8/8/2019 Spi Workshop Preso Worm Hack2
http://slidepdf.com/reader/full/spi-workshop-preso-worm-hack2 1/56
SPI Dynamics Confidential
Agenda
Part 1: Introduction – How on earth did we get to this point?
Part 2: Identifying the Problem – How does this stuff happen?
Part 3: Key Application Vulnerabilities – Past, present and future
Part 4: What Application Security Means to Compliance Efforts and how to fix the problem.
Part 5: More information and online resources
Part 6: Q&A
Part One
Introduction
Who We Are - SPI Dynamics in a nutshell
Application Security - How did we get to this point?
SPI Dynamics
We manufacture and license WebInspect, our industry-leading web application security assessment product, to enterprises, consultants, and other institutions, both directly and via global partners.
We own the world’s leading database of web application security vulnerabilities, SecureBase™.
SecureBase is updated frequently by SPI Labs, our U.S.-based research & development organization.
The Leader In Web Application Security Assessment
Web Sites
(Diagram: Browser → Web Server serving HTML and CGI)
Simple, single-server solutions
Web Applications
(Diagram of a multi-tier web application: Browser and Wireless clients; Web Servers / Presentation Layer; Application Server / Business Logic, Web Services, Content Services; Media Store; Database Server holding Customer Identification, Access Controls, Transaction Information and Core Business Data)
Very complex architectures, multiple platforms, multiple protocols
Common Web Applications
The Absolute Truth
All code has bugs – regardless of platform, language or application.
From a Microsoft to a Mom and Pop’s home-brewed application, all code has bugs.
Some bugs are functionality bugs, which are discovered by QA.
Other bugs are security bugs, which largely go unidentified.
As long as functionality is the main objective and not security, there will always be vulnerabilities in computer applications.
Why These Things Happen
(Diagram: application design compared with the developed application, with the labelled regions below)
This is your application design.
This is your developed application.
This is all the stuff that your application is supposed to do.
This is all the stuff that your application was supposed to do, but doesn’t do. These are functionality bugs.
This is all the stuff that your application CAN also do, but you’re not aware of. These are security vulnerabilities.
Why Web Application Attacks Occur
The Web Application Security Gap
Application Developers and QA Professionals Don’t Know Security:
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security in mind.”
Security Professionals Don’t Know The Applications:
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
Web Applications Breach the Perimeter
(Diagram: Internet → DMZ → Trusted Inside → Corporate Inside, with HTTP passing through each firewall; FTP, TELNET, IMAP, SSH and POP3 are shown at the perimeter)
Firewall only allows PORT 80 (or 443 SSL) traffic from the internet to the web server. (Rule: Any – Web Server: 80)
Firewall only allows applications on the web server to talk to the application server. (Rule: Web Server – Application Server)
Firewall only allows the application server to talk to the database server. (Rule: Application Server – Database)
Web Applications Invite Public Access
“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the network or system layer.”
- Gartner Group
Web Application Risk
“Web application incidents cost companies more than $320,000,000 in 2001.”
Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
“2002 Computer Crime and Security Survey”
Computer Security Institute & San Francisco FBI Computer Intrusion Squad
Part Two
Identifying the Problem
What are the primary vulnerabilities? How and why they occur
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas: Platform, Administration and Application.
(Diagram: checks grouped under those three areas, some appearing under more than one. The items shown are:)
Known Vulnerabilities
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Parameter Manipulation
Cross-Site Scripting
SQL Injection
Buffer Overflow
Reverse Directory Traversal
JAVA Decompilation
Cookie Manipulation
Application Mapping
Cross Site Scripting (or XSS)
SQL Injection
SQL Injection – Defined
SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first.
Allow me to demonstrate!
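As an added example (not code from the slides), the defect as defined above placed next to the fix a practitioner applies today: binding the value as a query parameter rather than trying to strip characters. The table, rows and inputs are constructed for the demo.

```python
"""Added example (not from the SPI Dynamics slides): client-supplied data
spliced into a SQL query next to the parameterized form. The users table,
its rows and the test inputs are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the value is spliced into the SQL text, so a quote in the
    input changes the structure of the query. Kept only to show the flaw."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: a bound parameter travels as data and is never parsed as SQL,
    so the same input is simply a username that matches no row."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a hostile input; return row counts."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # tautology: makes the WHERE clause always true
    return {
        "benign_vulnerable": len(lookup_user_vulnerable(conn, benign)),
        "benign_safe": len(lookup_user_safe(conn, benign)),
        "hostile_vulnerable": len(lookup_user_vulnerable(conn, hostile)),
        "hostile_safe": len(lookup_user_safe(conn, hostile)),
    }


if __name__ == "__main__":
    # Vulnerable form returns every row for the hostile input; safe form returns none.
    print(demo())
```

The two functions differ by one thing only, how the username reaches the database engine, which is why a code review or an automated scanner can flag string-built queries mechanically.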
Part Three
Key Application Vulnerabilities
Past, Present and Future
Google Hacking
Google Hacking
More than searching for great pr0n.
Google Hacking
Find vulnerable sites using Google (Old method – new life)
Example Search Queries
“filetype:mdb inurl:admin” – 180 results
“Filetype:xls inurl:admin” – 14,100 results
“ORA-00921: unexpected end of SQL command” – 3,470 results
“allintitle:Netscape Enterprise Server Home Page” – 431 results
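The error-message query above works because the site itself served the database error text and a crawler indexed it. An added example (not from the slides): a QA-side check that scans collected response bodies for database error signatures before release, so the leak is found in testing rather than in a search index. The ORA- pattern is the string quoted on the slide; the other signatures are well-known engine messages, and the sample responses are constructed.

```python
"""Added example (not from the SPI Dynamics slides): detect database error
text leaking into HTTP response bodies. Sample responses are constructed."""
import re

# Error signatures from common database engines. The Oracle pattern covers the
# ORA-00921 message quoted on the slide; the rest are well-known engine messages.
DB_ERROR_SIGNATURES = {
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "mysql": re.compile(r"You have an error in your SQL syntax"),
    "mssql": re.compile(r"Unclosed quotation mark after the character string"),
    "postgres": re.compile(r"ERROR:\s+syntax error at or near"),
}


def find_db_error_leaks(body: str) -> list:
    """Return the names of the engines whose error signature appears in body."""
    return sorted(name for name, pat in DB_ERROR_SIGNATURES.items() if pat.search(body))


def scan_responses(responses: dict) -> dict:
    """Map each request path to the leaking engines; clean paths are omitted."""
    findings = {}
    for path, body in responses.items():
        leaks = find_db_error_leaks(body)
        if leaks:
            findings[path] = leaks
    return findings


# Constructed sample responses, as a QA crawler might collect them. The
# malformed id value stands in for any input the application fails to handle.
SAMPLE_RESPONSES = {
    "/products.asp?id=7": "<html><body><h1>Widget</h1><p>$9.99</p></body></html>",
    "/products.asp?id=abc": (
        "<html><body>Error: ORA-00921: unexpected end of SQL command</body></html>"
    ),
    "/login.php": (
        "<html>Warning: You have an error in your SQL syntax; check the manual</html>"
    ),
    "/about.htm": "<html><body>About us</body></html>",
}


def demo() -> dict:
    """Scan the constructed responses and return the pages that leak."""
    return scan_responses(SAMPLE_RESPONSES)


if __name__ == "__main__":
    for path, engines in demo().items():
        print(f"{path}: leaks {', '.join(engines)} error text")
```

Any hit is a finding regardless of how the error was triggered: the fix is a generic error page and server-side logging of the detail, which also removes the site from the result set of queries like the one above.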
Google Hacking
Take this method a step further and use it to narrow your attack victims.
“inurl:id= filetype:asp site:gov” – 572,000 results
“inurl:id= filetype:asp site:com” – 7,150,000 results
“inurl:id= filetype:asp site:org” – 3,240,000 results
Use this list as a baseline for identifying SQL injection vulnerabilities
Google Hacking
Took 1 hour of coding
500 vulnerable sites were found in 1 minute and 26 seconds
Google Hacking
Application Worm
(Diagram: find next victim → exploit victim → exploit victim, repeating)
Enter the Santy Worm
Perl.Santy is a worm written in Perl script that attempts to spread to Web servers running versions of the phpBB 2.x bulletin board software vulnerable to the Viewtopic.PHP PHP Script Injection Vulnerability.
Other systems are not affected. If successful, the worm copies itself to the server and overwrites the files with the following extensions: .asp, .htm, .jsp, .php, .phtm, .shtm
The worm uses the Google search engine to find potential new infection targets. Google has now implemented blocking Perl.Santy search requests, which is expected to greatly reduce the worm's ability to propagate and lower the risk of further infections.
Enter the Santy Worm
Aliases: Perl.Santy.A [Computer Associates], Santy [F-Secure], Net-Worm.Perl.Santy.a [Kaspersky], Perl/Santy.worm [McAfee], PHP/Santy.A.worm [Panda], Perl/Santy-A [Sophos], WORM_SANTY.A [Trend Micro]
Systems affected: UNIX, LINUX, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+
%22viewtopic.php%22+%22
The Past, the Present, and the Future of Hacking
How prolific could this whole scenario be?
Where We’ve Been – The Past
Since most sites were static HTML, not much to do but try to obtain root / admin privileges on the machine or deface the website.
This proved for some great comedy.
Where We’re At– The Present
Since more dynamic and unique content has been added to websites, and users demand even MORE functionality so that they can do everything electronically, insecure content was added at an expedited pace!
And users and management demand even more!
Where We’re Going– The Future
Application hacking is becoming more complex as applications are becoming more complex. The possibilities are endless when it comes down to what you can exploit in web applications.
Take for instance Application Worms, Web Application Worms.
What Application Security Means to Compliance Efforts
How prolific could this whole scenario be?
Types of Compliance Regulations
Privacy
HIPAA (Health Insurance Portability and Accountability Act)
SOX (The Sarbanes-Oxley Act)
GLBA (Gramm-Leach-Bliley Act)
Disclosure
CA1386
Federal Trade Commission
Privacy Policy
Practice
PCI
Privacy
HIPAA (Health Insurance Portability and Accountability Act)
SOX (The Sarbanes-Oxley Act)
GLBA (Gramm-Leach-Bliley Act)
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) mandates the privacy and security of personal health
The Security Rule of the Act recommends information security best practices to protect personal information.
HIPAA requires organizations to perform a HIPAA security risk assessment to determine what applications and data are vulnerable, to ensure proper authentication, access control, and logging systems, and to conduct ongoing auditing of information systems to test for newly discovered vulnerabilities.
Web Challenge:
Establishing a security policy
Establishing standards that support the policy
Effectively auditing to ensure policy compliance
GLBA - The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), formally known as the Financial Modernization Act of 1999, established requirements for financial institutions in the United States to protect consumers’ personal financial information. The GLBA contains three principal requirements:
The Financial Privacy Rule requires financial institutions to publish a privacy notice to their customers
Consumers also must be given the right to limit the sharing of their personal information.
The Safeguards Rules require all financial institutions to design, implement and maintain safeguards and a security plan to protect customer information that they handle.
Web Challenges:
Customer information resides on the same networks as web applications or their associated systems (Databases, etc)
Web front ends for financial systems are a common interface to customer financial systems. These can be susceptible to web application attacks
Requires the development of a policy
Disclosure
CA1386
MANY others are coming VERY SOON
CA 1386
Enacted in order to force anyone holding private personal information to inform consumers immediately if their personal information has been compromised.
The law also gives consumers the right to sue
Any business, organization or individual that holds private personal information for a person residing in the state of California is bound by the provisions of the law, so California SB 1386 has a much greater impact nationally than is typical for state legislation.
Web Challenges:
Is a performance-based law, not policy-based
If you get hacked you have to disclose the incident
Federal Trade Commission
Privacy Policy
www.owasp.org
www.webappsec.org
www.securityfocus.com
www.spidynamics.com
Federal Trade Commission
From: http://www.ftc.gov/privacy/
“Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information.”
Web security challenge: Companies are being investigated for FTC violations because they are not living up to their stated policy
http://www.webappsec.org/documents/real_world_web_hac
PETCO
Guess
Many others
Visa PCI
The Payment Card Industry (PCI) Data Security Standard is a collaborative effort by Visa, MasterCard, American Express and Discover to ensure the protection of customers' personal information.
The standard establishes 12 security requirements that all members, merchants and service providers must adhere to.
Sections 6, 11 and 12 have specific web-related issues.
Web security challenges
PCI is the most comprehensive and specific standard in the industry.
Following the standard will greatly improve a company's web application security overall
Not following PCI can cost a company its ability to process credit cards
VISA PCI
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
Go to VISA.COM and search for PCI
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
General compliance needs
Establish a security policy
Identify what will be done to address web application security needs and who will be responsible for it
Follow the policy
Ensure that security policies are being followed throughout the software lifecycle
Document that the policy was followed
Have a record of testing that was done to ensure that the policy was followed
SDLC
The Software Development Lifecycle needs to respect and support compliance efforts
Unlike other compliance efforts, web application security needs to be integrated into the SDLC
ASAP Process
(Diagram: a lifecycle of Requirements, Design, Development, Test (QA) and Release phases, with Regulatory Compliance alongside. Activities shown: Security Training; Threat Modeling; Create Development Standards; Infrastructure Design; Security Kickoff; Source code review; Development Assessment Tools; Pen Testing; Secure coding libraries; QA Automated Assessment tools; QA Manual Assessment tools; Automated assessment tools; Security services; Infrastructure Assessment; Support & Services)
Enterprise-Wide Web Application Security
Web Application Security testing must be applied in all phases of the Application Lifecycle and by all constituencies throughout the enterprise – Auditors, Application Developers, QA and Security Operations.
(Diagram: Web Application Security at the centre, surrounded by the four constituencies A, D, Q and S)
Enterprise-Wide Web Application Security
Application Developers
• Must have clear-cut security requirements to follow during Development and QA phases
• Need to run automated tests on code during Development phase
• Must utilize secure code for re-use
• Require automated testing products that integrate into current environment
Enterprise-Wide Web Application Security
Quality Assurance Professionals
• Must test applications not only for functionality but also for security
• Must test environments for potential flaws and insecurities
• Must provide detailed security flaw reports to development
• Require automated testing products that integrate into current environment
Enterprise-Wide Web Application Security
Security Auditors and Risk and Compliance Officers
• Help define regulatory requirements during the Definition phase of the Application Lifecycle
• Assess applications once they are in the Production phase to validate compliance
• Must act as resource for what is and is not acceptable
Part Five
Other Online Resources
Websites and mailing lists on the net
Websites
SPI Dynamics - www.spidynamics.com
Web Application Security Consortium - www.webappsec.org
CGISecurity.net – http://www.cgisecurity.net/
Open Web Application Security Project - www.owasp.org
WebAppSec Mailing list – Security Focus
Questions?
Contact
Contact
SPI Dynamics, Inc.
115 Perimeter Center Place
Suite 1100
Atlanta, GA 30346
For a free WebInspect™ 15-day trial download visit:
www.spidynamics.com
Brian Christian: [email protected]