James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray

Impact of Plugins on Web Application Security

James Walden, Maureen DoyleNorthern Kentucky University

Students: Andrew Plunkett, Rob Lenhof, John Murray

IMI Security Symposium 2010

1. Web Application Security2. Plugins3. Plugin Vulnerabilities4. Comparing Core and Plugin

Security5. Vulnerabilities by Category6. Conclusions

Topics

2


Why Web Applications?

3


Reasons for Attacking Web Apps

4


Firewalls don’t protect web apps

Firewall

Port 80HTTP Traffic

WebClient

WebServer

Application

Application

DatabaseServer

telnet

ftp

5

History of Web Security

Year Technology Security

1993 CGI Firewalls, SSL

1995 PHP, Javascript Firewalls, SSL

1997 ASP, JSP Firewalls, SSL

2000 REST, SOA Firewalls, SSL

2006 AJAX Firewalls, SSL

IMI Security Symposium 2010 6


Evolution of Web App Security

7

IMI Security Symposium 2010 8

9IMI Security Symposium 2010

SQL Injection

1. App sends form to user.2. Attacker submits form

with SQL exploit data.3. Application builds string

with exploit data.4. Application sends SQL

query to DB.5. DB executes query,

including exploit, sends data back to application.

6. Application returns data to user.

Attacker

Web Server

DB Server

Firewall

User

Pass ‘ or 1=1--


SQL Injection in PHP

$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error());

mysql_select_db($DB_DATABASE);$query = "select count(*) from users where

username = '$username' and password = '$password'";

$result = mysql_query($query);

10


SQL Injection Attack #1

Unauthorized Access Attempt:password = ’ or 1=1 --

SQL statement becomes:select count(*) from users where username =

‘user’ and password = ‘’ or 1=1 --Checks if password is empty OR 1=1, which is

always true, permitting access.

11


SQL Injection Attack #2

Database Modification Attack:password = foo’; delete from table users

where username like ‘%

DB executes two SQL statements:select count(*) from users where username

= ‘user’ and password = ‘foo’delete from table users where username

like ‘%’

12


Exploits of a Mom

http://www.xkcd.com/327/

13


Real Estate Site Hacking

www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*

Exploit against http://phprealestatescript.com/

14


Cross-Site Scripting (XSS)Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing.XSS used to obtain session ID for◦ Bank site (transfer money to attacker)◦ Shopping site (buy goods for attacker)◦ E-mail

Key ideas◦ Attacker sends malicious code to server.◦ Victim’s browser loads code from server and

runs it.15


Anatomy of an XSS Attack

1. Login

2.

Cookie

Web Server

3. XSS Attack

AttackerUser

4. User clicks on XSS link.

5. XSS URL

7. Browser runs injected code.

Evil site saves ID.

8. Attacker hijacks user session.

6. Page with injected code.

16


Are Individual Web Apps Worsening?

17


Example: Addressing Security Issues

18


Add features to apps: Advertising E-commerce Media Security Site Navigation Statistics Themes User Management

Web Application Plugins

19


Is it the core code or core code + plugins? Some apps are almost always deployed with plugins. Plugins are written by non-core developers. Core site may or may not track plugin security.

Some apps are packaged in distributions with plugins such as Drupal which has:

OpenAtrium (Development Seed) Acquia Drupal OpenPublish Pressflow (Four Kitchens)

What makes up a web application?

20


Research Objective

Goal: Identify differences between security of core code and plugins for web applications.

Research questions:1. Are plugins less secure than core code?2. How are vulnerabilities distributed

across plugins?3. How do different applications compare

in terms of plugin security?

21


Open Source◦ Evaluate source code that has no barriers to

access◦ 85% of businesses use open source software◦ Probably all if embedded open source is counted,

such as printers, routers, projectors, etc.

PHP is most widely used language for OS web◦ 35.3% of web apps on Freshmeat are PHP, 14%

Java◦ Most popular apps written in PHP: Drupal, Joomla,

Mediawiki, phpBB, PhpMyAdmin, WordPress

Open Source and PHP Security

22


Open Source Web Apps are Targets

23


Open Source Web Applications

Selection process PHP web applications from freshmeat.net. A central plugin repository. Automatable downloads. At least 10 plugins.

Why PHP? Most popular web applications written in PHP. Can compare applications evenly.

Range of projects 12 projects met selection criteria. 13,535 plugins for these applications. Plugins per app ranged from 10 to 8989

plugins.

24


Reported Vulnerabilities in NVD or OSVD◦ Coarse-grained time evolution.◦ Difficult to correlate with revision.◦ Undercounts actual vulnerabilities.

Dynamic Analysis◦ Expensive.◦ False positives and negatives.◦ Must install and execute application.

Static Analysis◦ Expensive.◦ False positives and negatives.◦ Requires application installation

Measuring Vulnerabilities

25

http://nvd.nist.gov/

http://osvdb.org/


Plugin Size Distribution

26


Plugin Vulnerability Distribution

27


% of Vulnerable Plugins by Size

28


Number of vulnerabilities found by a static analysis tool per 1000 lines of source code.

Fortify SourceAnalyzer 5.8.0

Aggregate SAVD Use aggregate of source code for all

plugins. Total vulnerabilities / Total KSLOC

Average SAVD Compute SAVD for each plugin individually. Average individual plugin SAVD values.

Static Analysis Vulnerability Density

29


Aggregate vs. Average SAVD

phpw

ebsite

achi

evo

galle

ry

drup

al

man

tisbt

roun

dcub

emai

l

know

ledg

etre

e

squi

rrelm

ail

dotp

roje

ct

mod

x

wordp

ress

smar

ty0.00

2.00

4.00

6.00

8.00

10.00

12.00

14.00

16.00

18.00

20.00

1.281.75

2.32 2.32

4.04

6.49

4.32

11.95 12.1213.16

16.42

19.91

1.41 3.26 2.48 2.47 7.38 14.69 3.55 11.73 8.69 12.04 25.81 25.75

aggregate avg

SA

VD

30


Core code developed by small core team. Team experienced with core code over years. May or may not be paid full-time developers. Most sites have some form of security

information.

Plugins developed by many people. Wide variety of programming experience. Few develop more than one plugin and so

have little experience with application compared to core team.

Few plugins mention security unless a vulnerability has been previously reported.

Do plugins make a site less secure?

31


Core vs. Plugin SAVD

32


Drupal tracked both core and plugin vulns since 2006.

Most popular CMS with 1.58% of web sites including whitehouse.gov

Drupal Core vs. Plugins

www.drupalsecurityreport.org

Secure coding documentation. XSS Filter API. DB API to handle SQLi attacks. Input validation API.

33


X-Force 2010H1 Report: Plugins

34


WordPress: Effect of Adding Plugins

35


Mapped SCA categories to OWASP Top 10 2010.◦ SCA 5.8 reports 73

categories, only 25 in this code.

◦ 18 of 25 categories mapped to 5 of OWASP Top 10.

◦ 7 remaining categories did not map to Top 10.

Vulnerability Categories SCA → Top 10

36


OWASP Top 10: Core vs. Plugin

37


Drupal: Core vs. Plugins by Category

www.drupalsecurityreport.org38


OWASP Sum: Core vs. Plugin

39


Conclusions

Plugins slightly less secure than core. Plugins made up 91% of 11.7 MLOC. Contained 92% of 135,907 vulnerabilities.

Plugin SAVD correlates with code size. ρ = 0.91 (strong correlation) Larger plugins are more likely to have

vulnerabilities.

Core SAVD does not correlate w/ code size.

40


Additional Material

41


Vulnerability Type Analysis

2006 2008

42


Plugin Counts and Max Plugin SAVD

43


SAVD by Plugin Size

44


Core vs. Plugin SLOC

45


%vulns by size, - wordpress and drupal

46


SAVD by size, -wordpress and drupal

47

Documents

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray