Web Hacking Incidents Revealed:
Trends, Stats and How to Defend
Ryan Barnett
Senior Security Researcher
SpiderLabs Research
Ryan Barnett - Background
Trustwave
• Senior Security Researcher
−Web application firewall research/development
−Virtual patching for web applications
• Member of the SpiderLabs Research Team
−Web application firewall signature lead
• ModSecurity Community Manager
−Interface with the community on public mail-list
−Steer the internal development of ModSecurity
Author
• “Preventing Web Attacks with Apache”
Copyright Trustwave 2010
Confidential
Ryan Barnett – Community Projects
Open Web Application Security Project (OWASP)
• Speaker/Instructor
• Project Leader, ModSecurity Core Rule Set
• Project Contributor, OWASP Top 10
• Project Contributor, AppSensor
Web Application Security Consortium (WASC)
• Board Member
• Project Leader, Web Hacking Incident Database
• Project Leader, Distributed Open Proxy Honeypots
• Project Contributor, Web Application Firewall Evaluation Criteria
• Project Contributor, Threat Classification
The SANS Institute
• Courseware Developer/Instructor
• Project Contributor, CWE/SANS Top 25 Worst Programming Errors
Session Outline
The Challenge of Risk Analysis for Web Applications
• Risk Rating Methodology
• How to quantify risk?
WASC Web Hacking Incident Database (WHID)
• What is it?
• Goals
• Recent Project Changes and Updates
2010 Semiannual Report (July – December)
• Incidents By Attacked Entity Field
• Incidents By Outcome
• Incidents By Attack Methods
• Incidents By Application Weakness
• Comparing the OWASP Top 10 vs. the WHID Top 10
Incidents of Interest
Conclusion
The Challenge of Risk Analysis for Web Application Security
OWASP Risk Rating Methodology
#Step 1: Identifying a Risk
#Step 2: Factors for Estimating Likelihood
#Step 3: Factors for Estimating Impact
#Step 4: Determining Severity of the Risk
#Step 5: Deciding What to Fix
#Step 6: Customizing Your Risk Rating Model
http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
OWASP Risk Rating Methodology
The Challenge of Risk Analysis for Web Applications: Analyzing Public Incidents
Risk Rating Problem
Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)…
Publicly Quantifying Web Incidents is Challenging
Incidents are not detected
• ~156 day lapse between compromise and detection*
• In the vast majority of cases the merchant did not identify the intrusion; a 3rd party did, based on fraud detection (card brands and banks)*
• Logging issues: poor logging and/or no one reviewing the logs for signs of compromise
https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf
Publicly Quantifying Web Incidents is Challenging
Victims hide breaches
• Defacement (visible) and information leakage (regulated) are publicized more than other breaches
• Example: banks are not forced to disclose when individual customer funds are stolen
Web Hacking Incident Database (WHID)
WASC Web Hacking Incident Database (WHID)
http://projects.webappsec.org/Web-Hacking-Incident-Database
Tracking Public Web Compromises
WHID Goals
• Raise awareness of real-world web application security incidents
• Provide data for the following Risk Rating steps:
 • #Step 2: Factors for Estimating Likelihood
 − What application weaknesses are actively being targeted?
 • #Step 3: Factors for Estimating Impact
 − What outcome are you worried about?
 • #Step 5: Deciding What to Fix
 − Prioritized listing of remediation issues
 • #Step 6: Customizing Your Risk Rating Model
 − Customized view based on your vertical market
WHID Data
• Data Samples (statistically insignificant)
 − Focus on % rather than raw numbers
• Inclusion Criteria
 − Only publicly disclosed, web related incidents
• Incidents of interest
 − Defacements of “High Profile” sites are included
 − Ensure quality and correctness of incidents
 − Severely limits the number of incidents that get in
WHID Data: Community Submittal Form
• Community incident submission leverages crowdsourcing
• Project team validation ensures quality
http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident
WHID Database Content
~222 incidents for 2010
Incidents since 1999
Each incident is classified by:
• Attack type
• Application Weakness
• Outcome
• Country of organization attacked
• Industry segment of organization attacked
• Country of origin of the attack (if known)
• Vulnerable Software
Additional information:
• A unique identifier: WHID 200x-yy
• Dates of occurrence and reporting
• Description
• Internet references
Real-Time Statistics
• Browse real-time data
• Drill down into incident details
• Pivot on key variables (year/vertical market)
http://projects.webappsec.org/Web-Hacking-Incident-Database
Real-time, Searchable DB
WHID data is available year-round
Useful for application developers and researchers
Search by
• Attack method
• Outcome
• Source geography
• and many more…
http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase
Geographic Views
Monitoring WHID Updates
http://projects.webappsec.org/Web-Hacking-IncidentDatabase#RSSFeed
@wascwhid
WHID 2010 Biannual Status Report: July-December
What Vertical Markets are Attacked Most Often?
What are the Goals for Web Hacking?
What Attack Methods do Hackers Use?
Which Application Weaknesses are Exploited?
#Step 5: Deciding What to Fix
Prioritized listing of remediation issues
OWASP vs. WHID Top 10
Rank | OWASP Top 10 | WHID Top 10
1 | Injection | Insufficient Anti-Automation (Brute Force and DoS)
2 | Cross-site Scripting (XSS) | Improper Output Handling (XSS and Planting of Malware)
3 | Broken Authentication and Session Management | Improper Input Handling (SQL Injection)
4 | Insecure Direct Object Reference | Application Misconfiguration (Detailed error messages)
5 | CSRF | Insufficient Authentication (Stolen Credentials/Banking Trojans)
6 | Security Misconfiguration | Insufficient Process Validation (CSRF and DNS Hijacking)
7 | Insecure Cryptographic Storage | Insufficient Authorization (Predictable Resource Location/Forceful Browsing)
8 | Failure to Restrict URL Access | Abuse of Functionality (CSRF/Click-Fraud)
9 | Insecure Transport Layer Protection | Insufficient Password Recovery (Brute Force)
10 | Unvalidated Redirects and Forwards | Improper Filesystem Permissions (Info Leakages)
Top Trends
Denial of Service
Layer 4 DDoS Attacks
Layer 4 DDoS Attacks - Botnets
• Reach bandwidth or connection limits of hosts or networking equipment.
• Fortunately, current anti-DDoS solutions are effective in handling Layer 4 DDoS attacks.
http://www.cert.org/reports/dsit_workshop.pdf
Layer 7 DDoS Attacks
Layer 7 DDoS Attacks
• Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity.
• Requires fewer connections => higher efficiency.
• Reach resource limits of services. Can deny services regardless of the hardware capabilities of the host => higher lethality.
• We will focus on protocol weaknesses of HTTP or HTTPS.
• HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)
• HTTP POST => Wong Onn Chee
http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
Application Performance Monitoring Dashboard
Excessive Access Rate Detection
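An added example (not part of the original deck) of the excessive access rate detection this slide names, applied to the two Layer 7 DoS patterns described on the earlier slides: request floods and slow, long-held connections (Slowloris / slow POST). It runs over constructed Apache-style log lines whose trailing field is the request duration in microseconds; the thresholds are assumed defaults that would be tuned per application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not real traffic; the trailing field is the request duration
# in microseconds (Apache %D). 203.0.113.5 floods, 198.51.100.9 holds slow POSTs open.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2010:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 1200
203.0.113.5 - - [11/Dec/2010:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 1100
203.0.113.5 - - [11/Dec/2010:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 1300
203.0.113.5 - - [11/Dec/2010:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 1250
192.0.2.7 - - [11/Dec/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 900
203.0.113.5 - - [11/Dec/2010:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 1150
203.0.113.5 - - [11/Dec/2010:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 1400
198.51.100.9 - - [11/Dec/2010:10:01:10 +0000] "POST /form HTTP/1.1" 408 - 65000000
198.51.100.9 - - [11/Dec/2010:10:01:12 +0000] "POST /form HTTP/1.1" 408 - 64000000
198.51.100.9 - - [11/Dec/2010:10:01:40 +0000] "POST /form HTTP/1.1" 408 - 66000000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) (\d+)$')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # does not match the expected format
    ip, ts, _method, _path, status, _size, dur = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(status), "dur_us": int(dur)}

def detect(lines, max_req=5, window_s=10, slow_s=30, max_slow=2):
    """Map each flagged client IP to why: 'rate' for more than max_req requests
    in a sliding window_s-second window (flood), 'slow' for more than max_slow
    requests each held open slow_s seconds or longer (Slowloris / slow POST)."""
    recent, slow, hits = defaultdict(deque), defaultdict(int), defaultdict(set)
    for line in lines:
        r = parse(line)
        if r is None:
            continue  # malformed line: skip it rather than stop the monitor
        q = recent[r["ip"]]
        q.append(r["ts"])
        while (r["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire requests that fell out of the window
        if len(q) > max_req:
            hits[r["ip"]].add("rate")
        if r["dur_us"] >= slow_s * 1_000_000:
            slow[r["ip"]] += 1
            if slow[r["ip"]] > max_slow:
                hits[r["ip"]].add("slow")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}
```

A flagged client is the input to whatever response the WAF or rate limiter applies; the per-client counters here are what a ModSecurity-style access rate rule keeps in its persistent collections.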
Cross-site Scripting (XSS) Defense
Banking Trojans
Questions?