James Walden, Maureen Doyle

Dec 4, 2013

Northern Kentucky University


Students: Andrew Plunkett, Rob Lenhof, John Murray

1. Web Application Security
2. Plugins
3. Plugin Vulnerabilities
4. Comparing Core and Plugin Security
5. Vulnerabilities by Category
6. Conclusions


IMI Security Symposium 2010


Figure: web application architecture. The web client sends HTTP traffic on port 80 through the firewall to the web server, which calls the application, which in turn queries the database server. The firewall blocks telnet and ftp but passes port 80, so anything carried inside an HTTP request reaches the application and the database untouched.

Web technology versus deployed security technology, by year:

Year   Technology        Security
1993   CGI               Firewalls, SSL
1995   PHP, JavaScript   Firewalls, SSL
1997   ASP, JSP          Firewalls, SSL
2000   REST, SOA         Firewalls, SSL
2006   AJAX              Firewalls, SSL


SQL injection, step by step (figure: attacker, web server, DB server, firewall; the login form's password field carries ' or 1=1 --):

1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, and sends data back to application.
6. Application returns data to user.


$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
    or die("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);

// $username and $password arrive from the login form and are interpolated
// into the SQL text with no escaping or parameter binding: this is the
// injection point exercised on the next two slides.
$query = "select count(*) from users where username = '$username' and password = '$password'";

$result = mysql_query($query);


Unauthorized Access Attempt:

password = ' or 1=1 --

SQL statement becomes:

select count(*) from users where username = 'user' and password = '' or 1=1 --'

AND binds tighter than OR, so the WHERE clause reads (username = 'user' and password = '') or 1=1, which is always true, and the -- comments out the closing quote the application appends. The count comes back non-zero and the application permits access.



Database Modification Attack:

password = foo'; delete from users where username like '%

DB executes two SQL statements:

select count(*) from users where username = 'user' and password = 'foo';
delete from users where username like '%'

The second statement deletes every row in users. Caveat: this needs a database interface that accepts stacked statements. PHP's mysql_query() sends a single statement and rejects the batch, so against the code on the previous slide this particular payload fails; mysqli_multi_query() or a SQL Server driver would run it.


http://www.xkcd.com/327/


www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*

Exploit against http://phprealestatescript.com/

How it works: id=-1 matches no real news row, so the page renders only the row that UNION ALL appends. Its third column is username:password (char(58) is the colon) from the admin table, and the constants 1,2,4,5 pad the row to the width of the original SELECT. The /**/ comments stand in for spaces to get past filters that reject whitespace, and the trailing /* comments out whatever the script appends after the id.



Cross-site scripting (XSS): the attacker causes a legitimate web server to send the user executable content (JavaScript, Flash/ActionScript) of the attacker's choosing.

XSS used to obtain the session ID for:
- Bank site (transfer money to attacker)
- Shopping site (buy goods for attacker)
- E-mail

Key ideas:
- Attacker sends malicious code to server.
- Victim's browser loads code from server and runs it.


Figure: XSS attack sequence between attacker, web server and user (only some step labels survived extraction): 3. XSS attack (attacker to web server); 4. user clicks on the XSS link; 7. browser runs the injected code, and the evil site saves the session ID.


Plugins add features to apps:
- Advertising
- E-commerce
- Media
- Security
- Site Navigation
- Statistics
- Themes
- User Management



Is it the core code or core code + plugins?
- Some apps are almost always deployed with plugins.
- Plugins are written by non-core developers.
- Core site may or may not track plugin security.
- Some apps are packaged in distributions with plugins, such as Drupal, which has:
  - OpenAtrium (Development Seed)
  - Acquia Drupal
  - OpenPublish
  - Pressflow (Four Kitchens)



Goal: Identify differences between the security of core code and plugins for web applications.

Research questions:
1. Are plugins less secure than core code?
2. How are vulnerabilities distributed across plugins?
3. How do different applications compare in terms of plugin security?


Open Source
- Evaluate source code that has no barriers to access.
- 85% of businesses use open source software.
  - Probably all if embedded open source is counted, such as printers, routers, projectors, etc.

PHP is the most widely used language for open source web applications.
- 35.3% of web apps on Freshmeat are PHP, 14% Java.
- Most popular apps written in PHP: Drupal, Joomla, MediaWiki, phpBB, phpMyAdmin, WordPress.


Selection process
- PHP web applications from freshmeat.net.
- A central plugin repository.
- Automatable downloads.
- At least 10 plugins.

Why PHP?
- Most popular web applications are written in PHP.
- Can compare applications evenly.

Range of projects
- 12 projects met the selection criteria.
- 13,535 plugins for these applications.
- Plugins per app ranged from 10 to 8989.


Ways to count vulnerabilities:

Reported vulnerabilities in NVD or OSVDB
- Coarse-grained time evolution.
- Difficult to correlate with a revision.
- Undercounts actual vulnerabilities.

Dynamic analysis
- Expensive.
- False positives and negatives.
- Must install and execute the application.

Static analysis
- Expensive.
- False positives and negatives.
- Requires application installation.



SAVD (static analysis vulnerability density): the number of vulnerabilities found by a static analysis tool per 1000 lines of source code (KSLOC).
- Tool: Fortify SourceAnalyzer 5.8.0.

Aggregate SAVD
- Use the aggregate of source code for all plugins.
- Total vulnerabilities / Total KSLOC.

Average SAVD
- Compute SAVD for each plugin individually.
- Average the individual plugin SAVD values.
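The two SAVD figures defined above, computed side by side over a constructed set of plugin scan results, as an added example that is not code from the study. Plugin names, line counts and finding counts are made up; in the study they would come from the static analysis tool's report and a line counter. The sample is built so that one large plugin holds most of the code, which is exactly the situation in which the two figures diverge.

```python
"""Added example (not code from the slides): aggregate and average SAVD,
computed over constructed plugin scan results. Plugin names, line counts and
finding counts are made up for illustration."""

# (plugin, source lines of code, findings reported by the static analyser)
# Constructed so that one large plugin holds most of the code and most findings.
SAMPLE_PLUGINS = [
    ("hello-widget", 100, 0),
    ("sidebar-stats", 500, 1),
    ("contact-form", 1000, 5),
    ("mega-gallery", 48400, 968),
]


def savd(findings, sloc):
    """Vulnerabilities per thousand source lines (KSLOC)."""
    if sloc <= 0:
        raise ValueError("SAVD is undefined without source lines")
    return findings / (sloc / 1000.0)


def per_plugin_savd(plugins):
    """SAVD of each plugin on its own."""
    return {name: savd(findings, sloc) for name, sloc, findings in plugins}


def aggregate_savd(plugins):
    """All plugin code treated as one corpus: total findings / total KSLOC.
    Every line counts once, so the large plugins set the number."""
    total_findings = sum(findings for _, _, findings in plugins)
    total_sloc = sum(sloc for _, sloc, _ in plugins)
    return savd(total_findings, total_sloc)


def average_savd(plugins):
    """SAVD per plugin, then the unweighted mean.
    Every plugin counts once, so the many small plugins set the number."""
    densities = list(per_plugin_savd(plugins).values())
    return sum(densities) / len(densities)


def compare(plugins=SAMPLE_PLUGINS):
    """Both figures for the same plugin set, for reading side by side."""
    return {"aggregate": aggregate_savd(plugins), "average": average_savd(plugins)}


if __name__ == "__main__":
    print(per_plugin_savd(SAMPLE_PLUGINS))
    print(compare())
```

On this sample the aggregate SAVD is 19.48 while the average is 6.75: the large plugin with 20 findings per KSLOC dominates the aggregate, while the three small, cleaner plugins pull the average down. Which figure answers "are plugins less secure" depends on whether you care about the code a site actually runs (aggregate) or about the typical plugin author (average).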


Figure: SAVD by application, aggregate vs. average (bar chart; application names did not survive extraction; 12 values per series in chart order, the first series being aggregate and the second avg, following the legend order).
Aggregate SAVD: 1.28, 1.75, 2.32, 2.32, 4.04, 6.49, 4.32, 11.95, 12.12, 13.16, 16.42, 19.91
Average SAVD:   1.41, 3.26, 2.48, 2.47, 7.38, 14.69, 3.55, 11.73, 8.69, 12.04, 25.81, 25.75

Core code is developed by a small core team.
- Team experienced with the core code over years.
- May or may not be paid full-time developers.
- Most sites have some form of security information.

Plugins are developed by many people.
- Wide variety of programming experience.
- Few develop more than one plugin, and so have little experience with the application compared to the core team.
- Few plugins mention security unless a vulnerability has been previously reported.



Drupal
- Tracked both core and plugin vulnerabilities since 2006.
- Most popular CMS, with 1.58% of web sites, including whitehouse.gov.
- www.drupalsecurityreport.org
- Secure coding documentation.
- XSS Filter API.
- DB API to handle SQLi attacks.
- Input validation API.



Vulnerabilities by category:
- Mapped SCA categories to the OWASP Top 10 (2010).
- SCA 5.8 reports 73 categories; only 25 occur in this code.
- 18 of the 25 categories mapped to 5 of the OWASP Top 10.
- The 7 remaining categories did not map to the Top 10.

www.drupalsecurityreport.org


Plugins are slightly less secure than core.
- Plugins made up 91% of the 11.7 MLOC.
- Plugins contained 92% of the 135,907 vulnerabilities reported by static analysis.

Plugin SAVD correlates with code size.
- ρ = 0.91 (strong correlation).
- Larger plugins are more likely to have vulnerabilities.

Core SAVD does not correlate with code size.


IMI Security Symposium 2010

40

IMI Security Symposium 2010

41

Figure: chart spanning 2006 to 2008 (only the axis labels survived extraction; data not recoverable).
