CMS Hacking 101

With the rise of blogs, forums, online magazines, e-commerce, and corporate websites, many organizations are turning to Content Management Systems (CMS), such as Joomla or SharePoint, to create rich websites. CMSs simplify website delivery, but they also expose your organization to a new set of vulnerabilities. This presentation shows how malicious hackers exploit vulnerabilities found in popular Content Management Systems to systematically identify and attack unsuspecting organizations.

Published in: Technology
Transcript of "CMS Hacking 101"

  1. © 2013 Imperva, Inc. All rights reserved. CMS Hacking 101: Analyzing the Risk with 3rd Party Applications. Barry Shteiman, Senior Security Strategist
  2. Agenda
     • CMS defined
     • Risks and trends
     • Recent incidents
     • Into the details: an attack campaign; an industrialized attack campaign
     • Reclaiming security
  3. Today’s Speaker: Barry Shteiman
     • Senior Security Strategist
     • Security consultant working with the CTO office
     • Author of several application security tools
     • Open source security projects code contributor
     • Twitter: @bshteiman
  4. CMS Defined: Content Management System
  5. What is a CMS? A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
  6. Deployment Distribution. Source: http://trends.builtwith.com/cms
  7. Enterprise Adoption
  8. Risks and Trends
  9. OWASP Top 10 – 2013 Update. New: A9, Using Known Vulnerable Components
  10. 3rd Party. According to Veracode:
     • “Up to 70% of internally developed code originates outside of the development team”
     • 28% of assessed applications are identified as created by a 3rd party
  11. When a 3rd Party Brings its Friends
     • More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
     • 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks
     (Checkmarx Ltd. research lab, “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013)
     You can’t fix code you don’t own; even if you host your own code, it has third-party components in it.
  12. Attack Surface. Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security). In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions.
  13. Classic Web Site Hacking: Single Site Attack. Hacking: 1. Identify Target 2. Find Vulnerability 3. Exploit
  14. Classic Web Site Hacking: Multiple Site Attacks. The same three steps (1. Identify Target 2. Find Vulnerability 3. Exploit) are repeated from scratch for each site.
  15. CMS Hacking: CMS Targeting Attack. Hacking: 1. Identify CMS 2. Find Vulnerability 3. Exploit
  16. Recent Incidents
  17. 3rd Party Code Driven Incidents: Breached via a 3rd party application on Drupal.org’s own servers.
  18. 3rd Party Code Driven Incidents: 3rd party service provider hacked, customer data affected.
  19. 3rd Party Code Driven Incidents: Yahoo’s 3rd party hack as detailed in Imperva’s January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  20. CMS Related Incidents
  21. Into the Details: How a CMS Attack Campaign Might Look
  22. The Attacker’s Focus: Server Takeover; Direct Data Theft
  23. CMS Mass Hacking. Step 1: Find a vulnerability in a CMS platform. Even public vulnerability databases contain thousands of CMS-related vulnerabilities. Source: www.exploit-db.com
  24. CMS Gone Wild(card). Step 2: Identify a fingerprint in a relevant CMS-based site. A fingerprint can be an image, a URL, a tag, an object reference, a response to a query, etc.
  25. Fingerprinted (Tag based): The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
  26. Fingerprinted (URL based): An administrator interface may be front facing, allowing detection and login attempts.
  27. Google Dork for the Masses. Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config). Results: 144,000
  28. Google Dork for the Masses. In our case: Database Host, User and Password Exposed
  29. Botnets Targeting Your CMS. Recently Observed:
     • Botnets scan websites for vulnerabilities
     • Inject hijack/drive-by code into vulnerable systems
     • Onboard hijacked systems into the botnet
  30. From a Botnet Communication: Botnet operator uses zombies to scan sites for vulnerabilities (Google Dork). * As observed by Imperva’s ADC Research Team
  31. From a Botnet Communication: Botnet exploits vulnerabilities and absorbs victim servers. * As observed by Imperva’s ADC Research Team
  32. Reclaiming Security: Securing 3rd Party Applications
  33. Analyzing the Attack Surface. Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security). Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls.
  34. Deployment Matters. On premise deployment: applications and 3rd party code deployed in your virtual/physical data center. Cloud based deployment: hosted applications and B2B services (Imperva Incapsula Cloud).
  35. Recommendations. When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
     • Implement policies on both the legal and technical aspects to control data access and data usage.
     • Require third party applications to accept your security policies and put proper controls in place.
     • Monitor.
  36. Technical Recommendations
     • Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
     • Pen test before deployment to identify these issues
     • Deploy the application behind a WAF to: virtually patch pen test findings; mitigate new risks (unknown at pen test time); mitigate issues the pen tester missed; use a cloud WAF for remotely hosted applications
     • Virtually patch newly discovered CVEs (requires a robust security update service)
  37. Post-Webcast: Discussions; Answers to Attendee Questions; Webcast Recording Link; Join Group (Join Imperva LinkedIn Group, Imperva Data Security Direct, for…); Presentation Materials
  38. www.imperva.com
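Slides 25 to 28 of the transcript above describe tag-based and URL-based fingerprints and configuration files that end up readable as plain text. The Python script below is an added example, not part of the Imperva deck, written from the site owner's side: it audits a page's own markup for what it gives away (a `<meta name="generator">` tag and CMS-specific asset or admin paths) and walks a web-root listing for copies of configuration files with a suffix the web server would serve as text instead of executing, which is exactly what the `wp-config.txt` dork finds. The sample HTML and directory listing are constructed for the example, and the fingerprint lists are illustrative assumptions rather than an exhaustive signature set.

```python
import re
from html.parser import HTMLParser

# Constructed sample page for the example: markup that leaks several
# WordPress fingerprints of the kind slides 25 and 26 describe.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
</head><body>
<a href="/wp-login.php">Log in</a> <a href="/wp-admin/">Dashboard</a>
</body></html>"""

# Constructed web-root listing (what a recursive listing of the document
# root might return), with config copies left beside the live file.
SAMPLE_LISTING = [
    "/index.php",
    "/wp-config.php",
    "/wp-config.txt",
    "/wp-config.php.bak",
    "/backup/wp-config.conf",
    "/wp-content/uploads/logo.png",
    "/configuration.php~",
]

# URL fragments that identify a CMS. Illustrative assumptions for this
# example, not an exhaustive signature database.
PATH_FINGERPRINTS = {
    "WordPress": ("/wp-content/", "/wp-includes/", "/wp-login.php", "/wp-admin/"),
    "Joomla": ("/administrator/", "/components/com_"),
    "Drupal": ("/sites/default/files/", "/user/login"),
}

# Config file base names, and the suffixes a web server hands out as plain
# text instead of executing; that is what makes the wp-config.txt dork work.
CONFIG_BASENAMES = ("wp-config", "configuration", "settings")
SERVED_AS_TEXT = re.compile(r"\.(conf|txt|config|bak|old|orig|save)$|~$", re.I)


class FingerprintCollector(HTMLParser):
    """Collects <meta name="generator"> values and every src/href reference."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])
        for key in ("src", "href"):
            if a.get(key):
                self.refs.append(a[key])


def audit_fingerprints(html):
    """Return the generator tags and CMS-revealing references found in a page."""
    collector = FingerprintCollector()
    collector.feed(html)
    paths = {}
    for ref in collector.refs:
        for cms, fragments in PATH_FINGERPRINTS.items():
            if any(fragment in ref for fragment in fragments):
                paths.setdefault(cms, []).append(ref)
    return {"generator": collector.generators, "paths": paths}


def exposed_config_files(listing):
    """Return listing entries that are config copies served as readable text."""
    hits = []
    for path in listing:
        name = path.rsplit("/", 1)[-1]
        base = name.split(".", 1)[0].lower()
        if base in CONFIG_BASENAMES and SERVED_AS_TEXT.search(name):
            hits.append(path)
    return hits


if __name__ == "__main__":
    report = audit_fingerprints(SAMPLE_HTML)
    print("generator tags to remove:", report["generator"])
    for cms, refs in report["paths"].items():
        print(f"{cms} paths visible in markup: {refs}")
    print("config copies to delete or deny:", exposed_config_files(SAMPLE_LISTING))
```

The generator tag is the cheapest leak to close; asset paths such as `/wp-content/` cannot be hidden without rewriting the site, so their presence is a reason to keep the CMS and its plugins patched rather than something to obscure. Every path the second function returns should be deleted from the document root or denied in the web server configuration, since a plain-text copy of `wp-config` is what slide 28 shows exposing the database host, user and password.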
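Slides 29 to 31 describe botnets using zombies to scan sites for CMS vulnerabilities and then absorb the victims. The script below is an added example, not from the deck or from Imperva, showing the detection side of that traffic: it parses combined-format access log lines (constructed here) and flags clients whose CMS-specific requests either touch CMS families the site does not run or mostly miss with 404s, the trace a scanner leaves when it tries every CMS's admin and config paths in turn. The probe path lists, the `site_cms` default and the `min_probes` threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines for the example (not from the
# deck). 203.0.113.7 walks admin and config paths of three CMS families on a
# site that only runs WordPress, 192.0.2.9 guesses config backups, and
# 198.51.100.4 is an ordinary user logging in.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "GET /wp-config.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "GET /user/login HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:04 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2013:10:03:01 +0000] "GET /wp-config.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2013:10:03:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2013:10:03:02 +0000] "GET /wp-config.php.old HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2013:10:02:10 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2013:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2013:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "method path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Paths a scanner requests to tell CMS families apart. Assumed, illustrative
# lists; a production rule set would be longer and maintained.
CMS_PROBES = {
    "WordPress": ("/wp-login.php", "/wp-config", "/wp-admin", "/xmlrpc.php"),
    "Joomla": ("/administrator/",),
    "Drupal": ("/user/login",),
}


def classify(path):
    """Map a request path to the CMS family it probes, or None."""
    for cms, prefixes in CMS_PROBES.items():
        if any(path.startswith(p) for p in prefixes):
            return cms
    return None


def find_cms_scanners(log_text, site_cms="WordPress", min_probes=3):
    """Return {client_ip: summary} for clients that look like CMS scanners.

    A client is flagged when it probes a CMS family the site does not run, or
    when it issues at least min_probes CMS-specific requests and half or more
    of them miss (404): a user follows links, a scanner guesses paths.
    """
    per_ip = defaultdict(lambda: {"families": set(), "probes": 0, "not_found": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, status = m.group(1), m.group(4), int(m.group(5))
        cms = classify(path.split("?", 1)[0])
        if cms is None:
            continue
        summary = per_ip[ip]
        summary["families"].add(cms)
        summary["probes"] += 1
        if status == 404:
            summary["not_found"] += 1

    flagged = {}
    for ip, summary in per_ip.items():
        foreign = summary["families"] - {site_cms}
        misses_dominate = summary["probes"] >= min_probes and 2 * summary["not_found"] >= summary["probes"]
        if foreign or misses_dominate:
            flagged[ip] = dict(summary, foreign=foreign)
    return flagged


if __name__ == "__main__":
    for ip, summary in find_cms_scanners(SAMPLE_LOG).items():
        print(ip, "probes:", summary["probes"], "404s:", summary["not_found"],
              "families:", sorted(summary["families"]), "foreign:", sorted(summary["foreign"]))
```

The "foreign family" rule is the strong signal: a client that asks a WordPress site for `/administrator/` and `/user/login` is working from a list, not browsing. The 404-ratio rule catches the single-CMS case of the same behaviour (guessing backup names of `wp-config`) and is the one to tune, since a broken link can also produce a few misses from a legitimate user.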