CMS Hacking
Analyzing the Risk with 3rd Party Applications
Barry Shteiman – Director of Security Strategy
11/7/2013

Published on SlideShare (category: Technology)
ISACA 10/22/2013
Covering an analysis of the 3rd party application threats, focusing on CMS systems.
Speaker notes
  • Popularity > less dev, more results, consistency, ease of use and time-to-deliver
  • WordPress 6.3 M sites; Joomla 1.7 M sites; Drupal 400k sites
  • Organizations choose to outsource code knowingly or unknowingly. Using 3rd party code means a faster development lifecycle, sometimes more mature, NOT more secure.
  • The threat landscape is rich and full of different vulnerabilities. CMSs and their plugins are like petri dishes for vulnerabilities.
  • Hackers have spread thin but effectively.

Slide transcript: CMS Hacking
    1. CMS Hacking: Analyzing the Risk with 3rd Party Applications. Barry Shteiman – Director of Security Strategy, 11/7/2013
       © 2013 Imperva, Inc. All rights reserved. Confidential

    2. Agenda
       • CMS defined
       • Risks and trends
       • Recent incidents
       • Into the details
         - An attack campaign
         - Industrialized attack campaign
       • Reclaiming security

    3. Today's Speaker - Barry Shteiman
       • Director of Security Strategy
       • Security Researcher working with the CTO office
       • Author of several application security tools, including HULK
       • Open source security projects code contributor
       • Twitter @bshteiman

    4. CMS Defined: Content Management System

    5. What is a CMS?
       A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface.
       Source: https://en.wikipedia.org/wiki/Content_management_system

    6. Deployment Distribution
       Source: http://trends.builtwith.com/cms

    7. Enterprise Adoption

    8. Risks and Trends

    9. OWASP Top 10 – 2013 Update
       New: A9 - Using Components with Known Vulnerabilities

    10. 3rd Party
        According to Veracode:
        • "Up to 70% of internally developed code originates outside of the development team"
        • 28% of assessed applications are identified as created by a 3rd party

    11. When a 3rd Party Brings its Friends
        • More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
        • 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks
        -- Checkmarx Ltd. research lab, "The Security State of WordPress' Top 50 Plugins" white paper, June 18, 2013
        You can't fix code you don't own; even if you host your own application, that code has third party components in it.

    12. Attack Surface
        In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions.
        Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)

    13. Classic Web Site Hacking: Single Site Attack
        1. Identify Target   2. Find Vulnerability   3. Exploit

    14. Classic Web Site Hacking: Multiple Site Attacks
        The same three steps (Identify Target, Find Vulnerability, Exploit) repeated for each site: the attacker's effort grows with the number of targets.

    15. CMS Hacking: CMS Targeting Attack
        1. Identify CMS   2. Find Vulnerability   3. Exploit
        One vulnerability in a CMS (or a popular plugin) applies to every site running it, so the attacker finds the vulnerability once and only has to identify which sites run that CMS.

    16. Recent Incidents

    17. 3rd Party Code Driven Incidents
        Breached via a 3rd party application on Drupal.org's own servers.

    18. 3rd Party Code Driven Incidents
        3rd party service provider hacked, customer data affected.

    19. 3rd Party Code Driven Incidents
        Yahoo's 3rd party hack as detailed in Imperva's January HII report.
        HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf

    20. Just Last Week…

    21. Into the Details: How a CMS Attack Campaign Might Look

    22. The Attacker's Focus
        • Server Takeover
        • Direct Data Theft

    23. CMS Mass Hacking
        Step 1: Find a vulnerability in a CMS platform
        Even public vulnerability databases contain thousands of CMS related vulnerabilities. Source: www.exploit-db.com

    24. CMS Gone Wild(card)
        Step 2: Identify a fingerprint in a relevant CMS-based site
        A fingerprint can be:
        • Image
        • URL
        • Tag
        • Object Reference
        • Response to a query
        • etc.

    25. Fingerprinted: Tag based
        The HTML will usually contain fingerprints of the CMS in use (unless obfuscated), for example a generator meta tag that names the CMS and its version, or CMS-specific resource paths in script and stylesheet links.

    26. Fingerprinted: URL based
        An administrator interface may be front facing, allowing detection and login attempts (for example /wp-admin/ on WordPress or /administrator/ on Joomla).
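As an added example (not code from the presentation), the script below implements the tag-based and URL-based fingerprinting of slides 24 to 26: it matches a page's HTML against generator tags and CMS-specific resource paths, and checks which well-known admin and login URLs answered. The signature lists are publicly known WordPress, Joomla and Drupal markers chosen for the demo and are an assumption, not Imperva's signature set; the sample HTML and probe results are constructed, so the script runs offline.

```python
"""CMS fingerprinting from tag-based and URL-based signals.

Added example for the "Fingerprinted" slides; not code from the presentation.
The signature lists are common public markers for WordPress, Joomla and Drupal
(an assumption for the demo). SAMPLE_HTML and SAMPLE_PROBES are constructed.
"""
import re
from collections import defaultdict

# Tag-based fingerprints: regexes matched against the HTML body.
TAG_SIGNATURES = {
    "WordPress": [
        r'<meta\s+name="generator"\s+content="WordPress[^"]*"',
        r'/wp-content/', r'/wp-includes/',
    ],
    "Joomla": [
        r'<meta\s+name="generator"\s+content="Joomla[^"]*"',
        r'/media/system/js/', r'/media/jui/',
    ],
    "Drupal": [
        r'<meta\s+name="generator"\s+content="Drupal[^"]*"',
        r'Drupal\.settings', r'/sites/default/files/', r'/misc/drupal\.js',
    ],
}

# URL-based fingerprints: paths whose presence (status < 400) marks the CMS;
# several of them are the front-facing administrator interfaces of slide 26.
URL_SIGNATURES = {
    "WordPress": ["/wp-login.php", "/wp-admin/", "/xmlrpc.php"],
    "Joomla": ["/administrator/", "/administrator/manifests/files/joomla.xml"],
    "Drupal": ["/user/login", "/CHANGELOG.txt"],
}


def fingerprint_cms(html, probe_status):
    """Return {cms: [evidence, ...]} for every CMS with at least one hit.

    html:         response body of the site's front page
    probe_status: {path: http_status} for the URLs that were probed
    """
    evidence = defaultdict(list)
    for cms, patterns in TAG_SIGNATURES.items():
        for pat in patterns:
            m = re.search(pat, html, re.IGNORECASE)
            if m:
                evidence[cms].append("tag: " + m.group(0)[:60])
    for cms, paths in URL_SIGNATURES.items():
        for path in paths:
            status = probe_status.get(path)
            if status is not None and status < 400:
                evidence[cms].append("url: %s -> %d" % (path, status))
    return dict(evidence)


def best_guess(html, probe_status):
    """Name the CMS with the most evidence, or None when nothing matched."""
    ev = fingerprint_cms(html, probe_status)
    if not ev:
        return None
    return max(ev, key=lambda cms: len(ev[cms]))


def generator_version(html):
    """Extract the version leaked by a generator meta tag, if any."""
    m = re.search(r'<meta\s+name="generator"\s+content="[^"\d]*([\d.]+)',
                  html, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample page: leaks a generator tag and a theme path.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.6.1" />
<link rel="stylesheet" href="/wp-content/themes/twentythirteen/style.css" />
</head><body>hello</body></html>"""

# Constructed probe results, as a scanner would record them.
SAMPLE_PROBES = {"/wp-login.php": 200, "/wp-admin/": 302,
                 "/administrator/": 404, "/user/login": 404}

if __name__ == "__main__":
    for cms, hits in fingerprint_cms(SAMPLE_HTML, SAMPLE_PROBES).items():
        print(cms, hits)
    print("best guess:", best_guess(SAMPLE_HTML, SAMPLE_PROBES),
          "version:", generator_version(SAMPLE_HTML))
```

Run it against your own front page and probe results to see what the site gives away. The generator tag is the cheapest signal to remove (WordPress drops it with `remove_action('wp_head', 'wp_generator')`), but resource paths and the admin URL remain, so treat fingerprinting as something to monitor for rather than something you can fully prevent.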
    27. Google Dork for the Masses
        • Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
        • Results: 144,000
        The query finds copies of the WordPress configuration file saved under an extension other than .php. The web server executes only .php files and serves everything else as static content, so those copies are returned as plain text and indexed by search engines.

    28. Google Dork for the Masses
        In our case: Database Host, User and Password Exposed
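The dork works because a renamed or backed-up wp-config.php is served as text. As an added example (not code from the presentation), the script below walks a webroot and reports such copies together with the credential names they contain, which is the check to run on your own hosts before a search engine runs it for you. The list of backup extensions is an assumption drawn from common editor and admin habits, and the demo webroot is constructed in a temporary directory rather than taken from a real site.

```python
"""Find copies of wp-config.php that a web server would serve as plain text.

Added example for the "Google Dork for the Masses" slides; not code from the
presentation. The set of backup suffixes is an assumption for the demo; the
webroot built by build_demo_webroot() is constructed, not a real site.
"""
import os
import re
import tempfile

# Names a leaked copy typically has. "wp-config.php" itself is excluded: the
# server executes that one instead of returning its source.
CONFIG_COPY = re.compile(
    r'^wp-config(\.php)?(\.(txt|conf|config|bak|old|orig|save|swp|sample|dist)|~)$',
    re.IGNORECASE)
# Credential defines inside a WordPress config file.
CREDENTIAL = re.compile(r"define\(\s*['\"](DB_HOST|DB_USER|DB_PASSWORD)['\"]")


def find_exposed_configs(webroot):
    """Return sorted [(relative_path, [credential names])] for every config
    copy under webroot that the server would hand out as text."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not CONFIG_COPY.match(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            creds = sorted(set(CREDENTIAL.findall(text)))
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            findings.append((rel, creds))
    return sorted(findings)


def build_demo_webroot():
    """Constructed webroot: a live wp-config.php plus three leaked copies and
    the stock wp-config-sample.php, which is executed as PHP and not flagged."""
    root = tempfile.mkdtemp(prefix="wpdemo_")
    body = ("<?php\n"
            "define('DB_NAME', 'wp');\n"
            "define('DB_USER', 'wpuser');\n"
            "define('DB_PASSWORD', 'hunter2');\n"
            "define('DB_HOST', 'localhost');\n")
    for name in ("wp-config.php", "wp-config.txt", "wp-config.php~"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    os.makedirs(os.path.join(root, "old"))
    with open(os.path.join(root, "old", "wp-config.php.bak"), "w") as fh:
        fh.write(body)
    with open(os.path.join(root, "wp-config-sample.php"), "w") as fh:
        fh.write("<?php define('DB_USER', 'username_here');\n")
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    for rel, creds in find_exposed_configs(root):
        print("%s exposes %s" % (rel, ", ".join(creds) or "no credentials"))
```

Finding the copies is half the fix: delete them, rotate the database password they contained, and add a web-server rule that denies any request for a file named wp-config with a non-.php extension, so the next backup someone leaves behind is not served either.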
    29. Botnets Targeting Your CMS
        Recently observed:
        • Botnets scan websites for vulnerabilities
        • Inject hijack/drive-by code into vulnerable systems
        • Onboard hijacked systems into the botnet

    30. From a Botnet Communication
        Google Dork: the botnet operator uses zombies to scan sites for vulnerabilities.
        * As observed by Imperva's ADC Research Team

    31. From a Botnet Communication
        The botnet exploits vulnerabilities and absorbs victim servers.
        * As observed by Imperva's ADC Research Team
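A site runs one CMS, so a client that probes the admin, login and well-known component paths of several CMSes within a few minutes is scanning, not browsing. As an added example (not code from the presentation or from Imperva's ADC team), the script below applies that rule to Apache combined-format access log lines and flags the scanning client. The probe list is a short illustrative set of real CMS paths and the thresholds are assumptions; the log lines are constructed for the demo.

```python
"""Flag CMS vulnerability scanners in a web access log.

Added example for the "Botnets Targeting Your CMS" slides; not code from the
presentation. PROBES is a small illustrative path list and the thresholds are
assumptions; SAMPLE_LOG is constructed (Apache combined log format).
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths a scanner requests to identify the platform or reach its admin/login
# interface (slides 24 to 26), mapped to the CMS they belong to.
PROBES = {
    "/wp-login.php": "WordPress", "/wp-admin/": "WordPress",
    "/xmlrpc.php": "WordPress", "/wp-content/plugins/": "WordPress",
    "/administrator/": "Joomla", "/administrator/index.php": "Joomla",
    "/user/login": "Drupal", "/CHANGELOG.txt": "Drupal",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def probe_key(path):
    """Return the PROBES entry a request path matches (prefix match), or None."""
    p = path.split("?", 1)[0]
    for probe in PROBES:
        if p == probe or p.startswith(probe):
            return probe
    return None


def scans_in_window(recs, window_seconds, min_probes, min_cms):
    """True if some span of <= window_seconds in recs (sorted by time) holds
    >= min_probes distinct probe paths belonging to >= min_cms CMSes."""
    start = 0
    for end in range(len(recs)):
        while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        hits = {}
        for r in recs[start:end + 1]:
            k = probe_key(r["path"])
            if k:
                hits[k] = PROBES[k]
        if len(hits) >= min_probes and len(set(hits.values())) >= min_cms:
            return True
    return False


def find_scanners(lines, window_seconds=300, min_probes=3, min_cms=2):
    """Return {ip: {"probes": [...], "cms": [...], "errors": n}} for clients
    whose requests meet the scanning rule; "errors" counts all of that
    client's responses with status >= 400."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if not scans_in_window(recs, window_seconds, min_probes, min_cms):
            continue
        hits = {k: PROBES[k] for k in (probe_key(r["path"]) for r in recs) if k}
        flagged[ip] = {
            "probes": sorted(hits),
            "cms": sorted(set(hits.values())),
            "errors": sum(1 for r in recs if r["status"] >= 400),
        }
    return flagged


# Constructed log: a normal visitor (10.0.0.5) and a scanner (203.0.113.7).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2013:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
10.0.0.5 - - [05/Nov/2013:10:00:03 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2013:10:00:03 +0000] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Nov/2013:10:00:04 +0000] "GET /user/login HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Nov/2013:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 180 "-" "Mozilla/4.0"
10.0.0.5 - - [05/Nov/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The legitimate visitor also requests /wp-login.php, which is why a single probe path is not enough; the cross-CMS requirement is what separates a scanner from an administrator logging in. A bot that only hammers one CMS's login page is a brute-force case and needs a separate rate-based rule.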
    32. Reclaiming Security: Securing 3rd Party Applications

    33. Analyzing the Attack Surface
        Certain vulnerabilities in 3rd party applications cannot be fixed in the code by the organization that deploys them, because it does not own that code; in practice they can only be mitigated in front of the application, with a Web Application Firewall.
        Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)

    34. Deployment Matters
        • On premise deployment: applications and 3rd party code deployed in your virtual/physical data center.
        • Cloud based deployment (Imperva Incapsula Cloud): hosted applications and B2B services.

    35. Recommendations
        When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
        • Implement policies on both the legal and technical aspects to control data access and data usage.
        • Require third party applications to accept your security policies and put proper controls in place.
        • Monitor.

    36. Technical Recommendations
        • Assume third-party code, coming from partners, vendors, or mergers and acquisitions, contains serious vulnerabilities
        • Pen test before deployment to identify these issues
        • Deploy the application behind a WAF to
          - Virtually patch pen test findings
          - Mitigate new risks (unknown at pen test time)
          - Mitigate issues the pen tester missed
          - Use a cloud WAF for remotely hosted applications
        • Virtually patch newly discovered CVEs
          - Requires a robust security update service
        A virtual patch buys time; the vulnerable component still has to be updated or removed.

    37. Questions? www.imperva.com

    38. Thank You
