Web Hacking Incidents Revealed: Trends, Stats and How to Defend
Ryan Barnett, Senior Security Researcher, SpiderLabs Research

Ryan Barnett - Background
Trustwave
• Senior Security Researcher
  − Web application firewall research/development
  − Virtual patching for web applications
• Member of the SpiderLabs Research Team
  − Web application firewall signature lead
• ModSecurity Community Manager
  − Interface with the community on the public mail-list
  − Steer the internal development of ModSecurity
Author
• “Preventing Web Attacks with Apache”
Copyright Trustwave 2010 Confidential

Ryan Barnett – Community Projects
Open Web Application Security Project (OWASP)
• Speaker/Instructor
• Project Leader, ModSecurity Core Rule Set
• Project Contributor, OWASP Top 10
• Project Contributor, AppSensor
Web Application Security Consortium (WASC)
• Board Member
• Project Leader, Web Hacking Incident Database
• Project Leader, Distributed Open Proxy Honeypots
• Project Contributor, Web Application Firewall Evaluation Criteria
• Project Contributor, Threat Classification
The SANS Institute
• Courseware Developer/Instructor
• Project Contributor, CWE/SANS Top 25 Worst Programming Errors

Session Outline
The Challenge of Risk Analysis for Web Applications
• Risk Rating Methodology
• How to quantify risk?
WASC Web Hacking Incident Database (WHID)
• What is it?
• Goals
• Recent Project Changes and Updates
2010 Semiannual Report (July – December)
• Incidents By Attacked Entity Field
• Incidents By Outcome
• Incidents By Attack Methods
• Incidents By Application Weakness
• Comparing the OWASP Top 10 vs. the WHID Top 10
Incidents of Interest
Conclusion

The Challenge of Risk Analysis for Web Application Security

OWASP Risk Rating Methodology
#Step 1: Identifying a Risk
#Step 2: Factors for Estimating Likelihood
#Step 3: Factors for Estimating Impact
#Step 4: Determining Severity of the Risk
#Step 5: Deciding What to Fix
#Step 6: Customizing Your Risk Rating Model
http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

The Challenge of Risk Analysis for Web Applications: Analyzing Public Incidents
Risk Rating Problem: instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)…

Publicly Quantifying Web Incidents is Challenging
Incidents are not detected
• ~156 day lapse between compromise and detection*
• In the vast majority of cases the merchant did not identify the intrusion – a 3rd party did, based on fraud detection (card brands and banks)*
• Logging issues - poor logging and/or no one reviewing the logs for signs of compromise
* https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf

Publicly Quantifying Web Incidents is Challenging
Victims hide breaches
• Defacement (visible) and information leakage (regulated) are publicized more than other breaches
• Example - banks are not forced to disclose when individual customer funds are stolen

Web Hacking Incident Database (WHID)
WASC Web Hacking Incident Database (WHID)
http://projects.webappsec.org/Web-Hacking-Incident-Database

Tracking Public Web Compromises

WHID Goals
• Raise awareness of real-world web application security incidents
• Provide data for the following Risk Rating steps:
  • #Step 2: Factors for Estimating Likelihood
    − What application weaknesses are actively being targeted?
  • #Step 3: Factors for Estimating Impact
    − What outcome are you worried about?
  • #Step 5: Deciding What to Fix
    − Prioritized listing of remediation issues
  • #Step 6: Customizing Your Risk Rating Model
    − Customized view based on your vertical market

WHID Data
• Data samples (statistically insignificant)
  • Focus on % rather than raw numbers
• Inclusion criteria
  • Only publicly disclosed, web-related incidents
  • Incidents of interest
  • Defacements of “High Profile” sites are included
• Ensure quality and correctness of incidents
  • Severely limits the number of incidents that get in

WHID Data: Community Submittal Form
• Community incident submission leverages crowdsourcing
• Project team validation ensures quality
http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident

WHID Database Content
~222 incidents for 2010; incidents since 1999
Each incident is classified by:
• Attack type
• Application weakness
• Outcome
• Country of organization attacked
• Industry segment of organization attacked
• Country of origin of the attack (if known)
• Vulnerable software
Additional information:
• A unique identifier: WHID 200x-yy
• Dates of occurrence and reporting
• Description
• Internet references

Real-Time Statistics
• Browse real-time data
• Drill down into incident details
• Pivot on key variables (year/vertical market)
http://projects.webappsec.org/Web-Hacking-Incident-Database

Real-time, Searchable DB
WHID data is available year-round; useful for application developers and researchers
Search by
• Attack method
• Outcome
• Source geography
• and many more…
http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase

Geographic Views

Monitoring WHID Updates
http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed
@wascwhid

WHID 2010 Biannual Status Report: July-December
What Vertical Markets are Attacked Most Often?
What are the Goals for Web Hacking?
What Attack Methods do Hackers Use?
Which Application Weaknesses are Exploited?

#Step 5: Deciding What to Fix
Prioritized listing of remediation issues

OWASP vs. WHID Top 10

 #  OWASP Top 10                                  WHID Top 10
 1  Injection                                     Insufficient Anti-Automation (Brute Force and DoS)
 2  Cross-site Scripting (XSS)                    Improper Output Handling (XSS and Planting of Malware)
 3  Broken Authentication and Session Management  Improper Input Handling (SQL Injection)
 4  Insecure Direct Object Reference              Application Misconfiguration (Detailed error messages)
 5  CSRF                                          Insufficient Authentication (Stolen Credentials/Banking Trojans)
 6  Security Misconfiguration                     Insufficient Process Validation (CSRF and DNS Hijacking)
 7  Insecure Cryptographic Storage                Insufficient Authorization (Predictable Resource Location/Forceful Browsing)
 8  Failure to Restrict URL Access                Abuse of Functionality (CSRF/Click-Fraud)
 9  Insecure Transport Layer Protection           Insufficient Password Recovery (Brute Force)
10  Unvalidated Redirects and Forwards            Improper Filesystem Permissions (Info Leakages)

Top Trends: Denial of Service

Layer 4 DDoS Attacks

Layer 4 DDoS Attacks - Botnets
• Reach bandwidth or connection limits of hosts or networking equipment.
• Fortunately, current anti-DDoS solutions are effective in handling Layer 4 DDoS attacks.
http://www.cert.org/reports/dsit_workshop.pdf

Layer 7 DDoS Attacks
• Legitimate TCP or UDP connections.
• Difficult to differentiate from legitimate users => higher obscurity.
• Requires a smaller number of connections => higher efficiency.
• Reach resource limits of services.
• Can deny services regardless of the hardware capabilities of the host => higher lethality.
We will focus on protocol weaknesses of HTTP or HTTPS.
• HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)
• HTTP POST => Wong Onn Chee
http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool

Application Performance Monitoring Dashboard

Excessive Access Rate Detection

Cross-site Scripting (XSS) Defense

Banking Trojans

Questions?
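The “Excessive Access Rate Detection” slide above carries only its title. As an added example, which is not from the presentation and is not Trustwave's or ModSecurity's own code, the following Python shows the kind of per-client-IP check such a control runs over a web server access log: count requests from each source address inside a short burst time slice, raise a burst event once a counter threshold is exceeded, and treat the client as blocked for a timeout period afterwards. The three tunables, their default values and the log lines are this example's own assumptions (the log lines are constructed); the slide itself states none of them.

```python
"""Excessive access rate detection over web server access logs.

Added example (not from the presentation). A per-client-IP sliding
window counter in the style of a WAF "DoS protection" rule: the
counter threshold, burst time slice and block timeout are assumed
tunables with assumed default values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


class RateDetector:
    """Flags a client that sends more than `threshold` requests inside any
    `burst_time_slice`-second window and treats it as blocked for
    `block_timeout` seconds afterwards."""

    def __init__(self, threshold=5, burst_time_slice=60, block_timeout=600):
        self.threshold = threshold
        self.slice = timedelta(seconds=burst_time_slice)
        self.timeout = timedelta(seconds=block_timeout)
        self.windows = defaultdict(deque)   # ip -> request timestamps in the current slice
        self.blocked_until = {}             # ip -> datetime at which the block expires

    def observe(self, ip, ts):
        """Feed one request; returns 'allowed', 'burst' or 'blocked'."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"
        window = self.windows[ip]
        # Drop requests that have fallen out of the time slice.
        while window and ts - window[0] > self.slice:
            window.popleft()
        window.append(ts)
        if len(window) > self.threshold:
            # Burst detected: start the block timeout and reset the counter.
            self.blocked_until[ip] = ts + self.timeout
            window.clear()
            return "burst"
        return "allowed"


def analyse(lines, **settings):
    """Run the detector over log lines in file order; returns a list of
    (ip, verdict) tuples, one per line that parsed."""
    detector = RateDetector(**settings)
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # unparseable line: skip rather than crash the monitor
        ip, ts, _req, _status = parsed
        verdicts.append((ip, detector.observe(ip, ts)))
    return verdicts


def verdicts_for(verdicts, ip):
    """Verdict sequence for one client, in log order."""
    return [v for i, v in verdicts if i == ip]


# Constructed sample log (not real traffic): 203.0.113.5 browses normally,
# 198.51.100.7 fires eight requests in eight seconds and returns after the
# assumed 600-second block has expired.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Dec/2010:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:03 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:04 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:05 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:06 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:07 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Dec/2010:10:00:08 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '203.0.113.5 - - [01/Dec/2010:10:00:20 +0000] "GET /about HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Dec/2010:10:00:40 +0000] "GET /contact HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Dec/2010:10:11:00 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "curl/7.21"',
    "this line is not in combined log format and is skipped",
]


if __name__ == "__main__":
    for ip, verdict in analyse(SAMPLE_LOG):
        print(ip, verdict)
```

With the assumed settings (threshold 5, 60-second slice, 600-second block) the sixth request from 198.51.100.7 produces the burst verdict, the next two are reported as blocked, and the request at 10:11:00 is allowed again because the block has expired and the old timestamps have aged out of the slice; 203.0.113.5 is never flagged. Tuning the threshold against the application's real per-user rate (the performance dashboard slide is where that baseline comes from) is what keeps this check from blocking legitimate users.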