
Web Hacking Incidents Revealed: Trends, Stats and How to Defend


Ryan Barnett
Senior Security Researcher
SpiderLabs Research

Ryan Barnett - Background


Trustwave
Senior Security Researcher
Web application firewall research/development
Virtual patching for web applications

Member of the SpiderLabs Research Team


Web application firewall signature lead

ModSecurity Community Manager


Interface with the community on public mail-list
Steer the internal development of ModSecurity

Author
Preventing Web Attacks with Apache

Copyright Trustwave 2010

Confidential

Ryan Barnett Community Projects


Open Web Application Security Project (OWASP)
Speaker/Instructor
Project Leader, ModSecurity Core Rule Set
Project Contributor, OWASP Top 10
Project Contributor, AppSensor
Web Application Security Consortium (WASC)
Board Member
Project Leader, Web Hacking Incident Database
Project Leader, Distributed Open Proxy Honeypots
Project Contributor, Web Application Firewall Evaluation Criteria
Project Contributor, Threat Classification
The SANS Institute
Courseware Developer/Instructor
Project Contributor, CWE/SANS Top 25 Worst Programming Errors


Session Outline
The Challenge of Risk Analysis for Web Applications
Risk Rating Methodology
How to quantify risk?
WASC Web Hacking Incident Database (WHID)
What is it?
Goals
Recent Project Changes and Updates
2010 Semiannual Report (July-December)
Incidents By Attacked Entity Field
Incidents By Outcome
Incidents By Attack Methods
Incidents By Application Weakness
Comparing the OWASP Top 10 vs. the WHID Top 10
Incidents of Interest
Conclusion

The Challenge of Risk Analysis for Web Application Security
OWASP Risk Rating Methodology


#Step 1: Identifying a Risk
#Step 2: Factors for Estimating Likelihood
#Step 3: Factors for Estimating Impact
#Step 4: Determining Severity of the Risk
#Step 5: Deciding What to Fix
#Step 6: Customizing Your Risk Rating Model

http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

OWASP Risk Rating Methodology


The Challenge of
Risk Analysis for
Web Applications:
Analyzing Public Incidents

Risk Rating Problem

Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises).


Publicly Quantifying Web Incidents is Challenging

Incidents are not detected

~156 day lapse between compromise and detection*
In the vast majority of cases the merchant did not identify the intrusion; a third party did, based on fraud detection (card brands and banks)*
Logging issues - poor logging and/or no one reviewing the logs for signs of compromise

https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf

Publicly Quantifying Web Incidents is Challenging

Victims hide breaches

Defacement (visible) and information leakage (regulated) are publicized more than other breaches
Example - Banks are not forced to disclose when individual customer funds are stolen


Web Hacking
Incident Database
(WHID)

WASC Web Hacking Incident Database (WHID)

http://projects.webappsec.org/Web-Hacking-Incident-Database

Tracking Public Web Compromises


WHID Goals
Raise awareness of real-world, web application security
incidents
Provide data for the following Risk Rating steps:
#Step 2: Factors for Estimating Likelihood
What application weaknesses are actively being
targeted?
#Step 3: Factors for Estimating Impact
What outcome are you worried about?
#Step 5: Deciding What to Fix
Prioritized listing of remediation issues
#Step 6: Customizing Your Risk Rating Model
Customized view based on your vertical-market

WHID Data

Data Samples (statistically insignificant)
Focus on % rather than raw numbers

Inclusion Criteria
Only publicly disclosed, web related incidents
Incidents of interest
Defacements of high profile sites are included
Ensure quality and correctness of incidents
Severely limits the number of incidents that get in


WHID Data: Community Submittal Form


Community incident submission leverages
crowdsourcing
Project team validation ensures quality

http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident

WHID Database Content

~222 incidents for 2010
Incidents since 1999
Each incident is classified by
Attack type
Application Weakness
Outcome
Country of organization attacked
Industry segment of organization attacked
Country of origin of the attack (if known)
Vulnerable Software

Additional information:
A unique identifier: WHID 200x-yy
Dates of occurrence and reporting
Description
Internet references

Real-Time Statistics
Browse real-time data
Drill down in to incident
details
Pivot on key variables
(year/vertical market)

http://projects.webappsec.org/Web-Hacking-Incident-Database

Real-time, Searchable DB
WHID data is available year-round
Useful for application developers and researchers
Search by
Attack method
Outcome
Source geography
and many more

http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase

Geographic Views


Monitoring WHID Updates

http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed

@wascwhid


WHID 2010 Semiannual Status Report: July-December

What Vertical Markets are Attacked Most Often?


What are the Goals for Web Hacking?


What Attack Methods do Hackers Use?


Which Application Weaknesses are Exploited?


#Step 5: Deciding What to Fix


Prioritized listing of remediation issues

OWASP vs. WHID Top 10

 #  OWASP Top 10                                  WHID Top 10
 1  Injection                                     Insufficient Anti-Automation (Brute Force and DoS)
 2  Cross-site Scripting (XSS)                    Improper Output Handling (XSS and Planting of Malware)
 3  Broken Authentication and Session Management  Improper Input Handling (SQL Injection)
 4  Insecure Direct Object Reference              Application Misconfiguration (Detailed error messages)
 5  CSRF                                          Insufficient Authentication (Stolen Credentials/Banking Trojans)
 6  Security Misconfiguration                     Insufficient Process Validation (CSRF and DNS Hijacking)
 7  Insecure Cryptographic Storage                Insufficient Authorization (Predictable Resource Location/Forceful Browsing)
 8  Failure to Restrict URL Access                Abuse of Functionality (CSRF/Click-Fraud)
 9  Insufficient Transport Layer Protection       Insufficient Password Recovery (Brute Force)
10  Unvalidated Redirects and Forwards            Improper Filesystem Permissions (Info Leakage)


Top Trends

Denial of Service


Layer 4 DDoS Attacks


Layer 4 DDoS Attacks - Botnets

Reach bandwidth or connection limits of hosts or networking equipment.
Fortunately, current anti-DDoS solutions are effective in handling Layer 4 DDoS attacks.

http://www.cert.org/reports/dsit_workshop.pdf

Layer 7 DDoS Attacks


Layer 7 DDoS Attacks

Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity.
Requires fewer connections => higher efficiency.
Reach resource limits of services.
Can deny service regardless of the hardware capabilities of the host => higher lethality.
We will focus on protocol weaknesses of HTTP or HTTPS.
HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)
HTTP POST => Wong Onn Chee
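The two HTTP attack families named on this slide, slow GET (headers never complete, the Slowloris approach) and slow POST (a large Content-Length declared and the body trickled in), are invisible to bandwidth-based Layer 4 defences because the traffic volume is tiny and every socket is a valid TCP connection. The added example below (my code, not the deck's and not any of the named tools) classifies a snapshot of open connections from a server's point of view and counts slow sockets per client, which is the check that separates one legitimately slow upload from one source holding a handful of stalled connections. The Conn record, the thresholds and the sample clients are constructed for illustration; the thresholds mirror the kind of values a server request-timeout module such as Apache's mod_reqtimeout encodes.

```python
"""Classify open HTTP connections as slow-header (Slowloris-style GET),
slow-body (slow POST) or ok, and find clients holding many slow sockets.

Added example for this slide; not code from the deck or from any of the named
tools. Conn, the thresholds and sample_connections() are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_DEADLINE_S = 20.0   # request line + headers must be complete within this time
BODY_GRACE_S = 10.0        # do not judge body throughput during the first seconds
BODY_MIN_BPS = 500.0       # after the grace period, body must arrive at least this fast
SLOW_CONNS_PER_IP = 5      # one client with this many slow sockets is treated as an attacker


@dataclass
class Conn:
    client: str
    opened_at: float                  # seconds (monotonic clock) when the socket was accepted
    headers_done_at: Optional[float]  # None while the header block is still incomplete
    content_length: int               # declared by the client; 0 for a body-less GET
    body_bytes: int                   # body bytes received so far


def classify(conn: Conn, now: float) -> str:
    """Return 'slow-header', 'slow-body' or 'ok' for one open connection."""
    if conn.headers_done_at is None:
        # Slowloris: keeps sending partial header lines so the request never completes.
        return "slow-header" if now - conn.opened_at > HEADER_DEADLINE_S else "ok"
    if conn.body_bytes < conn.content_length:
        # Slow POST: declares a large Content-Length, then trickles the body.
        elapsed = now - conn.headers_done_at
        if elapsed > BODY_GRACE_S and conn.body_bytes / elapsed < BODY_MIN_BPS:
            return "slow-body"
    return "ok"


def slow_clients(conns: List[Conn], now: float) -> Dict[str, int]:
    """Map client IP -> number of slow connections, keeping only IPs at or over the limit.

    Per-IP counting matters: a single slow mobile upload must not be mistaken
    for an attack, while several stalled sockets from one source is exactly the
    few-connections signature of a Layer 7 tool.
    """
    counts = Counter(c.client for c in conns if classify(c, now) != "ok")
    return {ip: n for ip, n in counts.items() if n >= SLOW_CONNS_PER_IP}


NOW = 100.0   # the instant the snapshot below was taken


def sample_connections() -> List[Conn]:
    """Constructed snapshot of a server's open connections at NOW."""
    conns = []
    # Slowloris-style client: six sockets, headers still unfinished after 70 s.
    conns += [Conn("203.0.113.7", 30.0, None, 0, 0) for _ in range(6)]
    # Slow-POST client: five sockets, 1 MB declared, 600 bytes delivered in 75 s (8 B/s).
    conns += [Conn("198.51.100.9", 20.0, 25.0, 1_000_000, 600) for _ in range(5)]
    # Legitimate large upload: 2 MB of 5 MB in 59 s (about 34 KB/s).
    conns.append(Conn("192.0.2.10", 40.0, 41.0, 5_000_000, 2_000_000))
    # Legitimate client that connected 5 s ago and is still sending headers.
    conns.append(Conn("192.0.2.11", 95.0, None, 0, 0))
    # Legitimate POST still inside the grace period.
    conns.append(Conn("192.0.2.12", 92.0, 93.0, 100_000, 100))
    return conns


if __name__ == "__main__":
    for c in sample_connections():
        print(f"{c.client:15} {classify(c, NOW)}")
    print("attackers:", slow_clients(sample_connections(), NOW))
```

Running the block reports both attacking IPs while the three legitimate clients stay "ok"; note that the slow-POST client is moving 40 bytes per second across all five sockets combined, which no volumetric threshold will ever catch.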


http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool


Application Performance Monitoring Dashboard


Excessive Access Rate Detection
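The slide illustrates the flood side of Layer 7 DoS, where one client simply sends far more requests than a human would. The added example below (my code, not the deck's and not ModSecurity rules) implements the same per-IP request counter with expiry that a WAF keeps in its persistent IP collection, as a stand-alone script over Apache combined-format access-log lines. The log lines, the 5-second window and the threshold of 20 requests are constructed for the example; tune the last two to the site's real traffic before trusting the verdicts.

```python
"""Sliding-window request-rate detection over web access-log lines.

Added example for this slide; not code from the deck or from ModSecurity.
Log format is Apache 'combined'; sample_log(), the window and the threshold
are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_floods(lines: Iterable[str], window_s: int = 5,
                  max_requests: int = 20) -> Dict[str, dict]:
    """Return {ip: {'at': first_trigger_time, 'count': requests_in_window}}.

    A client is flagged the first time it has more than max_requests requests
    inside any trailing window of window_s seconds. Timestamps per IP live in a
    deque and are expired from the left, so memory is bounded by the window
    rather than by the log size.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests and rec["ip"] not in flagged:
            flagged[rec["ip"]] = {"at": rec["ts"], "count": len(q)}
    return flagged


BASE = datetime(2010, 12, 1, 10, 0, 0, tzinfo=timezone.utc)


def log_line(ip: str, when: datetime, path: str) -> str:
    """Build one constructed combined-format line (second resolution, like Apache)."""
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120 '
            f'"-" "Mozilla/5.0"')


def sample_log() -> List[str]:
    """Constructed log: one client hammering /search, one browsing normally."""
    lines = []
    for i in range(40):   # 40 hits in 4 s, about 10 req/s
        lines.append(log_line("203.0.113.5", BASE + timedelta(milliseconds=100 * i),
                              f"/search?q={i}"))
    for i in range(6):    # 6 hits spread over 30 s
        lines.append(log_line("192.0.2.8", BASE + timedelta(seconds=5 * i), f"/page/{i}"))
    lines.sort(key=lambda ln: parse_line(ln)["ts"])   # a real log is time-ordered
    return lines


if __name__ == "__main__":
    for ip, hit in detect_floods(sample_log()).items():
        print(f"{ip}: {hit['count']} requests within 5 s at {hit['at'].isoformat()}")
```

The flooding client trips the threshold on its 21st request, two seconds into the log; the browsing client never holds more than a few entries in its window. In production the same counter would feed a temporary block or a CAPTCHA rather than a print statement, and the window should be keyed on something harder to rotate than the source IP where the site sits behind a proxy.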


Cross-site Scripting (XSS) Defense
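The WHID Top 10 files XSS under "Improper Output Handling", which is the accurate name for the bug: untrusted data is written into an HTML page without the encoder that context needs. The added example below (my code, not the deck's) renders one untrusted profile field into three contexts, HTML body, URL attribute and inline script, and shows the raw concatenation beside the encoded version. The template, the field names and the payloads are constructed for the example.

```python
"""Context-aware output encoding: the fix for the 'Improper Output Handling'
weakness behind most WHID XSS incidents.

Added example; not code from the deck. Template, field names and payloads
are constructed.
"""
import html
import json
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https"}


def safe_url(value: str) -> str:
    """Allow only absolute http(s) URLs in href.

    javascript:, data:, vbscript: and scheme-relative //host URLs all become '#'.
    Survivors are still attribute-encoded so a quote in the query cannot break out.
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() in SAFE_URL_SCHEMES and parts.netloc:
        return html.escape(value, quote=True)
    return "#"


def js_string(value: str) -> str:
    """JSON-encode for a <script> context, then escape the characters json.dumps
    leaves alone that can close the element or change the HTML parse."""
    encoded = json.dumps(value)   # ensure_ascii=True already handles non-ASCII
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def render_unsafe(name: str, homepage: str) -> str:
    """The pattern in the breached applications: untrusted data pasted into every context."""
    return (f"<h1>Hello {name}</h1>\n"
            f'<a href="{homepage}">home</a>\n'
            f'<script>var user = "{name}";</script>')


def render_safe(name: str, homepage: str) -> str:
    """Same page with an encoder chosen per context."""
    return (f"<h1>Hello {html.escape(name, quote=True)}</h1>\n"   # HTML body context
            f'<a href="{safe_url(homepage)}">home</a>\n'            # URL attribute context
            f"<script>var user = {js_string(name)};</script>")       # JavaScript context


if __name__ == "__main__":
    payload_name = "<script>alert(1)</script>"
    payload_url = "javascript:alert(document.cookie)"
    print("--- unsafe ---")
    print(render_unsafe(payload_name, payload_url))
    print("--- safe ---")
    print(render_safe(payload_name, payload_url))
```

The point of the three encoders is that none of them is interchangeable: HTML entity encoding does nothing inside a `javascript:` href, and JSON encoding alone still lets `</script>` through, which is why js_string adds the `\u003c` step. Input validation on the way in is a useful second layer but is not the fix, since the same value is often rendered in several contexts.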


Banking Trojans


Questions?
