We have all seen the recent web related incidents such as Mpack that leverage compromised web sites. These tactics are gaining popularity in malware distribution. Web technologies have been advancing at sonic speed every day, and new technologies such as Web 2.0 mashups are getting attention from everybody. If not carefully deployed, these technologies will bite us back.
Some of the traditional (old school) security folks still think: if I patch all the vulnerabilities according to the advisories released by the vendor, I will be safe. As we get more and more 0-day vulns in OSes and related software packages, this practice is not acceptable anymore. On the web application front, it is totally unsafe. If you developed your own web application, no vendor will knock on your door to get the application fixed.
Some people may like to think that custom code would be hard to mass-exploit (using a worm) and is therefore unlikely to be attacked. The truth is - scanning for vulnerabilities (at least the common ones) is not difficult at all. Take XSS Assistant as an example: it leverages Greasemonkey, an add-on to Firefox, and as you are surfing you can click a few times and it will tell you whether a site is vulnerable to Cross Site Scripting. Locating the vulnerability may be the easy part, but exploiting it isn't hard either; there are exploitation frameworks like BeEF that can assist in creating damaging exploits. And that's just for XSS; the other web related vulnerabilities are all getting their share of tools to ease the attack process.
A few persistent people might still think: web site compromised, no big deal, just a web site getting defaced.... Wrong! There is a whole lot more to it when a web site gets compromised. Deploying a malware distribution point like Mpack is one possibility, but it could easily become a serious threat to the overall network security as well. SQL injection, in its more serious form, can easily get binaries and executables onto the database server and start running malicious code; how does running nmap from your database server sound to you? If that is all too theoretical for you, take a look at the reverse shells designed to run on a web server and yield a command shell back to the attacker. Once the attacker can upload the code, or remotely include it into the running web application, they can get a command shell on your web server.
The reverse shell technique is a lot like the traditional infrastructure type of attack, where an initial exploit is used to get a shell back to the attacker. The major change here is that web applications are used as the medium instead of the OS or other software packages. If your application security practice is not as good as that of some of the large software manufacturers, it might be cause for concern.
Does your current incident handling plan include scenarios involving compromised web applications? If not, I suggest you look at it seriously.
Jul 20th 2007