
Page 1: Proactive Forensics of Web Application Attacks

Proactive Forensics of Web Application Attacks

Shlomi Ben-Hur and Shay Chen, Hacktics ASC

June 2013

A Step By Step Guide

Page 2: Proactive Forensics of Web Application Attacks

Detecting Attacks that Slipped Past the WAF – Proactive Web Forensics, Page 2

Shlomi Ben-Hur ► Hacktics ASC, E&Y ► Forensics Service Leader

Shay Chen ► Hacktics ASC, E&Y ► Chief Technology Officer

Introduction

[email protected] [email protected]

Page 3: Proactive Forensics of Web Application Attacks


Proactive Web Forensics (PWF): What’s New?

The Business Case
► An excellent tool for managing budgets and priorities
► Proactive process benefits

Recent Technical Advancements
► Methodology per vulnerability (as in Security Assessments)
► New commercial tools and open source projects

Page 4: Proactive Forensics of Web Application Attacks


Live Demo: Using PWF to Detect Incidents

Page 5: Proactive Forensics of Web Application Attacks


A Missing Piece: The Limitations of Traditional Security Controls

Page 6: Proactive Forensics of Web Application Attacks


Traditional Services – Penetration Tests

Locates “A possible way into the system”

X Doesn’t provide solid proof the system was hacked

Do we know if the system was Hacked?

Page 7: Proactive Forensics of Web Application Attacks


Traditional Services – Forensics

Identify and trace back security incidents

X Trace-back limited to the attacks that caused the impact

In the absence of a “trigger”, we’re left unaware as to whether the system was actually compromised

Page 8: Proactive Forensics of Web Application Attacks


The Current Coverage of Security Controls

Vulnerabilities – Security Testing (Attack & Pen)

Attacks – SIEM/SOC

Incidents – Reactive Forensics

Undetected Incidents, Attacks & Vulnerabilities

Page 9: Proactive Forensics of Web Application Attacks


What is Proactive Web Forensics?

Attacks leave traces and audit trails

Familiarity with System Architecture

Identify attacks and hacking incidents for each component

Page 10: Proactive Forensics of Web Application Attacks


The outcome of a PWF process

Provides evidence of system hacks

Identifies how attacks were performed

Evaluates the severity of hacks

Page 11: Proactive Forensics of Web Application Attacks


Benefits of Proactive Web Forensics

Identify your most attacked/hacked systems

Identify the impact on sensitive systems

Page 12: Proactive Forensics of Web Application Attacks


Benefits of Proactive Web Forensics

Sensitive Systems

Most Hacked Systems

Request Budget Based on Facts

Manage Resources Effectively

Improve Risk Management

Spot-on Security Controls

Page 13: Proactive Forensics of Web Application Attacks


We’re currently mitigating POSSIBILITIES,Wouldn't we do it better if we mitigated FACTS?

Page 14: Proactive Forensics of Web Application Attacks


Proactive Web Forensics: Capabilities, Methodologies and Tools

Page 15: Proactive Forensics of Web Application Attacks


WHID Incidents

Page 16: Proactive Forensics of Web Application Attacks


Prolonged and Ongoing Incidents

Incident Components
► Vulnerability Detection
► Exploitation
► Incubation Period
► Impact

Incident Timeframes
► Dormant, Ongoing, Prolonged and Immediate
► Incident Response Timeframes

Page 17: Proactive Forensics of Web Application Attacks


Why PWF?

► Exposures detected in pen-tests are rarely investigated; there usually isn’t any attempt to identify past exploits
► Exploitation might have occurred prior to the implementation of countermeasures (WAF / IDS / security mechanisms integration)
► An active or dormant exploit could be hosted on a machine for years, and the evidence may still be there

Page 18: Proactive Forensics of Web Application Attacks


Information Sources

Logs
► App / CMS
► Web Server
► OS
► DB
► Device

File System Metadata
► Property Analysis
► Privilege Analysis

Data
► DB Content Analysis
► Website Analysis
► Macro / Ext

Replica
► SCM Compare
► Backup Compare

3rd Party Sources
► Google Analytics
► External Captcha Verifier

Page 19: Proactive Forensics of Web Application Attacks


Information Sources

Triggers
► Penetration Test Reports

File System
► File Metadata
► Crash Dump Files

Content
► Data Repository Content (DB, Web, File, LDAP, etc.)

Log Files
► OS, Web Server, DB, Application, Network Devices
► Security Products, Forensics Blackbox, SIEM/SOC

3rd Party Analysis Tools
► Google Analytics, External Captcha Repositories, etc.

Page 20: Proactive Forensics of Web Application Attacks


Injections: SQL, OS Commanding, LDAP, SSJS, Format String, MX, CRLF, XPath, XML / HTTP, SSI, Null Byte, Code (ASP/JSP/PHP)

Client Targeted: Persistent XSS, Reflected XSS, DOM XSS, Cross Frame Scripting, Open Redirect, CSRF, Clickjacking, Content Spoofing

Manipulations: Path Traversal, LFI / RFI, Insecure Direct Object Reference, Malicious File Upload, HTTP Verb Tampering, Log Forging, Integer / Buffer Overflow

Direct Access: Forceful Browsing, Flow Bypass, Predictable Resource Access, Obsolete Resource Access

Page 21: Proactive Forensics of Web Application Attacks


POC: Locating Persistent XSS in System DB

► Persistent XSS relies on HTML/JS/VBS injection, in either clear or encoded form; these patterns can be detected by scanning the data stored in the database and the content hosted on the website:
► iScanner / ScanEx vs. Live Web Site
► OWASP Scrubber vs. Database
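As an added illustration of the database scan this slide describes (example code written for this page, not code from the deck, OWASP Scrubber, iScanner or ScanEx): a Python script that walks every text column of every table, peels off HTML-entity and percent-encoding until a value stops changing, and flags rows that carry script-capable markup. The `comments` table and its rows are constructed inline; the marker patterns and the SQLite back end are assumptions.

```python
"""Scan stored database content for persistent-XSS traces.

Added example in the spirit of running OWASP Scrubber against a DB.
It walks every text column of every table, decodes common encodings
(HTML entities, percent-encoding) until the value stops changing, and
flags values that contain HTML/JS/VBS injection markers. The sample
database is constructed inline so the script runs offline.
"""
import html
import re
import sqlite3
from urllib.parse import unquote

# Markers that indicate script-capable markup rather than plain text (assumed list).
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_uri": re.compile(r"(?:javascript|vbscript):", re.I),
    "active_embed": re.compile(r"<\s*(?:iframe|object|embed|svg)\b", re.I),
}


def normalize(value: str, max_rounds: int = 5) -> str:
    """Repeatedly decode HTML entities and percent-encoding.

    Payloads are often stored encoded so they survive storage filters
    but decode in the browser; the scanner must look at the decoded
    form. The loop stops when a round changes nothing or after max_rounds.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def classify(value: str) -> list:
    """Return the names of the XSS markers present in the decoded value."""
    decoded = normalize(value)
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(decoded)]


def scan_database(conn: sqlite3.Connection) -> list:
    """Scan every text column of every table; each finding is
    (table, column, rowid, [markers])."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk)
        columns = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(value, str):
                    markers = classify(value)
                    if markers:
                        findings.append((table, col, rowid, markers))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a comments table with benign and injected rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", [
        ("alice", "Great article, thanks!"),
        ("bob", "Use <b>bold</b> for emphasis"),  # harmless markup, must not be flagged
        ("mallory", "<script>document.location='http://evil.example/'</script>"),
        ("mallory", "&lt;img src=x onerror=alert(1)&gt;"),  # entity-encoded
        ("mallory", "%3Ciframe%20src%3D%22javascript%3Aalert(1)%22%3E"),  # percent-encoded
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, col, rowid, markers in scan_database(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: {', '.join(markers)}")
```

The decode loop is the part that matters in practice: a stored `&lt;script&gt;` or `%3Cscript%3E` is invisible to a naive `LIKE '%<script%'` query but renders as markup once the application echoes it.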

Page 22: Proactive Forensics of Web Application Attacks


POC: Locating Malicious File Upload

► Abusing vulnerabilities to upload malicious files eventually results in a malicious file residing in the context of the web application:
► Check the system metadata of the application files and locate abnormal date/time, permissions or similar properties.
► Use WinMerge to compare the application files in the production environment to those of the relevant build in the development / staging environment.
► Recover deleted file names in the web application directories.
► Compare deleted file names to historical file names in the source code management systems.
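An added example of the production-versus-build comparison described in this slide (example code written for this page, not from the deck and not WinMerge): a Python script that hashes every file under a trusted build tree and under the production web root, reports files added, removed or changed in production, and singles out added or changed files whose extension the web server would execute, together with their metadata. Both trees, the file names and the extension list are constructed assumptions.

```python
"""Compare a production web root against a trusted build to find dropped files.

Added example in the spirit of slide 22: hash both trees, diff them,
and flag new or modified server-executable files (the typical trace
of an abused upload feature). Both trees are built in a temporary
directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute; a new file with one of these
# under a content directory is the first thing to look at (assumed list).
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl"}


def hash_tree(root: Path) -> dict:
    """Map relative path -> (sha256, mtime, mode) for every regular file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            st = path.stat()
            result[path.relative_to(root).as_posix()] = (digest, st.st_mtime, st.st_mode & 0o777)
    return result


def compare_trees(build: Path, prod: Path) -> dict:
    """Diff the two trees; 'suspicious' lists executable files that are new or
    modified in production, 'details' carries their hash, mtime and mode."""
    base, live = hash_tree(build), hash_tree(prod)
    added = sorted(set(live) - set(base))
    removed = sorted(set(base) - set(live))
    changed = sorted(p for p in set(base) & set(live) if base[p][0] != live[p][0])
    suspicious = sorted(p for p in added + changed
                        if Path(p).suffix.lower() in EXECUTABLE_EXT)
    details = {p: {"sha256": live[p][0], "mtime": live[p][1], "mode": oct(live[p][2])}
               for p in suspicious}
    return {"added": added, "removed": removed, "changed": changed,
            "suspicious": suspicious, "details": details}


def build_sample_trees(base_dir: Path) -> tuple:
    """Constructed sample: a staging build and a production copy that differs in three places."""
    build = base_dir / "staging"
    prod = base_dir / "production"
    files = {
        "index.php": "<?php echo 'home'; ?>",
        "lib/db.php": "<?php // connection code ?>",
        "uploads/avatar1.png": "PNG-bytes",
        "css/site.css": "body { margin: 0 }",
    }
    for root in (build, prod):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Production-only differences: an unexpected PHP file in the upload
    # directory, a modified library file, and a missing stylesheet.
    (prod / "uploads" / "img.php").write_text("<?php /* unexpected executable */ ?>")
    (prod / "lib" / "db.php").write_text("<?php // connection code + extra ?>")
    (prod / "css" / "site.css").unlink()
    return build, prod


def run_sample() -> dict:
    """Build the sample trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        build, prod = build_sample_trees(Path(tmp))
        return compare_trees(build, prod)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The comparison is only as good as the baseline: the build tree must be the exact release that was deployed (from SCM or a verified backup), otherwise every legitimate hotfix shows up as a change and buries the one file that matters.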

Page 23: Proactive Forensics of Web Application Attacks


POC: Locating SQL Injection Attempts

► SQL Injection is often performed after multiple attempts with invalid syntax. These attempts often cause exceptions that leave traces in multiple layers:
► Apache Scalp & PHP IDS on System Logs

Page 24: Proactive Forensics of Web Application Attacks


Page 25: Proactive Forensics of Web Application Attacks


Prominent Open Source Analysis Tools

Initial Log Analysis
► AWStats

Log Analysis Tools
► Apache Scalp & PHP IDS Engine
► Web Forensik
► PHP IDA

File Metadata Analysis Tools
► WinMerge

Content/Data Analysis
► iScanner / ScanEx
► OWASP Scrubber

Page 26: Proactive Forensics of Web Application Attacks


Proactive Forensics Methodology

Profile
► Infrastructure
► Optional/Default Logs
► 3rd Party Sources
► Content Replica
► Environment

Compare
► File Update Timeline
► Prd vs. Dev
► Prd vs. SCM
► Prd vs. Base
► Structure

Analyze
► Website Content
► Database Content
► Logs (Various Layers)
► Uploaded Files
► 3rd Party Data

Conclude
► Identify Anomalies
► Detect Patterns
► Correlate Incidents
► Traceback
► Impact

Page 27: Proactive Forensics of Web Application Attacks


Log Analysis Prerequisites

Infrastructure Familiarity
► CMS/Framework Logs
► OS/Database Logs
► Crash Dump Files

Application Familiarity
► External Data Tracked by 3rd Party Components

Page 28: Proactive Forensics of Web Application Attacks


WordPress / Apache / MySQL Sample

WordPress
► Optional* configuration in file ‘wp-config.php’; relevant values:
► @ini_set('log_errors','On')
► @ini_set('error_log','/SecuredPath/logs/wp-php_error.log')

Apache
► Default Access and Error log paths:
► Linux installation: ‘/var/log/apache2/’ - access_log, error_log
► Windows installation: ‘Apache root/logs/’ - access.log, error.log

MySQL
► By default, the server writes files for all enabled logs in the data directory (i.e. …)
► By default, no logs are enabled (except the error log on Windows). Optional log types: Error log, General Query log, Binary log, Relay log, Slow query log

Page 29: Proactive Forensics of Web Application Attacks


Environment Comparison Prerequisites

Version History
► SCM Repositories: SVN, CVS, Mercurial, Git, SourceSafe, etc.
► Developer Stations

Backup Solutions
► NAS, Drives, Cloud, etc.

Technology Familiarity
► Identify executables, legitimate and illegitimate files

Page 30: Proactive Forensics of Web Application Attacks


Proactive Web Forensics in the

Security Lifecycle

Page 31: Proactive Forensics of Web Application Attacks


PWF Triggers in Security Assessments

Embedding PWF in the organization security policy
► After detecting high risk vulnerabilities in penetration tests, follow up and check if they were exploited

Page 32: Proactive Forensics of Web Application Attacks


Proactive Web Forensics Frequency

► Assessment Frequency
► Sample Scenario (timeline figure; only its labels survive): Exposure Detection; Incubation Period; Effective Response Timeframe; Exploit; Impact; Infection; Trojan via SQL Injection; Theft Start; Theft End; 3 Months; 2 Months; PONR; Insurance Timeframe

Page 33: Proactive Forensics of Web Application Attacks


PWF Frequency Formula Glossary

Incubation Period
► The incubation period of the attack AND the exploitation
► Affected by the type of system and the type of exploit

Effective Response Timeframe
► The timeframe in which a proper incident response will still mitigate the damage somehow

PWF Analysis Timeframe
► The assessment segment dedicated to analysing information sources

Analysis Result: the gap between PWF instances

Page 34: Proactive Forensics of Web Application Attacks


Potential Issues

False Positives
► Penetration tests might create similar traces
► Can be mitigated by focusing on events that occurred on dates prior to the penetration test, and/or on events generated from non-trusted sources

An ever growing collection of attack vectors
► Focus on attack vectors with higher severity
► Adapt the assessment for each technology in use
► Enhance the assessment methodology and toolset over time
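An added example that serves two slides at once, the SQL injection trace hunt of slide 23 and the false-positive handling of this slide (example code written for this page, not from the deck and not Apache Scalp or PHP IDS): a Python script that decodes requests in an Apache access log and flags SQL syntax markers, corroborates each hit against SQL syntax errors in the PHP/Apache error log by client address and time, and then discards the hits a penetration test would have produced, keeping only events dated before the test or coming from untrusted sources. The log lines, addresses, dates, the pentest window and the marker patterns are all constructed assumptions.

```python
"""Hunt for SQL injection traces across the web-server and application layers.

Added example in the spirit of slides 23 and 34: flag requests that
carry SQL syntax markers, corroborate them with database syntax errors
in the error log, then drop the noise a known penetration test left.
All log lines below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Apache combined log and Apache/PHP error log line shapes.
ACCESS_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ERROR_RX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

# Syntax that shows up in injection probing but not in ordinary parameter values (assumed list).
SQLI_MARKERS = {
    "tautology": re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),  # quote break + comparison
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "trailing_comment": re.compile(r"(--|#|/\*)\s*$"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "unbalanced_quote": re.compile(r"'\s*$"),                       # parameter ends in a lone quote
}

# Constructed sample logs: an unknown client on 1 June, a legitimate
# apostrophe in a search on 2 June, and a tester's probes on 3 June.
ACCESS_LOG = """\
203.0.113.7 - - [01/Jun/2013:10:15:01 +0000] "GET /item.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 512
203.0.113.7 - - [01/Jun/2013:10:15:20 +0000] "GET /item.php?id=7 HTTP/1.1" 200 2048
192.0.2.5 - - [02/Jun/2013:08:00:00 +0000] "GET /search.php?q=o%27brien HTTP/1.1" 200 1024
198.51.100.10 - - [03/Jun/2013:14:02:11 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 512
198.51.100.10 - - [03/Jun/2013:14:02:13 +0000] "GET /item.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2048
"""
ERROR_LOG = """\
[Sat Jun 01 10:15:02 2013] [error] [client 203.0.113.7] PHP Warning: mysql_query(): You have an error in your SQL syntax near ''1' OR 1=1--'' in /var/www/item.php on line 12
[Mon Jun 03 14:02:12 2013] [error] [client 198.51.100.10] PHP Warning: mysql_query(): You have an error in your SQL syntax near ''1''' in /var/www/item.php on line 12
"""
# Assumed engagement data: the pentest started on 3 June from this source.
PENTEST_START = datetime(2013, 6, 3, tzinfo=timezone.utc)
TRUSTED_SOURCES = {"198.51.100.10"}


def parse_access(lines):
    for line in lines:
        m = ACCESS_RX.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def parse_errors(lines):
    for line in lines:
        m = ERROR_RX.match(line)
        if m:  # error log carries no zone; the sample is taken as UTC
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            yield {"ip": m["ip"], "ts": ts, "msg": m["msg"]}


def sqli_markers(path: str) -> list:
    """Decode the query string and return the names of the markers it contains."""
    decoded = unquote_plus(path.partition("?")[2])
    return [name for name, rx in SQLI_MARKERS.items() if rx.search(decoded)]


def find_sqli_events(access_lines, error_lines, window=timedelta(seconds=5)) -> list:
    """Flagged requests, each marked db_error=True when the same client produced
    a SQL syntax error within `window` (the multi-layer corroboration)."""
    errors = [e for e in parse_errors(error_lines) if "SQL syntax" in e["msg"]]
    events = []
    for req in parse_access(access_lines):
        markers = sqli_markers(req["path"])
        if markers:
            hit = any(e["ip"] == req["ip"] and abs(e["ts"] - req["ts"]) <= window for e in errors)
            events.append({**req, "markers": markers, "db_error": hit})
    return events


def drop_pentest_noise(events, pentest_start, trusted_sources) -> list:
    """Keep events dated before the pentest or not originating from a tester source."""
    return [e for e in events if e["ts"] < pentest_start or e["ip"] not in trusted_sources]


def run_sample() -> tuple:
    events = find_sqli_events(ACCESS_LOG.splitlines(), ERROR_LOG.splitlines())
    return events, drop_pentest_noise(events, PENTEST_START, TRUSTED_SOURCES)


if __name__ == "__main__":
    events, kept = run_sample()
    for e in events:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['ip']} {e['path']} markers={e['markers']} db_error={e['db_error']}")
    print(f"after removing pentest noise: {len(kept)} event(s) remain")
```

Two design points: the query string is decoded before matching, because the `%27` in the access log is the form a WAF bypass or a tool leaves behind, and the `o'brien` search shows why a bare apostrophe must not count as a marker. Corroboration with the error log is what turns a suspicious request into evidence that the injected syntax actually reached the database.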

Page 35: Proactive Forensics of Web Application Attacks


Summary

Page 36: Proactive Forensics of Web Application Attacks


Recommendations

Embed PWF into the organization security lifecycle
► Calculate the PWF frequency based on the threat map
► Perform PWF periodically on sensitive
► Use output to adjust budget allocations and priorities

Perform PWF follow-ups on severe exposures detected in attack and penetration services
► Identify past exploitations of vulnerabilities
► Evaluate the severity of the impact

► Adapt PWF to system specific technology and enhance the PWF tool arsenal

Page 37: Proactive Forensics of Web Application Attacks


References

► WASC Web Hacking Incident Database: http://goo.gl/zNwMU

Presentations
► Web Application IR & Forensics: A whole New Ball Game! (Blackhat Aug 2006 & AppSec Seattle 2006)
► Web Application Digital Forensics (ISACA)

Whitepapers
► Web Application Forensics: Taxonomy and Trends (Krassen Deltchev, Sep 5th, 2011)
► Web Application Forensics: The Uncharted Territory (Ory Segal, July 2002)
► Fingerprinting port 80 Attacks, Part 1 & 2 (CGI Security, March 2002)

Page 38: Proactive Forensics of Web Application Attacks

Thank You!