trends in web vulnerabilities
play

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction - PowerPoint PPT Presentation

Oct 05, 2023 •274 likes •907 views

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

  1. TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND

  2. Introduction Agenda • Introduction – Session Goals – Presenter and Trustwave SpiderLabs background • Analysis Overview – Data Source – Most frequently found SEVERE vulnerabilities – Most frequently found OVERALL vulnerabilities • About the Vulnerabilities – What are they? – How to fix them – Why you should care • Conclusion

  3. Introduction Session Goals • Provide an overall sense of the state of web application vulnerabilities that are commonly found by professional penetration testers • Provide you with the tools to identify overlooked areas in your web applications. • Help you determine where to focus your efforts in order to help your organization

  4. Introduction About the Presenter • Michel “Mike” Chamberland , MSc • North America Practice Lead with Trustwave SpiderLabs • CISSP, OSCP, OSWP. CEH, CHFI, CCSK, MCP, GIAC G2700, MCTS, Security+, etc. • Grew up in Sherbrooke, Qc and now lives in Sarasota, FL • Works closely with all USA and Canada based SpiderLabs resources

  5. Introduction About Trustwave SpiderLabs • A division within Trustwave • Consists of 150+ specialized security experts • Focuses on penetration testing, research and incident respons e • Performed millions of scans and thousands of penetration tests • Over 9 million web application attacks researched last year • 97% of applications tested by Trustwave had one or more vulnerability

  6. Analysis Overview

  7. Analysis Overview Data Source • Based on an analysis of vulnerabilities found by the Trustwave SpiderLabs team over the last few years • Will cover both most frequently found overall as well as most frequently found severe vulnerabilities. • Vulnerabilities will be grouped based on similarities and then discussed in further details • Statistics on vulnerabilities and vulnerability groups will be explored

  8. Analysis Overview Data Source • Vulnerability data collected from thousands of web application security assessments performed • All data collected is anonymous and not associated with any specific organizations • Trustwave serves over 3 million customers in 96 countries • The customer base is spread across all verticals • Many of these customers are in the educational sector

  9. What is a Severe Finding Types of Severe Findings • What is defined as severe : – Critical – High • Combined, they make up approximately 10% of findings

  10. What is a Severe Finding Critical Severity Findings • The attack scenario tested in this exercise succeeded, and resulted in a systems compromise • Exploitation is trivial • Exploitation requires no authentication , or authentication is available to a member of the public with minimal effort • Exploitation results in a large-scale loss of sensitive information or tangible assets • A strong need for immediate corrective measures exists

  11. What is a Severe Finding High Severity Findings • The attack scenario tested in this exercise succeeded, and resulted in a systems compromise • The attack can only be performed by an authenticated user • Technical vulnerability details and/or exploit code are publicly available • An additional attack vector may be needed to craft a successful attack using this exploit, but that vector is trivial • Exploitation of the vulnerability (1) may result in the costly loss of sensitive data or tangible assets , or (2) may significantly violate, harm, or impede the organization’s mission, reputation, or interest . • A strong need for corrective measures exists

  14. The Vulnerabilities

  15. The Vulnerabilities • The Rock Stars • The Heavy Hitters • Forgotten Killers • The Misunderstood • The Personal Problems

  16. The Rock Stars

  17. The Rock Stars Description • These are the vulnerabilities everyone knows about and almost always result in a severe impact • Used to be found systemically • SQL Injection – Allows an attacker to insert arbitrary commands into a database query or statement. • Cross-site Scripting – Occurs when web applications do not properly validate user- supplied inputs before including them in dynamic web pages.

  19. The Rock Stars Why they matter • Cross-Site Scripting – Session hijacking – Can be used to virtually deface web applications – Social engineering (login prompts, fake updates, payment form, etc.) – Redirect users to another site – Tunneling and network discovery – Log user’s keystrokes • SQL Injection – Exfiltration or tampering of data – Get operating system level access – Escalate privileges

  20. The Rock Stars Mitigation • Define a solid application architecture – Don’t fix each instances individually • Sanitize user input • Prefer a white listing approach • Use prepared statements and stored procedures for all SQL operations • Validate input on both client and server side • Escape output before storing in database or rendering in web browser

  21. The Heavy Hitters

  22. The Heavy Hitters Description • Caused by poor authentication and authorization controls • These are vulnerabilities that are often overlooked but almost always result in a severe impact • Today’s tools do not do a good job at finding these types of vulnerabilities • Authentication Bypass – Valid session identifier is not required to access resources • Vertical Privilege Escalation – Authorization controls are not properly enforced, allowing unauthorized access to resources or functions • Horizontal Privilege Escalation – Ability to view, delete or modify other user’s data

  24. The Heavy Hitters Why they matter • Almost always lead to a severe impact • Overlooked by automated tools • Often overlooked by traditional application testing – Focused on UI • Your firewall, IDS, IPS and/or WAF will not help you • Requires little technical skill to exploit

  25. The Heavy Hitters Mitigation • Fixed at the architecture level • Difficult to successfully implement from scratch – Leverage existing frameworks • These authentication and authorization frameworks should: – Ensure a proper session identifier is associated with each request – Ensure the user’s role and permissions allow the requested action • Ensure roles and permissions are defined and tested • Review release management/deployment procedures

  26. The Forgotten Killers

  27. The Forgotten Killers Description • Very frequently found and overlooked • Trivial to exploit • Insecure Password Policy – Having a weak password policy in place – Often associated with insecure password storage • Cross-site Request Forgery (CSRF) – Processing requests that where not sourced from the application

  29. Insecure Password Policy • Why is an insecure password policy and insecure password storage bad? • Let’s review some examples…

  30. Adobe – 153 Million Accounts (2013) • Username, password and password hint compromised • Improper password storage • Most passwords cracked within days and made publicly available

  31. Bell Canada – 22 Thousand Accounts (2014) • Affected Bell small business customers • Email, username, password credit card data compromised • Improper password storage

  32. Comcast – 590 Thousand Accounts (2015) • Data was being sold on the underground market • Email and passwords compromised • Improper password storage

  33. Last.fm – 43 Million Accounts (2012) • Full extent was not known publicly until 2016 • Email, username and passwords were compromised • Passwords hashed with MD5 and not salted • Most passwords were easily cracked • Most used password: “123456”

  34. LinkedIn – 164 Million Accounts (2012) • Hacked in 2012 but found on a dark market in 2016 • Email and passwords were compromised • Hashed with SHA1 and no salt • Most passwords were easily cracked

  35. Cross-Site Request Forgery • Why is cross-site request forgery bad? • Let’s review some examples…

  36. PayPal CSRF • Affected account management • Allowed the attacker to add/remove/confirm email, change security questions, add full privilege users to business accounts, etc. • Publicly disclosed in 2014

  37. Go Daddy CSRF • Affected domain registrations • Allowed an attacker to hijack a victim’s domain • Publicly disclosed in 2015

  38. Hilton CSRF • Affected the Hilton Honors loyalty program • Allowed an attacker to hijack a victim’s account • Publicly disclosed in 2015

  39. Too Many Network Device Affected by CSRF • Examples: – Netgear Routers – Cisco Residential Gateway – Siemens Ruggedcom NMS – Huawei 3G Router – Ubiquiti Networking Products • Impact is often full control and administration of the device • Often used for botnets

  40. Xzeres CSRF • Affects 442SR Wind Turbine • Allows an attacker to cut off power to ALL attached systems • Publicly disclosed in 2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Mobile Security Trends and Emerging Threats Sandra J.H. Rolnicki ForenSecure April 28, 2017

Mobile Security Trends and Emerging Threats Sandra J.H. Rolnicki ForenSecure April 28, 2017

Mobile Security Trends and Emerging Threats Sandra J.H. Rolnicki ForenSecure April 28, 2017 Agenda (1) Macro- and Micro-Trends Impacting Mobile (2) Vulnerabilities in the Mobile Ecosystem (3) Threat Actors and Emerging Threats (4) Mobile

244 views • 11 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept.,

Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept.,

Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept., Politecnico di Torino, Italy ! !"#$%&''()*++,(-./0121,(3*4*54)*++( Outline ! GNSS vulnerabilities ! Classification of interfering

970 views • 50 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com> Vulnerabilities are important because fixing them costs a lot of money (2005

1.9k views • 73 slides
Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design

Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design

Outstanding Communications Solutions Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design Acknowledged signalling vulnerabilities The root problem Mitigation The signaling band-aid A new class

787 views • 54 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS BUSINESS TRENDS P AYMENTS RETURNS SOCIAL TRENDS LAST MILE SOLUTION BUSINESS TRENDS THE MIXER E-TRENDS INCLUDE MIXED DATA FROM : SHOP AND SHIP

925 views • 28 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton

E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton

E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton derek.crabtree@merton.gov.uk E-SAFETY E -Safety isn't all about your technical skills. It's about behaviour and parenting! Really no different to what

459 views • 24 slides
International Computer Association July 27 th , 2017 Leveraging Artificial Intelligence to detect

International Computer Association July 27 th , 2017 Leveraging Artificial Intelligence to detect

International Computer Association July 27 th , 2017 Leveraging Artificial Intelligence to detect New, Emerging Cyber Threats in Realtime John Kirch Regional Director - North Asia ICA Darktrace : Background & Growth Founded by

583 views • 25 slides
on Tomcat and ITEXT Ramanathan Perinkolam Tata Consultancy Services Date of Presentation

on Tomcat and ITEXT Ramanathan Perinkolam Tata Consultancy Services Date of Presentation

COBOL VSAM Reporting using Java on Tomcat and ITEXT Ramanathan Perinkolam Tata Consultancy Services Date of Presentation (12-March 2012) Session Number (10982) Agenda Objective and Scope Technical Environment JZ/OS, ITEXT,

433 views • 29 slides
Cyber Security And For Business Seminar Enter your business card for an opportunity to win the

Cyber Security And For Business Seminar Enter your business card for an opportunity to win the

Cyber Security And For Business Seminar Enter your business card for an opportunity to win the most productivity tool for your business worth over $200 Cyber Security And For Business Seminar How Cyber Criminals Are Targeting Small

459 views • 30 slides
Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November

Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November

Intelligent Transportation Systems (ITS) Joint Program Office (JPO) Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November & December 2013 1 Commercial Vehicle & Freight Applications of

545 views • 36 slides
Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation

Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation

Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation For <Name> Date Location Special thanks to Your Speaker Bob Weiss MCSE, A+, CEH Senior Cybersecurity Engineer at CIT

718 views • 55 slides
Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)

659 views • 28 slides
The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What

The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What

The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What is CDBS? A set of makefile fragments to include into debian/rules Makes packaging complex packages easier. Makes packaging simple packages harder.

449 views • 27 slides

More recommend