Hannaford_Brothershttp://en.wikipedia.org/wiki/7-Elevenhttp://en.wikipedia.org/wiki/Heartland_Payment_Systemshttp://en.wikipedia.org/wiki/Albert_Gonzalezhttp://en.wikipedia.org/wiki/Microsoft_SQL_Serverhttp://en.wikipedia.org/wiki/Microsoft_SQL_Serverhttp://en.wikipedia.org/wiki/Internet_Information_Serviceshttp://en.wikipedia.org/wiki/Asprox -
8/3/2019 Cyber Security Risks Report
20/24
20
Figure14
Webapplicationvulnerabilitiesdisclosed,JanuaryJune2011
5%
25%
60%
10%
PHP/RFI
SQLi
XSS
CSRF
Figure15
TotalWebapplicationattacks,JanuaryJune2011
11%
68%
21%
PHP/RF
SQLi
XSS
WithSQLiattacks,itisreadilyapparentthatattackersarecontentleveragingexistingvulnerabilitiesfortheirexploits.Thegraphsabove(Figures 14 and 15)showaside-by-sidecomparisonofthemostreportedtypesofWebapplicationvulnerabilitiesversesthemostattackedWebapplicationvulnerabilities.SQLivulnerabilitiesmakeupaquarterofthenewvulnerabilitiesrerteforthefirsthalfof2011.YetSQLiattacksmakeupmorethan60percentoftheWebapplicationattacks seenintheHPTippingPointIPS.
Webapplicationsareaffectedbymultipletypesofattacks,andSQLiandXSSarejusttwothathavereceivedasignificantamountofmediaattentionoverthelastfewmonths.ThenextsectionofthispaperpresentsgeneralmitigationstrategiesforprotectingWebapplicationsanddecreasingtherisk
ofoutages,dataloss,ornetworkcompromisethatcanresult.Mitigation
Visibilityisincreasinglybecomingoneofthemostimportantaspectsofinformationsecurity,alongwithreducingtheoverallattacksurfacemadeavailabletoattackers.Tomitigateriskresponsibly,organizationsshouldtestcodeindevelopment,scanforvulnerabilitiesinQAbeforestaging,andtestapplicationsinproductiononanongoingbasis.ThefollowinginformationisintendedtohelpdeveloperscorrectcertainspecificcategoriesofcriticalWebapplicationvulnerabilities.
-
8/3/2019 Cyber Security Risks Report
21/24
Cross-Site Request Forgery
ResolvingCross-SiteRequestForgeryisnotasimpletask,anditactuallymayrequirerecodingeveryformandfeatureofaWebapplication.WhilenomethodofpreventingCross-SiteRequestForgeryisperfect,usingCross-SiteRequestForgerynoncetokenseliminatesmostoftherisk.Althoughanattackermayguessavalidtoken,noncetokensareneverthelessthemosteffectivesolutionforpreventingCross-SiteRequestForgeryattacks.Ausercanbeverifiedaslegitimatebygeneratingasecret,suchasasecrethashortoken,aftertheuserlogsin.Thesecretshouldbestoredinaserver-sidesessionandthenincludedineverylinkandsensitiveform.EachsubsequentHTTPrequestshouldincludethistoken;otherwise,therequestisdeniedandthesessioninvalidated.ThetokenshouldnotbethesameasthesessionIDincaseaCross-SiteScriptingvulnerabilityexists.Initializethetokenasothersessionvariables.Itcanbevalidatedwithasimpleconditionalstatement,anditcanbelimitedtoasmalltimeframetoenhanceitseffectiveness.AttackersneedtoincludeavalidtokenwithaCross-SiteRequestForgeryattackinordertomatchtheformsubmission.Becausetheuserstokenisstoredinthesession,anyattackerwouldneedtousethesametokenasthevictim.
CAPTCHAcanalsopreventCross-SiteRequestForgeryattacks.WithCAPTCHA,auserneedstoenterawordshownindistortedtext,containedinsideanimage,beforecontinuing.Theassumptionisthatacomputercannotdeterminethewordinsidethegraphic,althoughahumancan.CAPTCHArequiresthatauserauthorizespecificactionsbeforetheWebapplicationinitiatesthem.Itisdifficulttocreatea
scriptthatautomaticallyenterstexttocontinue,butresearchisunderwayonhowtobreakCAPTCHAs,sostrongCAPTCHAsareanecessity.BuildingasecureCAPTCHAtakesmoreeffort.Inadditiontomakingsurethatcomputerscannotreadtheimages,youneedtomakesurethattheCAPTCHAcannotbebypassedatthescriptlevel.ConsiderwhetheryouusethesameCAPTCHAmultipletimes,makinganapplicationvulnerabletoareplayattack.AlsomakesuretheanswertotheCAPTCHAisnotpassedinplaintextaspartofaWebform.
SQL Injection
SQLInjectionarisesfromanattackersmanipulationofquerydatatomodifyquerylogic.ThebestmethodofpreventingSQLInjectionattacksis,therefore,toseparatethelogicofaqueryfromitsdata;thiswillpreventcommandsinsertedfromuserinputfrombeingexecuted.Thedownsideofthisapproachisthatitcanhaveanimpactonperformance,albeitslight,andthateachqueryonthesitemustbestructuredinthismethodforittobecompletelyeffective.Ifonequeryisinadvertentlybypassed,that
couldbeenoughtoleavetheapplicationvulnerabletoSQLInjection.ThefollowingcodeshowsasampleSQLstatementthatisSQLinjectable.
sSql=SELECTLocationNameFROMLocations;
sSql=sSql+WHERELocationID=+Request[LocationID];
oCmd.CommandText=sSql;
ThefollowingexampleutilizesparameterizedqueriesandissafefromSQLInjectionattacks.
sSql=SELECT*FROMLocations;
sSql=sSql+WHERELocationID=@LocationID;
oCmd.CommandText=sSql;
oCmd.Parameters.Add(@LocationID,Request[LocationID]);
-
8/3/2019 Cyber Security Risks Report
22/24
22
TheapplicationwillsendtheSQLstatementtotheserverwithoutincludingtheusersinput.Instead,aparameter-@LocationID-isusedasaplaceholderforthatinput.Inthisway,userinputneverbecomespartofthecommandthatSQLexecutes.Anyinputthatanattackerinsertswillbeeffectivelynegated.Anerrorwouldstillbegenerated,butitwouldbeasimpledata-typeconversionerror,andnotsomethingthatahackercouldexploit.
ThefollowingcodesamplesshowaproductIDbeingobtainedfromanHTTPquerystringandthenusedinaSQLquery.NotehowthestringcontainingtheSELECTstatementpassedtoSqlCommandissimplyastaticstringandisnotconcatenatedfrominput.AlsonotehowtheinputparameterispassedusingaSqlParameterobject,whosename(@pid)matchesthenameusedwithintheSQLquery.
C#sample:
stringconnString=WebConfigurationManager.ConnectionStrings[myConn].ConnectionString;
using(SqlConnectionconn=newSqlConnection(connString))
{
conn.Open();
SqlCommandcmd=newSqlCommand(SELECTCount(*)FROMProductsWHEREProdID=@pid,
conn);
SqlParameterprm=newSqlParameter(@pid,SqlDbType.VarChar,50);
prm.Value=Request.QueryString[pid];
cmd.Parameters.Add(prm);
intrecCount=(int)cmd.ExecuteScalar();
}
VB.NETsample:
DimconnStringAsString=WebConfigurationManager.ConnectionStrings(myConn).ConnectionString
UsingconnAsNewSqlConnection(connString)
conn.Open()
DimcmdAsSqlCommand=NewSqlCommand(SELECTCount(*)FROMProductsWHEREProdID=@pid,conn)
DimprmAsSqlParameter=NewSqlParameter(@pid,SqlDbType.VarChar,50)
prm.Value=Request.QueryString(pid)
cmd.Parameters.Add(prm)
DimrecCountAsInteger=cmd.ExecuteScalar()
EndUsing
-
8/3/2019 Cyber Security Risks Report
23/24
2
Cross-Site Scripting
Cross-SiteScriptingattackscanbeavoidedbycarefullyvalidatingallinputandproperlyencodingalloutput.Whenvalidatinguserinput,verifythatitmatchesthestrictestdefinitionpossibleofvalidinput.Forexample,ifacertainparameterissupposedtobeanumber,attempttoconvertittoanumericdatatypeinyourprogramminglanguage.
PHP:intval(0.$_GET[q]);
ASP.NET:int.TryParse(Request.QueryString[q],outval);
Thesameappliestodateandtimevalues,oranythingthatcanbeconvertedtoastrictertypebeforebeingused.Whenacceptingothertypesoftextinput,makesurethevaluematcheseitheralistofacceptablevalues(white-listing),orastrictregularexpression.White-listinginvolvescreatingalistofacceptablecharacters,asopposedtoblack-listing,whichisalistofunacceptablecharacters.Ifatanypointthevalueappearsinvalid,donotacceptit.Also,donotattempttoreturnthevaluetotheuserinanerrormessage.
Mostserver-sidescriptinglanguagesprovidebuilt-inmethodstoconvertthevalueoftheinputvariableintocorrect,non-interpretableHTML.Theseshouldbeusedtosanitizeallinputbeforeitisdisplayedtotheclient.
PHP:stringhtmlspecialchars(stringstring[,intquote_style])
ASP.NET:Server.HTMLEncode(strHTMLString)
WhenreflectingvaluesintoJavaScriptoranotherformat,makesuretouseatypeofencodingthatisappropriate.EncodingdataforHTMLisnotsufficientwhenitisreflectedinsideofascriptorstylesheet.Forexample,whenreflectingdatainaJavaScriptstring,makesuretoencodeallnon-alphanumericcharactersusinghex(\xHH)encoding.
IfyouhaveJavaScriptonyourpagethataccessesunsafeinformation(likelocation.href)andwritesittothepage(eitherwithdocument.write,orbymodifyingaDOMelement),makesurethedataisencodedforHTMLbeforewritingittothepage.JavaScriptdoesnothaveabuilt-infunctiontodothis,butmanyframeworksdo.Ifyouarelackinganavailablefunction,somethinglikethefollowingwillhandlemostcases:
s=s.replace(/&/g,&).replace(//i,").replace(//i,>).replace(//i,')
Ensurethatyouarealwaysusingtherightapproachattherighttime.Validatinguserinputshouldbedoneassoonasitisreceived.Encodingdatafordisplayshouldbedoneimmediatelybeforedisplayingit.
-
8/3/2019 Cyber Security Risks Report
24/24
Get connectedwww.hp.com/go/getconnected
Get the insider view on tech trends, alerts, andHP solutions for better business outcomes
Sharewithcolleagues
Copyright2011Hewlett-PackardDevelopmentComp any,L.P.Theinformationcontainedhereinissubjecttochangewithoutnotice.TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.HPshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.
Remote File Includes
Asthesayinggoes,securityisbakedin,notbrushedon.Anyapplicationunderdevelopmentshouldbedesignedwithsecurityinmindfromtheonset.ThefollowingrecommendationswillhelpyoubuildWebapplicationsthatarenotsusceptibletoparameterincludevulnerabilities.
Definewhatisallowed.EnsurethattheWebapplicationvalidatesallinputparameters(cookies,headers,querystrings,forms,hiddenfields,etc.)againstastringentdefinitionofexpectedresults.Thebestmethodofdoingthisisviawhite-listing;thisisdefinedasonlyacceptingspecificaccountnumbersorspecificaccounttypesforthoserelevantfields,oronlyacceptingintegersorlettersoftheEnglishalphabetforothers.Manydeveloperswilltrytovalidateinputbyblack-listingcharacters,orescapingthem.Basically,thisentailsrejectingknownbaddatabyplacinganescapecharacterinfrontofitsothattheitemthatfollowswillbetreatedasaliteralvalue.Thisapproachisnotaseffectiveaswhite-listingbecauseitisimpossibletoknowallformsofbaddataaheadoftime.
ChecktheresponsesfromPOSTandGETrequeststoensurewhatisbeingreturnediswhatisexpected,andisvalid.
Verifytheoriginofscriptsbeforeyoumodifyorutilizethem.
Donotimplicitlytrustanyscriptgiventoyoubyothers(whetherdownloadedfromtheWeborgiventoyoubyanacquaintance)foruseinyourowncode.
Referenceshttp://techtimely.wordpress.com/2011/04/22/web-hacking-threats/
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.phrack.org/issues.html?id=8&issue=54
http://sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx
http://www.isti.tu-berlin.de/fileadmin/fg214/Papers/ravi-asprox.pdf
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3
http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/
http://techtimely.wordpress.com/2011/04/22/web-hacking-threats/https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Projecthttp://en.wikipedia.org/wiki/Cross-site_scriptinghttp://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/http://nakedsecurity.sophos.com/2011/06/02/sony-pictures-attacked-again-4-5-million-records-exposed/http://en.wikipedia.org/wiki/Cross-site_scriptinghttps://www.owasp.org/index.php/Category:OWASP_Top_Ten_Projecthttp://techtimely.wordpress.com/2011/04/22/web-hacking-threats/