Friday, September 21, 2007

The Ease of Hacking Websites

Most web sites today use a database in one form or another to generate their content. Some use the “offline” database back-ended approach, where pages are regenerated every so often but the web site itself is served as static pages (HTML). Others use the “on-line” database back-ended approach, where pages are generated on the fly whenever a user requests them.
It is considered harder to hack an “offline” database back-ended web site, because sending it malformed data gives you no direct way to influence the content it displays. However, as most webmasters will tell you, the “offline” approach is harder to maintain, slower to adapt to changes in content, and requires more thought about what is placed on-line, since content can take minutes to hours to propagate into the static web site. That is why most of today’s web sites use the “on-line” approach.
This comes at a price. I will skip the hardware and software aspects and talk only about security. Because the web site is built according to user-provided data, a user, in this case a malicious one, gets the opportunity to manipulate the results returned by the server.
How common is it to see a web site defaced via an IIS/Apache vulnerability? Not very, and when it happens it is usually due to some newly discovered vulnerability in those products. How common is it to see a web site defaced via a Windows/Linux vulnerability? Roughly as common as seeing an IIS/Apache web site defaced because it runs an old version of the software.
What is more common? Web sites defaced due to improper handling of user-provided data. These vulnerabilities are usually divided into the following categories:
Cross Site Scripting
SQL Injection
Code Execution
Would it be difficult to detect these vulnerabilities? No. Would it be difficult to avoid having them in the first place? No.
So why are these vulnerabilities still present in high profile web sites? I could name a few such web sites, major news agencies and broadcasting networks, but it would help neither the end user nor the web site’s owner. Everyone knows there are numerous solutions for preventing, detecting and stopping these vulnerabilities, so why aren’t they being used?
Are web site vulnerabilities, such as those caused by bad handling of user-provided data, considered low risk? I don’t think these vulnerabilities can be regarded as low risk.
Take this example. In a few minutes of wandering through the site of one of these news agencies, which runs on the “unbreakable” Oracle database, I was able to discover the complete structure of their articles table/schema and to read any entry in the table by querying columns such as author, date, priority and keywords, which would otherwise be impossible to use through their normal web interface.
The next logical step for a hacker discovering this would be to insert or modify an article in the database and plant some form of malicious content in it. I can name a few: an ad-ware installing page, a fraudulent “donation” button, etc. Does this sound fictitious? Nope, it has been done, and there is nothing stopping anyone from doing it again.
As history has taught us, these kinds of vulnerabilities go unnoticed until someone writes a worm that exploits them to hop from one server to another, which, like CodeRed, creates enough havoc to make the security community understand the importance of addressing such vulnerabilities.
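The articles-table case above comes down to one coding mistake: the keyword the visitor types is pasted into the SQL text instead of being passed to the database as a value. The following is an added example, not code from the post or from any site it refers to; it builds a constructed in-memory SQLite table with the columns the post names (author, date, priority, keywords) and shows the flawed query beside the parameterized fix, plus a minimal request-log check that flags the quote and comment sequences such input carries. The function names and sample rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a news site's articles table.
# Column layout follows the columns named in the post.
SAMPLE_ARTICLES = [
    (1, "alice", "2007-09-20", 1, "economy markets", "Markets rally"),
    (2, "bob", "2007-09-21", 2, "sports football", "Cup final preview"),
    (3, "carol", "2007-09-21", 1, "politics election", "Election called"),
]


def open_sample_db():
    """Create an in-memory database holding the constructed articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, author TEXT, "
        "date TEXT, priority INTEGER, keywords TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ARTICLES)
    return conn


def search_vulnerable(conn, keyword):
    """The flawed pattern: the visitor's keyword is concatenated into the SQL.
    A quote inside `keyword` ends the string literal, and whatever follows is
    parsed as SQL, which is how a search box turns into a query on any column."""
    sql = "SELECT id, title FROM articles WHERE keywords LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, keyword):
    """The fix: a parameterized query. The keyword travels as a bound value,
    so the database matches it as text and never parses it as SQL."""
    sql = "SELECT id, title FROM articles WHERE keywords LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def vulnerable_query_fails(conn, keyword):
    """True when the concatenated query is rejected by the database. On a
    live site that error (often echoed with schema details) is the first
    sign a reviewer or log monitor should look for."""
    try:
        search_vulnerable(conn, keyword)
        return False
    except sqlite3.Error:
        return True


def looks_like_injection(value):
    """Cheap detection hook for request logs: quote, comment or statement
    separators inside a field that should only ever hold a plain keyword."""
    suspicious = ("'", "--", "/*", ";")
    return any(tok in value for tok in suspicious)


if __name__ == "__main__":
    db = open_sample_db()
    crafted = "x' OR '%' LIKE '%"  # constructed input with a stray quote
    print("normal search:", search_safe(db, "football"))
    print("vulnerable, crafted input:", search_vulnerable(db, crafted))
    print("parameterized, same input:", search_safe(db, crafted))
    print("flagged by log check:", looks_like_injection(crafted))
```

Run as a script it shows the same keyword producing one row from both functions, while an input carrying a quote returns the whole table from `search_vulnerable` and nothing from `search_safe`. The detection helper is deliberately crude: it is the kind of rule that belongs in a log review or WAF as a tripwire, not a substitute for the parameterized query.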
It’s not hard to find sites vulnerable but it is hard to notify those organisations.
I’ve come across sites where I could get full HDD read access but I couldn’t inform them about this as they didn’t have any email addresses to send anything to.
While it is true that professional web designers should be taught to secure the web pages they should also be told to have an email address to the webmaster easily visible.
Why are these flaws present in high profile websites? Two reasons:
1. Malicious hackers haven’t found the flaw yet.
2. There is no email address people like us can use to inform the organisation about the flaw, or they don’t read/act on the emails.
I don’t know why their web developers were stupid in the first place, maybe the site was based on old code, coded back when security wasn’t that big an issue. Either way, these companies should be notified… until they read and act on the emails.
I don’t want them to have to learn the hard way.

There is another closely related problem regarding this. Not only do several high profile websites have security flaws, but they have no way of reporting them. I’ve been to sites that (unintentionally) give read access to the entire HDD or have easily exploitable SQL injection but don’t have a way for me to inform them about this. Either that or they don’t read any emails I send them.
Why are these vulnerabilities still present in high profile web sites? There could be a few reasons:
1. A malicious hacker hasn’t yet taught them the hard way.
2. They make it hard for people like us to report the issue.
3. The site was based on code from bygone days when web developers weren’t clued in on security.
4. The site was recently coded by old web developers who still think security isn’t an issue.
What can we do about this? Unless you design websites for large companies or know someone who does we can’t directly influence the companies. We can report flaws to every site that makes it easy to report flaws (if they have flaws of course). In the email describing the flaw you could suggest they do a full security audit.
Of course some websites make it hell to report anything; I have no idea what could be done in these cases. I know some people would do a small defacing to let them know about the issue, but I wouldn’t do something illegal to report that it’s possible to do something illegal to them.

If you know that there’s a SQL injection bug, or any other bug that provides illegal access, that means that you did some illegal acts. So I think you’re better off not saying “oh but they don’t provide email addresses to tell them they are vulnerable” (for free btw?! you’re so cute). It’s like someone forcing (or even without forcing) access to enter your house and then saying “yo! I did it to prove I could enter your house! it’s not secure! congrats!” seriously… Another point, Noam, web based worms already exist. You’re talking about ‘informing the security community with a CodeRed-like worm’, well, it’s funny as you didn’t know that web based worms already exist (example: http://isc.sans.org/diary.php?date=2004-12-21 the Santy worm exploiting a phpBB bug), looks like you don’t know the security community. We, in the security community, have already known about SQL injection for a whiiiile.. When we do pentests (‘Penetration Tests’) we always think about the web application and it is well scanned (checking for SQL injection, path disclosures, code exec through escape to shell, etc).
