
Web sites vulnerable to a new generation of attacks

Web application security faces serious hurdles, experts warn. New attacks exploit XSS and CSRF vulnerabilities rampant among Web sites.

SAN FRANCISCO -- The majority of Web sites have serious flaws, Joe Walker and Jeremiah Grossman said during their presentation on advanced Web application security at last week's Ajax Experience conference.

Grossman, founder and CTO of WhiteHat Security, said that his company checks the security of about 600 different Web sites a month and has found that 80% have significant security flaws. "These are not just small mom-and-pop sites, these are large e-commerce sites," he said. "The Web is incredibly riddled with vulnerabilities."


Joe Walker, creator of DWR (Direct Web Remoting, an Ajax library for Java), said that IT managers, when confronted with the fact that firewalls don't solve the problem, tend to go through five "emotional phases": denial, anger, bargaining (for better security), depression and, finally, acceptance.

Two of the main building blocks of the new generation of attacks are cross-site scripting (XSS) and cross-site request forgery (CSRF).

When Grossman started looking at the mechanisms of these vulnerabilities two years ago, no one had any idea what he was talking about, he said. It was not until the Samy worm tore through MySpace that people started to take him seriously. (See "Web worms" below for more on Samy.)

Grossman pointed out that although the Samy worm was relatively benign, there is potential for worms to be malicious. Attackers now have more channels for getting markup and script into browsers, including Flash ActionScript, SVG, .htc files, and XML data islands.

In a CSRF attack, a page controlled by the attacker makes the victim's browser send requests to another site in the background, without the user's knowledge. The browser attaches the user's cookies for that site automatically, so the forged request arrives looking authenticated. "If you are assuming that a cookie received was sent because the user wanted it sent, you have a problem, because cookies are eminently spoofable," said Walker.

This exploit is painfully easy to execute and hard to defend against, because a forged request looks to the Web site exactly like a valid request from the user. "This is an important feature that needs to be looked at because you can force a user to make a request they did not send," Walker said.


According to Walker, the DWR project has implemented a relatively simple defense that reduces the risk of CSRF: the page's own script copies the session cookie into the body and a header of each request, and the server rejects any request in which the copy does not match the cookie the browser sent. A page on another site can make the browser send the cookie, but it cannot read the cookie, so it cannot supply the matching copy. Grossman added that CSRF would probably be the most commonly discussed form of attack over the next year.

2006 was a big year for Web security research: researchers tracked about seventy new types of attacks, Grossman said. He discussed the top six threats:

  1. Hacking RSS readers
  2. Web worms
  3. Backdooring media files
  4. History stealing
  5. Anti-DNS pinning
  6. Intranet hacking

Hacking RSS readers
The problem is that feed aggregators typically render, on a single page, content pulled from many different domains, and in some cases that content includes JavaScript from many different sources. Grossman pointed out that when you are putting someone else's JavaScript on your Web site, you give the script potential access to everything the user sees and does.

While you might trust the company that is distributing the feed, do you trust their security? "How secure can a Web counter company really be?" Grossman asked. "If someone hacks that code, it will filter through the chain," he continued.

These same sorts of attacks could also emanate from an advertiser or a distributor of feeds. Grossman noted, "I recently noticed a hotel had set up a WiFi network that was sending out HTML ads from other people's pages. They were giving out access to everyone's cookies."

Web worms
The Samy worm was the first major worm that used XSS and CSRF together. The worm was created by a 19-year-old man who discovered how to bypass the filter on MySpace and put JavaScript code in his profile. When a visitor viewed Samy's profile, the code would execute and add the visitor as a "friend." Within 24 hours Samy had acquired over one million "friends." MySpace had to be taken offline completely in order to eliminate the worm.

"Imagine what could be done with a million browsers all directed to a site at the same time," said Walker.

Backdooring media files
JavaScript is turning up in PDF, Flash, QuickTime media, and Word files. "We are used to dealing with user uploaded content in the form of text," said Walker. "But what happens with other content loaded back down to the user?" he asked.

History stealing
History stealing can be used to identify where a user banks and shops, providing information for subsequent attacks.

There are many ways to check a user's history. An attacker's page can list links to candidate sites and read back the color the browser gives each link: visited links render in a different color, so the attacker learns which sites the user has been to. Grossman demonstrated the attack in three lines of code. When his team originally found the hack a few years ago, people thought they could just turn off JavaScript. A paranoid user can turn off JavaScript in the toolbar, but this will not prevent someone from gaining access to that user's history: all the attacker has to do is put a :visited style rule into the HTML, for example one that loads a background image, which the browser fetches only for links the user has visited.

Another way to probe a user is to load a URL from another site in a script source tag. The attacker's page then sees two different results, depending on whether or not the user is logged in to a service such as Gmail, because the service returns different content to logged-in and anonymous users.

Anti-DNS pinning
This attack, also known as DNS rebinding, has the attacker's DNS server answer a lookup for the attacker's host name first with the attacker's own IP address and then, once the page has loaded, with an address on the victim's local network. If the browser re-resolves the name instead of pinning the first answer, script from the attacker's page can read from and write to hosts on the local intranet while the browser still treats every request as going to the attacker's own site.

Intranet hacking
Once the browser has access to the internal network, the attacker can connect to the local router and try various default user names and passwords. A successful login lets the attacker reconfigure the router to hand out the attacker's DNS server to every machine on the network. This could enable an attacker to misdirect a user to a spoofed bank Web page, for example, to harvest the user's name and password.

Of the 80 programmers in the audience, only 15 had changed the default password on their home routers, an informal survey revealed. Among non-programmers, the number is likely to be far lower. "You are not the people I am attacking," Walker warned his audience. "Your moms are."
