CMS Hacking 101


Description

With the rise of blogs, forums, online magazines, e-commerce, and corporate websites, many organizations are turning to Content Management Systems (CMS), such as Joomla or SharePoint, to create rich websites. CMSs simplify website delivery, but they also expose your organization to a new set of vulnerabilities. This presentation shows how malicious hackers exploit vulnerabilities found in popular Content Management Systems to systematically identify and attack unsuspecting organizations.

Transcript of CMS Hacking 101

Page 1: CMS Hacking 101

© 2013 Imperva, Inc. All rights reserved.

CMS Hacking 101

Analyzing the Risk with 3rd Party Applications

Confidential 1

Barry Shteiman Senior Security Strategist

Page 2: CMS Hacking 101

Agenda

§ CMS defined
§ Risks and trends
§ Recent incidents
§ Into the details
  • An attack campaign
  • Industrialized attack campaign
§ Reclaiming security

Page 3: CMS Hacking 101

Today’s Speaker - Barry Shteiman

§ Senior Security Strategist
§ Security consultant working with the CTO office
§ Author of several application security tools
§ Open source security projects code contributor
§ Twitter @bshteiman

Page 4: CMS Hacking 101

CMS Defined

Content Management System

Page 5: CMS Hacking 101

What is a CMS?

A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface.

Source: https://en.wikipedia.org/wiki/Content_management_system

Page 6: CMS Hacking 101

Deployment Distribution

Source: http://trends.builtwith.com/cms

Page 7: CMS Hacking 101

Enterprise Adoption

Page 8: CMS Hacking 101

Risks and Trends

Page 9: CMS Hacking 101

OWASP Top 10 – 2013 Update

New, A9 - Using Known Vulnerable Components

Page 10: CMS Hacking 101

3rd Party

According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party

Page 11: CMS Hacking 101

When a 3rd Party Brings its Friends

§  More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks

§ 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks

-- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013

You can’t fix code you don’t own; even code you host yourself has third party components in it.

Page 12: CMS Hacking 101

Attack Surface

Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)

In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions.

Page 13: CMS Hacking 101

Classic Web Site Hacking

Hacking
1. Identify Target
2. Find Vulnerability
3. Exploit

Single Site Attack

Page 14: CMS Hacking 101

Classic Web Site Hacking

Hacking (the same steps repeated for each target site)
1. Identify Target
2. Find Vulnerability
3. Exploit

Multiple Site Attacks

Page 15: CMS Hacking 101

CMS Hacking

Hacking

1. Identify CMS
2. Find Vulnerability
3. Exploit

CMS Targeting Attack

Page 16: CMS Hacking 101

Recent Incidents

Page 17: CMS Hacking 101

3rd Party Code Driven Incidents

Drupal.org was breached via a 3rd party application running on its own servers.

Page 18: CMS Hacking 101

3rd Party Code Driven Incidents

3rd party service provider hacked, customer data affected.

Page 19: CMS Hacking 101

3rd Party Code Driven Incidents

Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.

HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf

Page 20: CMS Hacking 101

CMS Related Incidents

Page 21: CMS Hacking 101

Into the Details

How a CMS Attack Campaign Might Look

Page 22: CMS Hacking 101

The Attacker’s Focus

Server Takeover

Direct Data Theft

Page 23: CMS Hacking 101

CMS Mass Hacking

Source: www.exploit-db.com

Step 1: Find a vulnerability in a CMS platform

Even public vulnerability databases contain thousands of CMS related vulnerabilities.

Page 24: CMS Hacking 101

CMS Gone Wild(card)

Step 2: Identify a fingerprint in a relevant CMS-based site

A fingerprint can be

•  Image

•  URL

•  Tag

•  Object Reference

•  Response to a query

• etc.

Page 25: CMS Hacking 101

Fingerprinted

Tag based

The page source will usually contain fingerprints of the CMS in use (unless it has been obfuscated).

Page 26: CMS Hacking 101

Fingerprinted

URL based

An administrator interface may be front-facing, allowing detection and login attempts.

Page 27: CMS Hacking 101

Google Dork for the Masses

§ Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
§ Results: 144,000

Page 28: CMS Hacking 101

Google Dork for the Masses

In the example shown: the database host, user and password are exposed.
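The exposure on this slide comes from stray copies of wp-config (a .txt or .bak left next to the live file) that the web server hands out as plain text. The following self-audit is an added example, not code from the deck or from Imperva; it walks a web root, reports every wp-config copy other than wp-config.php itself, and lists which DB_* constants each one leaks. The fixture web root and its credentials are constructed.

```python
# Added example, not from the Imperva deck: audit a WordPress web root for
# stray copies of wp-config (wp-config.txt, wp-config.php.bak, ...) that the
# web server would serve as plain text and a search engine could index.
import os
import re
import tempfile

REAL_CONFIG = "wp-config.php"  # executed by PHP, so its contents are not served
# WordPress defines its database settings with define('DB_...', '...');
# reporting which constants a stray copy carries shows what was exposed.
CRED_RE = re.compile(r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]""")


def find_exposed_configs(webroot):
    """Return sorted [(relative_path, [DB_* constants found])] for every file
    under webroot whose name starts with 'wp-config' but is not wp-config.php."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            lower = name.lower()
            if not lower.startswith("wp-config") or lower == REAL_CONFIG:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                consts = sorted({m.group(1) for m in CRED_RE.finditer(fh.read())})
            findings.append((os.path.relpath(path, webroot), consts))
    return sorted(findings)


def build_sample_webroot():
    """Constructed fixture: the real config, two stray copies and a normal page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backup"))
    config = ("<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_USER', 'wp');\n"
              "define('DB_PASSWORD', 'example-only');\ndefine('DB_HOST', 'localhost');\n")
    files = {
        "wp-config.php": config,                               # executed, not served raw
        "wp-config.txt": config,                               # served as text/plain
        os.path.join("backup", "wp-config.php.bak"): config,   # served raw
        "index.php": "<?php echo 'hello';\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel_path, consts in find_exposed_configs(build_sample_webroot()):
        print(f"EXPOSED {rel_path}: {', '.join(consts)}")
```

Run it against the real document root (not the fixture) and remove or move every hit outside the web root; the real wp-config.php is only safe as long as PHP keeps executing it rather than serving it.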

Page 29: CMS Hacking 101

Botnets Targeting Your CMS

Recently Observed:
• Botnets scan websites for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet

Page 30: CMS Hacking 101

From a Botnet Communication

Botnet operator uses zombies to scan sites for vulnerabilities

* As observed by Imperva’s ADC Research Team

Google Dork
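The zombie scanning described on this slide leaves a recognisable trace in a site's own access log: one client asking for config-file copies and admin pages it has no reason to know about, most of them answered with 404. The detection below is an added example, not part of the deck or of Imperva's tooling; it assumes combined log format, the probe path list is an assumption drawn from the slides, and the log lines are constructed.

```python
# Added example, not from the Imperva deck: flag clients whose requests look like
# a CMS probe (config-file copies, admin/login pages, mostly 404s), the scanning
# the slides attribute to botnet zombies. Assumes combined log format.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Paths a CMS probe touches: stray wp-config copies (the dork on the slide) and
# WordPress, Joomla and Drupal admin/login pages. Assumed list; extend per site.
PROBE_PATTERNS = [
    re.compile(r"/wp-config\.(?:conf|txt|bak|old|php\.bak|php~)$", re.I),
    re.compile(r"/wp-login\.php$", re.I),
    re.compile(r"/wp-admin/", re.I),
    re.compile(r"/administrator/", re.I),   # Joomla
    re.compile(r"/user/login$", re.I),       # Drupal
]


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(lines, min_probes=3, min_404s=2):
    """Return {ip: {"probes": n, "not_found": m, "paths": [...]}} for clients with
    at least min_probes probe requests of which at least min_404s got a 404; asking
    for files the site does not have is the tell, so a real admin is left alone."""
    per_ip = defaultdict(lambda: {"probes": 0, "not_found": 0, "paths": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m["path"]):
            continue
        rec = per_ip[m["ip"]]
        rec["probes"] += 1
        rec["not_found"] += int(m["status"] == "404")
        rec["paths"].append(m["path"])
    return {ip: r for ip, r in per_ip.items()
            if r["probes"] >= min_probes and r["not_found"] >= min_404s}


# Constructed sample: one probing client, one legitimate admin, one reader.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2013:10:01:02 +0000] "GET /wp-config.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2013:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2013:10:01:04 +0000] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/4.0"
198.51.100.5 - - [10/Jul/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jul/2013:10:02:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2013:10:03:00 +0000] "GET /blog/2013/07/post HTTP/1.1" 200 7420 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, rec in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {rec['probes']} probes, {rec['not_found']} x 404 -> {rec['paths']}")
```

The thresholds are deliberately low for a single-site log; on a busy site raise them, or feed the flagged addresses to the WAF the later slides recommend.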

Page 31: CMS Hacking 101

From a Botnet Communication

Botnet exploits vulnerabilities and absorbs victim servers

* As observed by Imperva’s ADC Research Team

Page 32: CMS Hacking 101

Reclaiming Security

Securing 3rd Party Applications

Page 33: CMS Hacking 101

Analyzing the Attack Surface

Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)

Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls.

Page 34: CMS Hacking 101

Deployment Matters

Cloud based deployment: hosted applications and B2B services (Imperva Incapsula Cloud).

On premise deployment: applications and 3rd party code deployed in your virtual/physical data center.

Page 35: CMS Hacking 101

Recommendations

When a company builds its security model, it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
§ Implement policies on both the legal and technical aspects to control data access and data usage.
§ Require third party applications to accept your security policies and put proper controls in place.
§ Monitor.

Page 36: CMS Hacking 101

Technical Recommendations

§ Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
§ Pen test before deployment to identify these issues
§ Deploy the application behind a WAF to
  • Virtually patch pen test findings
  • Mitigate new risks (unknown at pen test time)
  • Mitigate issues the pen tester missed
  • Use a cloud WAF for remotely hosted applications
§ Virtually patch newly discovered CVEs
  • Requires a robust security update service

Page 37: CMS Hacking 101

Post-Webcast Discussions

Answers to Attendee Questions

Webcast Recording Link Join Group

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Presentation Materials

Page 38: CMS Hacking 101

www.imperva.com
