
Top Web hacks of 2009

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 18 May 2010

There is not only a plethora of Web sites out there, but also a host of vulnerabilities.

Increasingly, the important things people use their computers for are Web-based. Cyber crime costs businesses and individuals billions of dollars each year, and the vast majority of cyber crime losses occur in the Web-based world.

With this in mind, Jeremiah Grossman, founder and CTO of WhiteHat Security, shared some of the top Web hacks of 2009 with the audience at ITWeb's recent Security Summit in Sandton. He explored their impact on Web security, the business risks posed, and which are likely to be used maliciously.

Number five on his list was DNS rebinding attacks, which subvert the same-origin policy and convert browsers (and plug-ins, such as Flash Player and Java) into open network proxies. Attacks can circumvent firewalls to access internal documents and services, be used to scrape Web content on a mass scale, monitor users' online behaviour, and suchlike.

He said, according to research conducted by Stanford on Web security, by spending less than $100 on advertising, an attacker can hijack 100 000 unique IP addresses to send spam, commit click fraud, or otherwise misuse as open network proxies.

The research findings also suggest nearly 90% of Web browsers are vulnerable to rebinding attacks that take only a few hundred milliseconds to conduct.

“Why do cyber criminals find this useful?” he asked. “Firstly, for spamming and scraping. Scraping is where Web spammers want content to steal and targets to attack, so they scrape search engines by sending massive amounts of traffic. Secondly, for session fixation, or an attempt to exploit the vulnerability of a system which allows one person to fixate another person's session identifier.”

Coming in at number four was RFC1918, or non-publicly-routable IP address space caching security issues. Intranets are supposed to be secured from the outside by firewalls and other networking devices. Unfortunately, Grossman said, there has been a move towards relying on non-publicly-routable address space itself as a method of protection, rather than on other methods of protecting private IP space, even though these non-publicly-routable IP address ranges are well known.

With RFC1918, a number of flaws exist, including some Web-related ones that a cyber criminal can exploit precisely because these well-known non-publicly-routable IP address ranges are used. “There are a number of potential attacks that are possible, and many of them reside around trust relationships people have with third parties.”
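Both the DNS rebinding item and the RFC1918 item above come down to the same defensive point: a service on a private address must not assume that a request arriving from a browser is for it, because the browser sends the Host header for whatever name the attacker's DNS resolved to. Checking the Host header against an explicit allowlist is the standard mitigation for rebinding. The following is an added example, not code from the talk or from WhiteHat Security; the host names, the `192.168.1.10` service address and the allowlist are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The three RFC 1918 private IPv4 ranges.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed allowlist: the names and addresses this intranet service is reachable as.
ALLOWED_HOSTS = {"intranet.corp.example", "192.168.1.10", "localhost"}


def is_rfc1918(address):
    """True if address is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def normalise_host(host_header):
    """Return the lower-cased host name (or canonical IP literal) from a Host
    header with any port removed, or None if the header is empty or malformed."""
    if not host_header:
        return None
    try:
        parts = urlsplit("//" + host_header.strip())
        name = parts.hostname   # lower-cased; brackets stripped from IPv6 literals
        _ = parts.port          # raises ValueError if the port is not a valid integer
    except ValueError:
        return None
    if not name:
        return None
    try:
        return str(ipaddress.ip_address(name))  # canonical form for IP literals
    except ValueError:
        return name


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Accept the request only if its Host header names this service."""
    name = normalise_host(host_header)
    return name is not None and name in allowed


def classify_request(host_header, server_address, allowed=ALLOWED_HOSTS):
    """Label a request for logging: 'ok', or the reason it should be refused.
    A foreign Host name arriving at an RFC 1918 address is the pattern a
    rebinding attack produces, so it gets its own label for detection."""
    if host_allowed(host_header, allowed):
        return "ok"
    if is_rfc1918(server_address):
        return "host-mismatch-on-private-address"
    return "host-mismatch"


if __name__ == "__main__":
    for host in ("intranet.corp.example:8080", "attacker.example", "[::1]", ""):
        print(repr(host), "->", classify_request(host, "192.168.1.10"))
```

The check belongs in front of every intranet service, not only the ones considered sensitive: once a browser has been turned into a proxy, any service answering on the private address is reachable. Logging the `host-mismatch-on-private-address` case separately gives a simple detection signal for rebinding attempts against the internal network.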

Thirdly, he talked about exploiting unexploitable XSS, or cross-site scripting. “XSS vulnerabilities are protected by CSRF tokens, or other mitigating factors, and are often considered of limited exploitability. However, under some real-world conditions, it may be possible to exploit 'unexploitable' XSS, including on Google and Twitter.” He said similar techniques could apply to other Web sites as well.

Next, Grossman mentioned HTTP parameter pollution, which he said gives new insight into the area of Web application attacks. For example, if an attacker submits multiple input parameters of the same name (in the query string, POST data, cookies, and similar), the application may react in unexpected ways and open up new avenues of server-side and client-side exploitation.
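The "unexpected ways" are mostly a matter of which occurrence a given parser keeps: some frameworks keep the first value, some the last, some all of them, so a filter and the application behind it can see different values for the same name. The safest policy for an application is to treat a duplicated name as a protocol error. This is an added example, not code from the talk; it uses the standard library's `urllib.parse.parse_qsl` and a constructed query string to show the three policies side by side.

```python
from urllib.parse import parse_qsl


def parse_params(query, policy="reject"):
    """Parse an application/x-www-form-urlencoded query into a dict.

    policy decides what happens when the same name appears more than once:
      "first"  - keep the first occurrence (one common framework behaviour)
      "last"   - keep the last occurrence (another common behaviour)
      "reject" - refuse the request: a duplicated name is treated as an error
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    seen = {}
    duplicates = []
    for name, value in pairs:
        if name in seen:
            duplicates.append(name)
            if policy == "first":
                continue          # keep the value already stored
        seen[name] = value        # "last" overwrites; "reject" is checked below
    if duplicates and policy == "reject":
        raise ValueError("duplicate parameter(s): " + ", ".join(sorted(set(duplicates))))
    return seen


def find_duplicate_names(query):
    """Return the set of parameter names that occur more than once.
    Useful as a detection signal even where the application tolerates duplicates."""
    counts = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return {name for name, count in counts.items() if count > 1}


# Constructed sample: the same request as seen under each policy.
SAMPLE = "action=view&id=42&id=7"

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, "->", parse_params(SAMPLE, policy))
    print("duplicates:", find_duplicate_names(SAMPLE))
    try:
        parse_params(SAMPLE, "reject")
    except ValueError as err:
        print("reject ->", err)
```

If a perimeter filter inspects the first `id` while the application acts on the last, the filter's view of the request is not the application's view; that gap is what the technique relies on. Rejecting duplicates at the application, and logging `find_duplicate_names` hits at the edge, closes it for both sides.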

First place on the 2009 list was creating a rogue Certification Authority (CA) certificate. “By taking advantage of a weakness in the message-digest algorithm 5 (MD5) hash function, it is possible to demonstrate a practical attack that successfully created a rogue CA certificate trusted by all common Web browsers,” he explained.

These rogue certificates allowed an attacker to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

In conclusion, Grossman said systemic weaknesses are prevalent. “Encryption implementation issues are impacting Web security, more so than in years past. The intranet is very accessible from the outside world.”

“Many of these new attack techniques, and ones that have been around for a while, have not been fixed. Some are perhaps even unfixable, or the solutions have undesirable consequences.”
