SAN FRANCISCO -- The majority of Web sites are subject to serious flaws, advised Joe Walker and Jeremiah Grossman during their presentation on advanced Web application security at last week's Ajax Experience conference.
Grossman, founder and CTO WhiteHat Security, said that his company regularly checks the security of about 600 different Web sites a month and concluded that 80% have significant security flaws. "These are not just small mom-and-pop sites, these are large e-commerce sites," he said. "The Web is incredibly riddled with vulnerabilities."
Joe Walker, creator of DWR, said that IT managers, when confronted with the fact that firewalls don't solve the problem tend to go through five "emotional phases" -- denial, anger, bargaining (for better security), depression and, finally, acceptance.
When Grossman started looking at the mechanisms of these vulnerabilities two years ago, no one had any idea what he was talking about, he said. It was not until the Samy worm tore through MySpace.com that people started to take him seriously. (See the "Web worms" description below for more information on Samy.)
Grossman pointed out that although the Samy worm was relatively benign, there is potential for worms to be malicious. Attackers now have more channels for feeding tags into browsers, including Flash ActionScript, SVG, .htc files, and XML data islands.
This exploit is painfully easy to execute and hard to defend against. CSRF looks like a valid user request to the Web site. "This is an important feature that needs to be looked at because you can force a user to make a request they did not send," Walker said.
According to Walker, DWR has developed a relatively simple solution that reduces the security risks associated with CSRF. It involves doubly submitting cookies in both the body and header of a request, making it harder for malicious hackers to submit bogus cookies. Grossman added that CSRF would probably be the most commonly discussed form of attack over the next year.
2006 was a pretty big year for Web security research. Researchers were able to track about seventy new types of attacks, said Grossman. He discussed the top six threats:
- Hacking RSS readers
- Web worms
- Backdooring media files
- History stealing
- Anti-DNS pinning
- Intranet hacking
Hacking RSS readers
While you might trust the company that is distributing the feed, do you trust their security? "How secure can a Web counter company really be?" Grossman asked. "If someone hacks that code, it will filter through the chain," he continued.
These same sorts of attacks could also emanate from an advertiser or a distributor of feeds. Grossman noted, "I recently noticed a hotel had set up a WiFi network that was sending out HTML ads from other people's pages. They were giving out access to everyone's cookies."
"Imagine what could be done with a million browsers all directed to a site at the same time," said Walker.
Backdooring media files
History stealing can be used to identify where a user banks and shops, providing information for subsequent attacks.
Another way to steal history is to force a user to load into a script source tag/ Then the application gets two different messages depending on whether or not the user is logged in to a service such as Gmail.
This attack forces the browser to look up the IP for a site and then breaks that tie to the DNS address. This allows the hacker to read and write the local intranet from their Web site.
Once the browser has access to the internal environment, the attacker can log onto a local router and test out various default user names and passwords. The attacker can reprogram the router to feed spoofed DNS addresses to all the browsers located on the network. This could enable an attacker to misdirect a user to a spoofed bank Web page, for example, to retrieve a user's name and password.
Of the 80 programmers in the audience, only 15 actually changed the passwords on their routers, an informal survey revealed. Among non-programmers, the number is likely to be far lower. "You are not the people I am attacking," Walker warned his audience. "Your moms are."