Showing posts with label Security.

Thursday, June 11, 2009

Web application security flaws exposed

Today I participated in the "Hacking 101" event hosted by IBM in Miami. It was a half-day seminar with a hands-on lab. Very interesting and useful, I must admit. They talked about the top security issues of web applications today, based on the OWASP Top 10 document. The interesting part is that they actually demonstrated some of the security issues discussed. In order to showcase everything, they have a test (fictitious) web site set up, namely http://www.testfire.net/ (you can access it from your own station at will). Let me go through some vulnerabilities covered during the session.


Cross-Site Scripting (XSS) - Number 1 in the Top 10 list.

XSS is basically attacker-supplied script embedded into HTML returned from a trusted site, so the browser runs it with that site's privileges. One of the implications is that session tokens can be stolen. Let's see how:

First I search for the string 'Mihai', which changes the browser URL to http://www.testfire.net/search.aspx?txtSearch=mihai, printing the result as shown below:



The next step is to change the query string to http://www.testfire.net/search.aspx?txtSearch=<script>alert(document.cookie)</script>, which results in information about your session being displayed, because the search term is echoed into the page without encoding:


So the cookie is available to JavaScript. How do we exploit this? First, you need the Tamper Data Mozilla add-on. Once you have it installed, open it by choosing Tools -> Tamper Data. Going back to Firefox, in the search text box enter %3Cscript%3Edocument.write('. Looking into the Tamper Data UI, you can locate the request just made to evilsite, and see that your cookie has been sent to it.


To exploit this vulnerability, one can send an email to the user with a link that has the above script embedded in it. Once the user clicks on it, the request is sent to www.testfire.net, with the script as input for the search text box. When the script is echoed back by the application, it is executed by the browser and the user's cookies are sent to evilsite.
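As an added example (not the seminar's material or testfire.net's code), here is a constructed search handler that reflects the query parameter the way the page describes, beside the two mitigations a defender would apply: HTML-encoding the echoed term, and marking the session cookie HttpOnly so that even a script that runs cannot read it through document.cookie. The page template and cookie name are assumptions.

```python
import html

# Constructed stand-in for a search page that reflects the query; not testfire.net's code.
TEMPLATE = "<html><body><p>No results found for: {term}</p></body></html>"
REFLECTED_PROBE = "<script>alert(document.cookie)</script>"  # the probe used in the post


def render_search_vulnerable(term: str) -> str:
    """The flaw from the post: the txtSearch value is written into the HTML untouched,
    so the browser parses a script tag in the query as part of the page."""
    return TEMPLATE.format(term=term)


def render_search_safe(term: str) -> str:
    """Mitigation 1, output encoding: characters with HTML meaning become entities,
    so the same input is displayed as text instead of being executed."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def session_cookie_header(token: str) -> str:
    """Mitigation 2, HttpOnly: the cookie still travels with requests but is not
    exposed via document.cookie, so a script that slips through cannot read it.
    The cookie name 'sessionid' is an assumption."""
    return f"Set-Cookie: sessionid={token}; Path=/; HttpOnly; Secure"


def reflects_script(rendered: str) -> bool:
    """Quick check a tester can run over a response body: is a live <script> tag present?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(reflects_script(render_search_vulnerable(REFLECTED_PROBE)))  # True
    print(reflects_script(render_search_safe(REFLECTED_PROBE)))        # False
    print(session_cookie_header("constructed-token"))
```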


SQL Injection - Number 2 in Top 10 list.

With SQL Injection, the user input is directly embedded into a SQL statement. One of the implications is that we can access data in a database. Let's say we wanted to log in to our dummy web site as administrators. The first step is to get a sense of how the SQL statement is formed. For that, we enter a ' as the user name, followed by anything as the password:


The result of trying to log in is an error page that displays information about how the SQL statement involving the user name and password is constructed:


Once we know what the query looks like, we can type the text ' or 1=1-- into the user name field:


with the result that we are signed in as admin:
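An added example, not the event's material: a constructed SQLite users table with the login check written both ways. The vulnerable form splices the user name into the SQL text, so the ' or 1=1-- input from the post logs in as the first user in the table and a lone ' raises the kind of database error the error page leaked; the parameterized form treats the same input as plain data. Table contents are constructed.

```python
import sqlite3


# Constructed sample table for the demonstration; not testfire.net's schema or data.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "correct-horse-battery", 1), ("jsmith", "demo", 0)])
    return con


def login_vulnerable(con, username: str, password: str):
    """The flaw from the post: user input is spliced straight into the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Hardened form: bound parameters keep the input as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe_error(con, username: str, password: str):
    """Why a lone quote is an informative probe: the raw database error reveals how
    the statement is built. A hardened application logs this server-side and shows
    the user only a generic login failure."""
    try:
        login_vulnerable(con, username, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "' or 1=1--", "anything"))  # admin: login bypassed
    print(login_safe(con, "' or 1=1--", "anything"))        # None: rejected
    print(probe_error(con, "'", "anything"))                 # SQL syntax error text
```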



Of course, IBM has a tool called AppScan that can help detect all the vulnerabilities I mentioned in this blog. How it works, in a nutshell, is by scanning your web application (i.e. website), identifying the security issues based on some test policies, pointing out the problems, logging the issues, and recommending fixes. Below is a screenshot of AppScan in action (taken from the PDF presentation slides):


If you want to find out more about the event, get the slides, or try everything out, go to http://www.ibm.com/developerworks/offers/techbriefings/details/hacking.html.

All in all, a very informative session!

Thursday, February 12, 2009

Top 25 Most Dangerous Programming Errors

The SANS Institute came out with a list of the top 25 most dangerous programming errors, errors which can lead to serious security breaches.

"... experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale."

Tuesday, November 4, 2008

Controlled Chaos

In the December 2007 issue of IEEE Spectrum, in an article entitled Controlled Chaos, the authors describe a new generation of algorithms based on the thermodynamic concept of entropy, which is a measure of how disordered a system is. Because malicious code changes the flow of data in the network, the entropy of the network is altered. The new malicious threat, called Storm, uses different ways to get installed on the host machine, mostly through email attachments. How do we protect the networks? The first step is to know how traffic moves around the network. Such collections of data from nodes in the network are possible because routers or servers are configured to provide information about the network traffic in the form of source and destination IPs, source and destination port numbers, the size of the packets transmitted, and the time elapsed between packets. Information regarding the routers themselves is also collected. This information is used by the proposed algorithms to build a profile of the network's normal behavior. It is stressed that the entire network is monitored, not just one single link in the network.

The principle behind the entropy-based algorithms is the fact that "Malicious network anomalies are created by humans, so they must affect the natural "randomness" or entropy that normal traffic has when left to its own devices. Detecting these shifts in entropy in turn detects anomalous traffic." When the network has established patterns, any outcome that differs from the normal states of the network can be easily detected. Even if the malicious code manifests itself by downloading pictures from the internet, the fingerprint of the network would look unusual, different from what is expected and from how the network was used before. The authors make an interesting point, namely that Internet traffic has both uniformity and randomness. A worm will alter both, making the traffic either more random or more structured. In the case of the 2004 Sasser attack, the information entropy associated with the destination IP addresses rises suddenly, indicating an increase in randomness in traffic destinations due to the scanning initiated by the infected machines as they look for new victims. At the same time, the entropy associated with the source IP addresses suddenly drops, indicating a decrease in randomness as the already infected computers initiate a higher than normal number of connections. The conclusion is that the network goes into a new internal state unknown before, hence easily detectable.

The Storm worm I mentioned at the beginning works in some respects like other worms: new code is placed on the computer (because the user clicks on some attachment), which makes it join a botnet. However, there are distinct differences between old worms and Storm. One of them is the way it makes the user click the attachment, such as using a clever subject line for the email, or an attachment name, related to hot topics currently in the news, such as elections, hurricanes, major storms, etc. Most importantly, Storm hides its network activity. It first looks at what ports and protocols a user is using. If it finds a P2P program, such as eMule, Kazaa, BitComet etc., it will use that program's port and protocol to do its network scanning. Storm will also look at what IP addresses the P2P program communicated with, and will communicate with those instead of with new IP addresses, which would trigger its detection. Furthermore, Storm will not spread as fast as it can, because it has a dormant and a walking mode. It will gather information for a short period, then it will go quiet. It is very interesting that Storm actually tailors its behavior to the pattern of network usage. How to detect Storm? The worm will still alter the network entropy. For example, during its active period, the host computer will send many emails, which is unusual for normal use. In addition, the port used is not 25. All these are hints that something is wrong inside the network.
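As an added illustration of the entropy shift described for Sasser, and of the principle the Storm discussion relies on, the following code is not from the article: it computes Shannon entropy over the source and destination addresses of constructed flow records and flags the rise in destination entropy and drop in source entropy that a scanning host produces. The addresses, flow counts and threshold are assumptions.

```python
import math
from collections import Counter


def entropy(values) -> float:
    """Shannon entropy, in bits, of the distribution of values seen in one window."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flow_entropies(flows) -> dict:
    """Entropy of the source and destination fields over a list of (src, dst) flows."""
    return {"src": entropy([src for src, _ in flows]),
            "dst": entropy([dst for _, dst in flows])}


# Constructed flow records using documentation address ranges; not data from the article.
# Baseline: eight internal hosts, each talking to the same three servers.
BASELINE = [(f"10.0.0.{h}", f"192.0.2.{s}") for h in range(1, 9) for s in (10, 11, 12)]
# Scanning window: the baseline plus one infected host probing forty new addresses,
# which is the Sasser pattern from the text.
SCANNING = BASELINE + [("10.0.0.3", f"203.0.113.{i}") for i in range(1, 41)]


def detect_shift(baseline, window, threshold: float = 0.5) -> dict:
    """Flags the two signatures described for Sasser: destination entropy rising
    (many new targets) and source entropy falling (one host dominating the flows).
    The threshold in bits is an assumption; a deployment would learn it from history."""
    b, w = flow_entropies(baseline), flow_entropies(window)
    return {"dst_rise": w["dst"] - b["dst"] > threshold,
            "src_drop": b["src"] - w["src"] > threshold,
            "dst_delta": round(w["dst"] - b["dst"], 3),
            "src_delta": round(b["src"] - w["src"], 3)}


if __name__ == "__main__":
    print(flow_entropies(BASELINE))       # src 3.0 bits, dst about 1.585 bits
    print(detect_shift(BASELINE, SCANNING))  # dst_rise True, src_drop True
```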

A great article! Nothing short of what I am used to expect from IEEE Spectrum.

Sunday, June 15, 2008

International Internet Security Report

A report entitled Malicious Software (Malware): A Security Threat to the Internet Economy was released by the Organization for Economic Co-Operation and Development (OECD).

"After hearing descriptions of "spyware" and "adware", 43% of internet users, or about 59 million American adults, say they have had one of these programs on their home computer."

"A recent study by Google that examined several billion URLs and included an in-depth analysis of 4.5 million found that, of that sample, 700 000 seemed malicious and that 450 000 were capable of launching malicious downloads."

"in 2006, the Chinese National Computer Network Emergency Response Technical Team Coordination Center (CNCERT/CC) reported that 12 million IP addresses in China were controlled by botnets" where a "botnet is a group of malware infected computers also called “zombies” or bots that can be used remotely to carry out attacks against other computer systems."

"Microsoft reported an increase in the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million at the beginning of 2005 to more than 10 million at the end of 2006".

"One association of banks in the United Kingdom estimated the direct losses caused by malware to its member organizations at GBP 12.2 M in 2004, GBP 23.2 M in 2005, and GBP 33.5 M in 2006, an increase of 90% from 2004 and 44% from 2005".

Because of malware, a survey estimated that "the annual loss to United States businesses at USD 67.2 billion".

Many other interesting and useful findings are presented in the report. This is a must read report for anybody concerned with internet security.

Friday, June 6, 2008

IEEE Spectrum June 2008 Issue

Some interesting articles in the June edition of IEEE Spectrum. One mentions transistors that could be built of graphene instead of silicon (or, more recently, carbon nanotubes). Some gains mentioned there are faster operation (100 times faster than the silicon-based ones) and smaller size (one atom thick by 10 to 50 atoms wide).

Another article talks about radiation sensors that can monitor a tumor from within to detect, for example, how much radiation that tumor is getting. The challenging part in making the sensor was not the detector itself, which consists of a modified capacitor attached to an inductor, but making it small enough to fit inside a hypodermic needle (2 centimeters long).

Furthermore, you can learn about a new means of securing your laptop, the Yoggie Gatekeeper Pico, a USB stick meant to replace all the security software we have on our computers that runs under Windows. The Pico device runs Linux on an Intel processor, and all wired or wireless network traffic first goes through the Pico. The author went one step further than me and actually tested the small device.

The central theme of this issue (encompassing several articles), and what I found to be truly interesting, is the human brain: how it creates the mind, the singularity (a term I heard of for the first time), consciousness, the future of machine intelligence, and efforts to map the human brain so that in the end we could re-create it. Remarkable information in each of these articles.