Posted: 19-Dec-2015
Impact of Plugins on Web Application Security
James Walden, Maureen Doyle, Northern Kentucky University
Students: Andrew Plunkett, Rob Lenhof, John Murray
IMI Security Symposium 2010
Topics
1. Web Application Security
2. Plugins
3. Plugin Vulnerabilities
4. Comparing Core and Plugin Security
5. Vulnerabilities by Category
6. Conclusions
Firewalls don't protect web apps
[Diagram: Web Client -> Firewall (port 80, HTTP traffic) -> Web Server / Application -> Database Server; telnet and ftp also shown at the firewall]
History of Web Security
Year  Technology       Security
1993  CGI              Firewalls, SSL
1995  PHP, Javascript  Firewalls, SSL
1997  ASP, JSP         Firewalls, SSL
2000  REST, SOA        Firewalls, SSL
2006  AJAX             Firewalls, SSL
SQL Injection
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.
[Diagram: Attacker, User, Firewall, Web Server, DB Server; form field "Pass ' or 1=1--"]
SQL Injection in PHP
$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
// $username and $password come straight from the submitted form and are
// spliced into the query string unescaped: this is the injection point.
$query = "select count(*) from users where username = '$username' and password = '$password'";
$result = mysql_query($query);
SQL Injection Attack #1
Unauthorized Access Attempt: password = ' or 1=1 --
SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --
Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2
Database Modification Attack: password = foo'; delete from table users where username like '%
DB executes two SQL statements:
select count(*) from users where username = 'user' and password = 'foo'
delete from table users where username like '%'
Real Estate Site Hacking
www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*
Exploit against http://phprealestatescript.com/
Cross-Site Scripting (XSS)
Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActionScript) of attacker's choosing.
XSS used to obtain session ID for
◦ Bank site (transfer money to attacker)
◦ Shopping site (buy goods for attacker)
◦ E-mail
Key ideas
◦ Attacker sends malicious code to server.
◦ Victim's browser loads code from server and runs it.
Anatomy of an XSS Attack
1. Login
2. Cookie
3. XSS Attack
4. User clicks on XSS link.
5. XSS URL
6. Page with injected code.
7. Browser runs injected code. Evil site saves ID.
8. Attacker hijacks user session.
[Diagram participants: Attacker, User, Web Server]
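As an added example, not from the slides: steps 6 and 7 above in a small Python page renderer, the unescaped (vulnerable) form beside the HTML-escaped form, using a constructed harmless probe string rather than any real payload. The search-page scenario and function names are assumptions.

```python
import html

# Constructed probe string: a harmless marker that shows whether input is
# rendered as markup. Not a real payload.
PROBE = "<script>alert(1)</script>"

def render_vulnerable(query):
    # Step 6 of the slide: the server echoes attacker-supplied input straight
    # into the page, so the victim's browser parses it as markup (step 7).
    return f"<p>Results for: {query}</p>"

def render_escaped(query):
    # Hardened form: HTML-encode the input so it is displayed as text, not run.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def has_live_script(page):
    # Cheap regression check for a test suite: does the rendered page still
    # carry a script tag that the browser would execute?
    return "<script" in page.lower()

def demo():
    return {
        "vulnerable": has_live_script(render_vulnerable(PROBE)),
        "escaped": has_live_script(render_escaped(PROBE)),
    }
```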
Web Application Plugins
Add features to apps: Advertising, E-commerce, Media, Security, Site Navigation, Statistics, Themes, User Management
What makes up a web application?
Is it the core code or core code + plugins? Some apps are almost always deployed with plugins. Plugins are written by non-core developers. Core site may or may not track plugin security.
Some apps are packaged in distributions with plugins, such as Drupal, which has: OpenAtrium (Development Seed), Acquia Drupal, OpenPublish, Pressflow (Four Kitchens)
Research Objective
Goal: Identify differences between security of core code and plugins for web applications.
Research questions:
1. Are plugins less secure than core code?
2. How are vulnerabilities distributed across plugins?
3. How do different applications compare in terms of plugin security?
Open Source and PHP Security
Open Source
◦ Evaluate source code that has no barriers to access
◦ 85% of businesses use open source software
◦ Probably all if embedded open source is counted, such as printers, routers, projectors, etc.
PHP is most widely used language for open source web applications
◦ 35.3% of web apps on Freshmeat are PHP, 14% Java
◦ Most popular apps written in PHP: Drupal, Joomla, Mediawiki, phpBB, PhpMyAdmin, WordPress
Open Source Web Applications
Selection process
◦ PHP web applications from freshmeat.net.
◦ A central plugin repository.
◦ Automatable downloads.
◦ At least 10 plugins.
Why PHP?
◦ Most popular web applications written in PHP.
◦ Can compare applications evenly.
Range of projects
◦ 12 projects met selection criteria.
◦ 13,535 plugins for these applications.
◦ Plugins per app ranged from 10 to 8989 plugins.
Measuring Vulnerabilities
Reported Vulnerabilities in NVD or OSVD
◦ Coarse-grained time evolution.
◦ Difficult to correlate with revision.
◦ Undercounts actual vulnerabilities.
Dynamic Analysis
◦ Expensive.
◦ False positives and negatives.
◦ Must install and execute application.
Static Analysis
◦ Expensive.
◦ False positives and negatives.
◦ Requires application installation
Static Analysis Vulnerability Density
Number of vulnerabilities found by a static analysis tool per 1000 lines of source code.
Fortify SourceAnalyzer 5.8.0
Aggregate SAVD: Use aggregate of source code for all plugins. Total vulnerabilities / Total KSLOC
Average SAVD: Compute SAVD for each plugin individually. Average individual plugin SAVD values.
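An added example, not from the study, that computes the two SAVD variants defined above over constructed plugin data and shows why they diverge (large plugins dominate the aggregate, every plugin counts equally in the average), plus a size-versus-SAVD correlation of the kind the conclusions report as ρ = 0.91. The plugin names and counts are invented; Pearson correlation is used since the slides do not say which ρ they computed.

```python
import math

# Constructed sample of (plugin, static-analysis findings, SLOC); invented
# numbers for illustration, not the study's Fortify results.
PLUGINS = [
    ("tiny-widget", 1, 200),
    ("contact-form", 4, 1500),
    ("gallery-pro", 60, 12000),
    ("shop-suite", 300, 40000),
]

def savd(vulns, sloc):
    # Static Analysis Vulnerability Density: findings per 1000 lines of source.
    return vulns / (sloc / 1000)

def aggregate_savd(plugins):
    # Pool all plugin code first: total findings / total KSLOC. Large plugins
    # dominate, so this tracks the code a deployed site actually carries.
    total_vulns = sum(v for _, v, _ in plugins)
    total_sloc = sum(s for _, _, s in plugins)
    return savd(total_vulns, total_sloc)

def average_savd(plugins):
    # Compute SAVD per plugin, then take the mean: every plugin counts equally,
    # so a dense 200-line plugin weighs as much as a 40,000-line one.
    return sum(savd(v, s) for _, v, s in plugins) / len(plugins)

def pearson(xs, ys):
    # Pearson correlation coefficient, computed by hand to avoid version-specific
    # library helpers.
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

def size_savd_correlation(plugins):
    # Relates each plugin's size (SLOC) to its own SAVD, as the slides do for
    # the "plugin SAVD correlates with code size" finding.
    return pearson([s for _, _, s in plugins],
                   [savd(v, s) for _, v, s in plugins])
```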
Aggregate vs. Average SAVD
[Bar chart, SAVD per application; values as labelled on the chart, in x-axis order]
Application    Aggregate  Average
phpwebsite         1.28     1.41
achievo            1.75     3.26
gallery            2.32     2.48
drupal             2.32     2.47
mantisbt           4.04     7.38
roundcubemail      6.49    14.69
knowledgetree      4.32     3.55
squirrelmail      11.95    11.73
dotproject        12.12     8.69
modx              13.16    12.04
wordpress         16.42    25.81
smarty            19.91    25.75
Do plugins make a site less secure?
Core code developed by small core team. Team experienced with core code over years. May or may not be paid full-time developers. Most sites have some form of security information.
Plugins developed by many people. Wide variety of programming experience. Few develop more than one plugin and so have little experience with application compared to core team.
Few plugins mention security unless a vulnerability has been previously reported.
Drupal Core vs. Plugins
Drupal tracked both core and plugin vulns since 2006.
Most popular CMS with 1.58% of web sites including whitehouse.gov
www.drupalsecurityreport.org
Secure coding documentation. XSS Filter API. DB API to handle SQLi attacks. Input validation API.
Vulnerability Categories SCA → Top 10
Mapped SCA categories to OWASP Top 10 2010.
◦ SCA 5.8 reports 73 categories, only 25 in this code.
◦ 18 of 25 categories mapped to 5 of OWASP Top 10.
◦ 7 remaining categories did not map to Top 10.
Conclusions
Plugins slightly less secure than core. Plugins made up 91% of 11.7 MLOC. Contained 92% of 135,907 vulnerabilities.
Plugin SAVD correlates with code size. ρ = 0.91 (strong correlation). Larger plugins are more likely to have vulnerabilities.
Core SAVD does not correlate w/ code size.