Acunetix

Post on 21-Oct-2014


Transcript of Acunetix

Is Your Website Hackable? Why You Need to Worry

Alliance Technology Partners

U.S. Preferred Partner

Agenda
• A Holistic View of Security – Web Applications in Danger
• Web Application Security Issues
• Is your Website Hackable? Why Organizations Need to Worry
• An Introduction to Hacking
• Protecting Yourself: Web Vulnerability Scanning
• Acunetix Web Vulnerability Scanner

A Holistic View of Security

Web Applications in Danger

What are Web Applications?
• Login forms, search forms, blogs and forums, shopping carts, newsletter submit fields.
• Easy, seamless and immediate retrieval and submission of data through a web browser.
• Updated and maintained without distributing and installing software on client computers.
• Immensely popular.
• Web applications as business drivers.
• AJAX applications – the next generation.

The Web Application Model
For this model to function efficiently, the Web Application has direct and open access to the database. This access is needed to churn the content requested by visitors to the website.
Web Apps = Database Ports Open
[Diagram: shield around network assets, including database and web servers; no direct access to database; SSL]

Web Application Security Issues

Web App Security Concerns
• Bring grave security risks:
– Available 24x7x365
– Publicly available for legitimate users and hackers
– Direct access to backend databases
– Most web applications are custom-made
– These custom applications are the most susceptible to attack.
– Lack of awareness equating web security to network security.

Layers to Security

Nine Myths: Eyes Wide Shut?
1. Network security scanners protect the application layer.
2. Application vulnerabilities = network and system vulnerabilities.
3. Firewalls protect the application layer.
4. IPS/IDS defeat application attacks.
5. Network devices understand application context.
6. SSL secures the application.
7. Vulnerability scanners protect the web – matching vulnerability signatures will do the trick.
8. Annual or quarterly vulnerability assessments are enough.
9. Patch management is immediate and satisfactory.

The Jeffrey Rubin Story
• Network Security is Not Enough
Syracuse University School of Information Studies; President of Internet Consulting Services. “Review: Web Vulnerability Scanners”, SOAPipeline, September 2005.
• Network security is not enough, as web applications require port 80 to be open to communicate with the database and deliver the function they were designed for.

Eric S. Raymond
• ESR is a well-known figure in the hacker community and maintains the “Hacker’s Dictionary”.
• A famous quote in response to “how long will it take me to learn to hack?”:
• “…if you are a real hacker, you will spend the rest of your life learning and perfecting your craft”.

Have you been hacked?
• Have you been hacked?
– Are you certain?
– If web applications are not secure…
– …then your entire database of sensitive information is at serious risk.

Is your Website Hackable?

Why Organizations Need to Worry

Who’s Being Hacked?
• Choice Point Inc ($15m)
• University of Southern California ($140k +)
• Microsoft (Website defacement)
• PayPal (Account information stolen; cost unknown)
• Victoria’s Secret ($50k fine)
• Hotmail (XSS detected – not fixed)
• Amazon (XSS detected – not fixed)
• Petco (credit cards of 500k customers stolen)

TJX Companies Inc
• 40 million customer cards stolen
– USA, Hong Kong, Sweden, UK and Ireland.
• Lawsuits to date account for about US$ 5 to 10 million
• Government of Canada launching an investigation
• Breach probably started in 2003 and discovered in December 2006.

Web Security Hard Cold Facts
• Gartner:
– 75% of Website hacks happen at the web application level.
• Cisco:
– 95% of web applications have serious flaws,
• 80% of which are vulnerable to Cross Site Scripting
• Acunetix Research through Free Audits (published):
– 70% of sites scanned have medium to high risk vulnerabilities including:
• SQL Injection
• XSS
• Source Code Disclosure
• Our competitors show similar statistics:
– Jeremiah Grossman (Whitehat) states our figure is conservative.

Free Audit Statistics (1) to (5) [chart slides]

What Motivates Hackers? Data!
• The Privacy Clearing House reports some startling data:
1. Total number of records stolen over the period Feb 2005 to July 2006 = 88,931,692
2. Total number of records stolen over the period Feb 2005 to Feb 2006 = 101,070,850
• 13% increase in just 7 months
• Monthly average of 4.2 m records stolen
3. Total number of records stolen due to hack attacks: approximately 82m

The Cost of being Hacked
• Closure.
• Lost customer confidence, trust and reputation.
• Lost brand equity.
• Downtime.
• Lost revenues and profits.
• Ban on processing credit cards.
• Repair the damage.
• New security policies.
• Legal implications including fines and damages.

An Introduction to Hacking

What a Hacker will Do
[Diagram: shield around network assets, including database and web servers, IS IN PLACE but DOES NOT STOP HACK ATTACK]

How do Hackers Work? (1)
• First step towards deploying a web security infrastructure.
• Always steps ahead.
• Wide repertoire of hacking techniques they will throw at custom web applications.
• Very close-knit community that keeps itself abreast to propagate further hacking.
– Check out sla.ckers.org and slashdot.
• Systematic plan of action that entails four steps.

How do Hackers Work? (2)
• Step 1: Analyse the server infrastructure
• Step 2: Survey the Website
• Step 3: Check for Input Validation Errors
• Step 4: Mount the Attack

Popular Hacking Techniques
• Static Methods – the ‘Known’ (launched against known applications and servers):
– Known exploits
– Directory Enumeration
– Web Server Exploits
• Dynamic Methods – the ‘Unknown’ (typically launched against non-standard applications):
– SQL Injection
– Cross-site Scripting
– Directory and Link Traversal
– Source Code Disclosure
– Common File Checks
– Parameter Manipulation or Passing
– Hidden Web Paths
– Extension and Backup Checking
– Path Truncation
– Java Applet reverse engineering
– Session Hijacking
– Authentication Attacks
– Google Hacking Database

SQL Injection
• SQL is a database query language for data storage, manipulation and retrieval.
• Standard for all web applications to interact with their databases, be they Oracle, MySQL, MS Access…
• SELECT, DROP, INSERT, DELETE
• SQL Injection is when a hacker is able to inject SQL syntax in an input field to gain access to the database.

SQL Injection Demo
• http://testasp.acunetix.com/
• Example of a forum that requires login for posting information. With the password field set to anything' or 'x'='x, the query the application builds becomes:

    SELECT id
    FROM logins
    WHERE username = 'I-am-a-hacker'
    AND password = 'anything' or 'x'='x'

• This is a simple example.
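As an added illustration of the demo above (not code from the original presentation or from Acunetix), the following Python shows the login query built by string concatenation next to the parameterized form that closes the hole. It uses an in-memory SQLite table named logins, matching the slide, with one constructed account; the table contents, the function names and the hypothetical is_authenticated() return value are assumptions.

```python
import sqlite3

# Constructed sample data: a "logins" table with a single legitimate account.
# This stands in for the forum database referred to on the slide.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO logins (username, password) VALUES ('alice', 'correct-horse')"
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    # The defect: user input is pasted into the SQL text, so quote characters
    # in the input become part of the query's syntax.
    return (
        "SELECT id FROM logins WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    # Because AND binds tighter than OR, an input of  anything' or 'x'='x
    # turns the WHERE clause into (user AND pass) OR 'x'='x', which matches
    # every row, so a non-existent user is "authenticated".
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    # Hardened form: placeholders hand the values to the driver separately,
    # so the input is compared as data and never parsed as SQL syntax.
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "anything' or 'x'='x"
    print(build_vulnerable_sql("I-am-a-hacker", payload))
    print("vulnerable:    ", login_vulnerable(db, "I-am-a-hacker", payload))
    print("parameterized: ", login_parameterized(db, "I-am-a-hacker", payload))
```

Running it prints the rendered query from the slide, then True for the concatenated version and False for the parameterized one; a real password (alice / correct-horse) is accepted by both, which is the point: parameterization removes the injection without changing legitimate behaviour. Passwords are stored in clear text here only to keep the example aligned with the slide's query; a production login table would store a salted hash.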

Protecting yourself: Web Vulnerability Scanning

Preventing Hack Attacks
• Audit your web applications for exploitable vulnerabilities regularly and consistently.
• Web Vulnerability Scanners introduce web security.

Types of Web Vulnerability Scanners
• Web Vulnerability Scanners
– Signature Matching Approach (Standard Web Vulnerability Scanners)
– Heuristic Methodology Approach (Intelligent Web Vulnerability Scanners)
• Automated v. Manual Scans
– The importance of automation
– Nothing beats the human touch

Signature Matching
• The majority of vulnerability scanners are ineffective because they look for weaknesses based on signature matching.
• Similar to anti-virus software.
• Almost perfect for all popular systems and widely deployed applications:
– Effective against Known (Static) Vulnerabilities
– Ineffective against Unknown (Dynamic) Vulnerabilities and for Custom Applications.

Heuristic Scanning Methodology
• Hacks are not based on a signature file.
• Custom web applications are a honey pot.
• Logic of the “heuristic methodology” is:
– Proactive v. Reactive
– Acts like a hacker
– Focuses on the arsenal of hacking methods rather than the vulnerabilities themselves.
• Web vulnerability scanning depends on:
– (a) how well your site is crawled, and
– (b) the ability to test the various hacking methods and techniques against web applications.

Protecting yourself: Acunetix Web Vulnerability Scanner (WVS)

Acunetix WVS
• Organisation has been around for 3 years and was founded by the ex-founder/CEO of GFI (LanGuard).
• Easy-to-use Heuristic Methodology Scanner with non-destructive automatic and manual audits.
• Acunetix WVS is an essential tool to find holes in your web security.

How Acunetix WVS Works
• Discovery or Crawling Process Stage
• Automated Scan Stage
• Alert Node Stage
• Reporting Stage

The User Interface [screenshot slide]

Audit Report [screenshot slide]

Compliance Report [screenshot slide]

Audited Hacking Vulnerabilities and Attacks
• Automated Checks and Attacks
– Version Check
– CGI Testing
– Parameter Manipulation (SQL Injection, XSS, …)
– MultiRequest Parameter Manipulation
– File Checks
– Directory Checks
– Text Search
– Google Hacking Database
• Manual Checks and Attacks
– Input Validation
– Authentication Attacks
– Buffer Overflows

Some Features at a Glance
• JavaScript / AJAX Support – Client Script Analyzer (CSA)
• Scheduler
• Command Line
• URL Rewrite Support
• Detects Google Hacking Vulnerabilities
• Extend Attacks with the HTTP Editor & Sniffer
• In-depth Testing with the HTTP Fuzzer
• Login Sequence Recorder for Protected Areas
• Automatic HTML Form-filler
• Crawl Flash Files
• Test Password Strength of Login Pages
• Vulnerability Editor
• Supports all Major Web Technologies
• Scanning Profiles
• Report Generator
• Compare Scans and Find Differences
• Easily Re-Audit Website Changes
• …and more

Acunetix Version 5
• New Features:
– Scanning and automation engine
– Enhanced ClientScript Analyzer for AJAX and related applications
– Web Services Scanner
– Password Protection
– Assistance in finding CSRF
– Unique compliance reporting application

Licensing Options
• One-year or perpetual licensing
• Annual maintenance
• 1 or unlimited URLs
• Consultant Edition
• Pricing starts at $1445 for Single User Single URL Perpetual License

Customers
• Over 5000 sites scanned in one year (2008)
• Global network of resellers
• Strong in the USA
• End-users include US Government, US Military, IBM, France Telecom, Telstra, Unisys, F.A. Premier League, Bank of China, Dae Woo, Fujitsu, CMP and many more.

Thank you

Please contact Alliance Technology Partners for more information

www.alliancetechpartners.com

888-891-8885