January 2013
Hacker Intelligence Initiative, Monthly Trend Report #15


Lessons Learned From the Yahoo! Hack
How SQL Injection Vulnerabilities in Third-Party Code Can Make for Security Cloudy

1. Executive Summary
In December 2012, an Egyptian hacker who calls himself ViruS_HimA claimed to have breached Yahoo!’s security systems and
acquired full access to certain Yahoo! databases, leading to full access to the server for that domain. Technically, from the
evidence the hacker published we were able to determine the allegedly vulnerable Yahoo! application and the exact attack
method: error-message-based SQL injection against an MSSQL (Microsoft SQL Server) database (DB).

From a business perspective, this attack underscores the security problem posed by hosting third-party code – as is often done
with cloud-based services. In fact, according to a survey from PricewaterhouseCoopers, 23.6% of respondents say that cloud
computing has increased vulnerabilities, and the largest perceived risk is the uncertain ability to enforce provider security
policies.1 In the Yahoo! incident, the vulnerable application was probably not coded by the Yahoo! team, and was not even
hosted on Yahoo!’s server farm. This left Yahoo! with full responsibility for securing the application on the one hand, and
very limited ability to actually control the code on the other. This episode underscores both technical and business urgencies:

Technically, security teams should:

    › Protect third-party Web applications against SQL injection and other Web attacks: Incorporate security into the software
      development life cycle, perform penetration tests and vulnerability assessments on the application, and deploy the
      application behind a Web Application Firewall (WAF).

    › Harden your system: When the application is promoted from development to production, the system configuration must
      be hardened to disable any irrelevant parts that may help the attacker. In the hardening process, detailed error messages
      should be disabled, excessive file and directory permissions should be restricted, source code leftovers should be deleted,
      and so on.
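The two technical recommendations above, worked through as an added example that is not code from the report or from the application it discusses: an in-memory SQLite database stands in for MSSQL (an assumption; SQLite cannot reproduce MSSQL's conversion-error text, so the leak is shown with an ordinary syntax error), the concatenated query is shown beside its parameterized form, and the request handler is shown with detailed errors on and off.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("horoscope-example")


def make_db():
    """Build a constructed in-memory database: one public table, one sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signs (name TEXT, forecast TEXT)")
    conn.executemany("INSERT INTO signs VALUES (?, ?)",
                     [("aries", "A good day"), ("leo", "Be careful")])
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin@example.test', 'secret-hash')")
    return conn


def forecast_vulnerable(conn, sign):
    """The pattern behind the breach: user input concatenated into the SQL text."""
    sql = "SELECT forecast FROM signs WHERE name = '" + sign + "'"
    return [row[0] for row in conn.execute(sql)]


def forecast_safe(conn, sign):
    """Parameterized query: the driver passes the input as a value, never as SQL."""
    return [row[0] for row in
            conn.execute("SELECT forecast FROM signs WHERE name = ?", (sign,))]


def handle_request(conn, sign, query_fn, detailed_errors):
    """Return (status, body). detailed_errors=True mimics a development-mode error page."""
    try:
        return 200, query_fn(conn, sign)
    except sqlite3.Error as exc:
        if detailed_errors:
            # The misconfiguration the report describes: engine output goes straight to the client.
            return 500, f"Database error: {exc}"
        # Hardened: the client gets an opaque reference; the detail stays in the server log.
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s input=%r error=%s", ref, sign, exc)
        return 500, f"An error occurred (reference {ref})"


if __name__ == "__main__":
    db = make_db()
    # Constructed union-based payload, the SQLi variant the report cites for Yahoo! Voices.
    payload = "x' UNION SELECT email || ':' || pw_hash FROM users --"
    print("vulnerable:", forecast_vulnerable(db, payload))   # the sensitive row comes back
    print("parameterized:", forecast_safe(db, payload))      # the payload is just an unknown name
    print(handle_request(db, "'", forecast_vulnerable, detailed_errors=True))
    print(handle_request(db, "'", forecast_vulnerable, detailed_errors=False))
    print(handle_request(db, "'", forecast_safe, detailed_errors=False))
```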

From a business standpoint, executives should always assume third-party code – coming from partners, vendors, mergers and
acquisitions – contains serious vulnerabilities. Although our technical recommendations take precedence, we recommend:

    › Put in place legal requirements in a contract for what you will and will not accept from a security perspective.

    › Incorporate security due diligence for any merger or acquisition activity.

    › Require coding standards and security requirements in every specification between you and the third party.

    › Demand metric reports for security of the vendor’s code that are repeatable and verifiable.

    › Require that all security requirements are met prior to the first time the code is executed in your environment.

    › Require a comprehensive review of possible vulnerabilities resulting from new external services operating in conjunction
      with your current services.

    › Require a report specifying security issues and measures taken to address them for every task and deliverable from the
      vendor.

1 PwC 2012 Global State of Information Security Survey
2. Detailed Attack Analysis
The hacker released the following screenshot as evidence of the successful hack.

Figure 1 The hacker’s hack evidence screenshot

In this section, the technical details of the attack that were revealed by this screenshot are analyzed.
Note: We have covered the topic of SQL injection (SQLi) in previous HII reports; however, we include a brief primer on SQL
injection in section 2.1 to make this report self-contained.2 If you are already familiar with the subject, you can start with
section 2.2.
2.1 SQL injection 101
In a SQL Injection attack, attackers exploit a Web application vulnerability in order to access the organization’s data in an
unauthorized manner. For laypeople, this means typing computer code into the fields of a Website’s form. For example,
instead of typing in a credit card number or a last name, a hacker types in something technical that looks like ‘x’=’x’. When
clever code is used, this action tricks the Website into coughing up sensitive data.
In geek speak, SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL
commands through a Web application for execution by a backend database. Attackers take advantage of the fact that
programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL
commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on
the backend database server through the Web application.
The potential results can be disastrous. For example, attackers may be able to retrieve the organization’s intellectual
property, customer account information, and other sensitive data. A successful SQLi attack may also allow the attacker to
steal the site’s administrator password, giving the attacker full control over the Web application.
Other times, a compromised site can host an attacker’s code which may lead site visitors to download malware (aka
“Drive-by Downloads”). SQLi attacks also allow the manipulation of data, enabling – for example – the defacement of the Website.



2 http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf



A SQLi attack usually starts with identifying weaknesses in the application where unchecked user input is transformed
into database queries. Goal-oriented attacks continue by abusing these weaknesses in a repetitive trial-and-error process
in order to discover the exact structure of the application’s database. The aim is to discover what sensitive and valuable
information is stored in the database and how to extract it. In practice, this tedious process is usually automated and often
based on widely known tools that let an attacker quickly and effortlessly identify and exploit applications’ vulnerabilities.
2.2 Analyzing the Attack Method: MSSQL Injection with Conversion Errors
Hackers often abuse a SQL injection (SQLi) vulnerability in a Web application resource to steal data from a database.
A popular target within the database is the tables that contain personally identifiable information (PII) about users,
customers, patients or transactions, such as names, addresses, e-mail addresses and passwords, or even credit card details.
The attack is facilitated by the injection of a SQL SELECT statement, which allows hackers to query the database for its
content. However, even when the application is vulnerable to SQLi and executes an arbitrary SQL statement, it does not
necessarily display the results back to the user.
To overcome this obstacle, hackers use the “MSSQL with conversion errors” SQLi variant. As a matter of fact, the “MSSQL
with conversion errors” method is an old trick in the hackers’ book. In order to use that method, the following preconditions
must exist:
    › The application is vulnerable to SQL injection.
    › The application is using an MSSQL database.
    › The application server is misconfigured to send verbose error messages.
The attackers abuse the application server misconfiguration to invoke an error page that contains the desired data retrieved
using SQLi.
In the Yahoo! case, the hacker used a conversion error to generate the error page. According to the screenshot, the hacker’s
attack vector was “‘ and 1 = convert (int,(select top 1 table name from x))”.3
The hacker tells the database to retrieve data about table names and to convert it to an integer. Since the returned data is
a character string (nvarchar in DB terminology) and not an integer, a detailed error message is generated that contains the
value of the character string that could not be converted – in this case, the table name (“product_section_Master_dir”).
Displaying this error message to the user might be very helpful while the application is being developed and tested, but it
is a bad idea to have it on production systems, as the result of the hacker’s injected query is now sent straight back to the
attacker.

Figure 2 MSSQL with conversion error attack results

It’s important to note that the attacker does not have to be an experienced hacker in order to use this specific variant of SQLi
with MSSQL errors. There are free “point and click” automatic SQLi abuse tools that enable anyone who knows how to
operate a Windows application to do just that.
One such tool is the very popular Iranian tool Havij, which has explicit support for extracting data from MSSQL Server
using error-based methods.4



3 The text is URL-decoded for readability. Text in red is a replacement for text blackened in the original hacker screenshot.
4 http://blog.imperva.com/2012/03/havij-101.html

Figure 3 Havij implements the MSSQL with errors SQLi attack
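Detection logic for the two request patterns this report quotes and for the verbose error text that makes them pay off, written as an added example (it is not code from the report, from Imperva or from the application discussed). It runs over constructed sample log lines in an assumed simplified IIS-like layout; the MSSQL and ASP.NET error strings it looks for are the standard ones, and the file path in the sample response is a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in a simplified IIS-like access-log layout:
# date time method uri-stem uri-query status bytes ("-" = empty query).
# The two injected queries are the vectors quoted in the report; "x" stands for
# the table name that was blackened in the hacker's screenshot.
SAMPLE_ACCESS_LOG = """\
2012-12-20 10:01:02 GET /horoscope.aspx sign=aries 200 5120
2012-12-20 10:01:05 GET /horoscope.aspx sign=aries'+and+1+%3D+convert(int,(select+top+1+table_name+from+x)) 500 2048
2012-12-20 10:01:09 GET /horoscope.aspx sign=aries' 500 1800
2012-12-20 10:01:15 GET /horoscope.aspx sign=1';+EXEC+xp_cmdshell+'some+command' 500 1600
2012-12-20 10:02:00 GET /search.aspx q=convertible+cars+for+sale 200 7000
"""

# Constructed response body of the kind a misconfigured ASP.NET/MSSQL site returns:
# the MSSQL conversion-error text carrying the injected SELECT's result, plus the
# source-file path a detailed error page discloses. The path is a placeholder.
SAMPLE_RESPONSE_BODY = (
    "Server Error in '/' Application.\n"
    "Conversion failed when converting the nvarchar value "
    "'product_section_Master_dir' to data type int.\n"
    "Source File: C:\\inetpub\\example_app\\app_code\\Horoscope.cs    Line: 42\n"
)

# Request-side rules, applied to the URL-decoded query string.
REQUEST_RULES = [
    # convert(int,(select ...)): the conversion-error extraction trick from section 2.2
    ("sqli-error-based-convert",
     re.compile(r"\bconvert\s*\(\s*(?:int|integer|n?varchar)\s*,\s*\(?\s*select\b", re.I)),
    # stacked query calling xp_cmdshell: the command-execution variant from section 2.3
    ("sqli-stacked-xp_cmdshell",
     re.compile(r";\s*exec(?:ute)?\s+(?:master\s*\.\s*(?:dbo\s*)?\.\s*)?xp_cmdshell\b", re.I)),
]

# Response-side rules: engine or framework text that should never reach a client.
RESPONSE_LEAK_RULES = [
    ("mssql-conversion-error",
     re.compile(r"Conversion failed when converting the n?varchar value '([^']*)' to data type int", re.I)),
    ("aspnet-detailed-error", re.compile(r"Server Error in '[^']*' Application")),
    ("aspnet-source-file-path", re.compile(r"Source File:\s*([A-Za-z]:\\[^\s<]+)")),
]


def parse_log_line(line):
    """Split one log line into fields; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, stem, query, status, nbytes = parts
    return {"date": date, "time": time, "method": method, "stem": stem,
            "query": "" if query == "-" else unquote_plus(query),
            "status": int(status), "bytes": int(nbytes)}


def classify_request(query):
    """Return the rule tags that match a decoded query string."""
    tags = [tag for tag, rx in REQUEST_RULES if rx.search(query)]
    # An odd number of quotes is the cheap, noisy hint of a quote-break probe such as
    # the leading ' in the report's vector; treat it as low confidence on its own.
    if query.count("'") % 2 == 1:
        tags.append("unbalanced-quote")
    return tags


def scan_access_log(text):
    """Return one finding per suspicious request, with its tags and line number."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        rec = parse_log_line(raw)
        if rec is None:
            continue
        tags = classify_request(rec["query"])
        if not tags:
            continue
        rec["line"] = lineno
        rec["tags"] = tags
        # Suspicious input followed by a 5xx is the signature of error-based SQLi:
        # the injected statement ran and the server answered with an error page.
        rec["likely_error_based"] = rec["status"] >= 500
        findings.append(rec)
    return findings


def find_response_leaks(body):
    """Return (tag, detail) pairs for database/framework error text found in a response."""
    leaks = []
    for tag, rx in RESPONSE_LEAK_RULES:
        m = rx.search(body)
        if m:
            leaks.append((tag, m.group(1) if rx.groups else m.group(0)))
    return leaks


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['tags']} status={f['status']} "
              f"likely_error_based={f['likely_error_based']}")
    for tag, detail in find_response_leaks(SAMPLE_RESPONSE_BODY):
        print(f"response leaks {tag}: {detail}")
```

The response-side rules are the ones a reverse proxy or WAF would apply to outbound bodies, which is where the verbose-error precondition is caught even when the code itself cannot be changed.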

2.3 Leveraging MSSQL SQL Injection Vulnerability to Command Execution
The attacker claimed the SQL injection led to full access to the server. This was probably done by using MSSQL’s
“XP_CMDSHELL” system stored procedure. Many administrative activities in an MSSQL DB can be performed through system stored
procedures.5 XP_CMDSHELL executes a given command string as an operating-system command shell and returns
any output as rows of text. Therefore, a SQL injection vulnerability in an application using an MSSQL DB enables the hacker to
execute shell commands and take over the server.
In order to exploit it, the hacker only needs to modify the aforementioned injected SQL code from the SELECT statement
used to extract data to an EXEC statement that runs the “XP_CMDSHELL” system stored procedure.6
So instead of “‘ and 1 = convert (int,(select top 1 table name from x))” the attack vector will be
something like “‘; EXEC xp_cmdshell ‘some command’“.
Once more, exploiting an MSSQL SQLi vulnerability for command execution is supported by automatic SQLi tools such as Havij,
which means such a vulnerability can be exploited relatively easily.



3. Protecting Third-Party Code
3.1 Identifying the Vulnerable Application
Analyzing the screenshot in the previous section, we can find certain clues that help reveal the nature of the
vulnerable site:
    › Host name from the address bar: Although blackened by the attacker, some of the host’s domain name is visible and
      we can determine two of its features:
      • It ends in “yle.yahoo.net”: Although Yahoo! hosts many applications, almost all of them are hosted under the
        yahoo.com domain name.
      • It has a relatively long host name.
    › The application is powered by ASP.NET, as can be determined from the distinctive error message, and not by PHP as
      most Yahoo! applications are, which further shortens the list of possibly vulnerable Yahoo! applications.
    › The error message reveals that the application source file resides on C:webcorp[blackened by hacker]p
      YahooV2app_code.


5 http://msdn.microsoft.com/en-us/library/aa260689(v=sql.80).aspx
6 http://msdn.microsoft.com/en-us/library/aa260689(v=sql.80).aspx

Combining these hints with some Google searching led to a single candidate for the exploited application:
“in.horoscopes.lifestyle.yahoo.net”, an Indian astrology Web application.

  › The host name is relatively long and ends with “yle.yahoo.net”.
  › Examining the HTTP headers reveals that the astrology application is powered by the ASP.NET technology.

  › Trying to directly access the “app_code” directory on that server (“forceful browsing”) yields the following error
    message:




    This error message tells us:
      • The “app_code” directory exists on the server, although we are not allowed to view its content as it resides on a
        “hidden segment.”
      • The physical path of this directory (C:webcorpastroyogi.com_newastroyogi_revampYahooV2app_code) conforms with
        our hint on the source file location.
Although we cannot be absolutely sure that this is indeed the application reported as hacked by the hacker, in the face of
such evidence we feel confident assuming, with a great deal of certainty, that it is.
3.2 Understanding the Relationship Between Yahoo! and AstroYogi.com
As the clues suggested, the vulnerable application was not developed by Yahoo! programmers, but by AstroYogi.com
developers. AstroYogi.com is, as stated on its Website, “the leading astrology portal in India...formed co-branded channel
alliances with internationally recognized brands such as MSN, Yahoo! and Google amongst others.”7

Figure 4 AstroYogi.com about page

In fact, not only was the code not developed by Yahoo! programmers, the application itself is not even hosted on Yahoo!
servers, but on the Indian Website’s servers.

Figure 5 DNS Query results for in.horoscopes.lifestyle.yahoo.net

The routing of users from Yahoo! to AstroYogi.com is achieved using a DNS alias. When a user wants to browse
“in.horoscopes.lifestyle.yahoo.net”, a DNS query is sent. When a DNS server looks up the application name in the yahoo.net
records and finds it is actually an alias, it replaces the name with the canonical name (in this case “yahoo.astroyogi.com”)
and looks up the new name.

7 http://www.astroyogi.com/aboutus.aspx



Figure 6 The application’s physical location according to its IP address

3.3 Protecting Third-Party Code
This is not the first time Yahoo! has been struggling with security issues on third-party code. Last July, a decommissioned
part of Yahoo! Voices was breached, and approximately 450,000 users’ credentials were exposed.8 According to the
hackers, the breach was enabled by a SQL injection vulnerability (union-based SQLi). Yahoo! Voices is an online publishing
application that was developed by Associated Content and later acquired by Yahoo!.9
The problem of third-party code is not limited to Yahoo!, of course. Almost every Web application includes some
components that were not developed by the application programmers. Even when the application is completely
home-brewed, its Web server and operating system are surely coded elsewhere.
The Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6 provides two options for protecting Web
applications.10 The first is to conduct a vulnerability assessment and incorporate the assessments into the software
development life cycle (SDLC). The other is to deploy a Web Application Firewall (WAF) in front of the Web application.
Naturally, where all the options are available, the best protection is achieved by combining them. However, with
third-party code, the ability to incorporate the assessments into the SDLC, or, simply put, to fix the code, is virtually
nonexistent. Therefore, the only viable way to protect third-party code is by putting it behind a WAF.
In the case of this third-party astrology application, Yahoo! could have directed user traffic to AstroYogi.com not via a DNS
alias but through a WAF, deployed in Yahoo!’s environment or in the cloud as a reverse proxy, shielding the application. That
way, the application would have been protected from the hack, and Yahoo! would have been spared the bad PR and the
possible abuse of its users’ privacy.
8 http://www.bbc.co.uk/news/technology-18811300
9 http://blog.imperva.com/2012/07/how-the-yahoo-voices-breach-went-down.html
10 https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf

4. Summary and Conclusions
SQL injection is still very relevant. Even after a decade of Web application development and Web application security
awareness, exploitation of SQL injection vulnerabilities continues to play a major role in Web application hacking. A
successful SQLi attack may lead to sensitive data disclosure, sensitive data manipulation, and full server takeover.
Whether you are outsourcing development, services, or maintenance, the bottom line is that if you allow others to create
code and run services that your customers perceive as coming from you, you are responsible for any functional problems or
security breaches.
To mitigate SQL injection and other Web attacks in third-party code, application owners and security officers should read
our guide on stopping SQL injection: http://blog.imperva.com/2012/01/sql-injection.html.
When it comes to third-party code, protecting applications with a Web Application Firewall is essential. With third-party
code, you are not able to fix the code, and a WAF is the only relevant protection option.
From a business standpoint, executives should always assume third-party code – coming from partners, vendors, mergers
and acquisitions – is vulnerable. Appropriate legal and technical precautions should be applied when engaging in activities
such as partnerships or acquisitions.




Hacker Intelligence Initiative Overview
The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking
techniques and interesting attack campaigns from the past month. Part of Imperva’s Application Defense Center research
arm, the Hacker Intelligence Initiative (HII) is focused on tracking the latest trends in attacks, Web application security and
cyber-crime business models with the goal of improving security controls and risk management processes.




Imperva                                             Tel: +1-650-345-9000
3400 Bridge Parkway, Suite 200                      Fax: +1-650-345-9004	
Redwood City, CA 94065                              www.imperva.com

© Copyright 2013, Imperva
All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.
All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-JANUARY#15-2013-0113rev1

An Inside Look at a Sophisticated, Multi-vector DDoS AttackAn Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
 
Why Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughWhy Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t Enough
 
Preparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS AttackPreparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS Attack
 
Web Applications Under Attack: Why Network Security Solutions Leave You Exposed
Web Applications Under Attack: Why Network Security Solutions Leave You ExposedWeb Applications Under Attack: Why Network Security Solutions Leave You Exposed
Web Applications Under Attack: Why Network Security Solutions Leave You Exposed
 
Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public Cloud
 

Semelhante a Lessons Learned From the Yahoo! Hack

Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmIOSR Journals
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsInsecureLab
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackIJRESJOURNAL
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...Rana sing
 
Final review ppt
Final review pptFinal review ppt
Final review pptRana sing
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Boston Institute of Analytics
 
Introduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxIntroduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxvrickens
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management SystemIRJET Journal
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedJennifer Campbell
 

Semelhante a Lessons Learned From the Yahoo! Hack (20)

Op2423922398
Op2423922398Op2423922398
Op2423922398
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
E017131924
E017131924E017131924
E017131924
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the Threats
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
 
Final review ppt
Final review pptFinal review ppt
Final review ppt
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
Sql
SqlSql
Sql
 
Introduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxIntroduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docx
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management System
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
T04505103106
T04505103106T04505103106
T04505103106
 
Cryptoghaphy
CryptoghaphyCryptoghaphy
Cryptoghaphy
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent Involved
 
A26001006
A26001006A26001006
A26001006
 

Mais de Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyImperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva pptImperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountImperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 

Mais de Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Lessons Learned From the Yahoo! Hack

Hacker Intelligence Initiative, Monthly Trend Report #15, January 2013
How SQL Injection Vulnerabilities in Third-Party Code Can Make for Security Cloudy

1. Executive Summary
In December 2012, an Egyptian hacker who calls himself ViruS_HimA claimed to have breached Yahoo!'s security systems and acquired full access to certain Yahoo! databases, leading to full access to the server for that domain. Technically, we found that the hacker identified an allegedly vulnerable Yahoo! application and used a specific attack method: error-message-based SQL injection against a Microsoft SQL Server (MSSQL) database.

From a business perspective, this attack underscores the security problem posed by hosting third-party code, as is often done with cloud-based services. In fact, according to a survey from PricewaterhouseCoopers, 23.6% of respondents say that cloud computing has increased vulnerabilities, and the largest perceived risk is the uncertain ability to enforce provider security policies.1 In the Yahoo! incident, the vulnerable application was probably not coded by the Yahoo! team, and not even hosted on Yahoo!'s server farm. This left Yahoo! with full responsibility for securing the application on the one hand, and a very limited capability to actually control the code on the other. This episode underscores technical and business urgencies.

Technically, security teams should:

    › Protect third-party Web applications against SQL injection and other Web attacks: Incorporate security into the software development life cycle, perform penetration tests and vulnerability assessments on the application, and deploy the application behind a Web Application Firewall (WAF).

    › Harden your system: When the application is promoted from development to production, the system configuration must be hardened to disable any irrelevant parts that may help the attacker. In the hardening process, detailed error messages should be disabled, excessive file and directory permissions should be restricted, source code leftovers should be deleted, and so on.

From a business standpoint, executives should always assume that third-party code, whether it comes from partners, vendors, mergers or acquisitions, contains serious vulnerabilities. Although our technical recommendations take precedence, we recommend:

    › Put in place legal requirements in a contract for what you will and will not accept from a security perspective.
    › Incorporate security due diligence for any merger or acquisition activity.
    › Require coding standards and security requirements in every specification between you and the third party.
    › Demand metric reports for the security of the vendor's code that are repeatable and verifiable.
    › Require that all security requirements are met prior to the first time the code is executed in your environment.
    › Require a comprehensive review of possible vulnerabilities resulting from new external services operating in conjunction with your current services.
    › Require a report specifying security issues and the measures taken to address them for every task and deliverable from the vendor.

1 PwC 2012 Global State of Information Security Survey
2. Detailed Attack Analysis
The hacker released the following screenshot as evidence of the successful hack.

Figure 1: The hacker's evidence screenshot

In this section, the technical details of the attack that were revealed by this screenshot are analyzed.

Note: We have covered the topic of SQL injection (SQLi) in previous HII reports; however, we include a brief primer on SQL injection in section 2.1 to make this report self-contained.2 If you are already familiar with the subject, you can start with section 2.2.

2.1 SQL injection 101
In a SQL injection attack, attackers exploit a Web application vulnerability in order to access the organization's data in an unauthorized manner. For laypeople, this means typing computer code into the fields of a Website's form. For example, instead of typing in a credit card number or a last name, a hacker types in something technical that looks like 'x'='x'. When clever code is used, this action tricks the Website into coughing up sensitive data.

In geek speak, SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

The potential results can be disastrous. For example, attackers may be able to retrieve the organization's intellectual property, customer account information, and other sensitive data. A successful SQLi attack may also allow the attacker to steal the site's administrator password, giving the attacker full control over the Web application. Other times, a compromised site can host an attacker's code that leads site visitors to download malware (so-called "drive-by downloads"). SQLi attacks also allow the manipulation of data, enabling, for example, the defacement of the Website.

2 http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
A SQLi attack usually starts with identifying weaknesses in the application where unchecked user input is transformed into database queries. Goal-oriented attacks continue by abusing these weaknesses in a repetitive trial-and-error process in order to discover the exact structure of the application’s database. The aim is to discover what sensitive and valuable information is stored in the database and how to extract it. In practice, this tedious process is usually automated and often based on widely-known tools that let an attacker quickly and effortlessly identify and exploit an application’s vulnerabilities.

2.2 Analyzing the Attack Method: MSSQL Injection with Conversion Errors

Hackers often abuse a SQL injection (SQLi) vulnerability in a Web application resource to steal data from a database. A popular target within the database is the set of tables that contain personally identifiable information (PII) (users, customers, patients, transactions) such as names, addresses, e-mail addresses and passwords, or even credit card details. The attack is facilitated by the injection of a SQL SELECT statement, which allows hackers to query the database for its content. However, even when the application is vulnerable to SQLi and executes an arbitrary SQL statement, it does not necessarily display the results back. To overcome this obstacle, hackers use the “MSSQL with conversion errors” SQLi variant.

As a matter of fact, the “MSSQL with conversion errors” method is an old trick in the hackers’ book. In order to use that method, the following preconditions must exist:

    ›	 The application is vulnerable to SQL injection.

    ›	 The application is using an MSSQL database.

    ›	 The application server is misconfigured to send a verbose error message.

The attackers abuse the application server misconfiguration to invoke an error page that contains the desired data retrieved using SQLi. In the Yahoo! case, the hacker used a conversion error to generate the error page. According to the screenshot, the hacker’s attack vector was “‘ and 1 = convert (int,(select top 1 table name from x)”.3 The hacker tells the database to retrieve data about table names and to convert it to an integer. Since the returned data is a character string (nvarchar in DB terminology) and not an integer, a detailed error message is generated that contains the value of the character string that could not be converted – in this case, the table name (“product_section_Master_dir”). Displaying this error message to the user might be very helpful while the application is being developed and tested, but it is a bad idea to have it on production systems, as the result of the hacker’s injected query is now sent straight back to them.

Figure 2 MSSQL with conversion error attack results

It’s important to note that the attacker does not have to be an experienced hacker in order to use this specific variant of SQLi with MSSQL errors. There are some free “point and click” automatic SQLi abuse tools that enable anyone who knows how to operate a Windows application to do just that. One such tool is the very popular Iranian tool, Havij, which has explicit support for extracting data from MSSQL Server using the error-based methods.4

3 The text is URL-decoded for readability. Text in red is a replacement for text blackened in the original hacker screenshot.

4 http://blog.imperva.com/2012/03/havij-101.html
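The detection side of this technique, as an added example that is not part of the original report: the Python script below URL-decodes request paths from constructed access-log lines and flags the conversion-error pattern described above (and the stacked EXEC xp_cmdshell variant described in section 2.3), and separately checks whether a response body leaks a SQL Server conversion error. The log lines, the error page and the host names are constructed samples, not Yahoo! or AstroYogi data.

```python
"""Added example (not the report's code): flag the error-based MSSQL injection
pattern from section 2.2 and the EXEC xp_cmdshell variant from section 2.3 in
access-log lines, and detect the SQL Server conversion error that leaks a value."""
import re
from urllib.parse import unquote_plus

# Matched against the URL-decoded, lower-cased request path and query string.
SQLI_SIGNATURES = {
    "mssql-conversion-error": re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b"),
    "mssql-xp_cmdshell": re.compile(r";\s*exec\b[^;]*\bxp_cmdshell\b"),
}
# SQL Server error 245: the message that returns the queried value to the client.
CONVERSION_ERROR = re.compile(
    r"Conversion failed when converting the nvarchar value '([^']*)' to data type int")
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify_request(raw_path):
    """Return the signature names matching a request path ([] if none)."""
    decoded = unquote_plus(raw_path).lower()
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(lines):
    """Return (path, status, signatures) for each log line matching a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        names = classify_request(m.group("path"))
        if names:
            hits.append((m.group("path"), int(m.group("status")), names))
    return hits


def leaked_value(response_body):
    """Return the value disclosed by a verbose conversion error page, or None."""
    m = CONVERSION_ERROR.search(response_body)
    return m.group(1) if m else None


# Constructed sample log lines (NCSA style) and error page; not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Dec/2012:10:00:01 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Dec/2012:10:00:07 +0000] "GET /horoscope.aspx?sign=leo%27+and+1%3Dconvert'
    '(int,(select+top+1+table_name+from+x)) HTTP/1.1" 500 3340',
    '198.51.100.7 - - [01/Dec/2012:10:00:19 +0000] "GET /horoscope.aspx?sign=leo%27;+EXEC+xp_cmdshell'
    '+%27some+command%27 HTTP/1.1" 500 3012',
]
SAMPLE_ERROR_PAGE = ("Server Error in '/' Application.\nConversion failed when converting "
                     "the nvarchar value 'product_section_Master_dir' to data type int.")
```

A 500 response to a request that matches a signature is the combination worth alerting on, since it is exactly the verbose-error precondition listed above.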
Figure 3 Havij implements the MSSQL with errors SQLi attack

2.3 Leveraging an MSSQL SQL Injection Vulnerability for Command Execution

The attacker claimed that the SQL injection led to full access on the server. This was probably done by using MSSQL’s “XP_CMDSHELL” system stored procedure. Many administrative activities in an MSSQL DB can be performed through system stored procedures.5 XP_CMDSHELL executes a given command string as an operating-system command shell and returns any output as rows of text. Therefore, a SQL injection vulnerability in an application using an MSSQL DB enables the hacker to execute shell commands and take over the server. In order to exploit it, the hacker only needs to modify the aforementioned injected SQL code from the SELECT statement used to extract data to an EXEC statement that runs the “XP_CMDSHELL” system stored procedure.6 So instead of “‘ and 1 = convert (int,(select top 1 table name from x))” the attack vector will be something like “‘; EXEC xp_cmdshell ‘some command’“. Once more, exploiting an MSSQL SQLi vulnerability for command execution is supported in automatic SQLi tools such as Havij, which means such a vulnerability can be exploited relatively easily. (Note that since SQL Server 2005 xp_cmdshell is disabled by default and must be explicitly enabled by an administrator, so finding it available is itself a sign of insufficient hardening.)

3. Protecting Third-Party Code

3.1 Identifying the Vulnerable Application

Analyzing the screenshot appearing in the previous section, we can find certain clues that help reveal the nature of the vulnerable site:

    ›	 Host name from the address bar: Although blackened by the attacker, some of the host’s domain name is visible and we can determine two of its features:

        •	 It ends in “yle.yahoo.net”: Although Yahoo! hosts many applications, almost all of them are hosted under the yahoo.com domain name.

        •	 It has a relatively long host name.

    ›	 The application is powered by ASP.NET, as can be determined from the distinct error message, and not by PHP as most Yahoo! applications are, which further shortens the list of possibly vulnerable Yahoo! applications.

    ›	 The error message reveals that the application source file resides on C:webcorp[blackened by hacker]p YahooV2app_code.

5 http://msdn.microsoft.com/en-us/library/aa260689(v=sql.80).aspx

6 http://msdn.microsoft.com/en-us/library/aa260689(v=sql.80).aspx
Using all these hints together with some Google searching led to a single candidate for the exploited application: “in.horoscopes.lifestyle.yahoo.net”, an Indian astrology Web application.

    ›	 The host name is relatively long and ends with “yle.yahoo.net”.

    ›	 Examining the HTTP headers reveals that the astrology application is powered by the ASP.NET technology.

    ›	 Trying to directly access the “app_code” directory on that server (“forceful browsing”) yields the following error message:
This error message tells us:

        •	 The “app_code” directory exists on the server, although we are not allowed to view its content as it resides in a “hidden segment.”

        •	 The physical path of this directory (C:webcorpastroyogi.com_newastroyogi_revampYahooV2 app_code) conforms with our hint on the source file location.

Although we cannot be absolutely sure that this is indeed the application reported as hacked by the hacker, in the face of such evidence, we feel confident in assuming with a great deal of certainty that it is.

3.2 Understanding the Relationship Between Yahoo! and AstroYogi.com

As the clues suggested, the vulnerable application was not developed by Yahoo! programmers, but by AstroYogi.com developers. AstroYogi.com is, as stated on its Website, “the leading astrology portal in India...formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google amongst others.”7

Figure 4 AstroYogi.com about page

In fact, not only was the code not developed by Yahoo! programmers, the application itself is not even hosted on Yahoo! servers, but on the Indian Website’s servers.

Figure 5 DNS query results for in.horoscopes.lifestyle.yahoo.net

The routing of users from Yahoo! to AstroYogi.com is achieved by using a DNS alias (a CNAME record). When the user wants to browse “in.horoscopes.lifestyle.yahoo.net”, a DNS query is sent. When a DNS server looks up the application name in the yahoo.net records and finds that it is actually an alias, it replaces the name with the canonical name (in this case “yahoo.astroyogi.com”) and looks up the new name.

7 http://www.astroyogi.com/aboutus.aspx
Figure 6 The application’s physical location according to its IP address

3.3 Protecting Third-Party Code

This is not the first time Yahoo! has struggled with security issues in third-party code. Last July, a decommissioned part of Yahoo! Voices was breached, and approximately 450,000 users’ credentials were exposed.8 According to the hackers, the breach was enabled by a SQL injection vulnerability (union-based SQLi). Yahoo! Voices is an online publishing application that was developed by Associated Content and later acquired by Yahoo!.9

The problem of third-party code is not limited to Yahoo!, of course. Almost every Web application includes some components that were not developed by the application programmers. Even when the application is completely home brewed, surely its Web server and operating system were coded elsewhere.

The Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6 provides two options for Web application protection.10 The first is to conduct a vulnerability assessment and incorporate the assessments into the software development life cycle (SDLC). The other is to deploy a Web Application Firewall (WAF) in front of the Web application. Naturally, where all the options are available, the best protection is achieved by combining them. However, with third-party code, the ability to incorporate the assessments into the software development life cycle (SDLC), or simply put, to fix the code, is virtually nonexistent. Therefore, the only viable way to protect third-party code is by putting it behind a WAF. In this case of the third-party astrology application, Yahoo! could have directed user traffic to AstroYogi.com not via a DNS alias, but through a WAF, deployed in the Yahoo! environment or in the cloud as a reverse proxy, shielding the application. That way, the application would have been protected from the hacking, and Yahoo! would have been spared the bad PR and the possible abuse of its users’ privacy.

8 http://www.bbc.co.uk/news/technology-18811300

9 http://blog.imperva.com/2012/07/how-the-yahoo-voices-breach-went-down.html

10 https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf
4. Summary and Conclusions

SQL injection is still very relevant – even after a decade of Web application development and Web application security awareness, exploitation of SQL injection vulnerabilities continues to play a major role in Web application hacking. A successful SQLi attack may lead to sensitive data disclosure, sensitive data manipulation, and full server takeover.

Whether you are outsourcing development, services, or maintenance, the bottom line is that if you allow others to create code and run services that your customers will perceive as coming from you, you are responsible for any functional problems or security breaches. To mitigate SQL injection and other Web attacks from third-party code, application owners and security officers should read our guide on stopping SQL injection: http://blog.imperva.com/2012/01/sql-injection.html. When it comes to third-party code, protecting applications with a Web Application Firewall is essential. With third-party code, you are not able to fix the code, and a WAF is the only relevant protection option.

From a business standpoint, executives should always assume that third-party code – coming from partners, vendors, mergers and acquisitions – is vulnerable. Appropriate legal and technical precautions should be applied when engaging in activities such as partnerships or acquisitions.

Hacker Intelligence Initiative Overview

The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII) is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models, with the goal of improving security controls and risk management processes.
Imperva
3400 Bridge Parkway, Suite 200
Redwood City, CA 94065
Tel: +1-650-345-9000
Fax: +1-650-345-9004
www.imperva.com

© Copyright 2013, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-JANUARY#15-2013-0113rev1