- Category: March - April 2009
IBM’s recently released X-Force Trend report reveals that Web applications remain the Achilles heel for the security industry. According to the study, more than half of vulnerabilities disclosed in 2008 were Web application based.
Certain types of corporate applications, namely custom-built software like Web applications remain a highly-profitable and inexpensive target for criminal attackers. The sheer number of new vulnerabilities, the majority of which have no available patch, coupled with the hundreds of thousands of custom Web applications that are also vulnerable (but never subject to a vulnerability disclosure, much less a patch), have become the chink in the armor of corporate security. Attackers continue to target Web application vulnerabilities, especially SQL injection, to plant malware on unsuspecting users that visit vulnerable Websites.
2008 has become the first year with over 7,000 total vulnerability disclosures (a 13.5 percent increase from 2007). From 2001 to 2006, the average annual vulnerability disclosure percentage growth was a robust 36.5 percent, largely due to the skyrocketing of Web application vulnerabilities, emergence of new Web technologies, and methods and tools of exploitation.
Although the introduction of new technologies or changes in vendor adoption of secure software practices might change this trend, for the moment at least, it appears as if vulnerability disclosures have reached a permanently high plateau.
Web Application Vulnerabilities
The most prevalent type of vulnerability affecting servers today is unquestionably vulnerabilities related to Web applications. In fact, the number of vulnerabilities affecting Web applications has grown at a staggering rate. In 2008, vulnerabilities affecting Web server applications accounted for 54 percent of all vulnerability disclosures and were one of the primary factors in the overall growth of vulnerability disclosures during the year.
Web Application Vulnerabilities by Attack Categories
The predominant types of vulnerabilities affecting Web applications are cross-site scripting (XSS), SQL injection, and file include vulnerabilities.
In 2008, SQL injection replaced cross-site scripting as the predominant Web application vulnerability. In fact, the overall increase of 2008 Web application vulnerabilities can be attributed to a huge spike in SQL injection vulnerabilities, which was up a staggering 134 percent from 2007.
Although cross-site scripting issues are also easy to discover, they are not as valuable to an attacker. They usually result in cookie theft, which provides the attacker with access to a victim’s account on the vulnerable Website. SQL injection, on the other hand, is often used to redirect the visitors from the vulnerable Website to the attacker’s Website where remote code execution exploits can be launched against the victim’s browser. So, the financial profile for the average cross-site scripting vulnerability is different than for the average SQL injection vulnerability. The value of controlling a user’s account on a particular Website depends on what that Website is used for. On the other hand, having complete control of the user’s computer and potentially all of that user’s accounts on every Website they visit is always valuable, no matter how important the initial, vulnerable Website was.
SQL injection vulnerabilities are also related to improper validation of user input, and they occur when this input (from a form field, for example), is allowed to dynamically include SQL statements that are then executed by a database. Access to a back-end database may allow attackers to read, delete, and modify sensitive information, and in some cases execute arbitrary code. In addition to exposing confidential customer information (like credit card data), SQL injection vulnerabilities can also allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.
SQL injection vulnerabilities are plentiful and easily discovered. It also possible to use Web search engines such as Google to find sites running vulnerable applications, and there are many publicly available tools that can test for SQL injection, including some plug-ins for Firefox. It is not immediately clear whether SQL injection vulnerabilities increased because Web application vendors were releasing products with more vulnerabilities, or if there simply were more researchers testing for those vulnerabilities, although it is likely a combination of the two. What is clear is that major vendors took notice in 2008. For example, SQL injection attacks against Microsoft ASP and ASP.NET technologies prompted Microsoft to release a major security advisory on June 24 (Microsoft Security Advisory 954462).
Active Exploitation & Automated SQL Injection Attacks in 2008
In the past, most Web server compromises had been one-off, targeted exploitation attempts that steal information or manipulate an application in a way that is beneficial to the attacker. In the fist half of 2008, X-Force began tracking mass Web site exploitation using automated SQL injection attacks. Instead of leveraging SQL injection to steal data, this attack updated the application’s back-end data to include iFrames to redirect visitors to malicious Web pages. These attacks targeted many well-known and trusted Web sites and were also integrated into the ASPROX exploit toolkit. Soon after, the number of attacks and sources of attacks began to explode.
Cross-site scripting vulnerabilities occur when Web applications do not properly validate user input from form fields, the syntax of URLs, etc. These vulnerabilities allow attackers to embed their own script into a page the user is visiting, manipulating the behavior or appearance of the page. These page changes can be used to steal sensitive information, manipulate the Web application in a malicious way, or embed more content on the page that exploits other vulnerabilities. The attacker first has to create a specially-crafted Web link, and then entice the victim into clicking it (through spam, user forums, etc.) The user is more likely to be tricked clicking the link, because the domain name of the URL is a trusted or familiar company. The attack attempt may appear to the user to come from the trusted organization itself, and not the attacker that compromised the organization’s vulnerability.
File Include Vulnerabilities
File Include vulnerabilities (typically found in PHP applications) occur when the application retrieves code from a remote source to be executed in the local application. Oftentimes, the remote source is not validated for authenticity, which allows an attacker to use the Web application to remotely execute malicious code.
This category includes some denial-of-service attacks and miscellaneous techniques that allow attackers to view or obtain unauthorized information, change files, directories, user information or other components of Web applications.
Lack of Patches
According to the IBM report, an incredible number of vulnerabilities in Web applications have no vendor-supplied patch to fix the issue. Out of all the disclosures in 2008, 74 percent had no patch by the end of 2008. However, this figure does not take into account custom-developed Web applications that may not have had any vulnerability testing and may never see a public vulnerability disclosure to notify the developer of a Web site about vulnerability issues and potential exploitation.
Good Websites Using Bad ActiveX Controls
One common practice that is evident in a detailed analysis of Web browser attacks is that many non-malicious Websites are continuing to propagate the use of known, vulnerable ActiveX controls. This practice has several downsides.
First, from a customer and employee perspective, the user may be required to install the vulnerable ActiveX control. Although there are ways to redirect users to a fixed version of the control, the redirect will not work unless they are running an updated version of Internet Explorer or other ActiveX-enabled software that tracks and blocks these known vulnerable controls. If they do load the vulnerable control, and then browse to a malicious Website that uses an exploit for that control, they will be exploited without the normal prompt asking if they would like to install something new. If the control is already there, then they simply have no chance.
From a protection perspective, the use of these known vulnerable controls on non-malicious Websites creates a lot of “noise” that can mask real, malicious activity.
The good news when it comes to browser and plug-in vulnerabilities, IBM reports that Active-X disclosures declined for the first time in 2008, which was the predominant factor behind the overall decline in browser-related disclosures.
Unfortunately, the decline in ActiveX disclosures does not appear to be making an impact on exploitation. As with other browser-related vulnerabilities, attackers rely upon users who do not keep their browsers currently patched.
Although Microsoft has made great strides in preventing ActiveX exploitation through changes to Microsoft Internet Explorer, exploitation remains an issue along with the continued usage of known vulnerable ActiveX controls from non-malicious Websites.
Exploitation Targets: From the OS to the Browser and Beyond
Web Browser Exploitation Trends
During 2008, it became clear that lone Web browser exploits in the wild were dying out and being replaced by the organized use of Web exploit toolkits. These toolkits can deliver all of the exploits at once to Web site visitors, or the toolkit can select specific exploits based on data, such as:
- Browser cookie set by the toolkit
- Browser agent used by the victim
- Geographic location derived from the victim’s IP address
- Referrer URL (the URL that directed the victim to the Web site)
In many instances, these toolkits provide easy-to-use management interfaces. Deployments of exploit toolkits are in some cases financially supported by multiple attackers who are credited by an id number associated in their attack URLs, which is interesting because it allows attackers to get a piece of the action with a smaller initial investment. Nevertheless, it is not known how many toolkit installations are actually purchased versus leased or pirated.
Exploits from Malicious Websites
The number of malicious URLs hosting exploits in Q4 2008 alone was 50 percent more than the number seen over the entire year of 2007. This trend is partially due to a technique used by some attackers to set up the same Website using many different URL names.
In 2007, malicious Websites hosting client exploits primarily focused on exploiting Web browsers or their plug-ins. Less than 1% of these Websites included attacks related to documents or multimedia applications. In 2008, multimedia exploits and document-related exploits also took a much stronger presence.
In 2008, China took over took over the dubious honor from the US as the country hosting the most malicious Websites.
Web-Related Security Threats of 2008:
- The number of new malicious Web sites in the fourth quarter of 2008 alone surpassed the number seen in the entirety of 2007 by 50 percent. Last year, China replaced the US as the most prolific host of malicious Web sites.
- Even good Web sites are facing more issues. Web applications, in particular, are increasingly vulnerable and highly profitable targets for helping the criminal underground build botnet armies
- Spammers are turning to the Web. URL spam (a spam email with little more than a link to a Web page that delivers the spam message) took the lead as the main type of Spam this year, and Spammers are increasingly using familiar domain names like news and blogging Web sites to host their content.
- Web applications in general have become the Achilles heel of Corporate IT Security. Nearly 55% of all vulnerability disclosures in 2008 affect Web applications, and this number does not include custom-developed Web applications (only off-the-shelf packages). 74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of 2008.
- Last year, SQL injection jumped 134 percent and replaced cross-site scripting as the predominant type of Web application vulnerability.
- Exploitation of Websites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008.
- In addition to these vulnerabilities, many Web sites request the use of known vulnerable ActiveX controls, which leave Web site visitors who do not have updated browsers in a compromised position.
- Although the number of vulnerabilities affecting Web browsers went down in comparison to 2007, they continue to be the main target of exploitation. New categories of threats affecting clients are on the rise, specifically in the areas of malicious documents, multimedia applications, and potentially Java applications which are easy to host on the Web.
According to IBM, many of the web vulnerabilities listed above can be prevented or avoided by taking a preemptive approach to security. IBM Rational AppScan for example, enables companies to test Web 2.0-based applications to identify security vulnerabilities on a frequent basis, helping to make the Web experiences they provide to customers more secure from hackers. In addition, new features enhance customers’ abilities to address regulatory mandates and meet business policies.
By Shanti Anne Morais