The Five Phases of Web Application Abuse
Sept 2010
Kyle Adams, Architect, Mykonos
Al Huizenga, Product Manager, Mykonos
The Problem
What is Web app abuse?
Manipulating your site (and its trust) in an attempt to commit fraud, deface your brand, and compromise your users’ privacy.
The final attack (Injection, XSS, etc.) is just part of it.
Examples
What does it look like?
Hogging limited inventory via shopping cart abuse
Scraping competitive content
Phishing for credentials
Loading nasty 3rd-party content
Could be bad guys… Could just be your users…
Characteristics
What’s common?
Often automated
Based on a deep understanding of application behavior
Hard to filter out effectively over time
How does it happen?
Over time…
Not a one-time incident (it just gets reported that way)
The actual attack vector that works needs to be established first
The abuse needs to be tested and automated
It has its own dev lifecycle
Understanding the 5 phases of Web app abuse
Phase 1: Silent Introspection
Phase 2: Attack Vector Establishment
Phase 3: Attack Implementation
Phase 4: Attack Automation
Phase 5: Maintenance
Phase 1
Silent Introspection
Footprint: Low
Run a debugger, surf the site, collect data, analyze offline
What Web server? Database? Network hardware and software? Programming languages and libraries?
Phase 2
Attack Vector Establishment
Footprint: Higher
Cloak yourself
For all dynamic URLs, test inputs for errors or blind injection to find vulnerabilities
For each vulnerability, start structuring your input to shape the error into an attack
Phase 3
Implementation
Footprint: Highest
Now that you know the vector(s), what can you do with them?
Extract/edit/delete DB records or tables?
Infect site with a worm that distributes malware?
Launch a complex phishing scam?
Phase 4
Automation
Footprint: Low
If the attack makes money, you want to do it discreetly again and again
Write an attack program script
Buy a pre-fab “Command and Control” kit and raise your own BotNet to attack from
Phase 5
Maintenance
Footprint: Low
Let the money roll in, go do something else
Successful automated abuse can exist undetected in maintenance mode for years
If a patch disrupts the abuse, oh well. Either refine the vector again, or go hunting elsewhere
What can you do?
VM and filtering help, but…
Hard to pre-guess all possible vulnerabilities and vectors
Hard to filter intelligently and dynamically enough
(Diagram labels: Fix, Firewall)
What else?
New approaches
Get closer to the app context (and more aware of the client environment)
Analyze app and user behavior to identify abuse early, esp. automated
Respond adaptively – beyond blocks and IP blacklists
Early Detection
What about all the requests before an attack is delivered?
(Chart: Number of Requests over time, with the markers “Malicious activity detected” and “Attack vector established”)
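As an added example (not from the deck, and not AppSensor or Mykonos code), this is the kind of per-client behavioural scoring the slide argues for: it reads constructed access-log lines and flags a client whose requests mostly end in errors while it cycles many distinct values through one query parameter, the Phase 2 pattern, before any working vector exists. The log format and both thresholds are assumptions.

```python
"""Flag 'attack vector establishment' behaviour from request patterns.

Added example, not part of the deck or of AppSensor/Mykonos. A client that
probes dynamic inputs produces two signals long before an exploit lands: a
high share of 4xx/5xx responses and many distinct values for one parameter.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (not real traffic): "client method target status".
SAMPLE_LOG = """\
10.0.0.5 GET /product?id=17 200
10.0.0.5 GET /product?id=18 200
10.0.0.5 POST /cart 200
10.0.0.9 GET /product?id=17' 500
10.0.0.9 GET /product?id=17%22 500
10.0.0.9 GET /product?id=-1 404
10.0.0.9 GET /product?id=99999999 404
10.0.0.9 GET /search?q=%3Cb%3E 200
10.0.0.9 GET /search?q=../../ 400
"""

ERROR_RATIO = 0.5     # assumed: share of a client's requests that errored
DISTINCT_VALUES = 4   # assumed: distinct values sent for one parameter name


def score_clients(log_text):
    """Per client: request count, error count, and the largest number of
    distinct values seen for any single query parameter name."""
    raw = defaultdict(lambda: {"requests": 0, "errors": 0, "values": defaultdict(set)})
    for line in log_text.splitlines():
        client, _method, target, status = line.split()
        entry = raw[client]
        entry["requests"] += 1
        if int(status) >= 400:
            entry["errors"] += 1
        # Normal browsing reuses a few values; probing tries many for one name.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            entry["values"][name].add(value)
    return {
        client: {
            "requests": e["requests"],
            "errors": e["errors"],
            "max_values": max((len(v) for v in e["values"].values()), default=0),
        }
        for client, e in raw.items()
    }


def classify(log_text):
    """Label a client 'probing' only when both signals exceed their thresholds."""
    verdicts = {}
    for client, s in score_clients(log_text).items():
        ratio = s["errors"] / s["requests"]
        probing = ratio >= ERROR_RATIO and s["max_values"] >= DISTINCT_VALUES
        verdicts[client] = "probing" if probing else "normal"
    return verdicts
```

Requiring both signals keeps an ordinary user who hits a few broken links out of the verdict; in a real deployment the counts would be kept per session over a sliding time window rather than over a whole file.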
OSS Example
OWASP AppSensor Project
A conceptual framework for implementing intrusion detection capabilities into existing applications
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
Commercial Example
The Mykonos Security Appliance
A high speed HTTP gateway that injects code-level honeypots into application code at serve time, and provides automated adaptive responses
http://www.mykonossoftware.com
Questions
Baking It In – Towards Abuse-Resistant Web Applications
Editor's notes

  1–9, 11. Examples: Twitter
  10. …but have their limits. It’s hard to pre-guess all possible vulnerabilities and vectors. It’s hard to filter intelligently and dynamically enough. New solutions are attempting to hook into the application context, use it to understand abusive behavior, and respond adaptively.
  12. Project Lead: Michael Coates, Senior Application Security Engineer, Aspect Security, Inc., michael.coates@aspectsecurity.com