• No results found

Web Application Security and Search Engines Beyond Google Hacking pdf

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "Web Application Security and Search Engines Beyond Google Hacking pdf"

Copied!
36
0
0

Loading.... (view fulltext now)

Download now ( 36 Page )

Full text

(1)

Web Application Security and Search Engines –

pp

y

g

Beyond Google Hacking

(2)

Agenda

ƒ

Google Hacking on Steroids

ƒ

Automated Google Hacking

ƒ

Google Wormsg

ƒ

Malware Distribution & Search Engines

Sit M ki

ƒ

Site Masking

ƒ

The Search of Death

(3)

In the News

(4)

In the News

(5)

Google Hacking on Steroids

ƒ

What is Hacking?

ƒ

Using a search engine to uncover application vulnerabilities or sensitive data

bl h ’ G l k

ƒ

Most notable resource is Johnny Long’s Google Hacking Database

ƒ

What is the threat to application owners?

ƒ

What is the threat to application owners?

ƒ

All Web site content is exposed to Google

ƒ

Sensitive content might be available for months before the

ƒ

Sensitive content might be available for months before the compromise is discovered

(6)

Automated Google Hacking

ƒ

Automating data leakage discovery and vulnerability

discovery

ƒ

Powerful hacking tool – quickly find a list of vulnerable

sites per set of vulnerabilities

sites per set of vulnerabilities

ƒ

Tools

ƒ

Goolag Scan

ƒ

Goolag Scan

(7)

Automated Google Hacking

ƒ

Google are putting a strict restriction on the number of

queries per IP per day.

ƒ

Violating IP addresses are punished by having to answer a Captcha

Captcha

ƒ

Hackers are mainly unaffected

ƒ

Can use a multitude of open proxies on the webp p

(8)

Google Worms

ƒ

Concept first analyzed in March 2004 ADC paper:

“Web Application Worms: Myth or Reality?”

ƒ

First actual exploit -

Santy Worm

, December 2004

ƒ

What is a Google Worm

ƒ

Normal worms randomly draw IP addresses and hope for the best

best.

ƒ

Large foot print

ƒ

Infection is almost impossible for non-standard deployments

ƒ

Google Worms search Google for the first batch of vulnerable

sites, infect them and instruct the infected machines to go for a

different batch each.

ƒ

Small foot print

(9)

Google Worms

ƒ

Recent Incidents

ƒ

January 2008

ƒ First massive incident combining SQL Injection and HTML Injection

ƒ Tens of thousands of sites affected (including CA’s site)Tens of thousands of sites affected (including CAs site)

ƒ

April 2008

ƒ Huge number of MS SQL Server based sites injected with HTML IFRAME through SQL Injection

through SQL Injection

ƒ Infection code introduces an IFRAME to each field in the database.

ƒ Number of infected hosts and their uniformity suggest an infection engine based on Google Hacking

(10)
(11)

Mitigation Strategies

Google Hacking

ƒ Passively monitor Web traffic for sensitive information

g

g

ƒ

Preventing data leakage without affect application delivery is a difficult problem. Preventing leakage of information to search engines is much easier

engines is much easier

ƒ

Search request / reply pairs for potentially sensitive information. Block reply if request is made by a search bot.

ƒ

Need a solution that contains an up-to-date database of search

(12)

Mitigation Strategies

Google Hacking

Google Hacking

ƒ

Actively Search Google (or any other search engine) for

leakage

ƒ

Difficult to use a tool like GoolagScan. Google’s anti-automation measures do affect application owners trying to defend

measures do affect application owners trying to defend themselves.

(13)

Malware Distribution & Search Engines

ƒ

How can search engines be used to distribute malware,

or other attack vectors?

ƒ

Infect a page on the web

M k th t th i k d hi h f l h t

ƒ

Make sure that the page is ranked high for popular search terms

ƒ

Google study concluded that about 1.3% of search

queries returned at least one malicious URL result

queries returned at least one malicious URL result

ƒ

How can I ensure that the infected page is ranked high

for popular search terms?

for popular search terms?

(14)

Malware Distribution & Search Engines

Google

www.famouse.com

search.asp?query=“Paris Hilton” + xss vector

(15)

Malware Distribution & Search Engines

Google

www.famouse.com

search.asp?query=“Paris

search.asp?query= “paris hilton” + xss

vector Hilton” + xss vector

(16)

Malware Distribution & Search Engines

Google

Index site

www.famouse.com

Index site

search.asp?query=“Paris

search.asp?query= “paris hilton” + xss

vector Hilton” + xss vector

(17)

Malware Distribution & Search Engines

Google

Index site

www.famouse.com

Index site

search.asp?query=“Paris

search.asp?query= “paris hilton” + xss

vector “Paris Hilton”

Hilton” + xss vector

(18)

Malware Distribution & Search Engines

Google

Index site

www.famouse.com

Index site

search.asp?query=“Paris

search.asp?query= “paris hilton” + xss

vector “Paris Hilton”

Hilton” + xss vector

(19)

Malware Distribution & Search Engines

ƒ The example is taken from a recent attack that took place on March

2008 d d ib d b h D h D h

2008 and described by researcher Dancho Danchev

ƒ Results from major web sites rank high in search engines.

ƒ Many sites allow search engines to index pages with internal searchMany sites allow search engines to index pages with internal search

results

ƒ An attacker found XSS vulnerabilities in search pages of high profile

sites Attacker then used the search functionality to look for popular sites. Attacker then used the search functionality to look for popular search terms (e.g. Paris Hilton), appending the attack vector as part of the search

Th lt ith th tt k t b dd d i th th

ƒ The result pages with the attack vector embedded in them are then

(20)

Mitigation Strategies

Malware Distribution

ƒ

Careful input validation and sanitation is always a good

ti

practice

ƒ

Fast reaction using up-to-date signature mechanism can

provide timely protection against a sudden outbreak of an

provide timely protection against a sudden outbreak of an

attack and ensure that malicious content isn’t delivered

by application to users

ƒ

Search engines are trying to identify “infected” pages and

ƒ

Search engines are trying to identify “infected” pages and

place a visual notification

ƒ

Yahoo! SearchScan

(21)

Mitigation Strategies

(22)

Site Masking

ƒ

What is it?

ƒ

Take your competitor out of Google!

ƒ

Index a competitor’s content under your domain!

ƒ

How?

ƒ

Can only be applied to relatively small scale sites

ƒ

Google penalizes sites for having duplicate content

(23)
(24)

Site Masking

Proxy

www.proxy.com

Google Bot Google Bot

Original Web Page www.foo.com Malicious Web Page

(25)

Site Masking

Proxy

www.proxy.com

Google Bot Google Bot

Original Web Page www.foo.com Malicious Web Page

1

(26)

Site Masking

Proxy

www.proxy.com

Google Bot Google Bot

Original Web Page www.foo.com Malicious Web Page

1 2

Malicious Web Page www.mal.com

href http //www proxy com?url www foo com

(27)

Site Masking

Proxy

www.proxy.com

Google Bot

3

Google Bot

Original Web Page www.foo.com Malicious Web Page

1 2

Malicious Web Page www.mal.com

href http //www proxy com?url www foo com

(28)

Site Masking

Proxy

www.proxy.com

Google Bot

3

Google Bot

4

Original Web Page www.foo.com Malicious Web Page

1 2

Malicious Web Page www.mal.com

href http //www proxy com?url www foo com

(29)

Site Masking

Proxy

www.proxy.com

Google Bot

3

Google Bot

4 5

Original Web Page www.foo.com Malicious Web Page

1 2

Malicious Web Page www.mal.com

href http //www proxy com?url www foo com

(30)

Site Masking

Proxy

www.proxy.com

Google Bot

3

Google Bot

4 6

5

Original Web Page www.foo.com Malicious Web Page

1 2

Malicious Web Page www.mal.com

href http //www proxy com?url www foo com

(31)

Site Masking

ƒ

In some cases, by creating many proxy links

, y

g

y p

y

Google can be confused to consider the

original web site as presenting duplicate

g

p

g

p

content

ƒ

The original web site vanishes from the

The original web site vanishes from the

(32)

Mitigation Strategies

Site Masking

S te as

g

ƒ

Based on the source of the request make changes to the

outgoing HTML document:

ƒ

If the request is not from a validated robot (user agent header and IP address) then add a

noindex

in the Robots <META> tag and IP address) then add a

noindex

in the Robots <META> tag of the page.

ƒ

As a consequence GoogleBot will only index a

As a consequence GoogleBot will only index a

page if it is accessed directly and not via a

proxy.

(33)

The Search of Death

ƒ

When Google is an attacker’s weapon of choice…

ƒ

Google can access sites that are not open for anonymous public access

ƒ

Attack cannot be linked to the source

ƒ

Attack cannot be linked to the source

ƒ

How do I do that?

ƒ

A number of methods under researchA number of methods under research

(34)

Google for Security – Application Owner

ƒ

Google Webmaster Tools

ƒ

Who is searching my site and for what?

ƒ

Stop Google Worms Outbreak

(35)

Google for Security – End Users

ƒ

Google’s Safe Browsing API enables client applications

to check URLs against Google's constantly updated

blacklists of suspected phishing and malware pages.

ƒ

GooDelete tool can be used to clear cached Google

Toolbar queries that may contain sensitive information

that you don't want lying around

that you don t want lying around.

ƒ

Google will notify user if link is suspicious (see previous

slides)

(36)

Th

k Y

Thank You

Imperva, Inc.

References

Download now ( PDF - 36 Page - 1.30 MB )

Related documents

Vol 8, No 1 (2017)

The purpose of this research is to demonstrate that, the enhancement of input of prefabricated chunks in the training of interpreters, combined with grammar, culture and

Preliminary DNA fingerprinting of the turf grass Cynodon dactylon (Poaceae: Chloridoideae)

These differences in fragment intensities were therefore, also used as criteria in determining genetic variation within and between known cultivars and unknown

QA 14. ALTA Gr C22 A CURR HIST CURRGDHT

activity units has been found necessary for the purpose of motivating the learner, so in intermediate and high school grades units of work grouped around &#34;centres of

Energy Performance of a Solar Home Constructed for the Solar Decathlon Competition 2013

Because of these specific competition requirements, UNLV students focused on designing and constructing the insulation of the home, its envelope, the HVAC system, the hot water

VARRAY AND NESTED TABLE

It takes a column of nested table or VARRAY type and allows you to treat that as a collection of rows. Collection methods are used to provide information and manage collections

Utilizing Knowledge Bases In Information Retrieval For Clinical Decision Support And Precision Medicine

Synonyms of explicit concepts, as well as other concepts that are relevant to the information need, but are not explicitly mentioned in the query (henceforth referred

Policies and practices for mental health in Europe. - meeting the challenges

Representation of service users on committees and groups responsible for planning, implementing and reviewing anti-stigma, mental disorder prevention and mental health

Integrin Acts Upstream of Netrin Signaling to Regulate Formation of the Anchor Cell's Invasive Membrane in C. elegans

These results indicate that integrin and netrin have distinct roles that act together to properly form the invasive cell membrane: INA-1/PAT-3 plays a broad role in promoting