Is Your Website Hackable Why you Need to Worry PowerPoint PPT Presentation


1
Is Your Website Hackable? Why you Need to Worry?
  • Alliance Technology Partners
  • U.S. Preferred Partner

2
Agenda
  • A Holistic View of Security: Web Applications in
    Danger
  • Web Application Security Issues
  • Is your Website Hackable? Why Organizations Need
    to Worry
  • An Introduction to Hacking
  • Protecting Yourself: Web Vulnerability Scanning
  • Acunetix Web Vulnerability Scanner

3
A Holistic View of Security
  • Web Applications in Danger

4
What are Web Applications?
  • Login forms, search forms, blogs and forums,
    shopping carts, newsletter submit fields
  • Easy, seamless and immediate retrieval and
    submission of data through a web browser.
  • Updated and maintained without distributing and
    installing software on client computers.
  • Immensely popular.
  • Web applications as business drivers.
  • AJAX applications: the next generation.

5
The Web Application Model
For this model to function efficiently, the Web
Application has direct and open access to the
database. This access is needed to produce the
content requested by visitors to the website.
6
Web Apps Database Ports Open
Shield around Network Assets Including Database
and Web Servers
SSL
No direct access to database
7
Web Application Security Issues
8
Web App Security Concerns
  • Bring grave security risks
  • Available 24x7x365
  • Publicly available for legitimate users and
    hackers
  • Direct access to backend databases
  • Most web applications are custom-made
  • These custom applications are the most
    susceptible to attack.
  • Lack of awareness: web security is wrongly equated
    with network security.

9
Layers to Security
10
Nine Myths: Eyes Wide Shut?
  • Network security scanners protect the application
    layer.
  • Application vulnerabilities are the same as network
    and system vulnerabilities.
  • Firewalls protect the application layer.
  • IPS/IDS defeat application attacks.
  • Network devices understand application context.
  • SSL secures the application.
  • Vulnerability scanners protect the web: matching
    vulnerability signatures will do the trick.
  • Annual or quarterly vulnerability assessments are
    enough.
  • Patch Management is immediate and satisfactory.

11
The Jeffrey Rubin Story
  • "Network Security is Not Enough": Syracuse
    University School of Information Studies,
    President of Internet Consulting Services;
    Review of Web Vulnerability Scanners,
    SOAPipeline, September 2005.
  • Network security is not enough, as web
    applications require port 80 to be open to
    communicate with the database and deliver the
    function they were designed for.

12
Eric S. Raymond
  • ESR is a well known figure in the hacker
    community and maintains the Hacker's
    Dictionary.
  • A famous quote in response to "How long will it
    take me to learn to hack?":
  • "If you are a real hacker, you will spend the
    rest of your life learning and perfecting your
    craft."

13
Have you been hacked?
  • Have you been hacked?
  • Are you certain?
  • If your web applications are not secure, then your
    entire database of sensitive information is at
    serious risk.

14
Is your Website Hackable?
Why Organizations Need to Worry
15
Who's Being Hacked?
  • Choice Point Inc (15m)
  • University of Southern California (140k)
  • Microsoft (Website defacement)
  • PayPal (Account information stolen, cost unknown)
  • Victoria's Secret (50k fine)
  • Hotmail (XSS detected, not fixed)
  • Amazon (XSS detected, not fixed)
  • Petco (credit cards of 500k customers stolen)

16
TJX Companies Inc
  • 40 million customer cards stolen
  • USA, Hong Kong, Sweden, UK and Ireland.
  • Lawsuits to date account for about US$5 to 10
    million
  • Government of Canada launching an investigation
  • Breach probably started in 2003 and was discovered
    in December 2006.

17
Web Security: Hard Cold Facts
  • Gartner:
    • 75% of website hacks happen at the web
      application level.
  • Cisco:
    • 95% of web applications have serious flaws,
    • 80% of which are vulnerable to Cross Site
      Scripting.
  • Acunetix Research through Free Audits
    (published):
    • 70% of sites scanned have medium to high risk
      vulnerabilities, including
      • SQL Injection
      • XSS
      • Source Code Disclosure
  • Our competitors show similar statistics.
  • Jeremiah Grossman (WhiteHat) states our figure is
    conservative.

18
Free Audit Statistics (1)
19
Free Audit Statistics (2)
20
Free Audit Statistics (3)
21
Free Audit Statistics (4)
22
Free Audit Statistics (5)
23
What Motivates Hackers? Data!
  • The Privacy Clearing House reports some startling
    data:
  • Total number of records stolen over the period
    Feb 2005 to July 2006: 88,931,692
  • Total number of records stolen over the period
    Feb 2005 to Feb 2006: 101,070,850
  • 13% increase in just 7 months
  • Monthly average of 4.2m records stolen
  • Total number of records stolen due to hack
    attacks: approximately 82m

24
The Cost of being Hacked
  • Closure.
  • Lost Customer confidence, trust and reputation.
  • Lost Brand equity.
  • Downtime.
  • Lost revenues and profits.
  • Ban on processing credit cards.
  • Repair the damage.
  • New security policies.
  • Legal implications including fines and damages.

25
An Introduction to Hacking
26
What a Hacker will Do
27
How do Hackers Work? (1)
  • Understanding how hackers work is the first step
    towards deploying a web security infrastructure.
  • They are always steps ahead.
  • They have a wide repertoire of hacking techniques
    that they will throw at custom web applications.
  • A very close-knit community that keeps itself
    abreast of new techniques to propagate further
    hacking.
  • Check out sla.ckers.org and slashdot.
  • A systematic plan of action that entails four steps.

28
How do Hackers Work? (2)
  • Step 1: Analyse the server infrastructure
  • Step 2: Survey the website
  • Step 3: Check for input validation errors
  • Step 4: Mount the attack

29
Popular Hacking Techniques
  • Static Methods (the Known): launched against known
    applications and servers
    • Known exploits
    • Directory Enumeration
    • Web Server Exploits
  • Dynamic Methods (the Unknown): typically launched
    against non-standard applications
    • SQL Injection
    • Cross-site Scripting
    • Directory and Link Traversal
    • Source Code Disclosure
    • Common File Checks
    • Parameter Manipulation or Passing
    • Hidden Web Paths
    • Extension and Backup Checking
    • Path Truncation
    • Java Applet reverse engineering
    • Session Hijacking
    • Authentication Attacks
    • Google Hacking Database
30
SQL Injection
  • SQL is a database query language for data
    storage, manipulation and retrieval.
  • It is the standard way for all web applications to
    interact with their databases, be they Oracle,
    MySQL or MS Access.
  • SELECT, DROP, INSERT, DELETE
  • SQL Injection is when a hacker is able to inject
    SQL syntax into an input field to gain access to
    the database.

31
SQL Injection Demo
  • http://testasp.acunetix.com/
  • Example of a forum that requires login for
    posting information
  • SELECT id FROM logins WHERE username =
    'I-am-a-hacker' AND password = 'anything' or
    'x'='x'
  • This is a simple example.
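The following is an added example, not from the presentation or the Acunetix demo site; it uses a constructed in-memory SQLite table named `logins` (assumed) to show why the slide's query returns a row: a login form that concatenates user input into SQL accepts the password `anything' or 'x'='x`, while the same query with bound parameters does not.

```python
import sqlite3

# Constructed sample credential table standing in for the demo's "logins" table.
SAMPLE_USERS = [(1, "alice", "correct horse"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, as in the slide's demo.
    Whatever the user types becomes part of the SQL statement itself."""
    sql = ("SELECT id FROM logins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the input as data,
    so quotes and keywords in it are never parsed as SQL."""
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    # The slide's injected password: it closes the string literal and appends
    # a tautology. Because AND binds tighter than OR, the WHERE clause becomes
    # (username = ... AND password = 'anything') OR 'x'='x', true for every row.
    injected = "anything' or 'x'='x"
    return {
        "vulnerable": login_vulnerable(conn, "I-am-a-hacker", injected),  # every id
        "safe": login_safe(conn, "I-am-a-hacker", injected),              # no rows
        "safe_valid": login_safe(conn, "bob", "hunter2"),                 # [2]
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable call returns the ids of all users although neither the username nor the password exists; the parameterised call returns nothing for the injected input and still works for a real credential.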

32
Protecting yourself: Web Vulnerability Scanning
33
Preventing Hack Attacks
  • Audit your web applications for exploitable
    vulnerabilities regularly and consistently.
  • Web Vulnerability Scanners introduce web security.

34
Types of Web Vulnerability Scanners
  • Web Vulnerability Scanners
  • Signature Matching Approach (Standard Web
    Vulnerability Scanners)
  • Heuristic Methodology Approach (Intelligent Web
    Vulnerability Scanners)
  • Automated v. Manual Scans
  • The importance of automation
  • Nothing beats the human touch

35
Signature Matching
  • The majority of Vulnerability Scanners are
    ineffective because they look for weaknesses
    based on signature matching.
  • Similar to anti-virus software.
  • Almost perfect for all popular systems and widely
    deployed applications
  • Effective against Known (Static) Vulnerabilities
  • Ineffective against Unknown (Dynamic)
    Vulnerabilities and for Custom Applications.

36
Heuristic Scanning Methodology
  • Hacks are not based on a signature file.
  • Custom web applications are a honey pot.
  • The logic of the heuristic methodology is:
    • Proactive v. Reactive
    • Acts like a hacker
    • Focuses on the arsenal of hacking methods rather
      than the vulnerabilities themselves.
  • Web vulnerability scanning depends on
    • (a) how well your site is crawled, and
    • (b) the ability to test the various hacking
      methods and techniques against web applications.

37
Protecting yourself: Acunetix Web Vulnerability
Scanner (WVS)
38
Acunetix WVS
  • The organisation has been around for 3 years and
    was founded by the ex-founder/CEO of GFI (LanGuard).
  • Easy-to-use Heuristic Methodology Scanner with
    non-destructive automatic and manual audits.
  • Acunetix WVS is an essential tool to find holes
    in your web security.

39
How Acunetix WVS Works
  • Discovery or Crawling Process Stage
  • Automated Scan Stage
  • Alert Node Stage
  • Reporting Stage

40
The User Interface
41
Audit Report
42
Compliance Report
43
Audited Hacking Vulnerabilities and Attacks
  • Automated Checks and Attacks
    • Version Check
    • CGI Testing
    • Parameter Manipulation (SQL Injection, XSS, …)
    • Multi-Request Parameter Manipulation
    • File Checks
    • Directory Checks
    • Text Search
    • Google Hacking Database
  • Manual Checks and Attacks
    • Input Validation
    • Authentication Attacks
    • Buffer Overflows

44
Some Features at a Glance
  • JavaScript / AJAX Support: Client Script
    Analyzer (CSA)
  • Scheduler
  • Command Line
  • URL Rewrite Support
  • Detects Google Hacking Vulnerabilities
  • Extend Attacks with the HTTP Editor and Sniffer
  • In-depth Testing with the HTTP Fuzzer
  • Login Sequence Recorder for Protected Areas
  • Automatic HTML Form-filler
  • Crawl Flash Files
  • Test Password Strength of Login Pages
  • Vulnerability Editor
  • Supports all Major Web Technologies
  • Scanning Profiles
  • Report Generator
  • Compare Scans and Find Differences
  • Easily Re-Audit Website Changes
  • …and more

45
Acunetix Version 5
  • New Features
  • Scanning and automation engine
  • Enhanced ClientScript Analyzer for AJAX and
    related applications
  • Web Services Scanner
  • Password Protection
  • Assistance in finding CSRF
  • Unique compliance reporting application

46
Licensing Options
  • One-year or perpetual licensing
  • Annual maintenance
  • 1 or unlimited URLs
  • Consultant Edition
  • Pricing starts at 1445 for Single User Single
    URL Perpetual License

47
Customers
  • Over 5000 sites scanned in one year (2008)
  • Global network of resellers
  • Strong in the USA
  • End-users include US Government, US Military,
    IBM, France Telecom, Telstra, Unisys, F.A.
    Premier League, Bank of China, Dae Woo, Fujitsu,
    CMP and many more.

48
Thank you. Please contact Alliance Technology
Partners for more information:
www.alliancetechpartners.com, 888-891-8885