White Paper

Application Security Trends Report
Featuring: Mobile Apps
March 11, 2012

Table of Contents
  Executive Summary ................................ 3
  Trends ........................................... 3
  2011 Overall Vulnerabilities Reported ............ 4
  Web Vulnerabilities Reported for 2011 and 2012 ... 5
  Mobile Vulnerabilities for 2011 and 2012 ......... 8
  Cloud Implications ............................... 9
  Conclusion ....................................... 11


Executive Summary

Web application vulnerabilities publicly reported saw no significant decrease in 2011, neither in absolute numbers nor as a percentage of overall application vulnerabilities. Consistent with that, the vulnerabilities reported in January and February of 2012 indicated no significant abatement for the coming year. Hackers continue to find new ways to attack web applications at a steady rate. While secure coding practices may be helping to hold vulnerability rates steady, they are doing little to reduce them. In fact, between demand for experienced web application developers that outstrips supply, an evolving threat model, and the natural complexity of web-based software, an increase in web application vulnerabilities in 2012 would not be surprising, especially considering which vulnerabilities are constant and which are increasing.

Web vulnerabilities as a percentage of total application vulnerabilities:
  Q3-Q4 2010    57%
  2011          57%
  Q1 2012       59%

The critical application layer vulnerabilities dominate: Cross Site Scripting (XSS) is reported most frequently and is still increasing, and SQL Injection is a steady second. Given that both types of vulnerabilities have well-known fixes, this calls into question the level of development experience and security awareness in companies pushing out web applications. While demand for web developers outstripping supply might explain deficits in coding, it does not explain why IT, Security and the C-suite are allowing untested and unsecured software to leave the building.

Of the second tier of vulnerabilities reported, including Denial of Service (DoS), Cross Site Request Forgery (CSRF) and Remote File Include (RFI), CSRF is especially troubling, not only because attacks can go unreported but also because they can be extremely devastating. The jump in reported CSRF vulnerabilities in the first two months of 2012, while not conclusive, could indicate an opportunity or even an incentive for profiteering hackers capable of that level of exploit. If these vulnerabilities are exploited, it will indicate a significant evolution in the sophistication of web application threats.

Share of all web vulnerabilities by class, Q1 2012 (Jan-Feb) versus 2011:
  Class             Q1 2012   2011
  XSS                 48%      37%
  SQL Injection       15%      16%
  RFI                  8%       1%
  CSRF                 7%       4%
  Code Execution       6%       4%
  DoS                  4%       5%

Trends

This document reports on trends discovered through analysis of findings from Cenzic managed services and of vulnerabilities reported through public channels. Vulnerabilities are increasingly being reported in the Mobile space and are therefore a significant area of concern for enterprises. 89 Mobile vulnerabilities were reported in 2011 and 11 so far in 2012. Remote Code Execution has been reported in both periods. Information Disclosure is another reported class, and it shows that credentials held on Mobile devices are increasingly at risk. Recent analysis of vulnerability data also makes it clear that core security vulnerabilities are becoming a serious issue as software is increasingly deployed in a cloud paradigm. Cloud deployment will not make these issues go away; in fact it makes them more difficult to secure, especially in a "public cloud" multi-tenant environment. Since mobile devices are being used to access cloud computing platforms, this presents an emerging hybrid vulnerability: by exploiting a vulnerability in a mobile application, a hacker can open an attack vector to a pre-existing vulnerability in the cloud-based application.
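The report flags CSRF as the most troubling second-tier class but does not show what a fix looks like. The following is an added example, not code from the report or from Cenzic, of the synchronizer-token check that closes the class: the server derives a per-session token as an HMAC over the session id under a server-side secret and embeds it in its own forms; a cross-site page cannot read the victim's cookies or token, so it cannot forge it. The request shape, the handler names and the secret are hypothetical.

```python
"""Added example (not from the Cenzic report): a synchronizer-token CSRF check.
The token is HMAC(server_secret, session_id); a forged cross-site request
carries the victim's session cookie but cannot carry the matching token."""
import hashlib
import hmac
from typing import Optional

# Assumption: in a real deployment this secret comes from configuration, not source.
SERVER_SECRET = b"hypothetical-server-secret"


def csrf_token(session_id: str) -> str:
    """Token the server embeds in its own forms for this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf(session_id: str, presented: Optional[str]) -> bool:
    """True only if the presented token is the one derived for this session."""
    if not presented:
        return False
    # compare_digest avoids leaking the token through timing differences.
    return hmac.compare_digest(csrf_token(session_id), presented)


def handle_transfer(request: dict) -> str:
    """Constructed request shape: {'method': str, 'session_id': str, 'form': dict}.
    session_id stands for what the browser's session cookie resolves to."""
    if request["method"] != "POST":
        # A state change over GET is CSRF-able with a plain <img src=...>; refuse it.
        return "405 method not allowed"
    if not is_valid_csrf(request["session_id"], request["form"].get("csrf_token")):
        return "403 forbidden: bad CSRF token"
    return "200 transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def demo() -> dict:
    """Legitimate request beside three forged ones; returns each handler result."""
    victim = "sess-victim"
    attacker = "sess-attacker"
    base = {"amount": "1000", "to": "mallory"}
    return {
        # Legitimate: the victim's own form carries the victim's token.
        "legit": handle_transfer({"method": "POST", "session_id": victim,
                                  "form": dict(base, csrf_token=csrf_token(victim))}),
        # Forged: a cross-site form posts with the victim's cookie but no token.
        "no_token": handle_transfer({"method": "POST", "session_id": victim, "form": base}),
        # Forged: the attacker pastes the token from their own session.
        "wrong_session": handle_transfer({"method": "POST", "session_id": victim,
                                          "form": dict(base, csrf_token=csrf_token(attacker))}),
        # Forged: attempted via GET, which must never change state.
        "get": handle_transfer({"method": "GET", "session_id": victim,
                                "form": dict(base, csrf_token=csrf_token(victim))}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-14s %s" % (name, result))
```

Binding the token to the session id means a token stolen from one session is useless against another; the constant-time comparison matters because the token is a secret the attacker would otherwise be able to brute-force byte by byte.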


2011 Overall Vulnerabilities Reported

As the charts in this section indicate, XSS, SQL Injection and Denial of Service (DoS) made up the bulk of the 7,054 vulnerabilities reported in 2011. The 4,028 Web-related vulnerabilities were 57 percent of the total. These figures include all publicly reported vulnerabilities, not just those that received a CVE identifier. In the first two months of 2012 a total of 1,134 vulnerabilities were reported, of which 59 percent (666) were Web vulnerabilities. This indicates a steady trend in the share of Web application vulnerabilities, especially since 57 percent was also the figure in the Cenzic 2010 Q3-Q4 report.

Total 2011 Vulnerabilities (commercial applications), share of the 7,054 reported:
  Other                     23%
  XSS                       21%
  DoS                       11%
  SQL Injection              9%
  Code Execution             7%
  Memory Corruption          5%
  Information Disclosure     3%
  Path Disclosure            3%
  Privilege Escalation       3%
  CSRF                       2%
  Arbitrary File             2%
  LFI                        2%
  RFI                        1%


Web Vulnerabilities Reported for 2011 and 2012

2011 saw little change in web application vulnerabilities over 2H 2010. In 2011 the 4,028 reported web vulnerabilities represented 57% of the 7,054 total reported vulnerabilities, identical to the 57% reported for 2010 Q3-Q4. In the first two months of 2012, however, the 666 web vulnerabilities reported comprised 59% of the 1,134 total.

A detailed analysis of the 2011 web vulnerabilities by type and class follows. The traditional flaws, Cross Site Scripting (XSS) and SQL Injection, continue to dominate, with XSS climbing to a staggering 37 percent of total web vulnerabilities, up slightly from the second half of 2010. SQL Injection declined a small amount to 16 percent, compared with 18 percent for the second half of 2010. These high numbers remain surprising: both vulnerability classes are well known, yet many large commercial vendors continue to ship them. Cross Site Request Forgery, Code Execution, Path Disclosure and Denial of Service (DoS) also made up a good portion of the total.

Web Related Vulnerabilities 2011 (commercial applications), share of the 4,028 reported:
  XSS                       37%
  SQL Injection             16%
  Other                     15%
  DoS                        5%
  Path Disclosure            5%
  Code Execution             4%
  CSRF                       4%
  Memory Corruption          4%
  Information Disclosure     3%
  Arbitrary File             3%
  LFI                        2%
  Overflow                   1%
  RFI                        1%
  Privilege Escalation       0%


The 2012 (Jan-Feb) data reveal that 59 percent of reported vulnerabilities were in Web applications, a slight increase but on par with the 57 percent reported for 2011. By type and class: the traditional flaws, XSS and SQL Injection, continue to dominate, with XSS climbing to an even higher 48 percent of total Web vulnerabilities, 11 percentage points above the 2011 figure. SQL Injection dipped slightly to 15 percent so far in 2012, compared with 16 percent for 2011. Remote File Include, Cross Site Request Forgery, Code Execution and Denial of Service (DoS) make up the bulk of the remainder. It is becoming very clear that the dominance of XSS and SQL Injection shows little sign of abating in commercial applications, even though both are well known and effective techniques for eliminating them exist.
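The two dominant classes above are the ones for which, as the report says, effective elimination techniques exist. The following is an added example, not code from the report or from Cenzic, showing each flaw beside its fix in a minimal form: a user lookup that splices untrusted input into SQL text beside the same lookup with a bound parameter, and a greeting that echoes user input into HTML beside the same greeting with output encoding. The in-memory SQLite table, the sample rows and the function names are constructed for the example.

```python
"""Added example (not from the Cenzic report): SQL Injection and XSS, each
shown as a vulnerable handler beside its fixed form. Standard library only."""
import html
import sqlite3

# Constructed sample data; the hashes are placeholders, not real digests.
SAMPLE_USERS = [
    ("alice", "hash-a"),
    ("bob", "hash-b"),
]


def make_db() -> sqlite3.Connection:
    """In-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input becomes part of the SQL text, so it can change the query."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the input is bound as a parameter, so it is only ever compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def render_vulnerable(display_name: str) -> str:
    """Vulnerable: raw user input is concatenated into the HTML response."""
    return "<p>Hello %s</p>" % display_name


def render_fixed(display_name: str) -> str:
    """Fixed: HTML-encode the input for the text context it is placed in."""
    return "<p>Hello %s</p>" % html.escape(display_name, quote=True)


def demo() -> dict:
    """Run the same payloads through both forms and return what each produces."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"           # turns the WHERE clause into a tautology
    xss_payload = "<script>alert(1)</script>"
    return {
        "vuln_rows": lookup_vulnerable(conn, sqli_payload),   # every user leaks
        "fixed_rows": lookup_fixed(conn, sqli_payload),       # no user has that literal name
        "vuln_html": render_vulnerable(xss_payload),          # script tag reaches the browser
        "fixed_html": render_fixed(xss_payload),              # rendered as visible text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-11s %r" % (key, value))
```

The parameterized query is the fix for the whole SQL Injection class, not for one payload; likewise the output encoding must match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoder).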

Web Vulnerabilities Q1 2012, Jan-Feb (commercial applications), share of the 666 reported:
  XSS                       48%
  SQL Injection             15%
  RFI                        8%
  CSRF                       7%
  Code Execution             6%
  DoS                        4%
  Information Disclosure     3%
  Arbitrary File             3%
  Path Disclosure            3%
  LFI                        2%
  Memory Corruption          1%
  Overflow                   0%
  Privilege Escalation       0%

Multiple applications, such as SocialCMS and ClipBucket, had vulnerabilities with public exploits reported both in 2011 and in the first months of 2012. Limney admin had a vulnerability reported that has no known solution, while another vulnerability reported in 2012 has a fix available. Vulnerabilities in a product can thus be reported across long time periods and be fixed selectively by the developer. It is apparent that Web application vulnerability management requires ongoing security testing to stay ahead of the attackers.


The 2011 data from proprietary applications (Cenzic private testing) shows SQL Injection at a much smaller share than in the commercial/public domain. XSS, at 17 percent, is still a dominant issue. Compared with the 2010 Q3-Q4 data, Information Leakage (then 54 percent) and Authentication and Authorization (then 28 percent) have decreased, while SQL Injection (up 1 point), XSS (up 12 points), CSRF (up 0.3 points), Session Management (up 4 points) and Remote Code Execution (up 0.3 points) have increased.

2011 Private Source Web Vulnerabilities (proprietary applications):
  Information Leakage                 23%
  Session Management                  20%
  XSS                                 17%
  Authentication and Authorization    17%
  Web Server Configuration             7%
  CSRF                                 6%
  Unauthorized Directory Access        4%
  Web Server                           3%
  SQL Injection                        2%
  Remote Code Execution                1%
  Insecure Resource Allocation         0%


Mobile Vulnerabilities for 2011 and 2012 As Mobile handsets and especially smartphones and tablets proliferate, tracking vulnerabilities becomes critical.

Mobile Vulnerabilities 2011 (89 reported):
  Other                94%
  Code Execution        4%
  Denial of Service     1%
  Overflow              1%

Mobile Vulnerabilities Q1 2012, Jan-Feb (11 reported):
  Other                    82%
  Code Execution            9%
  Information Disclosure    9%

A total of 89 Mobile vulnerabilities were made public in 2011, and so far in 2012 (Jan-Feb) 11 have been made public. It is not clear whether more Mobile vulnerabilities will be reported in 2012 than in 2011, but at the current rate of reporting at least a similar number seems likely. This confirms that Mobile vulnerabilities continue to be reported and are therefore a risk factor as more general-purpose Mobile devices are used to access enterprise data and applications, many of which are now hosted on cloud computing platforms. Analysis shows a wide array of reported Mobile vulnerabilities, and categorization has been tricky. Categories such as Code Execution appear with some consistency across the sampled time intervals. Most of the "Other" category involves Information Disclosure and Input Manipulation. The information disclosed often includes user password MD5 values, contacts and SMS content, as well as other cached data.


Cenzic has compiled a set of mobile vulnerabilities discovered from private testing in 2011 represented by the following chart:

Cenzic 2011 Private Source Mobile Vulnerabilities:
  Sensitive Information Disclosure             28%
  Session (Authentication, Authorization)      28%
  Infrastructure                               25%
  Input Validation                             19%

It is interesting to note that Sensitive Information Disclosure (28 percent) and Session (Authentication and Authorization) (28 percent) make up the bulk of the vulnerabilities. Since application credentials and keys to access enterprise applications and data are often stored on the Mobile devices, this statistic should be a cause for concern.

Cloud Implications

Analysis reveals that applications with reported vulnerabilities are often deployed as online services, or specifically in a cloud format such as SaaS. In 2011, out of a set of 1,201 publicly reported vulnerabilities, 855 had cloud-based security implications because the affected application was deployed as an Internet online service or as a SaaS offering. Cloud-based offerings are often built on complex Web stacks that contain the traditional but serious Web application vulnerabilities outlined in the OWASP Top 10.

An interesting point to consider is that some of these vulnerable cloud-deployed Web applications now have dedicated Mobile clients or are accessible from web browsers on Mobile devices. Vulnerabilities in Mobile clients (such as Information Disclosure) can lead to the exploitation of hosted applications that the Mobile client has access to; an example would be an attacker obtaining passwords for the online application that are stored on the Mobile client. This can be seen as a Cloud/Mobile blended or hybrid vulnerability. As the previous section showed, Information Disclosure vulnerabilities are being reported in Mobile applications, so this type of threat can be considered very real.

An example of this type of blended vulnerability can be shown using the Serv-U FTP server. Serv-U had an Arbitrary File Deletion vulnerability reported in 2011 for which a public exploit is available. The Serv-U FTP server can also be deployed at an online Cloud hosting provider. Also in 2011, an XSS vulnerability with a public exploit was reported for the Serv-U Web Client, which is accessible from any web browser. Serv-U also has a dedicated Mobile client for devices such as the iPhone, Kindle Fire and BlackBerry. If a Mobile device web browser interacts with a Serv-U FTP server hosted in the cloud, or if a vulnerability is discovered in the Mobile client itself, a vulnerability exploited on the handset could become the vector to exploit the fairly serious vulnerability on the Cloud-hosted service. This illustrates the new blended/hybrid Mobile and Cloud threat.

2011 security vulnerabilities with cloud based implications.

EyeOS is an open source web based cloud desktop that has over one million downloads. It is the most popular cloud based web desktop software in the world. It presents, organizes and manages the user's data, files and apps from any device. There is a professional version which is used widely by many commercial enterprises and is geared toward private cloud deployments. In 2011 the following vulnerabilities were reported for EyeOS:
  - Arbitrary file access
  - XSS

OrangeHRM is a very popular open source web based human resource management (HRM) system that is available in SaaS based cloud deployments. It has been downloaded over one million times in its basic open source version. As with EyeOS, the following vulnerabilities were reported in 2011:
  - Arbitrary file access
  - XSS

OpenEMR is a HIPAA compliant electronic health records and medical practice management application. There is a commercial version targeting doctors that is deployed on the Microsoft Azure Cloud. The following vulnerabilities were reported in 2011:
  - SQL Injection
  - XSS

The Parallels Plesk Panel is a popular web hosting control panel provided by many hosting providers, some with over 8 million users. It allows for web site design and creation as well as customer management and billing. Many businesses depend on it for their basic livelihood and operations, so significant security holes in the software would be devastating to a large number of users and could include financial loss, data loss and significant reputational impact. The Parallels Plesk Panel has numerous XSS, SQL Injection and XML Injection vulnerabilities. The XSS vulnerabilities place browser-based users at significant risk of malicious script execution in their browsers. The SQL and XML injection vulnerabilities expose back end systems to malicious SQL execution and to manipulation of XML-based data processing. Since this software is used on such a large scale (on the order of 8.5 million users and more), these flaws can have a significant impact on a large user base. In 2011 Parallels Plesk Panel had the following vulnerabilities reported (count per class):
  - Password Field Autocomplete Weakness: 5
  - Content-Type Header HTML Charset Specification Weakness: 5
  - Content-Type HTTP Header Matching Weakness: 1
  - Content-Type Handling Weakness: 1
  - Incorrect Content-Type Header Weakness: 3
  - SQL Injection: 30
  - XML Injection: 2

Q1 2012 security vulnerabilities with cloud based implications.

Oracle Fusion Middleware. This package can be used in cloud infrastructure deployments and has a relatively large installed base. The following serious vulnerability has been reported: SQL Injection with full ability to manipulate the backend database.

Batavi E-Commerce. Batavi is a full featured ecommerce package that is widely used. It has had a serious vulnerability reported in 2012: SQL Injection against the back end database that can lead to full disclosure of its contents.

deV!ls ClanPortal. The portal is a very popular software package used to set up information exchanges for online gamers, and many sites currently run it. The following vulnerability has been reported: SQL Injection, which can allow manipulation and disclosure of backend data.


Conclusion

While the web application vulnerabilities publicly reported in 2011 and early 2012 indicate no increase in volume, the nature of those reported indicates a lack of security sophistication in the code, a dearth of testing, and very likely an increased opportunity for attackers of all skill levels to exploit vulnerabilities in the growing number of applications being pushed into the market. Furthermore, the increasing demand for Mobile, SaaS and Cloud-based computing is producing hybrid vulnerabilities that compound the threat and increase the complexity of secure coding.


Cenzic, Inc. | 1-866-4-CENZIC (1-866-423-6942) | [email protected] | www.cenzic.com © 2012 Cenzic, Inc. All rights reserved. Cenzic, Hailstorm, Stateful Assessment, HARM, and SmartAttack are registered trademarks of Cenzic, Inc.