Thursday, May 15, 2008

Botnets with SQL Injection tools

Dan Goodin of The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells of a low-hanging-fruit conviction, it provides compelling insight into just how little skill a person needs to illegally turn a tidy profit by compromising users’ machines and committing fraudulent acts. It also begs the question of how much the people with some decent skills are making, who also TRY NOT to get caught.

Who knows, some of them could be the same people clever enough to install SQL injection tools on bots as a copycat of the massive attacks going around. “The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks”. Bill Pennington lays out the future of botnet attacks leveraging custom web application vulnerabilities like XSS and CSRF. Bigger potential than SQLi. Get ready everyone! This is going to be an interesting year.

Wednesday, May 14, 2008

Does secure software really matter?

If you ask the average expert what organizations should do about Web security you’d almost universally hear what’s become like a religious commandment, “Thou shall add security as part of the application from the beginning. Blessed are those who develop secure code.” Amen. I am a loyal follower of the security-in-the-SDLC church. I’ll humbly try to ensure my code does what I preach others should also do. The problem is code security by itself will NOT deliver us unto the pearly gates of Web security that many people wish for. There are other issues at play.

As an information security professional my responsibility is assisting organizations in mitigating the risk of their website being compromised. If the process requires rewriting some insecure code, great, let’s do it. The responsibility also means being open to solutions such as Web application firewalls, configuration hardening, patching, system decommissioning, obscurity, a lucky rabbit’s foot, etc. Anything and everything should be used to our advantage because the odds are stacked in the bad guys’ favor. Lest we forget, the bad guys don’t need more than to exploit a single weakness.

At WhiteHat we assist the effort by rapidly identifying Web application vulnerabilities and helping to get them fixed before attackers exploit them. We also invest significant R&D analyzing website vulnerability data, matching it up to publicized incidents, measuring the benefits of various security strategies, and ascertaining what best practices provide the most bang for the buck in a given situation. Software security proves to be one of those things that’s difficult to measure; however, there are a few things we do know for sure about it.

Important as it is, the SDLC process can't always take into consideration unknown attack techniques, current techniques we don’t fully appreciate and ignore, or the massive amounts of old insecure code we depend upon already in circulation. Think 165 million websites and mountains of new code being piled on top all the time. How do we defend our code against attacks that don’t yet exist? And once these techniques are disclosed it’s obvious we can’t instantaneously update all the world’s Web-based code (far, far from it). As an industry we fail to realize these SDLC limitations, and as a result don’t prepare for them, and inevitably pay a heavy price. Sin of omission.

Only a short time ago we didn’t know that integer and heap overflows were exploitable and were something to worry about. Code inspected and declared clean all of a sudden was vulnerable even though not a single line changed. The same happened in webappsec with Cross-Site Scripting (XSS), ignored for years until the bad guys loudly demonstrated its potential. The same is happening with Cross-Site Request Forgery (CSRF), HTTP Response Splitting, and hundreds of other attack variants. Now the vultures are circling null pointer attacks. Secure code is only secure, if there is such a thing, for a period of time impossible to predict. We can’t future-proof our code and I’ll guarantee new attack techniques are on the way, with the existing ones often becoming ever more powerful.

On the horizon are clever and evilly lucrative uses for timing attacks, passive intelligence gathering, application DoS, CSRF, and several other rarely explored examples I plan to present at Black Hat USA (if accepted). And that’s not to mention vulnerabilities that have nothing at all to do with the code: crossdomain.xml, Predictable Resource Location, Abuse of Functionality, and a dozen other issues. Lately I’ve also been noticing in our data a link between a website’s security posture and when it was actually launched/built - equally or more so than the technology in use. Newer websites developed after an attack class became mainstream appear to stand a higher chance of being immune. If true this would make a lot of sense to me, more than developers suddenly having learned the virtue of input validation.

Secure coding best practices, even if implemented perfectly, mostly only account for the attack techniques we’re currently aware of, but once something new comes up, we’ve got a big problem because of the scale of the Web. That’s why XSS, SQL Injection, and CSRF are biting us in the ass so hard. For years we really didn’t fully understand what they could do or effectively get the message out where anyone would care. Now significant portions of the Web are vulnerable, we just don’t know where exactly, and even if we did are we really going to go back line-by-line? Now we’re in a spot where hundreds of thousands of pages are being infected with JavaScript malware. I don’t expect this to end anytime soon; it’ll get worse if anything, because the bad guys have a lot of green field to work with.

My point is we need to look at Web security in a new way and accept that code (or developers) will never be perfect or even close to it. To compensate we need solutions, including Web application firewalls (virtual patches), wrapped around our code to protect it. Some might call this approach a band-aid or a short-term solution. Whatever, I call it realistic. Just ask those who are actually responsible for securing a website and they’ll tell you the same thing. We need nimble solutions/products/strategies that help us identify emerging threats, react faster to them, and adapt better to a constantly changing landscape. Now when a vulnerability or new attack class shows up, IT Security should have a fourth option for the business to consider, giving the developers time to fix the code:

1. Take the website off-line
2. Revert to older code (known to be secure)
3. Leave the known vulnerable code online
4. Vulnerability Mitigation (“virtual patch”)

Crossdomain.xml Invites Cross-site Mayhem

Update 05.14.2008: Figured I'd make available the list of active crossdomain.xml websites I've found. Enjoy! *hat tip to RSnake for the bandwidth*

This week I took a renewed interest in crossdomain.xml. For those unfamiliar, this is Flash’s opt-in policy file that extends the same-origin policy to include more sites in the circle of trust. Normally client-side code (JavaScript, Flash, Java, etc.) is limited to reading data only from the website (hostname) from which it was loaded. Attempting to read data from other domains is met with security exceptions.

With crossdomain.xml a site owner may configure a policy stating which off-domain sites are allowed to read its data (or parts thereof), and the client, Flash in this case, is responsible for enforcement. This feature paves the way for richer client-side applications. Crossdomain.xml policies are also extremely flexible, allowing websites to be defined by IP, domain, subdomain, or everyone (*) under the sun. And this is one area where we potentially run into trouble.

When a hostname is included in the circle of trust, you allow it to read all data on the site that the user has access to; this includes any (authenticated) content and (session) cookies. So should a malicious attacker or website owner gain control of a website in the circle of trust (via a server hack or XSS), then they feasibly can compromise user data off that domain. This could easily lead to privacy violations, account takeovers, theft of sensitive data, and bypassing of CSRF protections (grabbing the key ahead of time).

With this understood I was curious just how many prominent websites are actively using crossdomain.xml and generally how they are configured. For sampling I combined the “www” hostnames of the Fortune 500 with the Global Alexa 500. Of the 961 unique websites in all (and keeping the results to myself for now)…

  • 28% have a crossdomain.xml policy file of some type.
  • 7% have unrestricted crossdomain.xml policy files.
  • 11% have *.domain.com restricted crossdomain.xml policy files.

I was quite surprised by the penetration, but not as much as by how many possessed unrestricted policies. Meaning any website can pull any data from them that it wants. It's not so much that they allow this; many are just brochure-ware, so who cares, but for others we’re talking very sensitive data here. Then of course the domain-restricted percentages were higher still. That would mean if a user should get XSS’ed ANYWHERE on the domain (or another *’d domain), easy enough to do, an attacker could load up a Flash payload and pilfer the data that way. Ouch. Another thing I noticed was a fair number of intranet (development) hostnames being leaked publicly, weird.
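To make the three survey buckets above concrete, here is an added example (my own code, not from the original post) that audits a crossdomain.xml with only the standard library: it classifies the policy as unrestricted, *.domain.com wildcard, or explicit hosts, flags settings that further widen the circle of trust, and approximates Flash Player's host matching so you can ask "could this origin read my site?". The three policies are constructed samples on made-up example domains.

```python
# Added example: classify a Flash crossdomain.xml the way the survey buckets
# them, and check which origins a policy lets into the circle of trust.
import xml.etree.ElementTree as ET

# Constructed sample policies (not real sites), one per survey bucket.
UNRESTRICTED = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SUBDOMAIN_WILDCARD = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="cdn.example.net"/>
</cross-domain-policy>"""

EXPLICIT = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="partner.example.org" secure="true"/>
</cross-domain-policy>"""


def classify_policy(xml_text: str) -> dict:
    """Return the bucket ('unrestricted', 'subdomain-wildcard', 'explicit' or
    'none'), the allowed domains, and findings that widen the trust further."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    domains, findings = [], []
    for el in root.iter("allow-access-from"):
        dom = el.get("domain", "").strip().lower()
        domains.append(dom)
        # secure="false" lets plain-http SWFs read data from an https site
        if el.get("secure", "true").lower() == "false":
            findings.append(f"secure=false for {dom}")
    if any(el.get("domain") == "*"
           for el in root.iter("allow-http-request-headers-from")):
        findings.append("any origin may send custom request headers")
    if "*" in domains:
        bucket = "unrestricted"
    elif any(d.startswith("*.") for d in domains):
        bucket = "subdomain-wildcard"
    elif domains:
        bucket = "explicit"
    else:
        bucket = "none"
    return {"bucket": bucket, "domains": domains, "findings": findings}


def origin_allowed(xml_text: str, host: str) -> bool:
    """Approximate Flash Player's matching: '*' matches every host, and a
    leading '*.' matches the bare domain as well as all of its subdomains."""
    host = host.lower()
    for dom in classify_policy(xml_text)["domains"]:
        if dom == "*":
            return True
        if dom.startswith("*."):
            base = dom[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == dom:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("unrestricted", UNRESTRICTED),
                         ("wildcard", SUBDOMAIN_WILDCARD),
                         ("explicit", EXPLICIT)):
        print(name, classify_policy(policy))
    # An ad slot on any *.example.com host lands inside this circle of trust.
    print("ads.example.com allowed:",
          origin_allowed(SUBDOMAIN_WILDCARD, "ads.example.com"))
```

Point it at your own site's /crossdomain.xml; a "subdomain-wildcard" result means every host under that suffix, ad slots included, is in the circle of trust.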

Now if I may take things just one step further, because these types of attacks can scale far more easily and become more damaging than it might first appear. We've already seen several cases where Flash-based advertising is poisoned through an upstream CDN provider, eventually leading to the exploitation of users’ browsers. These attacks are spotted because they take advantage of a well-known vulnerability, load malware detectable by A/V signatures, and detectably compromise a machine. But let's say they didn't do that and instead attempted something subtle.

What an attacker could do is purchase some Flash-based advertising delivered anywhere on a domain inside a circle of trust (*.domain.com). Instead of using traditional malware exploits they’d force an innocent-looking and invisible cross-domain request on behalf of the user. This request could easily steal session cookies, read your Web email, spam email for that matter, access your social network, and the list goes on and on. Not only would this be inexpensive, but also extremely difficult to detect because everything would appear legit. As I say this, I can’t help but wonder if it hasn’t happened already and we just haven’t realized it. We’re all so used to blaming online account compromises on trojan horses that we haven’t stopped to consider or investigate other possibilities.


Thanks to Russ McRee for blog title and content assistance.

Monday, May 12, 2008

Trifecta of WebAppSec Posts

I remember a time not so long ago when good web application security content was extremely rare and difficult to come by. These days it seems every week something new is posted that’s worth taking the time to read. It’s hard to keep up with all of it and analyze the details, so I’ll post what I can.

1) Dancho Danchev is masterful at noticing and analyzing what nefarious bad guys are up to, especially in the web security environment. In his most recent post, Stealing Sensitive Databases Online - the SQL Style, he talks about economies of scale in the recent massive SQL injection hacks. Essentially he asks rather openly if these massive attacks are attempts to pull smaller data sources together or generally just leverage them as a mass platform for attack. Good question, could go either way in my opinion.

2) C. Warren Axelrod posted something rather interesting, Metrics Revisited – Application Security Metrics, where he comes right out and says:

“I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones.”

Then check out his next question...

“One application has 100 inherent vulnerabilities, of which 10 are discovered and patched. Another application has 1000 inherent vulnerabilities, of which 900 are known and fixed. The former has 90 residual vulnerabilities, and there are 100 remaining in the latter application. Which application is more secure?”

A damn fine question and an answer he digs into.

3) Ready to rip into PCI-DSS 6.6? If you haven’t done so already, or have and still don't know what to do -- WhiteHat’s own Trey Ford posts Deconstructing PCI 6.6 inside SC Magazine. Trey takes the “Find, fix, prove(n)” model, which really makes things simple.

“With a clear understanding of PCI Requirement 6.6, compliance is not only achievable, but can provide great value to web application owners and users. This requirement creates a need for visibility into the lifecycle for vulnerability detection and correction, and will serve to mature web application security. Applying metrics to the efficiency of detection, the cost of producing vulnerable code, and the associated costs of correction will only serve to advance the goal of total web application security.”

Friday, May 09, 2008

A pair of podcast interviews

1) In the Security Bites podcast with Rob Vamosi (transcript) of C-Net I describe what’s new and interesting about the recent malicious mass-scale SQL Injection attack. This is where website DBs are loaded up with malicious JavaScript exploiting browser-based vulnerabilities, the so-called drive-by downloads. Reports are saying 600,000 or so pages are infected, with several high-profile targets (UN, DHS, USAToday, etc.) on the hit list.

2) During RSA I spent some time with the Help Net Security guys answering questions about my favorite infosec conferences and what they have to offer. Of course each has a different focus for the content and the audience, so it just depends on what you are into.

Cisco announces a Web Application Firewall

Cisco has jumped into the WAF game with their recently announced Cisco ACE Web Application Firewall. A full proxy device with HTTP(S) and XML policy enforcement, web-based/shell management interfaces, solid performance metrics, and support for both blacklist and whitelist rules. Judging by their overview literature (video), Cisco apparently sees a sizable market for WAFs, with PCI 6.6 as a driver. So now most big players have a stake in webappsec. This should make things interesting. With Cisco’s brand reputation and reach, people might be willing to get over their initial trust issues with WAFs, and Cisco could do quite well. Should customers demand it, perhaps it's another device we can integrate Sentinel with for virtual patching purposes. The interest has been quite impressive.

Monday, May 05, 2008

Blue Hat 2008

I don’t recall drinking any Kool-aid while in Redmond, but I can’t deny something about my first trip to Blue Hat (Microsoft’s bi-annual internal security conference) affected me. The only thing I can think of is those crafty people over at MS security must have piped something into the air ducts or put something in the eggplant parmesan, because well, I was impressed -- influenced even. Andrew Cushman, MSRC Director (among other things), managed to convince me to attend, even though I thought I knew what the event was all about.

Well, my precognitive abilities failed me. There were no underground chambers, secret member handshakes, career-limiting NDAs, or endless interrogation by the brainwashed hordes hunting for 0-day. Apparently I also wasn’t even there to be recruited away from WhiteHat or at least convinced to give up my MacBook. To test the theory I brandished it in hopes it might start some kind of scene, but to no avail, no one really cared. What Blue Hat did have is a technically kickass speaker/topic line-up, better than most infosec conferences I’ve attended. I also got the opportunity to hang out with Billy Rios, Nitesh Dhanjani, Nate “stolen laptop” McFeters, Kuza55, Fukami, Adam Shostack, and several others.

The attendees were mostly MS software engineers looking to learn about the latest security goings-on. What struck me in conversation with them was their openness. Not “open” in the sense that they were willing to share all their secrets, but more that they were genuinely eager to listen to the thoughts and ideas of others. No arrogance detected, and they truly wanted to make their products better. By contrast there is much general animosity towards Apple now amongst the security researchers within the community. While many of the bad guys are searching for their precious Windows 0-day, the good guys are focusing attention on OS X now, mostly out of spite (or at least to win a MacBook).

My role at Blue Hat was to participate on the Vulnerability Economics Panel; the name describes it all. The other panelists definitely had some interesting things to share. Including that Windows XP SP2 and IE 6 vulnerabilities come at a premium over Vista due to market share factors, and well above OS X. Also interesting is the rose-colored view of the world that the security community still tends to have in believing that reverse engineers won’t be influenced by money. Yah, like we all work for free or something. Their thinking is that 0-day work product will continue to flow like it has to software vendors or intermediaries (TippingPoint / iDefense) even if the potential payout on the black market (or other venues) is orders of magnitude higher. I hold onto no such illusions.

Some mental notes I made to myself, which not all the panelists agree with, are:

  • As MS reduces the number of externally found 0-days, their black market street value goes up. Maybe into the high 6 or even 7 figure range over the next 2-3 years.
  • iDefense and TippingPoint 0-day payouts are getting larger, now often in the 5 figure range having already purchased 300 or so issues.
  • As the black market 0-day payouts rise, “freely” disclosing issues to MS will seem less attractive to freelance security researchers.
  • Microsoft vulnerability metrics will continue to decline as they clean up their software, hire most good reverse engineers as employees or contractors (taking those issues off the market), and those who remain consider their options for profit potential.
  • Third-party applications will come under heavily increased scrutiny.
  • Increased likelihood of vulnerabilities being purposely introduced into MS code by insider threats looking for a big payout.
  • 3-5 year prediction: the US Government regulates the sale of 0-days, much like encryption, likely stimulated by a major incident resulting from a sale.

Overall, I had a really good time and hope to be back for the next one.

Tuesday, April 29, 2008

The Dubai Experience

I had some ideas of what Dubai would be like before going. I’d heard they had a lot of money and were building the country at an extremely fast pace. Well, let me tell you they weren’t kidding! The scale of what’s going on there is extremely difficult to describe. I’ll do my best to capture the opulence, glamour, and pride that seem to define all aspects of the country.

My first clue was the Dubai airport itself, which resembled a 5-star mall rather than a terminal. Everything was high-end and immaculate top to bottom. If you wanted something they probably had it somewhere in there, including a McArabia (flatbread and falafel) at the McDonald's. Any notion that you are smack dab in the middle of a desert is immediately shattered. That was until a brief moment when I stepped out of the cab at the hotel and experienced the heat. OMG.

The discomfort was short lived because the Sheraton Dubai Creek (HiTB venue) is a stunning hotel in every respect. I was whisked in by the doormen and immediately taken care of. Lavish rooms and extremely attentive staff were just the start. Parked outside my room window lining the Dubai Creek, great for morning walks, were about a dozen expensive looking yachts. I got to have a look around.



Spent the weekend walking around the city, including in some areas I probably should not have been in. All the locals were staring because I’m guessing I was on streets where tourists aren’t normally found. Or maybe because I look Pakistani and was dressed in American garb. Who knows. I mentioned it was HOT, right? I don’t know what the mercury read, but I was concerned that my bright orange Phil Zimmermann fanboy shirt might spontaneously combust. Hawaii ain’t got nothing on this place when it comes to heat. Air conditioning is more for life support than comfort.



The picture is of me in front of the self-proclaimed world’s only 7-star hotel. I didn’t find the time to go in, but from what I’ve heard about it, it would be hard to disagree with their assessment. I mean they have a bay carved out so if you want to roll up in your yacht you can. Or maybe you have a helicopter that brought you from the airport, so they have a landing pad outcropping. Convenient. It’s quite clear that they exist at a whole other level in this place. Can this actually be sustained?



The beach was VERY nice, probably one of the best outside of Hawaii I’ve been to. Bermuda was kick ass as well. Warm water (a little salty), white sand, and they even had heated showers - a first for me. Too bad there aren’t any waves to speak of, but I wasn’t complaining. Getting a chance to chill and swim around in the ocean has been all too rare for me lately. I could have stayed for days. Dang, skimboarding would have been awesome. Next time.



One of the things I had to do was a desert safari. So I spent the latter half of a day bashing around the dunes in a 4x4 (WAY COOL), did a little light sandboarding, and finished the night in an encampment eating BBQ (Mmmmm), watching belly dancing, and puffing on a hookah (apple flavor). I even got the chance to ride a camel for a little while, interesting. :) Sometime during the night a few big black scorpions invaded the campsite and all the drivers scurried around trying to kill them. That added some excitement. I really enjoyed being out in the desert; it was quiet and peaceful and something I’d definitely do again.



Before I talk about the Emirates Mall, let me tell you about the freeway getting there. We’re talking an eight-lane freeway in the middle of the desert lined by, I kid you not, probably 50 new giant high rises simultaneously in construction. Then the cab driver says, “Oh by the way, the tallest building in the world just over there.” All I was thinking was how the heck do you construct any building on top of SAND!? Before I forget, the cabbies over there drive crazy. If there were rules of the road, I couldn’t tell.

The Emirates Mall must have had every store and restaurant in there I have ever seen or heard about, including a hotel every bit as nice as the one I stayed in, built right in. 3 levels, hundreds of stores, and even a gigantic indoor ski slope. I really wanted to give it a shot, but it appeared to be more like a kids’ thing and I just couldn’t bring myself to jump in and make a fool of myself. Something which I normally have no problem doing. I’ll work up the courage for next time.



The best way I can describe Dubai to Americans is to imagine Las Vegas, where money is ABSOLUTELY no object, and trying to be built by next year. It seems if Vegas is where Americans go to play, Dubai is where the Europeans go. I overheard so many different languages being spoken, no way I could even pick them out. Americans were few and far between. At the end though, I was ready to get out of there. It’s an amazingly cool place to visit and spend a week.

Monday, April 28, 2008

(IN)SECURE Magazine #16

(IN)SECURE Magazine #16 has been released. For those unfamiliar, it's a PDF with no DRM, and always has excellent infosec content. Definitely my favorite online mag and always well worth the read.