The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.
Web Application Testing for Today’s Biggest and Emerging Threats
1. Web Application Testing for Today’s Biggest and Emerging Threats Alan Kan Technical Manager IBM Rational Software
2. Agenda: (1) Let the Numbers Speak, (2) Top and Emerging Attacks, (3) Testing for Vulnerabilities
9. Understanding the Web Application (Hacking 102: Integrating Web Application Security Testing into Development). Diagram of the environment a web application lives in: layers Desktop, Transport, Network, Web Applications; protections Antivirus Protection, Encryption (SSL), Firewalls / IDS / IPS; infrastructure Firewall, Web Servers, Application Servers, Databases, Backend Server.
11. Agenda: (1) Let the Numbers Speak, (2) Top and Emerging Attacks, (3) Testing for Vulnerabilities
12. OWASP Top Ten (2010 Edition) Source: http://www.owasp.org/index.php/Top_10
14. SQL Injection Attack Tools
* Automatic page-rank verification
* Search engine integration for finding “vulnerable” sites
* Prioritization of results based on probability for successful injection
* Reverse domain name resolution
* etc.
15. The drive-by-download process (diagram): Desktop users browse the Internet -> web server with embedded iframe -> malicious iframe host -> exploit material served -> web browser targeted -> downloader installed -> malware installed and activated.
17. Cross Site Scripting – The Exploit Process (actors: Evil.org, User, bank.com)
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
22. Agenda: (1) Let the Numbers Speak, (2) Top and Emerging Attacks, (3) Testing for Vulnerabilities
25. Car Safety – Protect Valuable Assets: Security System, Seatbelts, Safety Cage, Crash Test
26. Building Security & Compliance into the SDLC. Phases shown on the slide: Architecture, Coding, Build, Testing, Security, Production (roles: Architects, Developers, Developers). Callouts:
* Provides Architects and Developers with knowledge to design and develop more secure applications
* Provides Developers and Testers with expertise and tools to detect and remediate vulnerabilities
* Enable Security to effectively drive remediation into development
* Ensure vulnerabilities are addressed before applications are put into production
* Security penetration testing and application monitoring for ongoing protection
Speaker’s notes: We take data from a lot of different disciplines, including the Web filtering database that provides analysis for more than 14 billion Web sites and images; we also see what kind of intrusion attempts the managed services team sees across its customer base, currently tracking billions of events per day; we have more than 40 million documented spam attacks, and 54,000 documented unique vulnerabilities from both internal research and external disclosures. This report is unique in that the sources listed above provide varying perspectives on the threat landscape that together give a cohesive look at the industry based on factual data from the various research functions within the broader X-Force team and databases.
According to the X-Force database tracking, 2010 had the largest number of vulnerability disclosures in history: 8,562. This is a 27 percent increase over 2009. We think this increase demonstrates that software developers are working hard to discover and patch vulnerabilities and make better products. Of the top ten software vendors, 8 of those 10 had an increase in 2010, and the average increase was 66%, so lots of work is happening on patching products and it is keeping everyone very busy.
These are only Web application vulnerabilities that are publicly used and reported against. Most customers also deploy “custom Web apps” that are not public, so we feel this data is just scratching the surface: it covers what is publicly available but does not speak to the volumes of third-party or in-house applications that are custom built. Although the number of vulnerabilities affecting Web applications has grown at a staggering rate, the growth demonstrated in the first half of 2009 and continuing through the second half may indicate the start of a plateau, at least in standard (off-the-shelf) software applications for the Web. These figures do not include custom-developed Web applications or customized versions of these standard packages, which also introduce vulnerabilities.
The gap between when vulnerabilities are announced and the (sometimes) weeks that follow before a patch is released is relevant to IBM customer conversations surrounding IPS. Intrusion prevention systems are designed to protect customers until they are able to get these patches applied.
Because there were more public vulnerabilities reported in 2010, the public exploits for those vulnerabilities were also increasing and were reported publicly. The total number is up and has continually increased in the past 2 years. In the report we have some interesting data that shows that public exploit disclosure sometimes occurs 10’s to 100 days after the initial vulnerability disclosure. We think this is an important point for our customers. Attackers begin using that exploit to break into networks and, when it is no longer valuable, they dump it publicly. We see there is a huge time window before patches are developed that attackers utilize to do damage. IPS is designed to protect between vulnerability disclosure and when a patch is made available.
Speaker’s notes: One of the things that we did 2 years ago was to take a slightly different look at how vulnerabilities are classified and how they are rated by criticality. We’ve noticed that the traditional way to categorize vulnerabilities is not the same criteria by which a hacker or crime organization might classify the vulnerability. What may appear to rate “high” on a traditional scale may never be exploited because it has too small a target audience or doesn’t provide the appropriate financial payout. The grid on the right-hand side of the screen shows the Exploit Effort vs. Potential Reward Quadrant: the Y axis is the total opportunity size, whereas the X axis shows the cost to exploit the vulnerability. Ideally, the criminal community will look for an exploit that falls in the upper right-hand “sweet spot”: a vulnerability that is cheap to exploit with lots of targets or opportunity that can result in a high payout.
Slide: Just remember, when we talk about securing an application it is important to understand that applications don't live in isolation; they live in a broader environment. For example, we put in firewalls, implement SSL, and add many more pieces to the puzzle in an attempt to create a secure system.
Speaking Points:
* Firewalls and network protections protect the network, but ports 80 and 443 are wide open; we use SSL to encrypt the traffic, and so on, but if the application can’t protect itself, the rest of the environment could potentially be compromised. Similarly, if the application is secure but you’re not encrypting the traffic, an illegitimate user can gain access simply by sniffing the username/password credentials.
* Network protections can never fully understand the context of the application communication – what is allowed and what is not.
The entries shown in red are the new ones.
While cross-site scripting vulnerabilities continue to be one of the predominant types of vulnerabilities affecting Web applications, activity targeting these vulnerabilities seems to have leveled off in 2010. Ultimately, attackers want to control the end-user endpoint and load malware on it.
This is an example of a toolkit attackers can use for SQL injection. This toolkit allows an attacker to use Google to search for websites that are vulnerable to SQL Injection. The toolkit gives the attacker page rankings and prioritized results based on the probability of success. This allows attackers to go after rich websites that are going to give them a big return, which can be used for data theft, or they can simply overwrite information in the database to redirect victims to a malicious site. Attackers have taken this simplistic model and made it scalable so that any novice attacker can use it without deep technical knowledge or skill.
Attackers use SQL Injection attacks to inject HTML redirects into legitimate websites. If you are out surfing the web and you visit a legitimate website that has been SQL injected, you may get redirected to a malicious web server controlled by the attacker. These malicious web servers send down exploits that target vulnerabilities in your web browser and then dump malware on your system. At that point you end up as a zombie on a botnet that is used to send out spam or phishing emails to other victims. This shows how interconnected the threat landscape is and why it is important to use a defense-in-depth strategy to manage your IT security.
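An added example, not from the deck, for the injected-redirect and drive-by-download chain described above: detection logic that scans stored content rows for iframe or script loaders whose src points at a host outside a trusted list, which is what an injected redirect looks like once it has been written into a database text field. The trusted-host list, the row shape and the sample rows (including the placeholder host malicious-host.test) are constructed for this example.

```javascript
// Added example, not from the original deck. Scans stored content for the
// iframe/script loaders that mass SQL-injection campaigns write into text
// columns. Trusted hosts, row shape and sample rows are constructed here.

const TRUSTED_HOSTS = new Set(['www.example-shop.test', 'cdn.example-shop.test']);

// Constructed rows resembling a CMS "product description" column after an incident.
const SAMPLE_ROWS = [
  { id: 1, body: 'Blue widget, 3-pack. <img src="https://cdn.example-shop.test/w.png">' },
  { id: 2, body: 'Red widget.<iframe src="http://malicious-host.test/x.php" width=0 height=0></iframe>' },
  { id: 3, body: 'Green widget.<script src="http://malicious-host.test/k.js"></script>' },
  { id: 4, body: 'Plain text only, no markup.' },
];

// Pull every src= target from iframe and script tags: these are the vehicles
// the drive-by-download chain uses to pull the browser to the exploit host.
function extractLoaderSources(html) {
  const re = /<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve relative URLs against the site's own origin (constructed) so that
// local paths like /js/app.js are attributed to a trusted host.
function hostOf(url) {
  try { return new URL(url, 'https://www.example-shop.test/').hostname; }
  catch { return null; }
}

// A row is suspicious if any loader points at a host we do not serve content from.
function findInjectedRows(rows, trustedHosts = TRUSTED_HOSTS) {
  const found = [];
  for (const row of rows) {
    const foreign = extractLoaderSources(row.body)
      .filter((src) => !trustedHosts.has(hostOf(src)));
    if (foreign.length) found.push({ id: row.id, sources: foreign });
  }
  return found;
}

console.log(findInjectedRows(SAMPLE_ROWS));
```

Run it against a dump of your own text columns after replacing TRUSTED_HOSTS with the hosts your site legitimately loads from.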
Attackers use highly automated tools that have these exploits built in. This is an example of a public exploit and the automated tools that are available to target it.
Let’s take a look at the chain of events during an XSS attack:
1) The attacker creates and sends the victim a link to bank.com (a trusted site). The link contains a search string (or any other string that is echoed back) which contains malicious JavaScript code.
2) The victim clicks on this link, since he/she trusts the bank.com web site.
3) The bank.com web application echoes back the malicious JavaScript code inside the response page. This JavaScript is executed in the security context of bank.com, since it is echoed back from that site. This means that it has access to DOM elements belonging to this domain/session.
4) The malicious script sends the current cookie and session information, without the victim’s consent, to the evil.org web site, where the hacker is waiting for it.
5) The attacker has valid session tokens, and the victim is no longer needed.
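As an added example that is not part of the deck, here is step 3 of that chain in code: a handler that echoes the search string verbatim beside a hardened version that HTML-encodes it, a check for whether a raw script tag survives into the response, and an HttpOnly session cookie that blunts step 4 by keeping the token out of document.cookie. The function names and the constructed query string are assumptions of this example.

```javascript
// Added example, not from the original deck. Step 3 of the XSS chain: bank.com
// echoes a search string into its response. Names and sample data are ours.

// Constructed query string carrying a script tag, as an attacker's link would.
const SAMPLE_QUERY = '<script>/* constructed payload */</script>';

// Vulnerable: the query is dropped into the page verbatim, so the browser
// executes it in bank.com's security context (step 3 on the slide).
function renderSearchVulnerable(query) {
  return `<html><body><p>Results for: ${query}</p></body></html>`;
}

// Mitigation: encode the HTML metacharacters before echoing user data into an
// HTML text context, so the browser renders it as text instead of markup.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSearchSafe(query) {
  return `<html><body><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Response check for a test suite or build step: does an unencoded <script>
// tag survive into the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Step 4 mitigation: HttpOnly hides the session token from document.cookie, so
// even an injected script cannot read it; Secure and SameSite narrow leakage.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

console.log('vulnerable leaks script:', containsScriptTag(renderSearchVulnerable(SAMPLE_QUERY)));
console.log('hardened leaks script:  ', containsScriptTag(renderSearchSafe(SAMPLE_QUERY)));
console.log(sessionCookieHeader('constructed-token'));
```

The containsScriptTag check is the kind of assertion that belongs in the Build stage the deck calls the ROI sweet spot, run against every page that echoes request data.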
Slide: In this module we discussed how software is tested. All technologies have their advantages and drawbacks. Whitebox and blackbox are both extremely valuable technologies, but remember, it’s not about the technologies, it’s about how we introduce security testing earlier! The goal is to introduce it earlier to reduce costs. So we may implement security in several or even all of these stages!
Speaking Points:
* The goal is to drive security responsibility back into the development organization
* The chief failure of creating secure software is leaving it till the last minute
* The sweet spot for security testing ROI seems to be automating testing into the Build process