Real Life Examples Of Web Vulnerabilities (Revised with OWASP 2017)

Quan Heng Lim, Horangi
Jan 4, 2018

Since the previous review of web vulnerabilities mapped to the OWASP Top 10 was published on Apr 10, 2017, the awareness document has been updated to reflect the current risk trends related to web applications.

This document is meant as a reference of examples that provide context and support a universal understanding of the relevance of cybersecurity issues in our daily lives. Many of these incidents were chosen for their impact, where a large number of individuals were affected, or because they were featured prominently in the mainstream news media, while others were chosen to highlight just how mundane and unexceptional the causes of some of these issues are.

We will be taking the approach of highlighting cases according to the 2017 OWASP Top 10:

  1. Injection
  2. Broken Authentication and Session Management
  3. Sensitive Data Exposure
  4. XML External Entities (XXE) — New
  5. Broken Access Control — Merge of Insecure Direct Object References, Missing Function Level Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialisation — New
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring — New

A1. Injection/Using Components with Known Vulnerabilities — The Panama Papers incident (April 3, 2016)

The Panama Papers are a collection of 11.5 million records from Mossack Fonseca, originally leaked to German journalist Bastian Obermyer in 2015. Due to the sheer size of the data, the International Consortium of Investigative Journalists were approached.

Why was this Significant?

Many public figures, present and past, had their financial dealings exposed, linking them to terrorists, drug cartels and tax havens. Some public figures had their careers affected, and in some instances the information directly led to public unrest.

[Image credits: AFP/Getty Images, The Indian Express, The Guardian, Daily Mail, whoar.co.nz]

This is also significant from the cybersecurity point of view, as it brought to attention the potential vulnerability and relative ease of attacking law firms, especially when compared to the value of the information they hold. Fortune magazine carried a commentary piece, “The Panama Papers Signal A New Kind of Cyber Attack”, citing hacktivism as the motive. (This agrees with what is reported of the anonymous source, who gave income inequality as the reason.) While not actually new, the incident did bring this to the public spotlight.

How does this relate to injection/using components with known vulnerabilities?

The documents were leaked in parts, and the firm’s site was hosted on outdated software with a large number of vulnerabilities. Unfortunately, given the large number of possible attack vectors, it is hard to pin down the actual method the original source used.

  • WordPress 4.1 (Released December 18, 2014) — various vulnerabilities
  • Revolution Slider Plugin — unauthenticated remote file upload via ‘upload_plugin’
  • WP SMTP Plugin — mail server login information stored in plaintext
  • ALO EasyMail Newsletter plugin — mail server login information stored in plaintext
  • Drupal 7.23 (Released August 8, 2013) — 23 vulnerabilities, including the code execution and privilege escalation via SQL injection of Drupalgeddon fame
  • Apache 2.2.15, Oracle fork (March 6, 2010) — various vulnerabilities
  • Microsoft Exchange / Outlook Web Access (2009) — various vulnerabilities
  • A SQL injection flaw was discovered by 1×0123 (Twitter) in their payment system

Both the Revolution Slider unauthenticated file upload, which could lead to execution of PHP code, and the code execution via SQL injection in Drupal are trivial to exploit, and have been thoroughly taken advantage of in the wild.
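The SQL injection class of flaw referred to above comes down to one decision: whether user input becomes part of the SQL text or is bound as a parameter. The following is an added example, not code from Drupal or from the Panama Papers site; it uses an in-memory SQLite table with two constructed rows standing in for a CMS user store, and the tautology input in the demo is the textbook one, included to show the difference in outcome between the two query styles.

```python
import sqlite3

# Added example, not code from any of the products listed above. The table and
# its two rows are constructed sample data standing in for a CMS user store.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(name, password):
    """Builds the SQL text from user input, so the input can change the query."""
    conn = _fresh_db()
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(name, password):
    """Sends user input as bound parameters: it is compared as data, never
    interpreted as SQL, so the same tautology input simply matches no row."""
    conn = _fresh_db()
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    tautology = "' OR '1'='1"  # input that turns the WHERE clause into "always true"
    print("vulnerable:   ", login_vulnerable("alice", tautology))     # every user
    print("parameterized:", login_parameterized("alice", tautology))  # no match
```

The vulnerable version returns every row because the WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`; the parameterized version compares the whole string against the stored password and finds nothing, which is the property a patch for a CMS or plugin restores.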

A2. Broken Authentication and Session Management/Sensitive Data Exposure — Department of Revenue Hack (2012)

A foreign hacker was reported to have stolen 387,000 credit card numbers and 3.6 million Social Security numbers from the South Carolina Department of Revenue.

Why was this Significant?

The IRS was hacked again in 2015, exposing the Social Security numbers, addresses and incomes of more than 700,000 people. The attackers then used this information to authenticate as their victims and obtain their transcripts, resulting in more exposed data.

Even though in the first instance the credit card data was encrypted, the Social Security numbers and other personally identifiable data were not.

The direct consequence of this incident is the exposure of these people to identity fraud.

The 2017 Identity Fraud Study… found that $16 billion was stolen from 15.4 million U.S. consumers in 2016… In the past six years identity thieves have stolen over $107 billion.

(www.iii.org)

How does this relate to broken authentication and session management/sensitive data exposure?

The first breach in 2012 resulted from a default password left in place in the authentication layer. In addition, the lack of encryption on some sensitive data fields, including the Social Security numbers, increased the impact of this incident.
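A default password in the authentication layer is a control failure that can be caught at two points: when a password is set, and in a periodic audit of accounts that already exist. The following added example (not code from the South Carolina system) shows both, alongside salted PBKDF2 hashing of the stored credential; KNOWN_DEFAULTS is a constructed placeholder list, not any vendor’s actual default credentials.

```python
import hashlib
import hmac
import os

# Added example, not code from the South Carolina system. KNOWN_DEFAULTS is a
# constructed placeholder list of factory-default credentials, not any real
# vendor's list.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
PBKDF2_ROUNDS = 100_000


class CredentialStore:
    """Keeps salted PBKDF2 hashes and refuses to accept a known default password."""

    def __init__(self):
        self._users = {}  # username -> (salt, digest)

    @staticmethod
    def is_acceptable(username, password):
        return (username, password) not in KNOWN_DEFAULTS and len(password) >= 8

    def set_password(self, username, password):
        if not self.is_acceptable(username, password):
            raise ValueError(f"refusing default or weak password for {username!r}")
        self._store(username, password)

    def import_legacy(self, username, password):
        """Models an account created by a factory image or an old code path that
        performed no check: the audit below exists to find such accounts."""
        self._store(username, password)

    def _store(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def accounts_with_default_password(self):
        """Audit: which stored accounts still open with a known default credential."""
        return sorted({u for (u, p) in KNOWN_DEFAULTS if self.authenticate(u, p)})
```

The audit works against the hashes rather than against plaintext, so it can run on a production store; in practice the default list would be the vendor’s documented defaults for the products actually deployed.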

A3. Sensitive Data Exposure — Cloudbleed (17 Feb 2017)

Google’s Project Zero found an issue in Cloudflare’s edge servers that made it possible to dump memory potentially containing sensitive data, some of which was cached by search engines.

Why was this Significant?

Cloudflare acknowledged that the leak could have started as early as 22 September 2016, and that a private key used between Cloudflare machines had leaked. As nearly 6 million websites use Cloudflare’s services, and many web application defenses are built on the assumption of a secure TLS communication channel, the impact could be large. Cloudflare estimates that between 22 September 2016 and 18 February 2017 the bug was triggered 1,242,071 times.

Cloudflare did a small sample study, which showed a limited amount of sensitive data exposed.

Share of sampled leaks (%)   Data type
67.54                        Internal Cloudflare headers
0.44                         Cookies
0.04                         Authorization headers / tokens
0                            Passwords
0                            Credit cards / Bitcoin addresses
0                            Health records
0                            Social Security numbers
0                            Customer encryption keys

(confidence level of 99% with a margin of error of 2.5%)

How does this relate to Sensitive Data Exposure?

This should be intuitively clear. The original flaw lay in the way broken HTML tags were parsed, causing information from a random portion of the server’s memory to be returned.

A4. XML External Entities (XXE) — Android Studio, Eclipse, IntelliJ IDEA, APKTool (Dec 2017 — Discovered May 2017)

Check Point’s research team found vulnerabilities in popular Android development and reverse engineering tools used by developers, engineers and researchers. The issues found could lead to data exposure, as well as to malicious users taking over the devices running APKTool.

The proof-of-concept attack showed that a malicious user could inject malicious code into shared online repositories such as those on GitHub, allowing the malicious user to obtain files from the device of anyone reading the code. Similarly, the popular APKTool had a vulnerability in its configuration YAML file, allowing files to be extracted anywhere on the system running it.

Why was this Significant?

These vulnerabilities could be used to target developers’ machines and servers that attempt to load, run or decompile code.

In the development community, code and libraries are often shared in open source repositories, and an attack like this could result in sensitive documents such as credentials and source code being exposed. Developers using these popular IDEs could be led to leak sensitive files in this manner.

In the second scenario, the APKTool exploit can lead to remote code execution, allowing a remote malicious user to take control of the machine, for example by extracting a PHP exploit and calling the web server to run it.

How does this relate to XML External Entities (XXE)?

Both attacks are due to the way XML and YAML (a similar human-readable data format) are parsed. The external reference contained in the XML is processed without further checks, leading to the issues above.
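The parser behaviour described above can be seen directly with the standard library. The following is an added example, not code from Check Point, Android Studio or APKTool: it uses Python’s `xml.sax` parser, whose `feature_external_ges` flag controls whether external general entities (the XXE mechanism) are resolved, and parses the same constructed document with the flag on and off. The “secret” is a temporary file the script itself creates and deletes; it stands in for a file on a developer’s machine that a hostile project file would name. (From Python 3.7.1 the flag is off by default; the example sets it explicitly in both directions so the contrast does not depend on the interpreter version.)

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Added example using the standard library parser, not the vulnerable tools'
# code. The document and the "secret" file below are constructed.


class TextCollector(ContentHandler):
    """Collects the document's character data, which is where an expanded
    entity's contents end up."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_untrusted(xml_bytes, allow_external_entities):
    """Parse with an explicit decision on external general entities. A safe
    configuration for untrusted input is allow_external_entities=False (or,
    better, rejecting any DOCTYPE at all before parsing)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Constructed scenario: a temp file plays the local secret; the XML names it
    through a SYSTEM entity, as a hostile project or config file would."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-value")
        secret_path = f.name
    try:
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE config [<!ENTITY ext SYSTEM "{secret_path}">]>\n'
            "<config><name>&ext;</name></config>"
        ).encode()
        resolved = parse_untrusted(doc, allow_external_entities=True)   # file contents appear in the data
        blocked = parse_untrusted(doc, allow_external_entities=False)   # entity left empty
    finally:
        os.unlink(secret_path)
    return resolved, blocked


if __name__ == "__main__":
    print(demo())
```

The same switch exists in other parsers under different names (for example `resolve_entities` in lxml, or the `disallow-doctype-decl` feature in Java’s parsers); the control a build tool or IDE needs is the same one: never resolve entities from data it did not author.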

A5. Broken Access Control — Snapchat Phone Number Leak/Facebook Business Pages (Jan 2014/August 2015)

Snapchat

Gibson Security detailed vulnerabilities in the Snapchat service, which Snapchat dismissed as a purely theoretical attack. A week later, brute-force enumeration had revealed 4.6 million usernames and phone numbers.

Facebook Business Pages

Laxman Muthiyah found that a malicious user could use a single request to assign admin permissions to himself on a particular Facebook page. A sample request is shown below:

Request:

  POST /<page_id>/userpermissions HTTP/1.1
  Host: graph.facebook.com
  Content-Length: 245

  role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:

  true

(Laxman Muthiyah)

Why was this Significant?

Snapchat

The attack seems to have been motivated at least partly by Snapchat’s assertion that the attack was theoretical and its failure to take any action. This resulted in a leak of phone numbers and user details that could be valuable for various purposes.

Facebook Business Pages

Business pages are a widely used function, and by executing this attack a malicious user could add himself as an administrator and deny access to the actual manager or administrator.

How does this relate to Broken Access Control?

Both issues arose because a specific function was exposed without an access control check tying the caller to the resource being changed.
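What the `userpermissions` request above was missing is a check that the caller already has standing on that particular page; a valid application token alone says nothing about the page. The following is an added example, a constructed model and not Facebook’s code: the user ids, page id and EDITOR role are illustrative, MANAGER is the role name from the request, and the hardened handler also refuses to demote the last manager, which is the lock-out the write-up describes.

```python
# Added example: a constructed model of page roles, not Facebook's Graph API
# code. User ids, the page id and the EDITOR role are illustrative; MANAGER is
# the role name from the request above.

VALID_ROLES = {"MANAGER", "EDITOR"}


class AccessDenied(Exception):
    pass


class Page:
    def __init__(self, page_id, roles):
        self.page_id = page_id
        self.roles = dict(roles)  # user_id -> role

    def managers(self):
        return {u for u, r in self.roles.items() if r == "MANAGER"}


def set_role_unchecked(page, target_user, role):
    """The flaw behind the request above: a valid token is enough, nothing
    verifies that the caller has any standing on this particular page."""
    page.roles[target_user] = role
    return dict(page.roles)


def set_role(page, caller_user, target_user, role):
    """Hardened handler: the caller must already manage the page, the role must
    be a known one, and the last manager cannot be demoted, which blocks the
    lock-out of the real administrator described above."""
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role {role!r}")
    if caller_user not in page.managers():
        raise AccessDenied(f"{caller_user} does not manage page {page.page_id}")
    if role != "MANAGER" and page.managers() == {target_user}:
        raise AccessDenied("cannot demote the last manager of the page")
    page.roles[target_user] = role
    return dict(page.roles)


def userpermissions_request(page, caller_user, form):
    """Same check in the shape of the endpoint above: form carries 'role' and
    'user'; returns True when the change was applied, False when refused."""
    try:
        set_role(page, caller_user, form["user"], form["role"])
        return True
    except AccessDenied:
        return False
```

The important detail is that the check is made against the page named in the URL, not against the caller’s token or the business id in the form, since both of those are under the caller’s control.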

A6. Security Misconfiguration — Amazon S3/Mirai (Now/Dec 2016–13 Jan 2017/August 2016)

Amazon S3

Notably, in recent years numerous organisations have failed to protect their Amazon S3 storage buckets:

  • Australian Broadcasting Corporation (Nov 17 2017) — leakage of hashed passwords, keys and internal resources.
  • United States Army Intelligence and Security Command (Nov 17 2017) — various files, including Oracle Virtual Appliance (.ova) volumes with portions marked top secret.
  • Accenture (Sept 17 2017) [11] — authentication information, including certificates, keys and plaintext passwords, as well as sensitive customer information.

There is an extremely high likelihood that similar issues will continue to be found.

Mirai(未来)

Mirai was a botnet built from IoT devices. It carried out several high-profile attacks after its discovery, and its creator went to ground after releasing the code as open source under the name Anna-senpai.

Why was this Significant?

Amazon S3

A large number of organisations, including governments and military organisations, rely on Amazon’s S3 storage service. From the examples found so far this is a pervasive problem, and the information leaked often has a high impact on the organisation affected.

Mirai(未来)

Mirai ran on CCTV cameras, DVRs and routers. It essentially worked by trying common passwords, something that can be easily avoided. The entirety of the password list used is included below:

With such a simple method, the Mirai botnet produced 280 Gbps and 130 Mpps of DDoS capability, attacking DNS provider Dyn and leading to the inaccessibility of sites such as GitHub, Twitter, Reddit, Netflix and Airbnb.

How does this relate to Security Misconfiguration?

Security misconfiguration can range from something as simple as granting excessive permissions to a user account to failing to restrict resource access to external addresses. The cases mentioned above were caused by misconfiguration of the passwords protecting the systems.
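The S3 exposures above are the “failing to restrict resource access to external addresses” end of that range, and they are detectable from the bucket’s own configuration. The following is an added example, not AWS tooling and not derived from any of the leaked buckets: it inspects a bucket policy document and a bucket ACL grant list for grants to everyone. The two policy documents and the grant list are constructed (the account id is AWS’s documentation placeholder); the two group URIs are the real identifiers S3 uses for “everyone” and “any AWS account”.

```python
import json

# Added example, not AWS tooling and not derived from any of the leaked buckets
# above. The policy documents and grant list are constructed; the group URIs
# are the identifiers S3 uses for "everyone" and "any AWS account" in ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions, has_condition) for every Allow statement that grants
    access to anyone. A Condition may narrow the grant (to a VPC, a referer...),
    so such statements are reported for review rather than declared safe."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((stmt.get("Sid", f"statement[{i}]"), actions, "Condition" in stmt))
    return findings


def public_acl_grants(grants):
    """grants: list of dicts shaped like the Grants field of a GetBucketAcl
    result. Returns (group, permission) for each grant to a global group."""
    hits = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return hits


# Constructed sample documents; 123456789012 is the AWS documentation placeholder account id.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
```

Both checks are needed because S3 evaluates the policy and the ACL independently; a bucket with a private policy and an AllUsers READ grant on the ACL is still listable by anyone.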

A7. Cross Site Scripting (XSS) — Steam Profile Hack (7 Feb 2017)

This was a simple XSS flaw discovered on the Steam platform, in users’ profile pages.

Why was this Significant?

While the Steam profile page feature has existed for many years, this relatively easy-to-execute hack was only discovered after a long time. Its potential impact is well summarised by Reddit commenter “R3TR1X” and moderator “DirtDiglett”:

  • Redirecting a user to a website to phish their login.
  • Utilizing CSS trickery to change your profile to trick users.
  • Loading larger payloads
  • Silently draining your Steam Wallet funds.
  • Spreading Malware via an auto-download.

How does this relate to Cross Site Scripting (XSS)?

The vulnerability is a simple XSS flaw, where JavaScript entered by a user into the profile page is executed in the viewer’s browser. This situation is the perfect example of how an innocuous function can hide a potentially damaging flaw for many years because of a minor mistake by a developer or security tester. Simply encoding user input when displaying it would have prevented this.
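“Encoding user input on display” is context-dependent, and a profile page has at least two contexts: element text, where entity encoding is sufficient, and a link’s href, where it is not, because a `javascript:` URL still runs when clicked even with every character encoded (the phishing redirect in the list above). The following is an added example, not Steam’s code, showing the unsafe renderer beside a hardened one and a small regression check on the rendered output; the field names and the `_esc`/`safe_url` helpers are illustrative.

```python
import html
import re
from urllib.parse import urlsplit

# Added example, not Steam's code. A profile has two output contexts, element
# text and a link href, and each needs its own treatment.


def _esc(value):
    # quote=True also encodes " and ', which matters if a value ever lands in an attribute
    return html.escape(value, quote=True)


def render_profile_unsafe(display_name, bio, homepage):
    """Interpolates user input straight into the page: the flaw described above."""
    return f'<h1>{display_name}</h1><p>{bio}</p><a href="{homepage}">home</a>'


def safe_url(url):
    """Allow only http(s) links for href. Entity-encoding does not help here:
    a javascript: URL with every character encoded still runs when clicked."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url
    return "#"


def render_profile(display_name, bio, homepage):
    """Encodes for the text context and validates the URL for the href context."""
    return (
        f"<h1>{_esc(display_name)}</h1>"
        f"<p>{_esc(bio)}</p>"
        f'<a href="{_esc(safe_url(homepage))}">home</a>'
    )


RAW_TAG = re.compile(r"<\s*(script|img|svg|iframe)\b", re.IGNORECASE)


def has_raw_active_tag(rendered):
    """Smoke test for rendered output: true if a tag that can execute code
    survived encoding. It is a regression check, not a sanitiser."""
    return bool(RAW_TAG.search(rendered))
```

The regression check is the kind of assertion a security tester could have added to the profile page’s tests years earlier; it does not replace encoding, it only catches a renderer that forgot to apply it.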

A8. Insecure Deserialisation (Sept 5, 2017)

Apache Struts 2, a popular framework used by many enterprise applications, was found to have a Remote Code Execution vulnerability, which could lead to malicious users gaining control over machines running these applications.

Why was this Significant?

This issue affects every version of Struts using the REST plugin since 2008, and can be exploited by sending a crafted request remotely, allowing a remote attacker to run arbitrary code on the machine. Java, and specifically the Struts framework, is popular in enterprise environments, and this exploit could lead to high-risk issues for the companies involved.

How does this relate to Insecure Deserialisation?

The vulnerability lies in the XStreamHandler of the REST plugin and its failure to filter the file types in data received from an untrusted source.
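The underlying property is that an unfiltered deserializer lets the data decide which classes and callables are instantiated. Python’s `pickle` behaves the same way as unrestricted XStream, so the following added example (in Python, not the Struts or XStream code) shows the flaw and the fix side by side: a constructed payload whose `__reduce__` names a harmless callable, an unrestricted load that invokes it, and a `RestrictedUnpickler` whose `find_class` allow-list refuses anything it does not recognise, which is the type filtering the REST plugin lacked. `ConstructedGadget`, `SAFE_BUILTINS` and the helper names are this example’s own.

```python
import builtins
import io
import pickle
import platform

# Added example in Python, not the Struts/XStream code. Python's pickle has the
# same property as XStream's unrestricted XML deserialization: the data decides
# which classes and callables the loader instantiates.


class ConstructedGadget:
    """Stand-in for hostile serialized data. On load, pickle calls the callable
    named in __reduce__; a harmless one is used here, but the point is that the
    application never chose it, the bytes did."""

    def __reduce__(self):
        return (platform.python_version, ())


def make_untrusted_bytes():
    return pickle.dumps(ConstructedGadget())


def benign_bytes():
    return pickle.dumps({"id": 7, "tags": ["a", "b"]})


def expected_version():
    return platform.python_version()


def load_unrestricted(data):
    """Unfiltered deserialization: whatever the bytes name gets called."""
    return pickle.loads(data)


SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex", "bytearray"}


class RestrictedUnpickler(pickle.Unpickler):
    """The fix is an allow-list of what may be resolved: the type filtering the
    REST plugin lacked. Plain containers and scalars need no lookup at all."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects(data):
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The restricted loader still handles ordinary data (dicts, lists, strings, numbers) because those are built from opcodes without any class lookup; only a reference to a module-level name reaches `find_class`, and that is exactly where the allow-list belongs.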

A9. Using Components with Known Vulnerabilities — Wordpress REST API (Jan 2017)

1.5 million web pages were defaced through an unauthenticated REST API flaw that allowed malicious users to modify WordPress content.

Why was this Significant?

In the normal course of software development, patches and enhancements are continuously released, with the exception of software at end-of-life. Part of this is driven by newly discovered vulnerabilities or exploits.

If public exploits are available, the difficulty of exploiting these vulnerable components often boils down to enumeration and discovery, which can easily be done with scripts or applications such as “Wappalyzer”, which identify metadata about the application or device.

Many studies have shown that, despite the publicity zero-day exploits get, many attacks come from old vulnerabilities. For example, the HPE Security Research Cyber Risk Report 2015 found that 44% of breaches came from vulnerabilities 2–4 years old.

While some vulnerabilities can be mitigated by security settings, the benefits of updating these components often outweigh the cost, and a mitigation may not be as effective as the patch. In this case, for example, some web hosting companies had put firewall rules in place, but these were bypassed anyway.

How does this relate to Using Components with Known Vulnerabilities?

WordPress did not announce the actual vulnerability until one week after its patch was released, to give site owners time to patch their WordPress instances. The number of affected web pages is testament to the ineffectiveness of these efforts.

A10. Insufficient Logging and Monitoring

Insufficient Logging and Monitoring is a new entry for 2017, and reflects the rise in popularity of the term DevSecOps. Logging and monitoring are essential to ensuring that suspicious activity can be detected close to real time, or diagnosed after the fact.

Unfortunately, this is an extremely common issue, and one that often does not come to attention until the company experiences an incident and is unable to triage or diagnose it.
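“Detected close to real time” means a rule running over the logs as they arrive. The following is an added example, not any vendor’s SIEM logic: a sliding-window rule over authentication events that flags a source address with too many failures in a short period and reports how many distinct usernames it tried, which separates password guessing against one account from the kind of enumeration seen in the Snapchat case. The log lines are constructed in a simple format with documentation address ranges; a real deployment would parse its own application’s format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from any vendor's SIEM. The log lines are constructed in a
# simple "timestamp auth outcome user=... src=..." format using documentation
# address ranges; a real deployment would parse its own application's format.
SAMPLE_LOG = """\
2018-01-04T10:00:01Z auth failure user=alice src=203.0.113.7
2018-01-04T10:00:02Z auth failure user=bob src=203.0.113.7
2018-01-04T10:00:03Z auth failure user=carol src=203.0.113.7
2018-01-04T10:00:04Z auth failure user=dave src=203.0.113.7
2018-01-04T10:00:05Z auth failure user=erin src=203.0.113.7
2018-01-04T10:00:06Z auth failure user=frank src=203.0.113.7
2018-01-04T10:00:07Z auth success user=alice src=198.51.100.4
2018-01-04T10:03:00Z auth failure user=alice src=198.51.100.4
kernel: unrelated line that the parser must skip
"""

LINE = re.compile(r"^(\S+) auth (failure|success) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return (timestamp, outcome, user, src) tuples, skipping lines that do not
    match; a parser that raises on one odd line silences the whole feed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def flag_sources(events, window=timedelta(minutes=5), max_failures=5):
    """Sliding-window rule: a source with max_failures or more failed logins
    inside `window` is returned as {src: (failures, distinct_users)}. Many
    distinct users from one source is the enumeration pattern, many failures
    against one user is password guessing; the tuple shows both."""
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "failure":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= max_failures and (best is None or count > best[0]):
                best = (count, len({u for _, u in fails[start:end + 1]}))
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(flag_sources(parse_log(SAMPLE_LOG)))
```

The threshold and window are the tuning knobs; the part that cannot be tuned in after the fact is the log itself, which is why the category is about logging as much as monitoring.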

Cybersecurity affects all of us, and given the prevalence of technology in everybody’s lives, we should all at least have an awareness of the potential harm the lack of it can cause.

References

  1. Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption — The Panama Papers. (2016, April 3). Retrieved March 16, 2017, from https://www.occrp.org/en/panamapapers/overview/intro/
  2. Gupta, R. (2016, April 9). The Panama Papers Signal A New Kind of Cyber Attack. Retrieved March 16, 2017, from http://fortune.com/2016/04/09/panama-papers-mossack-fonseca/
  3. Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal. (2016, April 08). Retrieved March 16, 2017, from https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
  4. D. (2016, October 26). SC: 3.6 million Social Security numbers stolen from state Department of Revenue (update 1). Retrieved March 17, 2017, from https://www.databreaches.net/sc-3-6-million-social-security-numbers-stolen-from-state-department-of-revenue/
  5. Identity Theft And Cybercrime. (n.d.). Retrieved March 17, 2017, from http://www.iii.org/fact-statistic/identity-theft-and-cybercrime
  6. Cloudflare Reverse Proxies are Dumping Uninitialized Memory — project-zero — Monorail. (2017, February 19). Retrieved March 18, 2017, from https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
  7. Graham-Cumming, J. (2017, February 24). Incident report on memory leak caused by Cloudflare parser bug. Retrieved March 18, 2017, from https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
  8. ParseDroid: Targeting The Android Development & Research Community. (2017, December 11). Retrieved January 04, 2018, from https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
  9. Muthiyah, L. (2017, April 01). Hacking Facebook Pages. Retrieved April 10, 2017, from https://www.7xter.com/2015/08/hacking-facebook-pages.html
  10. Sharwood, S. (2017, November 16). Australian Broadcasting Corporation leaks passwords, video from AWS S3 bucket. The Register. Retrieved January 04, 2018, from https://www.theregister.co.uk/2017/11/16/australian_broadcasting_corporation_leaks_data_from_s3_bucket/
  11. Accenture — Embarrassing data leak business data in a public Amazon S3 bucket. (2017, October 11). Retrieved January 04, 2018, from http://securityaffairs.co/wordpress/64150/data-breach/accenture-data-leak.html
  12. Apache Struts 2 CVE-2017-9805 Remote Code Execution (Sep 7 2017). (n.d.). Retrieved January 04, 2018, from https://www.mysonicwall.com/SonicAlert/searchresults.aspx?ev=article&id=1076
  13. Constantin, L. (2017, February 10). Recent WordPress vulnerability used to deface 1.5 million pages. Retrieved April 10, 2017, from http://www.pcworld.com/article/3168846/security/recent-wordpress-vulnerability-used-to-deface-1-5-million-pages.html
