Is Your Website Hackable? Why You Need to Worry?
Alliance Technology Partners
U.S. Preferred Partner
Agenda
• A Holistic View of Security – Web Applications in Danger
• Web Application Security Issues
• Is your Website Hackable? Why Organizations Need to Worry
• An Introduction to Hacking
• Protecting Yourself: Web Vulnerability Scanning
• Acunetix Web Vulnerability Scanner
A Holistic View of Security
Web Applications in Danger
What are Web Applications?
• Login forms, search forms, blogs and forums, shopping carts, newsletter submit fields.
• Easy, seamless and immediate retrieval and submission of data through a web browser.
• Updated and maintained without distributing and installing software on client computers.
• Immensely popular.
• Web applications as business drivers.
• AJAX applications – the next generation.
The Web Application Model
For this model to function efficiently, the Web Application has direct and open access to the database.
Needed to churn the content requested by visitors to the website.
Web Apps = Database Ports Open
[Diagram labels: Shield around Network Assets Including Database and Web Servers; No direct access to database; SSL]
Web Application Security Issues
Web App Security Concerns
• Bring grave security risks:
– Available 24x7x365
– Publicly available for legitimate users and hackers
– Direct access to backend databases
– Most web applications are custom-made
– These custom applications are the most susceptible to attack.
– Lack of awareness equating web security to network security.
Layers to Security
Nine Myths: Eyes Wide Shut?
1. Network security scanners protect the application layer.
2. Application vulnerabilities = network and system vulnerabilities.
3. Firewalls protect the application layer.
4. IPS/IDS defeat application attacks.
5. Network devices understand application context.
6. SSL secures the application.
7. Vulnerability scanners protect the web – matching vulnerability signatures will do the trick.
8. Annual or quarterly vulnerability assessments are enough.
9. Patch Management is immediate and satisfactory.
The Jeffrey Rubin Story
• Network Security is Not Enough
Jeffrey Rubin, Syracuse University School of Information Studies, President of Internet Consulting Services: “Review: Web Vulnerability Scanners”, SOAPipeline, September 2005.
• Network security is not enough, as web applications require port 80 to be open to communicate with the database to deliver the function they were designed for.
Eric S. Raymond
• ESR is a well-known figure in the hacker community and maintains the “Hacker’s Dictionary”.
• A famous quote in response to “how long will it take me to learn to hack?”:
• “…if you are a real hacker, you will spend the rest of your life learning and perfecting your craft”.
Have you been hacked?
• Have you been hacked?
– Are you certain?
– If web applications are not secure…
– …then your entire database of sensitive information is at serious risk.
Is your Website Hackable?
Why Organizations Need to Worry
Who’s Being Hacked?
• Choice Point Inc ($15m)
• University of Southern California ($140k+)
• Microsoft (Website defacement)
• PayPal (Account information stolen; cost unknown)
• Victoria’s Secret ($50k fine)
• Hotmail (XSS detected – not fixed)
• Amazon (XSS detected – not fixed)
• Petco (credit cards of 500k customers stolen)
TJX Companies Inc
• 40 million customer cards stolen
– USA, Hong Kong, Sweden, UK and Ireland.
• Lawsuits to date account for about US$ 5 to 10 million
• Government of Canada launching an investigation
• Breach probably started in 2003 and discovered in December 2006.
Web Security Hard Cold Facts
• Gartner:
– 75% of Website hacks happen at the web application level.
• Cisco:
– 95% of web applications have serious flaws,
• 80% of which are vulnerable to Cross Site Scripting
• Acunetix Research through Free Audits (published):
– 70% of sites scanned have medium to high risk vulnerabilities including:
• SQL Injection
• XSS
• Source Code Disclosure
• Our competition shows similar statistics:
– Jeremiah Grossman (WhiteHat) states our figure is conservative.
Free Audit Statistics (1) to (5)
[Five statistics slides; their content is not included in the extracted text]
What Motivates Hackers? Data!
• The Privacy Clearing House reports some startling data:
1. Total number of records stolen over the period Feb 2005 to July 2006 = 88,931,692
2. Total number of records stolen over the period Feb 2005 to Feb 2006 = 101,070,850
• 13% increase in just 7 months
• Monthly average of 4.2m records stolen
3. Total number of records stolen due to hack attacks: approximately 82m
The Cost of being Hacked
• Closure.
• Lost customer confidence, trust and reputation.
• Lost brand equity.
• Downtime.
• Lost revenues and profits.
• Ban on processing credit cards.
• Repair the damage.
• New security policies.
• Legal implications including fines and damages.
An Introduction to Hacking
What a Hacker will Do
[Diagram: Shield around Network Assets Including Database and Web Servers IS IN PLACE but DOES NOT STOP HACK ATTACK]
How do Hackers Work? (1)
• Understanding how hackers work is the first step towards deploying a web security infrastructure.
• Always steps ahead.
• Wide repertoire of hacking techniques they will throw at custom web applications.
• Very close-knit community that keeps itself abreast to propagate further hacking.
– Check out sla.ckers.org and slashdot.
• Systematic plan of action that entails four steps.
How do Hackers Work? (2)
• Step 1: Analyse the server infrastructure
• Step 2: Survey the Website
• Step 3: Check for Input Validation Errors
• Step 4: Mount the Attack
Popular Hacking Techniques
• Static Methods – the ‘Known’ (launched against known applications and servers):
– Known exploits
– Directory Enumeration
– Web Server Exploits
• Dynamic Methods – the ‘Unknown’ (typically launched against non-standard applications):
– SQL Injection
– Cross-site Scripting
– Directory and Link Traversal
– Source Code Disclosure
– Common File Checks
– Parameter Manipulation or Passing
– Hidden Web Paths
– Extension and Backup Checking
– Path Truncation
– Java Applet reverse engineering
– Session Hijacking
– Authentication Attacks
– Google Hacking Database
SQL Injection
• SQL is a database query language for data storage, manipulation and retrieval.
• Standard for all web applications to interact with their databases, be they Oracle, MySQL, MS Access…
• SELECT, DROP, INSERT, DELETE
• SQL Injection is when a hacker is able to inject SQL syntax in an input field to gain access to the database.
SQL Injection Demo
• http://testasp.acunetix.com/
• Example of a forum that requires login for posting information:
SELECT id FROM logins WHERE username = 'I-am-a-hacker' AND password = 'anything' or 'x'='x'
• This is a simple example.
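The login query above, reproduced as an added example that is not part of the original deck or of the Acunetix demo site: a constructed in-memory SQLite table named logins with one made-up user, a vulnerable login that builds the query by string concatenation (the form the slide shows), and the hardened form that passes the username and password as bound parameters. Because AND binds tighter than OR, the injected password turns the WHERE clause into (username = '...' AND password = 'anything') OR 'x'='x', which is true for every row, so the vulnerable version returns the first id without knowing any credentials. The parameterised version treats the whole input as one value and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the deck): one legitimate user.

    The password is stored in plaintext only to mirror the slide's query;
    a real application would store a salted hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO logins (username, password) VALUES ('alice', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text.

    A quote character in the input ends the string literal and the rest of the
    input is parsed as SQL, exactly as on the slide.
    """
    sql = (
        "SELECT id FROM logins WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: bound parameters keep the input out of the SQL grammar.

    The driver sends the values separately from the statement, so a quote or
    an OR in the input is just part of the password value being compared.
    """
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The slide's injected input: username 'I-am-a-hacker', password anything' or 'x'='x
INJECTED_USER = "I-am-a-hacker"
INJECTED_PASSWORD = "anything' or 'x'='x"


def demo():
    """Run both versions against the same inputs and report the ids returned."""
    conn = make_db()
    return {
        "vulnerable_with_injection": login_vulnerable(conn, INJECTED_USER, INJECTED_PASSWORD),
        "safe_with_injection": login_safe(conn, INJECTED_USER, INJECTED_PASSWORD),
        "safe_with_real_credentials": login_safe(conn, "alice", "correct-horse"),
        "safe_with_wrong_password": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The same contrast applies to any driver that supports placeholders (the `?` style here is SQLite's; other databases use `%s` or named parameters). Input validation on its own does not replace this: the value is still data once it reaches the database, and only parameterisation keeps it from being parsed as SQL.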
Protecting yourself: Web Vulnerability Scanning
Preventing Hack Attacks
• Audit your web applications for exploitable vulnerabilities regularly and consistently.
• Web Vulnerability Scanners introduce web security.
Types of Web Vulnerability Scanners
• Web Vulnerability Scanners
– Signature Matching Approach (Standard Web Vulnerability Scanners)
– Heuristic Methodology Approach (Intelligent Web Vulnerability Scanners)
• Automated v. Manual Scans
– The importance of automation
– Nothing beats the human touch
Signature Matching
• The majority of Vulnerability Scanners are ineffective because they look for weaknesses based on signature matching.
• Similar to anti-virus software.
• Almost perfect for all popular systems and widely deployed applications:
– Effective against Known (Static) Vulnerabilities
– Ineffective against Unknown (Dynamic) Vulnerabilities and for Custom Applications.
Heuristic Scanning Methodology
• Hacks are not based on a signature file.
• Custom web applications are a honey pot.
• Logic of the “heuristic methodology” is:
– Proactive v. Reactive
– Acts like a hacker
– Focuses on the arsenal of hacking methods rather than the vulnerabilities themselves.
• Web vulnerability scanning depends on:
– (a) how well your site is crawled, and
– (b) the ability to test the various hacking methods and techniques against web applications.
Protecting yourself: Acunetix Web Vulnerability Scanner (WVS)
Acunetix WVS
• Organisation has been around for 3 years and was founded by the ex-founder/CEO of GFI (LanGuard).
• Easy-to-use Heuristic Methodology Scanner with non-destructive automatic and manual audits.
• Acunetix WVS is an essential tool to find holes in your web security.
How Acunetix WVS Works
• Discovery or Crawling Process Stage
• Automated Scan Stage
• Alert Node Stage
• Reporting Stage
The User Interface
Audit Report
Compliance Report
Audited Hacking Vulnerabilities and Attacks
• Automated Checks and Attacks
– Version Check
– CGI Testing
– Parameter Manipulation (SQL Injection, XSS, …)
– MultiRequest Parameter Manipulation
– File Checks
– Directory Checks
– Text Search
– Google Hacking Database
• Manual Checks and Attacks
– Input Validation
– Authentication Attacks
– Buffer Overflows
Some Features at a Glance
• JavaScript / AJAX Support – Client Script Analyzer (CSA)
• Scheduler
• Command Line
• URL Rewrite Support
• Detects Google Hacking Vulnerabilities
• Extend Attacks with the HTTP Editor & Sniffer
• In-depth Testing with the HTTP Fuzzer
• Login Sequence Recorder for Protected Areas
• Automatic HTML Form-filler
• Crawl Flash Files
• Test Password Strength of Login Pages
• Vulnerability Editor
• Supports all Major Web Technologies
• Scanning Profiles
• Report Generator
• Compare Scans and Find Differences
• Easily Re-Audit Website Changes
• …and more
Acunetix Version 5
• New Features:
– Scanning and automation engine
– Enhanced ClientScript Analyzer for AJAX and related applications
– Web Services Scanner
– Password Protection
– Assistance in finding CSRF
– Unique compliance reporting application
Licensing Options
• One-year or perpetual licensing
• Annual maintenance
• 1 or unlimited URLs
• Consultant Edition
• Pricing starts at $1445 for Single User Single URL Perpetual License
Customers
• Over 5000 sites scanned in one year (2008)
• Global network of resellers
• Strong in the USA
• End-users include US Government, US Military, IBM, France Telecom, Telstra, Unisys, F.A. Premier League, Bank of China, Dae Woo, Fujitsu, CMP and many more.
Thank you
Please contact Alliance Technology Partners for more information
www.alliancetechpartners.com
888-891-8885