Tuesday, February 20, 2007

Automated Scanners vs. Low-Hanging Fruit

Low-Hanging Fruit (LHF) are vulnerabilities that are easy to find and exploit. We certainly don't want these types of issues in our websites, especially if they can be quickly mitigated with a small amount of effort. In network security, scanning does the trick for LHF identification. Unfortunately, in website security, though scanning is absolutely vital, it’s not that simple or sufficient. That’s because LHF may fall into either technical vulnerabilities, which website vulnerability scanners can find, or business logic flaws, which they can't find much of any.

Technical vulnerabilities, including Cross-Site Scripting (XSS) and SQL Injection, can be found in large supply by scanners and usually can be classified as LHF. For instance, when a website echoes user-supplied HTML, that’s a dead giveaway of an XSS vulnerability. The same with SQL Injection and the notorious ODBC error messages dumping database statements. These instances are easy to spot and exploit. Though as common as these issues are, they’re not always classifiable as LHF.

New XSS issues in YahooMail, MySpace, Gmail, sla.ckers.org (heh) and other high profile websites have become significantly harder to come by because so many people already cherry picked the easy stuff. Discoveries often rely on clever filter-bypass tricks (XSS Cheat Sheet), complex input encoding techniques (UTF-7 or US-ASCII), or sophisticated combinations. SQL Injection exploits frequently have to be performed blind because helpful error messages are suppressed. These instances could be comfortably labeled Mid-tier or even (shall we say) Golden Apples since they reside far out of the reach of scanners, and most humans for that matter.

Then we have business logic flaws like Abuse of Functionality and Insufficient Authentication/Authorization. These mostly require humans (security experts) to uncover them even when classifiable as LHF. For example, during the MacWorld 2007 Expo, several people discovered an easy (LHF) way to obtain free Platinum Passes (a $1,695 value with a chance to see Apple's CEO Steve Jobs up close). By viewing the source code of the sign-up web page, they found "hidden" Priority (Discount) Codes freely usable during registration. Unlike humans, scanners wouldn’t recognize the significance of Priority Codes, how to use them, what the page looks like when they're accepted/denied, let alone being able to pick up the badge to verify the attack succeeded.

WhiteHat Security's engineers continually discover a wide variety LHF business logic flaws in a majority of the websites they assess. The more sophisticated the business logic flaw, the more expertise is required to identify the vulnerability and its remediation. Anyone can find one or two business logic flaws, but it takes a team of experts to try to find them all, all of the time. That’s a big reason why good, complete website vulnerability management is so hard to achieve.

From my experience, any class of attack can be LHF, Mid-tier, or Golden Apples. And, any vulnerability identifiable through a purely automated fashion (a scanner) can be classified as LHF – since anyone without much skill may buy/download a scanner, find a few technical vulnerabilities, and begin exploiting websites. Still, WhiteHat believes the goal of an effective website security program should be to find and manage all the vulnerabilities all the time. Weeding out the LHF can be a good first step. There’s no reason to make exploiting websites that easy for the bad guys.

9 comments:

.mario said...

sla.ckers.org? wow!

.mario said...

btw, there an xss in the 'Search FBN-Security Bloggers Network' banner.

greetings,
.mario

Jeremiah Grossman said...

Nice to see sla.ckers.org in the same sentence as those other big sites huh. :)

Show me the XSS!

.mario said...

LHF:

http://preview.tinyurl.com/yprqvq

Jeremiah Grossman said...

hehe, nice!

Jeremiah Grossman said...

I think that vuln belong to Lijit Networks though, not to Security Bloggers Network banner or Feedburner.

Anonymous said...

Can you show me the xss bug of sla.ckers ?

Ray said...

While you make a couple good points I think such a broad statement as "And, any vulnerability identifiable through a purely automated fashion (a scanner) can be classified as LHF – since anyone without much skill may buy/download a scanner, find a few technical vulnerabilities, and begin exploiting websites." is to harsh of an assessment. Automated scanners very often these days do find "Golden Apple" vulnerabilities. The scanners are improving and getting smarter every day. The important thing to take away from this is that automated scanners are tools, not replacements for experienced pen testers or security professionals. Scanners GREATLY reduce the time needed for manual assessments and can often find critical “Golden Apple” vulnerabilities (such as blind SQL injection, which automated scanners do find and with a high confidence level :)).

Jeremiah Grossman said...

Anonymous, thats the point, I don't know of any. :)

ray, thanks for the comment. I see what your saying, but the definition I gave for LHF was "vulnerabilities that are easy to find and exploit." I make no distinction for "how" they are found since it really doesn't matter. If you can push "go" and out pops vulns, that's easy enough for me. Your right though, everyting about a scanner should be designed to reduce the time it takes to complete an assessment. The problem is not everyone think the current products are doing that. Also, I don't think scanners are actually improving or keeping pace with with website technology, but thats a subject for a future blog post. :)