1 / 47

Impact of Plugins on Web Application Security

Impact of Plugins on Web Application Security. James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof , John Murray. Topics. Web Application Security Plugins Plugin Vulnerabilities Comparing Core and Plugin Security

ruby
Download Presentation

Impact of Plugins on Web Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Impact of Plugins on Web Application Security James Walden, Maureen DoyleNorthern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray

  2. Topics Web Application Security Plugins Plugin Vulnerabilities Comparing Core and Plugin Security Vulnerabilities by Category Conclusions IMI Security Symposium 2010

  3. Why Web Applications? IMI Security Symposium 2010

  4. Reasons for Attacking Web Apps IMI Security Symposium 2010

  5. Firewalls don’t protect web apps telnet Firewall ftp Application DatabaseServer WebClient WebServer Application HTTP Traffic Port 80 IMI Security Symposium 2010

  6. History of Web Security IMI Security Symposium 2010

  7. Evolution of Web App Security IMI Security Symposium 2010

  8. IMI Security Symposium 2010

  9. SQL Injection Attacker • App sends form to user. • Attacker submits form with SQL exploit data. • Application builds string with exploit data. • Application sends SQL query to DB. • DB executes query, including exploit, sends data back to application. • Application returns data to user. User ‘ or 1=1-- Pass Firewall DB Server Web Server IMI Security Symposium 2010

  10. SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query); IMI Security Symposium 2010

  11. SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access. IMI Security Symposium 2010

  12. SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from tableuserswhereusernamelike ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from tableuserswhereusernamelike ‘%’ IMI Security Symposium 2010

  13. Exploits of a Mom http://www.xkcd.com/327/ IMI Security Symposium 2010

  14. Real Estate Site Hacking Exploit against http://phprealestatescript.com/ www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/* IMI Security Symposium 2010

  15. Cross-Site Scripting (XSS) Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. XSS used to obtain session ID for • Bank site (transfer money to attacker) • Shopping site (buy goods for attacker) • E-mail Key ideas • Attacker sends malicious code to server. • Victim’s browser loads code from server and runs it. IMI Security Symposium 2010

  16. Anatomy of an XSS Attack Web Server 8. Attacker hijacks user session. 1. Login Attacker User 2. Cookie 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil site saves ID. IMI Security Symposium 2010

  17. Are Individual Web Apps Worsening? IMI Security Symposium 2010

  18. Example: Addressing Security Issues IMI Security Symposium 2010

  19. Web Application Plugins Add features to apps: • Advertising • E-commerce • Media • Security • Site Navigation • Statistics • Themes • User Management IMI Security Symposium 2010

  20. What makes up a web application? Is it the core code or core code + plugins? • Some apps are almost always deployed with plugins. • Plugins are written by non-core developers. • Core site may or may not track plugin security. Some apps are packaged in distributions with plugins such as Drupal which has: • OpenAtrium (Development Seed) • Acquia Drupal • OpenPublish • Pressflow (Four Kitchens) IMI Security Symposium 2010

  21. Research Objective Goal: Identify differences between security of core code and plugins for web applications. Researchquestions: Are plugins less secure than core code? How are vulnerabilities distributed across plugins? How do different applications compare in terms of plugin security? IMI Security Symposium 2010

  22. Open Source and PHP Security Open Source • Evaluate source code that has no barriers to access • 85% of businesses use open source software • Probably all if embedded open source is counted, such as printers, routers, projectors, etc. PHP is most widely used language for OS web • 35.3% of web apps on Freshmeat are PHP, 14% Java • Most popular apps written in PHP: Drupal, Joomla, Mediawiki, phpBB, PhpMyAdmin, WordPress IMI Security Symposium 2010

  23. Open Source Web Apps are Targets IMI Security Symposium 2010

  24. Open Source Web Applications Selection process PHP web applications from freshmeat.net. A central plugin repository. Automatable downloads. At least 10 plugins. Why PHP? Most popular web applications written in PHP. Can compare applications evenly. Range of projects 12 projects met selection criteria. 13,535 plugins for these applications. Plugins per app ranged from 10 to 8989 plugins. IMI Security Symposium 2010

  25. Measuring Vulnerabilities Reported Vulnerabilities in NVD or OSVD • Coarse-grained time evolution. • Difficult to correlate with revision. • Undercounts actual vulnerabilities. Dynamic Analysis • Expensive. • False positives and negatives. • Must install and execute application. Static Analysis • Expensive. • False positives and negatives. • Requires application installation IMI Security Symposium 2010

  26. Plugin Size Distribution IMI Security Symposium 2010

  27. Plugin Vulnerability Distribution IMI Security Symposium 2010

  28. % of Vulnerable Plugins by Size IMI Security Symposium 2010

  29. Static Analysis Vulnerability Density Number of vulnerabilities found by a static analysis tool per 1000 lines of source code. • Fortify SourceAnalyzer 5.8.0 Aggregate SAVD • Use aggregate of source code for all plugins. • Total vulnerabilities / Total KSLOC Average SAVD • Compute SAVD for each plugin individually. • Average individual plugin SAVD values. IMI Security Symposium 2010

  30. Aggregate vs. Average SAVD IMI Security Symposium 2010

  31. Do plugins make a site less secure? Core code developed by small core team. • Team experienced with core code over years. • May or may not be paid full-time developers. • Most sites have some form of security information. Plugins developed by many people. • Wide variety of programming experience. • Few develop more than one plugin and so have little experience with application compared to core team. • Few plugins mention security unless a vulnerability has been previously reported. IMI Security Symposium 2010

  32. Core vs. Plugin SAVD IMI Security Symposium 2010

  33. Drupal Core vs. Plugins www.drupalsecurityreport.org • Secure coding documentation. • XSS Filter API. • DB API to handle SQLi attacks. • Input validation API. Drupal tracked both core and plugin vulns since 2006. Most popular CMS with 1.58% of web sites including whitehouse.gov IMI Security Symposium 2010

  34. X-Force 2010H1 Report: Plugins IMI Security Symposium 2010

  35. WordPress: Effect of Adding Plugins IMI Security Symposium 2010

  36. Vulnerability Categories SCA →Top 10       Mapped SCA categories to OWASP Top 10 2010. • SCA 5.8 reports 73 categories, only 25 in this code. • 18 of 25 categories mapped to 5 of OWASP Top 10. • 7 remaining categories did not map to Top 10. IMI Security Symposium 2010

  37. OWASP Top 10: Core vs. Plugin IMI Security Symposium 2010

  38. Drupal: Core vs. Pluginsby Category www.drupalsecurityreport.org IMI Security Symposium 2010

  39. OWASP Sum: Core vs. Plugin IMI Security Symposium 2010

  40. Conclusions Plugins slightly less secure than core. Plugins made up 91% of 11.7 MLOC. Contained 92% of 135,907 vulnerabilities. Plugin SAVD correlates with code size. ρ = 0.91 (strong correlation) Larger plugins are more likely to have vulnerabilities. Core SAVD does not correlate w/ code size. IMI Security Symposium 2010

  41. Additional Material IMI Security Symposium 2010

  42. Vulnerability Type Analysis 2006 2008 IMI Security Symposium 2010

  43. Plugin Counts and Max Plugin SAVD IMI Security Symposium 2010

  44. SAVD by Plugin Size IMI Security Symposium 2010

  45. Core vs. Plugin SLOC IMI Security Symposium 2010

  46. %vulns by size, - wordpress and drupal IMI Security Symposium 2010

  47. SAVD by size, -wordpress and drupal IMI Security Symposium 2010

More Related