Web Hacking Incidents Revealed - Trends, Stats and How to ... · Web Hacking Incidents Revealed:...

Web Hacking Incidents Revealed:Trends, Stats and How to Defend

Ryan BarnettSenior Security Researcher

SpiderLabs Research

Copyright Trustwave 2010 Confidential

Ryan Barnett - Background

Trustwave• Senior Security Researcher

−Web application firewall research/development−Virtual patching for web applications

• Member of the SpiderLabs Research Team−Web application firewall signature lead

• ModSecurity Community Manager−Interface with the community on public mail-list−Steer the internal development of ModSecurity

Author• “Preventing Web Attacks with Apache”

Ryan Barnett – Community Projects

Open Web Application Security Project (OWASP)• Speaker/Instructor• Project Leader, ModSecurity Core Rule Set• Project Contributor, OWASP Top 10• Project Contributor, AppSensor

Web Application Security Consortium (WASC)• Board Member• Project Leader, Web Hacking Incident Database• Project Leader, Distributed Open Proxy Honeypots• Project Contributor, Web Application Firewall Evaluation Criteria• Project Contributor, Threat Classification

The SANS Institute• Courseware Developer/Instructor• Project Contributor, CWE/SANS Top 25 Worst Programming Errors

Session Outline

The Challenge of Risk Analysis for Web Applications• Risk Rating Methodology• How to quantify risk?

WASC Web Hacking Incident Database (WHID)• What is it?• Goals• Recent Project Changes and Updates

2010 Semiannual Report (July – December)• Incidents By Attacked Entity Field• Incidents By Outcome• Incidents By Attack Methods• Incidents By Application Weakness• Comparing the OWASP Top 10 vs. the WHID Top 10

Incidents of InterestConclusion

The Challenge of Risk Analysis for Web Application Security

OWASP Risk Rating Methodology

#Step 1: Identifying a Risk

#Step 2: Factors for Estimating Likelihood

#Step 3: Factors for Estimating Impact

#Step 4: Determining Severity of the Risk

#Step 5: Deciding What to Fix

#Step 6: Customizing Your Risk Rating Model

http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

OWASP Risk Rating Methodology

The Challenge of Risk Analysis for Web Applications:Analyzing Public Incidents

Risk Rating Problem

Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)…

Publicly Quantifying Web Incidents is Challenging

Incidents are not detected• ~156 day lapse between

compromise and detection*• Vast majority of cases the merchant

did not identify the intrusion – a 3rd party did based on fraud detection (card brands and banks)*

• Logging Issues - poor logging and/or no one reviewing them for signs of compromise

https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf

Publicly Quantifying Web Incidents is Challenging

Victims hide breaches• Defacement (visible) and information leakage

(regulated) are publicized more than other breaches

• Example - Banks are not forced to disclose when individual customer funds are stolen

Web Hacking Incident Database (WHID)

WASC Web Hacking Incident Database (WHID)

http://projects.webappsec.org/Web-Hacking-Incident-Database

Tracking Public Web Compromises

WHID Goals

• Raise awareness of real-world, web application security incidents

• Provide data for the following Risk Rating steps: • #Step 2: Factors for Estimating Likelihood

−What application weaknesses are actively being targeted?

• #Step 3: Factors for Estimating Impact−What outcome are you worried about?

• #Step 5: Deciding What to Fix−Prioritized listing of remediation issues

• #Step 6: Customizing Your Risk Rating Model−Customized view based on your vertical-market

WHID Data

• Data Samples (statistically insignificant)• Focus on % rather than raw numbers

• Inclusion Criteria• Only publicly disclosed, web related incidents

• Incidents of interest • Defacements of “High Profile” sites are included

• Ensure quality and correctness of incidents• Severely limits the number of incidents that get in

WHID Data: Community Submittal Form

• Community incident submission leverages crowdsourcing

• Project team validation ensures quality

http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident

WHID Database Content

~222 incidents for 2010Incidents since 1999Each incident is classified

• Attack type• Application Weakness• Outcome• Country of organization

attacked• Industry segment of

organization attacked• Country of origin of the

attack (if known)• Vulnerable Software

Additional information:• A unique identifier: WHID

200x-yy• Dates of occurrence and

reporting• Description• Internet references

Real-Time Statistics

http://projects.webappsec.org/Web-Hacking-Incident-Database

• Browse real-time data• Drill down in to incident details• Pivot on key variables (year/vertical market)

Real-time, Searchable DB

WHID data is available year-round

Useful for application developers and researchers

Search by

• Attack method

• Outcome

• Source geography

• and many more…

http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase

Geographic Views

Monitoring WHID Updates

http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed

@wascwhid

WHID 2010 Biannual Status Report:July-December

What Vertical Markets are Attacked Most Often?

What are the Goals for Web Hacking?

What Attack Methods do Hackers Use?

Which Application Weaknesses are Exploited?

#Step 5: Deciding What to FixPrioritized listing of remediation issues

OWASP vs. WHID Top 10OWASP Top 10 WHID Top 10

1 Injection Insufficient Anti-Automation (Brute Force and DoS)

2 Cross-site Scripting (XSS) Improper Output Handling (XSS and Planting of Malware)

3 Broken Authentication and Session Management Improper Input Handling (SQL Injection)

4 Insecure Direct Object Reference Application Misconfiguration (Detailed error messages)

5 CSRF Insufficient Authentication (Stolen Credentials/Banking Trojans)

6 Security Misconfiguration Insufficient Process Validation (CSRF and DNS Hijacking)

7 Insecure Cryptographic Storage Insufficient Authorization (Predictable Resource Location/Forceful Browsing)

8 Failure to Restrict URL Access Abuse of Functionality (CSRF/Click-Fraud)

9 Insecure Transport Layer Protection Insufficient Password Recovery (Brute Force)

10 Unvalidated Redirects and Forwards Improper Filesystem Permissions (info Leakages)

Top Trends

Denial of Service

Layer 4 DDoS Attacks

http://www.cert.org/reports/dsit_workshop.pdf

Layer 4 DDoS Attacks - Botnets

Reach bandwidth or connection limits of hosts or networking equipment.

Fortunately, current anti-DDOS solutions are effective in handling Layer 4 DDOS attacks.

Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity.

Requires lesser number of connections => higher efficiency.

Reach resource limits of services. Can deny services regardless of hardware capabilities of host => higher lethality.

We will focus on protocol weaknesses of HTTP or HTTPS.

HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)

HTTP POST => Wong Onn Chee

http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool

Application Performance Monitoring Dashboard

Excessive Access Rate Detection

Cross-site Scripting (XSS) Defense

Banking Trojans

Questions?

Web Hacking Incidents Revealed - Trends, Stats and How to ... · Web Hacking Incidents Revealed:...

Documents

Web Hacking Incidents Revealed - Trends, Stats and How to ... · Web Application Security Consortium (WASC) • Board Member • Project Leader, Web Hacking Incident Database •

Hacking – Ethical Hacking

# !@ Ethical Hacking. 2 # !@ Ethical Hacking - ? Why – Ethical Hacking ? Ethical Hacking - Process Ethical Hacking – Commandments Reporting

HACKING AUTHENTICATION CHECKS IN WEB … · INDEX •Hacking Authentication Checks in Web Applications Hacking Application Designs Hacking J2EE Container Managed Authentication Hacking

Incidents transfusionnels A. Incidents Immunologiques B. Incidents de surcharge C. Incidents infectieux D. Les risques émergents

Crime Stats Presentation - Amazon Web Services › site › uploads › Chis-de... · 2016-08-21 · crime reporting some crime incidents or some of the crimes occurring during incidents

Stats Lecture 02 Descriptive Stats

Hacking Google AdWords - DEF CON® Hacking … · Hacking Google AdWords ... • Use general Google hacking techniques • Bust anyone who is “Google hacking”! Other Interesting

120 Incidents 2015 Stats This comes as no surprise, given 4 … · 2019-05-23 · 2014 2015 429 +23% 348 -37% 552 ... industry regarding reporting of data breaches. ... 2015 Stats

Die Hard 10.0: Ein Drehbuch für Industrielles Hacking · 7 Beispiel eines berühmten Incidents Polnische Stadt Lodz Ein polnischer Teenager studierte das System der Strassenbahn

Hacking Rapidshare Complete Hacking Process

03.30.14 Stats (Final Spring Stats)

Stats on Stats ETF August 2016

CyRes - sis.pitt.edu€¦ · Recent cyberattacks, such as the Target breach, Sony hacking incident, BlackEnergy malware, Anthem cyber-attack, the Chinese hacking incidents, etc.,

Hacking Incidents that made Headlines

Hacking Tips & Tricks - OWASP 2 Agenda Security Incidents Vulnerability Assessment Wireless Hacking Bluetooth Hacking Advance password hacking

Hacking health-camp - Hacking Health

Before the FEDERAL COMMUNICATIONS COMMISSION … Petition FINAL.pdf · roadways. Over the last year, a number of high profile hacking incidents have highlighted the extraordinary

Stats on Stats ETF June 2016

The Web Hacking Incidents Database (WHID) Report: January