1. CMS Hacking
Analyzing the Risk with 3rd Party Applications
Barry Shteiman – Director of Security Strategy
11/7/2013
1
© 2013 Imperva, Inc. All rights reserved.
Confidential
2. Agenda
CMS defined
Risks and trends
Recent incidents
Into the details
• An attack campaign
• Industrialized attack campaign
Reclaiming security
3. Today’s Speaker - Barry Shteiman
Director of Security Strategy
Security Researcher working with the CTO office
Author of several application security tools, including HULK
Open source security projects code contributor
Twitter @bshteiman
5. What is a CMS?
A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface.
Source: https://en.wikipedia.org/wiki/Content_management_system
9. OWASP Top 10 – 2013 Update
New, A9 - Using Known Vulnerable Components
10. 3rd Party
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
11. When a 3rd Party Brings its Friends
More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks
-- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013
You can’t fix code you don’t own; even if you host your own code, that code has third-party components in it.
12. Attack Surface
In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions.
Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html
BSI is Germany's federal office for information security
13. Classic Web Site Hacking
Single Site Attack
1. Identify Target
2. Find Vulnerability
3. Exploit
14. Classic Web Site Hacking
Multiple Site Attacks
The same three steps, repeated separately for every target site:
1. Identify Target
2. Find Vulnerability
3. Exploit
15. CMS Hacking
CMS Targeting Attack
1. Identify CMS
2. Find Vulnerability
3. Exploit
17. 3rd Party Code Driven Incidents
Breached via a 3rd party application on Drupal.org’s own servers.
18. 3rd Party Code Driven Incidents
3rd party service provider hacked, customer data affected.
19. 3rd Party Code Driven Incidents
Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.
HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
21. Into the Details
How a CMS Attack Campaign Might Look
23. CMS Mass Hacking
Step 1: Find a vulnerability in a CMS platform
Source: www.exploit-db.com
Even public vulnerability databases contain thousands of CMS-related vulnerabilities.
24. CMS Gone Wild(card)
Step 2: Identify a fingerprint in a relevant CMS-based site
A fingerprint can be
• Image
• URL
• Tag
• Object Reference
• Response to a query
• etc.
25. Fingerprinted
Tag based
The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
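As an added example (not from the deck), a small Python audit that scans a page's HTML for the tag- and URL-based fingerprints described above, so a site owner can see what their own pages disclose before an attacker does; the marker table is a constructed sample, not a complete fingerprint database.

```python
import re

# Constructed marker table (an assumption for this example, not from the
# slides): CMS name -> list of (kind, regex) for markers commonly present in
# the HTML a site serves. Real fingerprint databases are far larger.
FINGERPRINTS = {
    "WordPress": [
        ("tag", re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress[^"\']*', re.I)),
        ("url", re.compile(r"/wp-(?:content|includes)/", re.I)),
    ],
    "Joomla": [
        ("tag", re.compile(r'<meta[^>]+content=["\']Joomla![^"\']*', re.I)),
        ("url", re.compile(r"/media/jui/|/components/com_\w+", re.I)),
    ],
    "Drupal": [
        ("tag", re.compile(r'<meta[^>]+content=["\']Drupal[^"\']*', re.I)),
        ("url", re.compile(r"/sites/default/files/|/misc/drupal\.js", re.I)),
    ],
}

def fingerprint(html):
    """Return {cms: [evidence, ...]} for every CMS whose markers appear in html."""
    hits = {}
    for cms, markers in FINGERPRINTS.items():
        evidence = []
        for kind, rx in markers:
            for m in rx.finditer(html):
                evidence.append(f"{kind}: {m.group(0)[:60]}")  # keep the matched snippet as proof
        if evidence:
            hits[cms] = sorted(set(evidence))
    return hits

def leak_report(html):
    """Defender view: which CMS is identifiable and from which tags or paths."""
    hits = fingerprint(html)
    if not hits:
        return "no CMS fingerprint found"
    lines = []
    for cms, ev in hits.items():
        lines.append(f"{cms} identifiable via {len(ev)} marker(s):")
        lines.extend("  " + e for e in ev)
    return "\n".join(lines)

# Constructed sample page, not a real site.
SAMPLE = """<html><head>
<meta name="generator" content="WordPress 3.6" />
<link rel="stylesheet" href="/wp-content/themes/twentythirteen/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    print(leak_report(SAMPLE))
```

Removing the generator tag alone is not enough: the asset paths still identify the platform, which is why the slide says fingerprints remain unless the whole output is obfuscated.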
27. Google Dork for the Masses
Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
Results: 144,000
28. Google Dork for the Masses
In our case: Database Host, User and Password Exposed
29. Botnets Targeting Your CMS
Recently Observed:
• Botnets scan websites for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet
30. From a Botnet Communication
Google Dork
Botnet operator uses zombies to scan sites for vulnerabilities
* As observed by Imperva’s ADC Research Team
31. From a Botnet Communication
Botnet exploits vulnerabilities and absorbs victim servers
* As observed by Imperva’s ADC Research Team
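As an added example (not Imperva's or the deck's code), detection logic in Python over constructed Apache-style access-log lines that flags the two behaviours in slides 27 through 31: requests for wp-config backup files of the kind the dork finds (and whether the server actually returned them), and one client enumerating many plugin paths the way a scanning zombie does; the log lines, IP addresses and plugin names are all constructed.

```python
import re
from collections import defaultdict

# Config backups that should never be web-accessible; these are the file
# names the wp-config dork on slide 27 looks for, plus common editor leftovers.
CONFIG_BACKUP = re.compile(r"/wp-config\.(?:txt|conf|php\.(?:bak|old|save)|php~)$", re.I)
# One client touching many distinct plugin directories is scanner behaviour.
PLUGIN_PATH = re.compile(r"/wp-content/plugins/([^/?]+)", re.I)
# Combined log format: client, timestamp, request line, status code.
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def analyze(lines, scan_threshold=3):
    """Return config-file requests, those actually served (200), and scanner IPs."""
    config_requests, plugins_by_ip = [], defaultdict(set)
    for line in lines:
        m = LOG_RX.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ip, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        if CONFIG_BACKUP.search(path):
            config_requests.append((ip, path, status))
        pm = PLUGIN_PATH.search(path)
        if pm:
            plugins_by_ip[ip].add(pm.group(1).lower())
    scanners = {ip: sorted(p) for ip, p in plugins_by_ip.items()
                if len(p) >= scan_threshold}
    return {
        "config_requests": config_requests,
        "served_config": [r for r in config_requests if r[2] == 200],  # the real exposure
        "scanners": scanners,
    }

# Constructed sample log (documentation IPs, made-up plugin names).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2013:10:00:01 +0000] "GET /wp-config.txt HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Nov/2013:10:00:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Nov/2013:10:01:00 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.9 - - [07/Nov/2013:10:01:01 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.9 - - [07/Nov/2013:10:01:02 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.7 - - [07/Nov/2013:10:02:00 +0000] "GET /wp-content/plugins/plugin-a/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [07/Nov/2013:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A 200 on a wp-config backup is the finding to act on first (the file is already public); the 404s and the plugin enumeration show who is probing and what they expect to find.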
33. Analyzing the Attack Surface
Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls.
Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html
BSI is Germany's federal office for information security
34. Deployment Matters
On premise deployment: applications and 3rd party code deployed in your virtual/physical data center.
Cloud based deployment (Imperva Incapsula Cloud): hosted applications and B2B services.
35. Recommendations
When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole.
Companies should:
Implement policies, on both the legal and technical aspects, to control data access and data usage.
Require third party applications to accept your security policies and put proper controls in place.
Monitor.
36. Technical Recommendations
Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
Pen test before deployment to identify these issues
Deploy the application behind a WAF to
• Virtually patch pen test findings
• Mitigate new risks (unknown at pen test time)
• Mitigate issues the pen tester missed
• Use a cloud WAF for remotely hosted applications
Virtually patch newly discovered CVEs
• Requires a robust security update service
Editor’s Notes
Popularity: less development, more results; consistency, ease of use and time-to-deliver
WordPress 6.3 M sites, Joomla 1.7 M sites, Drupal 400k sites
Organizations choose to outsource code knowingly or unknowingly
Using 3rd party code means a faster development lifecycle, sometimes more mature, NOT more secure
The threat landscape is rich and full of different vulnerabilities
CMSs and their plugins are like petri dishes for vulnerabilities
Hackers have spread thin but effectively.