2010 IEEE 21st International Symposium on Software Reliability Engineering
1071-9458/10 $26.00 © 2010 IEEE, DOI 10.1109/ISSRE.2010.21

The Web Attacker Perspective – A Field Study

José Fonseca
CISUC, University of Coimbra / Polytechnic Institute of Guarda, Portugal

Marco Vieira, Henrique Madeira
CISUC, University of Coimbra, Coimbra, Portugal

Abstract—Web applications are a fundamental pillar of today's globalized world. Society depends and relies on them for business and daily life. However, web applications are under constant attack by hackers that exploit their vulnerabilities to access valuable assets and disrupt business. Many studies and reports on web application security problems analyze the victim's perspective by detailing the vulnerabilities publicly disclosed. In this paper we present a field study on the attacker's perspective by looking at over 300 real exploits used by hackers to attack web applications. Results show that SQL injection and Remote File Inclusion are the two most frequently used exploits and that hackers prefer easier rather than complicated attack techniques. Exploit and vulnerability data are also correlated to show that, although there are many types of vulnerabilities out there, only a few are interesting enough for attackers to obtain what they want the most: root shell access and admin passwords.

Keywords—Security; Exploit; Vulnerability; Web application; Field study

I. INTRODUCTION

In less than two decades, the World Wide Web was able to radically change the way people communicate and do business. From individuals to large organizations, everyone uses the web. In fact, web applications quickly spread all over the world in the form of personal web sites, blogs, news, social networks, webmails, forums, e-commerce applications, among others. In developed countries, even critical infrastructures like water supply, power supply, banking, insurance, stock market, retail, communications, defense, etc. rely on networks, on the web and on applications that run in these distributed environments.

As the importance of the assets accessed and managed by web applications increases, so does the natural interest of malicious minds in exploiting this new streak. Frequently, web applications developed with a strong focus on functionality and usability find themselves under heavy attack by hackers and organized crime, exploiting their weaknesses and vulnerabilities [1, 2, 3, 4]. The pressure to take advantage of web application assets is huge, thus it is not a surprise to see numerous reports of successful security breaches and exploitations [5, 6, 7].

After years of uncontrolled software development processes and practices, we now face the challenge of securing millions of existing web applications and developing new ones with good security embedded. The high number of regulations put into place by governments and corporations in recent years reflects the increasing concern top managers now have about web security. However, there are some significant factors that still make securing web applications a hard task to fulfill. Some examples are the fast growing market, their high exposure to attacks and the general lack of knowledge or experience in the area of security from those who develop and manage these applications.

In spite of all security-related efforts, web applications are typically deployed with security vulnerabilities that make them vulnerable to attacks. This suggests that web developers and researchers still need to know more about vulnerabilities and attacks to mitigate them more effectively. Web application vulnerability analysis has been addressed by recent studies from several points of view [1, 4, 8, 9, 10, 11]. The attacker's perspective has also been of some focus in the literature ([12, 13, 14, 15], among others), but mainly from empirical data gathered by the authors highlighting social networking and what could be obtained from attacking specific vulnerabilities. Some studies analyze the attack from the victim's perspective, like the proposal of a taxonomy to classify attacks based on their similarities [16] and the analysis of the attack traces from HoneyPots to separate the attack types [17]. There is, however, a lack of knowledge about existing exploits and their correlation with the targeted vulnerabilities.

Important aspects that help understand web application attacks are what vulnerabilities are exploited, what assets hackers usually target, how these attacks are performed and the techniques actually used to execute them. This valuable data can be obtained by analyzing real attacks on web applications and the tools used to execute these attacks. In this paper we address the security of web applications focusing on the attacker's perspective. To have a broader view of the attacker panorama we analyzed over three hundred real exploits targeting vulnerabilities of six widely used LAMP (Linux, Apache, MySQL and PHP) web applications. These exploits are publicly available in a hacker related site [18] and they have been downloaded over three million times from that site by potential attackers. Some of the exploits have also been adapted as modules of the Metasploit framework, widely used for generic penetration testing and vulnerability exploitation [19].

In this field study, exploits are analyzed from various dimensions to understand what types of vulnerabilities attackers prefer, what the goals of attacks are and how they are performed. The exploit data is also compared with vulnerability data of web applications to help unveil some behaviors, like whether the most common vulnerabilities are the ones that hackers prefer to attack.

The information resulting from this study can be used in security related scenarios, to help direct security practitioners to the most common attack types, to better protect the assets and to properly configure their environment. In fact, results confirm and enforce that some well-known security measures can prevent some real devastating attacks. For example, implementing policies like giving the lowest privilege to Operating System (OS) users that own network services, using strong passwords or ceasing to use the register_globals = 1 PHP directive can prevent many exploits from achieving their goal. Finally, field study data can be valuable to improve security mechanisms, like the payload generator of a web application attack injector [20], the training of penetration testers and the procedures they use in the process.

The outline of this paper is as follows. The next section presents the target web applications and the field study methodology. Section III details the types of exploits found. Section IV analyses the field data and discusses the results. Section V concludes the paper.

II. FIELD STUDY ON WEB APPLICATION EXPLOITS

A vulnerability is a weakness (an internal software bug) that may be exploited to cause harm, although its presence does not cause harm by itself [21]. However, a vulnerability is a precondition for an attack (a malicious external fault) to cause an error and possibly subsequent failures [22]. The exploit is the piece of code that is used to maliciously take advantage of a given vulnerability.

A web application exploit may be as simple as a specially crafted URL or as complex as an automated program with hundreds of lines of code that can be compiled and executed. Failures may occur due to attacks performed on a weakness in the security (vulnerability) of the application, which allows a malicious user to bypass security attributes like Authentication, Integrity, Non-repudiation, Confidentiality, Availability and Authorization [12]. This malicious action allows the attacker to gain access and to tamper with inappropriate resources and assets within the web application or the server computer: unauthorized access to data like

community of users to easily create and administer web sites that publish a variety of contents. PHP-Nuke is a well-known web based news automation system built as a community portal. News can be submitted by registered users and commented by the community. WordPress is a personal blog publishing platform that also supports the creation of easy to administer web sites. phpMyAdmin is a web based MySQL administration tool. It is one of the most popular PHP applications and has a huge deployment base.

The web applications considered have a large community of users and belong to a class of applications that has a large spectrum of adoption. They have also won several prizes (some are Sourceforge and Open Source CMS finalists and winners [23, 24]) and are considered among the best in their class. All these web applications are developed using LAMP (Linux, Apache, MySQL and PHP), which is a combination of the most common technologies used by web applications around the world. Linux is mostly used as the chosen OS for servers, MySQL is the world's most popular database, Apache is a leader in web servers and PHP web sites have about 1/3 of the worldwide market share [25].

These same web applications were also previously used in a field study on security vulnerabilities [8], in which the authors analyzed the classes of vulnerabilities that are the most frequent in web applications. Using the same web applications makes it possible to correlate exploit results with information about the vulnerabilities that are being exploited. This can be done at least for XSS and SQL Injection vulnerabilities, which are the two most common vulnerabilities in web applications [1] and were the focus of the field study presented in [8].

B. Field Study Methodology

The field study consisted of the analysis of pieces of code developed to take advantage of vulnerabilities in web applications. These are the kind of exploits used by hackers and script kiddies to attack widely spread web applications, like the ones considered in this work. As the goal is to examine the inner workings of the exploits, for the analysis we need their source code. This may seem a big constraint, but it is quite common to find web application exploits available in their source code version.
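The register_globals = 1 PHP directive that the Introduction lists among the settings whose removal blocks many exploits is easiest to understand in code. The following PHP block is an added example, not code from the paper or from any of the studied applications; the gate functions, the is_admin flag and the credentials are constructed placeholders.

```php
<?php
// Added example (not from the paper): how the register_globals = On setting
// turns an uninitialised variable into a request-controlled one, and the
// hardened form. Function names, flag and credentials are constructed.

// php.ini on the vulnerable host (PHP < 5.4):
//   register_globals = On   ; every request parameter becomes a PHP global
// Hardened setting:
//   register_globals = Off

// Vulnerable gate: $is_admin is only assigned on a successful login and is
// never initialised. With register_globals on, a request carrying
// is_admin=1 defines the variable before this code runs, so the privilege
// check passes without credentials. extract() simulates that behaviour.
function vulnerable_gate(array $request): bool
{
    extract($request);                      // imports $is_admin if supplied
    if (isset($user, $pass) && $user === 'alice' && $pass === 'constructed-pw') {
        $is_admin = true;
    }
    return !empty($is_admin);               // attacker-controlled if unassigned
}

// Hardened gate: refuse to run with register_globals on, give every
// security-relevant variable an explicit default, and read request data only
// through $request (or $_POST), never by letting it name a variable.
function hardened_gate(array $request): bool
{
    if (ini_get('register_globals')) {      // returns '' or false when off/absent
        throw new RuntimeException('register_globals must be Off');
    }
    $is_admin = false;                      // cannot be pre-set by the client
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if ($user === 'alice' && hash_equals('constructed-pw', $pass)) {
        $is_admin = true;
    }
    return $is_admin;
}

// Constructed requests: a forged flag without credentials, and a real login.
$forged = ['is_admin' => '1'];
$login  = ['user' => 'alice', 'pass' => 'constructed-pw'];
var_dump(vulnerable_gate($forged));         // admin granted to the forged request
var_dump(hardened_gate($forged));           // forged flag ignored
var_dump(hardened_gate($login));            // only valid credentials succeed
```

On PHP 5.4 and later the directive no longer exists and ini_get() returns false, so the hardened gate runs unchanged there; the explicit initialisation is still the habit that closes this class of bug.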