Tuesday, January 27, 2009

Some unanswered questions

In the Web security industry there is a consistent flow of current events, many of which lead to the asking of thoughtful questions. Frequently good thoughtful questions are not easy to answer, with no guarantee they’ll ever be answered satisfactorily. I like to collect these kinds of questions, gather as much relevant information as possible, talk to people in the know, and the results of which will eventually shape my opinions on the subject. Below are a couple of things I’ve been tracking. Perhaps readers here might want to share their thoughts as well.
  1. Do people trust QSAs who consider PCI-DSS 6.6 met if their organization only uses a network vulnerability scanner with a few web application security checks?
  2. Do organizations with a more mature software security program tend to deploy Web Application Firewalls more often than those who don't?
  3. As a result of the economic downturn, what notable security projects are being cut from last year's budget?
  4. Will Cross-Site Request Forgery security features be adopted through HTTP standardization, ad-hoc by Web browser vendors, or left solely up to website owners?
  5. Will secure code purchasing standards lead to secure code?

Monday, January 26, 2009

Calling all Researchers! Send in the Top Web Hacking Techniques of 2008

It's time once again to create the Top Ten Web Hacking Techniques of the past year. Every year Web security produces a plethora of new and extremely clever hacking techniques (loosely defined, not specific incidents), many of which are published in hard to find locations. 2008 was no different. As we've done for the past two years, we're looking for the best of the best. This effort serves as a way to create a centralized community reference and recognize those exceptional researchers who have contributed to our collective knowledge.

This year is special, because the researcher who places #1 will not only receive praise amongst his peers, but also receive one free pass to attend the BlackHat USA Briefings 2009! Over $1,000 (US) value. Generously sponsored by BlackHat. Winners will be chosen by a panel of judges (Rich Mogull, Chris Hoff, HD Moore, Jeff Forristal) on the basis of novelty, impact, and pervasiveness.

We’re also going to need your help. Below we’re building the living list of everything found so far. If anything is missing, and we’re positive there is because last year had over 80, we’d appreciate it if you could post a comment containing the link. Thank you and good luck!

The List
  1. Cross-Site Printing (2007 issue)
  2. CUPS Detection
  3. CSRFing the uTorrent plugin
  4. Clickjacking / Videojacking
  5. Bypassing URL Authentication and Authorization with HTTP Verb Tampering
  6. I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
  7. Safari Carpet Bomb
  8. Flash clipboard Hijack
  9. Flash Internet Explorer security model bug
  10. Frame Injection Fun
  11. Free MacWorld Platinum Pass? Yes in 2008!
  12. Diminutive Worm, 161 byte Web Worm
  13. SNMP XSS Attack (1)
  14. Res Timing File Enumeration Without JavaScript in IE7.0
  15. Stealing Basic Auth with Persistent XSS
  16. Smuggling SMTP through open HTTP proxies
  17. Collecting Lots of Free 'Micro-Deposits'
  18. Using your browser URL history to estimate gender
  19. Cross-site File Upload Attacks
  20. Same Origin Bypassing Using Image Dimensions
  21. HTTP Proxies Bypass Firewalls
  22. Join a Religion Via CSRF
  23. Cross-domain leaks of site logins via Authenticated CSS
  24. JavaScript Global Namespace Pollution
  25. GIFAR
  26. HTML/CSS Injections - Primitive Malicious Code
  27. Hacking Intranets Through Web Interfaces
  28. Cookie Path Traversal
  29. Racing to downgrade users to cookie-less authentication
  30. MySQL and SQL Column Truncation Vulnerabilities
  31. Building Subversive File Sharing With Client Side Applications
  32. Firefox XML injection into parse of remote XML
  33. Firefox cross-domain information theft (simple text strings, some CSV)
  34. Firefox 2 and WebKit nightly cross-domain image theft
  35. Browser's Ghost Busters
  36. Exploiting XSS vulnerabilities on cookies
  37. Breaking Google Gears' Cross-Origin Communication Model
  38. Flash Parameter Injection
  39. Cross Environment Hopping
  40. Exploiting Logged Out XSS Vulnerabilities
  41. Exploiting CSRF Protected XSS
  42. ActiveX Repurposing, (1, 2)
  43. Tunneling tcp over http over sql-injection
  44. Arbitrary TCP over uploaded pages
  45. Local DoS on CUPS to a remote exploit via specially-crafted webpage (1)
  46. JavaScript Code Flow Manipulation
  47. Common localhost dns misconfiguration can lead to "same site" scripting
  48. Pulling system32 out over blind SQL Injection
  49. Dialog Spoofing - Firefox Basic Authentication
  50. Skype cross-zone scripting vulnerability
  51. Safari pwns Internet Explorer
  52. IE "Print Table of Links" Cross-Zone Scripting Vulnerability
  53. A different Opera
  54. Abusing HTML 5 Structured Client-side Storage
  55. SSID Script Injection
  56. DHCP Script Injection
  57. File Download Injection
  58. Navigation Hijacking (Frame/Tab Injection Attacks)
  59. UPnP Hacking via Flash
  60. Total surveillance made easy with VoIP phone
  61. Social Networks Evil Twin Attacks
  62. Recursive File Include DoS
  63. Multi-pass filters bypass
  64. Session Extending
  65. Code Execution via XSS (1)
  66. Redirector’s hell
  67. Persistent SQL Injection
  68. JSON Hijacking with UTF-7
  69. SQL Smuggling
  70. Abusing PHP Sockets (1, 2)
  71. CSRF on Novell GroupWise WebAccess

Best-Practices are partly responsible for SQL Injection woes

Security Horizon invited me to contribute an article for their free Winter 2009 edition of Security Journal. I took the opportunity to discuss several very important aspects of SQL Injection, which are not well understood. For example, why certain best-practices may have contributed to the ongoing problem. How black and white box vulnerability testing is impacted. Why the good guys are at a substantial disadvantage to the bad guys. How the problem could potentially be solved and how much it might cost us. etc. Especially timely material considering the ongoing exploitation. Enjoy!

SQL Injection, Eye of the Storm
In 2008 SQL Injection became the leading method of malware distribution, infecting millions of Web pages and foisting browser-based exploits upon unsuspecting visitors. The ramifications to online businesses include data loss, PCI fines, downtime, recovery costs, brand damage, and revenue decline when search engines blacklist them. According to WhiteHat Security, 16 percent of websites are vulnerable to SQL Injection. This is likely under-reported given that the statistics are largely based on top-tier Web properties that employ a website vulnerability management solution to identify the problem. The majority of websites do not and as such may be completely unaware of the extent of the issue. In addition, some recommended security best-practices have ironically benefited malicious hackers. Websense now reports that "60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008." Let’s examine the forces that have aligned to create the storm that allows SQL Injection to thrive.

Thursday, January 22, 2009

Alignment of Interests in Web Security

John Dean, former Chairman & CEO of Silicon Valley Bank and one of WhiteHat Security’s earliest investors, shared some wisdom with me years back that I rely upon every day. “Interests must be in alignment,” he said. Meaning that for an effort to be successful everyone must pull in the same direction and be incentivized accordingly. In sales for example, revenue quotas motivate personnel to achieve higher pay. Postal mail delivery deadlines reward drivers who complete their routes quickly by allowing them to go home early. Even software development groups sometimes have compensation tied to release dates or defect reduction. Failure to meet objectives may result in employee write-ups, missed promotions, or dismissal. Alignment-of-interests encourages stakeholders to work efficiently together towards a common goal. When approaching Web security, the landscape is littered with conflicts-of-interest. Before discussing a few of them let's briefly look at the current state through some recently published reports.

"82 percent of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity."

WhiteHat Security (Sixth Quarterly Website Security Statistics Report 2008)

"60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008."

Websense Security Labs (State of Internet Security, Q1–Q2 2008)

"From 2006 to the first half of 2008, vulnerabilities affecting Web server applications accounted for 51 percent of all vulnerability disclosures."

IBM Internet Security Systems (X-Force® 2008 Mid-Year Trend Statistics)

"'Invisible threats' (such as hard-to-detect infections of legitimate websites) are making common sense and many traditional security solutions ineffective."

Cisco (2008 Annual Security Report)

"As a result of these considerations, Symantec has observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity."

Symantec Internet Security Threat Report (Trends for July–December 07)

The poor state of Web security is well-known to industry insiders, security experts, academics, and malicious hackers. Scores of brilliant minds all over the world have spent their careers developing technology solutions, backed by hundreds of millions (billions?) of dollars in venture capital, only to witness the problem steadily worsen. It's not that we don’t know how to secure a website. We do! We know how to harden operating systems, lock down Web servers, encrypt data transactions or disk storage, develop secure Web applications, and so on. We have been unsuccessful not because of a shortage of good security products, too few qualified professionals, ineffective standards, or the lack of a cabinet level cyber security czar. The culprit is a lack of business drivers. Those in the best position to provide security are not necessarily those who suffer the losses, and those who suffer the losses are often incapable of doing much to protect themselves.

For example, why isn’t every packet of Web traffic encrypted with SSL? Doing so would improve defenses against phishing scams, passwords being stolen, and online actions being spied upon. However, SSL adds performance overhead causing websites to slow down and negatively affecting the user experience. Solving these issues costs money. Not to mention the fact that SSL hinders governments' and ISPs' ability to monitor what we do online. So security, our security, is sacrificed for performance and surveillance. Removing or default-disabling IFRAME and a few other features from Web browsers would do a lot to slow or stop the spread of drive-by-download exploits, which are now a leading cause of malware propagation. However, browser vendors are quick to point out that doing so would “break the Web.” That is not exactly accurate. More precisely, it would break the multibillion dollar online advertising revenue model that relies upon IFRAMEs. So again security, our security, is sacrificed for banner ads and social network Web widgets.

As Bruce Schneier (CTO of BT Counterpane) has said, security is about tradeoffs. We may trade money, convenience, privacy, liberty, etc. to obtain a certain level of security. The unfortunate thing about Web security though is the tradeoffs are made without the knowledge of the Web user who is largely and personally affected. For the most part they remain oblivious to the myriad of significant risks they are exposed to online, so tradeoffs are made on their behalf by the powers that be, often conflicting with their best interests. Imagine if they were aware that each website they visited, legitimate or otherwise, could uncover what other sites they’ve visited, where they are logged-in, could force them to criminally hack other websites or download illegal content, and spy on them by hijacking their webcam and microphone. These things are all possible, if not easy, without the need to compromise their machine, which remains entirely likely. Web users are now beginning to realize something is up and this realization is having a business impact on the bottom-line.

Security compliance standards, such as the Payment Card Industry’s Data Security Standard (PCI-DSS), attempt to bring interests into alignment by compelling businesses to implement certain safeguards or risk disciplinary action -- mostly fines or threats to halt operations. Security vendors love strongly enforced compliance standards as it frees up budget for their solutions, which may not reduce risk, but have to be purchased to satisfy a checkbox. While good at raising awareness, security standards also tend to be slow moving with a one size fits all approach. As such they are unable to efficiently address a fast changing threat landscape in which each constituent’s risk tolerance can be wildly different. Finally, standards can also be circumvented, especially when auditors with flexible ethics are incentivized to rubber stamp anything so that they can return another day to earn another buck. The U.S. mortgage industry faced an identical problem when credit rating agencies assigned a good-as-gold “AAA” rating to high risk deals in order to receive large commissions. When interests are not in alignment we all can suffer.

How do we get the owners of 187 million websites, 17 million developers, browser vendors, universities, governments, ISPs, compliance auditors, and security researchers all to pull in the same direction towards a more secure Web? How do we get interests into alignment? This is the fundamental question we need to be asking ourselves. Admittedly, I have more questions than answers, but what I do know is all the stakeholders must be accountable to someone else for the system to work. Ultimately we have a software security problem and with proper accountability we’d be able to achieve alignment of interests to justify doing the things we already know work. Business would seek to procure software that has attained a certain level of security assurance before deployment. Organizations developing software would give preference to those with the skill set to do so. Software developers would seek to further their own education and increase their employment outlook through studying security principles. Education institutions would be compelled to add more and better security curriculum to attract more students. Alignment of interests is the answer.

Thursday, January 15, 2009

7 facts, OK I'll play along

Giorgio Maone chose to inflict some internet meme agony upon me. Normally I wouldn't, but I had a few minutes so figured why not...

The Rules:
  1. Link to your original tagger(s) and list these rules in your post.
  2. Share seven facts about yourself in the post.
  3. Tag seven people at the end of your post by leaving their names and the links to their blogs.
  4. Let them know they’ve been tagged.

The Facts:
  1. Reads regularly outside of information security, specifically about life sciences, entrepreneurialism, and astronomy. Also spent time with electronics, history, religion, economics, and whatever else appears interesting at the time.
  2. Rarely listens to music or watches TV, save for MMA fights. :) Last movie theatre outing must have been two years or so ago.
  3. Close friends and family consider me antisocial. Non-social is probably more accurate since my preference is quiet solitude.
  4. Did not carry a cell phone until 2007 (I think). Would still prefer not to.
  5. Routinely asks questions that I already know the answers to because I’m more interested in what other people think about the subject.
  6. Never completed a college degree. A well-known Silicon Valley company offered me an amazing job and too much money to justify staying.
  7. I did not choose infosec as a profession, it chose me. Seriously. Someday I’ll get to choose.

7 people I'm tagging and why:

Jim Manico, bruddah representin' Hawaii!
Trey Ford, fearless defender of PCI-DSS.
Robert Auger, hardest working and least known person in all of Web security.
Arian Evans, he can stir the pot like no other.
Arshan Dabirsiaghi, I just gotta see what he has to say. :)
Jordan Wiens, a haxor that once convincingly played the role of journalist.
Barack Obama: Web 2.0 president-elect must play along too!

Wednesday, January 14, 2009

Builders, Breakers, and Malicious Hackers

There is a new meme in Web security that states we should focus the bulk of our attention on building secure software instead of breaking it. As Jeff Williams of Aspect Security says, we are not going to “hack our way secure.” For example, repeatedly crash-testing the same automobile without taking further action would not directly result in saving lives. However, what crashing cars and breaking software does provide is proof. Proof that seat belts and air bags are essential, just as integrating security controls within the software development life-cycle is. Without this proof, there would be no action because the costs could not be justified. At the same time, breaking things is much better at capturing headlines because its opposite, success in security, causes nothing unexpected to happen. “Nothing unexpected” obviously does not make for very interesting stories. In my view the Builder vs. Breaker meme isn’t necessarily wrong, only an oversimplification.

First, it's difficult, if not impossible, to future-proof software against attack techniques that don’t yet exist. Secondly, very few organizations would justify expending resources to mitigate possible attacks they don’t respect. This was true for buffer overflows. Known for over 20 years (thanks to breakers) yet they remain an issue despite all the attention they received during the last ten. Also true for Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). These Web attacks have technically been “known” since the late 90s, again thanks to breakers, but only a handful of researchers picked up on their potential early on. Back then few, including infosec insiders and software developers, truly understood how severe the repercussions would be down the road. All three issues and many others lying dormant are either unknown, unrespected, or unjustified to resolve -- ultimately leading to a lack of action. Fast forward ten years and one-hundred million websites, and the Web security problems have become beyond pervasive, having lain predominantly unexploited until fairly recently.

In 2005 XSS first commanded respect when a not-so-malicious hacker released the first major Web Worm upon MySpace that infected over one million user profiles in under 24 hours. Now XSS attacks carrying JavaScript malware payloads, including extremely convincing Phishing w/ Superbait scams, are routine. SQL Injection, despite dozens of white papers and notable compromises, didn’t receive mainstream attention until late 2007 when malicious hackers used it to infect millions of websites with browser-based exploit code. What about CSRF, the sleeping giant that is every bit as pervasive as XSS? Well, we are still waiting and have no idea when CSRF will be taken seriously. Bank on the day, in the not-too-distant future, when widespread exploitation occurs. Let's also not forget about Clickjacking, made famous due to two breakers (Robert Hansen and yours truly) in 2008. Technically “known” years prior, Clickjacking, despite all the media attention, probably caused few builders to alter their design decisions. They will wait for the malicious hackers to force them to take protective measures, likely sometime after another 100 million new websites are built.

In my opinion, we have too few skilled breakers to cover all the mature technologies let alone the new ones. It took the exceptional work of clever breaker Dan Kaminsky and the media to expose the dangerous flaws within DNS to stimulate a concerted effort towards resolution. Also recently, Alexander Sotirov and a team of researchers exposed why Certification Authorities should not be using MD5. They took a sophisticated attack technique known years prior and turned it into a reality, and in doing so justified action now rather than later. The information security landscape is littered with such examples. Now emerging technologies such as Google Android and Apple iPhone applications, Web Widgets on Facebook/MySpace/etc, Web browser add-ons, Flash, Silverlight, and so on are popping up. Even with all the security resources invested by these companies, what expert or vendor in their right mind is going to claim security perfection? The reality is as long as software bugs and design flaws exist, this is how builders, breakers and malicious hackers will interoperate.

Builders build software, which gives breakers something to break. Breakers break software, a defensive sanity checking process, and provide insights into what attacks are theoretically possible. Notice I said possible, NOT probable. A slight, but extremely important distinction. This is why conferences like Black Hat and Defcon exist, to expose forward thinking people to the most cutting-edge issues that could possibly be used in the future, even without a guarantee of later exploitation. Then at some point malicious hackers hack said software, making what was previously possible probable. This probability justifies action to mitigate the issues, both immediately and proactively. I’m not saying this is the right way, the best way, or that we can’t do better. I’m saying this is how security of all kinds tends to work. Clearly if everyone knew back then what we know now about XSS, SQL Injection, CSRF, DNS, and MD5 we might have done something sooner. Hindsight is always 20/20. As it's been said, "life can only be understood backward, but it must be lived forward."

Tuesday, January 13, 2009

The World of Web Security

Web security, application security, browser security, Web application security, Ajax security, etc. We have an environment of terribly confusing nomenclature. I’m hoping to use this diagram as a visual aid to better describe the Web Security landscape. Hopefully this will also allow us to use terminology a little bit more accurately (of which I am an offender). Talk about a lot to know, there are worlds of data within each bubble.

WhiteHat visiting Miami and Houston (Feb 3 & 4)

We're continuing to crisscross the country visiting many cities across the U.S. helping to further the awareness of Web application security. One of the ways we do that is by organizing free lunch & learn events. We invite a small group of 15 - 30 enterprise infosec people from the area to join in some networking, learn a few things about Web security, and ask questions over a nice meal at a hotel. It’s a lot of fun and not a bad way to spend an afternoon. Unfortunately I’m unable to make it to Miami and Houston, but our CEO (Stephanie Fohn) will be in attendance. For those interested, the program, location, and registration details are below:

At this event, you will learn about advancements in protecting and securing Web applications from attacks. Stephanie Fohn, Chief Executive Officer, WhiteHat Security will open the program and discuss the myths surrounding Web application security. In addition, David Nester, Director of Solutions Architecture, WhiteHat Security, will present the sixth installment of the WhiteHat Website Security Statistics Report, providing a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack.

We will then present a live demonstration of a revolutionary new solution that closes the loop from Web application vulnerability detection to remediation – an integrated solution delivering TOTAL website security. F5 Networks Security Systems Architect, Ty Morton and WhiteHat Security Director of Solutions Architecture, David Nester will offer a first look at "virtual patching," an exciting new concept in website vulnerability management.

This solution:

  • Closes the loop from vulnerability detection to remediation
  • Increases security via WhiteHat's rapid identification and reporting of website vulnerabilities
  • Ensures highly targeted vulnerability remediation (virtual patching) via F5 BIG-IP® Application Security Manager (ASM)
  • Delivers one-step PCI 6.6 Compliance

Welcome & Website Security Overview:
(Stephanie Fohn, Chief Executive Officer, WhiteHat Security)

Sixth Installment of the WhiteHat Website Statistics Report:
(David Nester, Director of Solutions Architecture, WhiteHat Security)

Integrated Web Application Firewall Presentation and Demonstration:
(Ty Morton, F5 Networks Security Systems Architect; David Nester, Director of Solutions Architecture, WhiteHat Security)


February 3, 2009

The Westin Diplomat Resort and Spa

3555 South Ocean Drive

Hollywood, Florida, 33019

February 4, 2009

Intercontinental Houston
222 W. Loop-South

Houston, Texas, 77027


11:30 AM: Registration

Noon: Lunch served

Noon to 1:30 PM: Program

Monday, January 12, 2009

Product reviews are dead, not so much pen-testing

Have to hand it to Brian Chess for stirring up a hornet's nest about the death of pen-testing in 2009. First, don’t worry. Pen-testing is remarkably resilient, capable of adapting, and quick to find greener pastures. This is what I believe Brian was trying to get at. In its current form of late stage one-offs, he’s saying pen-testing is dead, and I’m not inclined to disagree. On the whole though no one in their right mind will predict that the pen-testing market will end, especially since annual revenue is increasing year over year. I’ll tell you what is dead though, something that could have significant impact: product reviews.

With the decline of traditional media in print and online channels, cutbacks have taken a heavy toll on technically oriented product reviews. To generate revenue, in-depth product reviews have been replaced by paid-for 5-star advertising focusing largely on marketing talking points supported by precious little need-to-know information. Head-to-head shootouts, forget about it. This is troubling because product reviews are an invaluable resource for helping prospective buyers make educated decisions without spending an inordinate amount of time comparing a long list of products themselves.

As an end-user this means you now must rely more on customer referrals, analyst reports, and general online chatter. Ideally you’d want to focus on taking advice from organizations of similar size and marketing vertical solving a similar problem.

Friday, January 09, 2009

Twitter: 6 months, 500 followers, and 551 updates later

Most social applications I try out are dumped rather quickly when they don’t serve any particular need I have. I joined Twitter out of curiosity to see what all the fuss was about as several infosec people spoke very highly of the system. I registered jeremiahg to give it a shot. A painless process. At first Twittering felt a little weird and awkward, with people “following” me feeling a bit creepy. Over time the value of the functionality became apparent and I found myself consistently using the product. Twitter makes it easier to share thoughts and ideas quickly to get feedback from the crowd. That's in addition to making it easier to track keywords of interest to others. Something blogs, email, and IM can't do proficiently on a personal network scale.

Email, RSS, IM, Twitter. Done.

Tuesday, January 06, 2009

Free Bay Area WebAppSec Workshops

For those in the Bay Area, WhiteHat is hosting FREE 3-hour Application Security Breakfast Workshops in San Jose and San Francisco this month. A lot of really good content will be covered during the sessions. Perfect for developers and InfoSec professionals looking to become more familiar with webappsec fundamentals in a question friendly environment. Attendance is limited so register soon if you are interested. We'll be visiting several more cities throughout the year. Marketing blurb and registration links follow:

Please join WhiteHat Security for our FREE Application Security Breakfast Workshops: "Understanding the Risk to your Web Environment" on either Wednesday, January 21st at the Hotel Montgomery, San Jose, CA or Thursday, January 22nd at the Le Meridien San Francisco Hotel.

Let's face it: Website security is a complex task and understanding the risk to your Web environment is absolutely critical. With the move to push your business applications to the Internet, it is important to understand how to assess and prioritize the security of your Web infrastructure. During this WhiteHat Security workshop, we will demonstrate how your organization can kick-start its security program and achieve success through an easy to use process.

Here's what you can expect to learn:

  • The state of Web application security
  • How to measure risk within your Web application infrastructure
  • Recommendations for remediation
  • Demonstration of common vulnerabilities including SQL Injection, Cross Site Scripting and more

Register for January 21, 2009

Hotel Montgomery
211 South First Street
San Jose, California 95113

Register for January 22, 2009

Le Meridien San Francisco Hotel
333 Battery Street
San Francisco, California 94111


8:30 AM: Registration & continental breakfast

9:00 AM: Program begins

11:30 AM: Q&A

12:00 PM: Program concludes