Web Hacking Incidents Revealed - Trends, Stats and How to Defend


Ryan Barnett

Senior Security Researcher

SpiderLabs Research

Ryan Barnett - Background

Trustwave

Senior Security Researcher

− Web application firewall research/development

− Virtual patching for web applications

Member of the SpiderLabs Research Team

− Web application firewall signature lead

ModSecurity Community Manager

− Interface with the community on public mail-list

− Steer the internal development of ModSecurity

Author

“Preventing Web Attacks with Apache”

Confidential Copyright Trustwave 2010

Ryan Barnett – Community Projects

Open Web Application Security Project (OWASP)

Speaker/Instructor

Project Leader, ModSecurity Core Rule Set

Project Contributor, OWASP Top 10

Project Contributor, AppSensor

Web Application Security Consortium (WASC)

Board Member

Project Leader, Web Hacking Incident Database

Project Leader, Distributed Open Proxy Honeypots

Project Contributor, Web Application Firewall Evaluation Criteria

Project Contributor, Threat Classification

The SANS Institute

Courseware Developer/Instructor

Project Contributor, CWE/SANS Top 25 Worst Programming Errors


Session Outline

The Challenge of Risk Analysis for Web Applications

Risk Rating Methodology

How to quantify risk?

WASC Web Hacking Incident Database (WHID)

What is it?

Goals

Recent Project Changes and Updates

2010 Semiannual Report (July – December)

Incidents By Attacked Entity Field

Incidents By Outcome

Incidents By Attack Methods

Incidents By Application Weakness

Comparing the OWASP Top 10 vs. the WHID Top 10

Incidents of Interest

Conclusion


The Challenge of Risk Analysis for Web Application Security

OWASP Risk Rating Methodology

#Step 1: Identifying a Risk

#Step 2: Factors for Estimating Likelihood

#Step 3: Factors for Estimating Impact

#Step 4: Determining Severity of the Risk

#Step 5: Deciding What to Fix

#Step 6: Customizing Your Risk Rating Model

http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
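The six steps above, carried through as a worked calculation. This is an added example, not code from the slides or from OWASP: it scores each likelihood and impact factor 0-9 as the OWASP methodology prescribes, averages each group (optionally with per-factor weights, which is how Step 6 customization can be expressed), buckets the averages and combines them in the OWASP severity matrix. The factor names follow the OWASP methodology; the sample scores for a hypothetical SQL injection in a login form are constructed.

```python
"""Worked OWASP Risk Rating calculation (added example, not from the slides).

Likelihood and impact factors are each scored 0-9; each group is averaged
(optionally weighted, the Step 6 customization), the averages are bucketed,
and the two buckets are combined in the OWASP severity matrix.
"""


def bucket(score):
    """OWASP scale: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError("factor scores must be in the range 0..9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def weighted_mean(scores, weights=None):
    """Plain average by default; per-factor weights implement Step 6 customization."""
    weights = weights or {}
    total = sum(weights.get(name, 1) for name in scores)
    return sum(weights.get(name, 1) * value for name, value in scores.items()) / total


def rate_risk(likelihood_factors, impact_factors, weights=None):
    """Steps 2-4: estimate likelihood and impact, then derive the overall severity."""
    for value in list(likelihood_factors.values()) + list(impact_factors.values()):
        bucket(value)  # range-check every factor before averaging
    likelihood = weighted_mean(likelihood_factors, weights)
    impact = weighted_mean(impact_factors, weights)
    l_level, i_level = bucket(likelihood), bucket(impact)
    return {
        "likelihood": likelihood, "likelihood_level": l_level,
        "impact": impact, "impact_level": i_level,
        "severity": SEVERITY[(l_level, i_level)],
    }


# Constructed sample scores: SQL injection in an internet-facing login form.
SAMPLE_LIKELIHOOD = {
    # threat agent factors
    "skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
    # vulnerability factors
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    # technical impact factors
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    # business impact factors
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
    # Step 6: a regulated vertical may weight privacy violations more heavily
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT, weights={"privacy_violation": 3}))
```

With the constructed scores the likelihood averages 7.125 (HIGH) and the impact 5.5 (MEDIUM), giving an overall "High"; tripling the weight of the privacy factor moves the impact to 5.8, still MEDIUM, which is the kind of sensitivity check a customized model should make visible.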


OWASP Risk Rating Methodology


The Challenge of Risk Analysis for Web Applications: Analyzing Public Incidents

Risk Rating Problem

Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)…


Publicly Quantifying Web Incidents is Challenging

Incidents are not detected

• ~156 day lapse between compromise and detection*

• In the vast majority of cases the merchant did not identify the intrusion; a 3rd party did, based on fraud detection (card brands and banks)*

• Logging issues: poor logging and/or no one reviewing the logs for signs of compromise

* Source: https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf


Publicly Quantifying Web Incidents is Challenging

Victims hide breaches

• Defacement (visible) and information leakage (regulated) are publicized more than other breaches

• Example - Banks are not forced to disclose when individual customer funds are stolen


Web Hacking Incident Database (WHID)

WASC Web Hacking Incident Database (WHID) http://projects.webappsec.org/Web-Hacking-Incident-Database


Tracking Public Web Compromises


WHID Goals

• Raise awareness of real-world, web application security incidents

• Provide data for the following Risk Rating steps:

• #Step 2: Factors for Estimating Likelihood

− What application weaknesses are actively being targeted?

• #Step 3: Factors for Estimating Impact

− What outcome are you worried about?

• #Step 5: Deciding What to Fix

− Prioritized listing of remediation issues

• #Step 6: Customizing Your Risk Rating Model

− Customized view based on your vertical-market


WHID Data

• Data Samples (statistically insignificant)

− Focus on % rather than raw numbers

• Inclusion Criteria

− Only publicly disclosed, web related incidents

− Incidents of interest

− Defacements of “High Profile” sites are included

• Ensure quality and correctness of incidents

− Severely limits the number of incidents that get in


WHID Data: Community Submittal Form

• Community incident submission leverages crowdsourcing

• Project team validation ensures quality

http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident


WHID Database Content

• ~222 incidents for 2010

• Incidents since 1999

• Each incident is classified by:

− Attack type

− Application Weakness

− Outcome

− Country of organization attacked

− Industry segment of organization attacked

− Country of origin of the attack (if known)

− Vulnerable Software

• Additional information:

− A unique identifier: WHID 200x-yy

− Dates of occurrence and reporting

− Description

− Internet references


Real-Time Statistics

• Browse real-time data

• Drill down in to incident details

• Pivot on key variables (year/vertical market)

http://projects.webappsec.org/Web-Hacking-Incident-Database

Real-time, Searchable DB

WHID data is available year-round

Useful for application developers and researchers

Search by

• Attack method

• Outcome

• Source geography

• and many more…

http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase


Geographic Views


Monitoring WHID Updates

http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed

@wascwhid


WHID 2010 Biannual Status Report: July-December

What Vertical Markets are Attacked Most Often?


What are the Goals for Web Hacking?


What Attack Methods do Hackers Use?


Which Application Weaknesses are Exploited?


#Step 5: Deciding What to Fix

Prioritized listing of remediation issues

OWASP vs. WHID Top 10

OWASP Top 10

1 Injection
2 Cross-site Scripting (XSS)
3 Broken Authentication and Session Management
4 Insecure Direct Object Reference
5 CSRF
6 Security Misconfiguration
7 Insecure Cryptographic Storage
8 Failure to Restrict URL Access
9 Insecure Transport Layer Protection
10 Unvalidated Redirects and Forwards

WHID Top 10

1 Insufficient Anti-Automation (Brute Force and DoS)
2 Improper Output Handling (XSS and Planting of Malware)
3 Improper Input Handling (SQL Injection)
4 Application Misconfiguration (Detailed error messages)
5 Insufficient Authentication (Stolen Credentials/Banking Trojans)
6 Insufficient Process Validation (CSRF and DNS Hijacking)
7 Insufficient Authorization (Predictable Resource Location/Forceful Browsing)
8 Abuse of Functionality (CSRF/Click-Fraud)
9 Insufficient Password Recovery (Brute Force)
10 Improper Filesystem Permissions (Info Leakages)


Top Trends

Denial of Service


Layer 4 DDoS Attacks


Layer 4 DDoS Attacks - Botnets

• Reach bandwidth or connection limits of hosts or networking equipment.

• Fortunately, current anti-DDoS solutions are effective in handling Layer 4 DDoS attacks.

http://www.cert.org/reports/dsit_workshop.pdf

Layer 7 DDoS Attacks


Layer 7 DDoS Attacks

• Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity.

• Requires fewer connections => higher efficiency.

• Reach resource limits of services. Can deny services regardless of the hardware capabilities of the host => higher lethality.

• We will focus on protocol weaknesses of HTTP or HTTPS.

− HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)

− HTTP POST => Wong Onn Chee


http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool

Application Performance Monitoring Dashboard


Excessive Access Rate Detection
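The Layer 7 DDoS discussion above and this excessive-access-rate slide call for the same kind of check, so one added example serves both. It is not code from the slides or from ModSecurity: it runs two defender-side detections over web server access logs, a per-client request rate in a sliding window, and a count of long-lived requests per client, which is the footprint that slow-header (Slowloris-style) and slow-POST connections leave once the server times them out. The log format ("ip timestamp \"request line\" status duration_ms"), the thresholds and all sample lines are constructed for the example.

```python
"""Layer 7 DoS indicators from access logs (added example, not from the slides).

Two detections over a constructed log format:
  1. excessive_rate:  more than N requests from one client in a sliding window
  2. slow_requests:   several requests from one client that each held a worker
                      for a long time (slow-header / slow-POST pattern)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: ip ISO-timestamp "request line" status duration_ms
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<ms>\d+)$'
)


def build_sample_log():
    """Constructed log: one flooding client, one slow-POST client, one normal client."""
    base = datetime(2010, 11, 3, 10, 0, 0)
    lines = []
    for i in range(25):  # 25 GETs in 5 seconds from a single client
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f'203.0.113.7 {ts.isoformat()} "GET /search?q=a HTTP/1.1" 200 15')
    for i in range(5):  # POST bodies that trickle in for 45 s until the server times out
        ts = base + timedelta(seconds=i)
        lines.append(f'198.51.100.9 {ts.isoformat()} "POST /login HTTP/1.1" 408 45000')
    for i in range(3):  # ordinary traffic
        ts = base + timedelta(seconds=3 * i)
        lines.append(f'192.0.2.10 {ts.isoformat()} "GET /index.html HTTP/1.1" 200 40')
    return lines


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ip": m["ip"], "ts": datetime.fromisoformat(m["ts"]),
                   "req": m["req"], "status": int(m["status"]), "ms": int(m["ms"])}


def excessive_rate(events, window_s=10, max_requests=20):
    """Clients that sent more than max_requests inside any window_s-second window.

    Returns {ip: peak number of requests seen inside one window}.
    """
    recent = defaultdict(deque)
    offenders = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > max_requests:
            offenders[e["ip"]] = max(offenders.get(e["ip"], 0), len(q))
    return offenders


def slow_requests(events, min_ms=30000, min_count=3):
    """Clients with at least min_count requests that each held a worker >= min_ms."""
    counts = defaultdict(int)
    for e in events:
        if e["ms"] >= min_ms:
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    events = list(parse(build_sample_log()))
    print("rate offenders:", excessive_rate(events))
    print("slow-request offenders:", slow_requests(events))
```

The rate check catches the flooding client by volume alone; the slow-POST client never exceeds the rate threshold, which is exactly why a Layer 7 defence needs the second check on request duration (or on the matching 408 timeouts) rather than request counts only.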


Cross-site Scripting (XSS) Defense
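The WHID Top 10 files XSS under "Improper Output Handling", and the corresponding defence is to encode untrusted data for the exact context it is written into. The following is an added example, not code from the slides: one small encoder per output context (HTML text, HTML attribute, JavaScript string literal, URL parameter, link target) and a constructed page template that applies the right one in each place. The helper names, the template and the sample inputs are all constructed.

```python
"""Context-aware output encoding (added example, not from the slides).

Each helper targets one output context; using the wrong one (or none) is the
"Improper Output Handling" weakness in the WHID Top 10.
"""
import html
import json
from urllib.parse import quote, urlsplit


def for_html_text(value):
    """Untrusted data placed between HTML tags."""
    return html.escape(str(value), quote=False)


def for_html_attr(value):
    """Untrusted data inside a quoted attribute value (quotes are encoded too)."""
    return html.escape(str(value), quote=True)


def for_js_string(value):
    """Untrusted data inside a <script> string literal.

    JSON encoding (ASCII-only, so U+2028/U+2029 are escaped as well) handles
    quotes and control characters; '/' is additionally escaped so that a
    closing </script> sequence cannot terminate the script block.
    """
    return json.dumps(str(value), ensure_ascii=True).replace("/", "\\/")


def for_url_param(value):
    """Untrusted data used as a query-string parameter value."""
    return quote(str(value), safe="")


def safe_href(value):
    """Untrusted data used as a whole link target: allow only http(s) URLs,
    then attribute-encode; anything else becomes an inert '#'."""
    value = str(value).strip()
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return "#"
    return for_html_attr(value)


def render_profile(name, website, search_term):
    """Constructed template that applies the encoder matching each context."""
    return (
        f"<h1>Welcome, {for_html_text(name)}</h1>\n"
        f'<a href="{safe_href(website)}">home page</a>\n'
        f'<a href="/search?q={for_url_param(search_term)}">recent search</a>\n'
        f"<script>var who = {for_js_string(name)};</script>"
    )


if __name__ == "__main__":
    print(render_profile('O\'Neil <b>"admin"</b>', "https://example.com/", "a&b=c"))
```

The point of the template is that the same untrusted value (the name) is written twice, once as HTML text and once inside a script, and needs a different encoder each time; a single global "sanitize" pass at input time cannot know which context the data will end up in.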


Banking Trojans


Questions?
