WebApp Sec: RE: White Paper - Web Application Worms: Myth or Reality?

["Amichai Shulman" <shulman () imperva com>]

I think that the reason that "The most popular automated web application
scanners still miss simple vulnerabilities in an application" is that
finding vulnerabilities in an arbitrary site is difficult. This is
exactly why I pointed at mature, sophisticated, long established search
engines. These entities spend all their effort and time in extracting as
much information as possible from as much sites as possible and making
this information as accessible as possible. Hence I think they have a
"slight" advantage over a vulnerability assessment tool running against
a single arbitrary site.

Once a vulnerability is exposed (e.g. a parameter susceptible to SQL
injection) there is almost always a manner to automate the generation of
an exploit. Some of the research we have done with respect to this paper
was to build an experimental exploit generation toolkit. For instance,
it has been previously shown by others that SQL injection against MS SQL
server can be used for file upload. We can show that generating such an
exploit in an automated manner once the vulnerable spot is detect is
feasible.

In addition, it's true that automated tools miss simple vulnerabilities
by they do uncover both simple and complicated ones in almost every
tested site. One such vulnerability should be enough for the worm to
pick on if that vulnerability was identified by a search engine...

Amichai

-----Original Message-----
From: Daniel [mailto:daniel () dev ugc-labs co uk] 
Sent: Wednesday, March 31, 2004 11:18 AM
To: webappsec () securityfocus com
Subject: Re: White Paper - Web Application Worms: Myth or Reality?


In-Reply-To:
<96242ACDF1723A4BBF70D21211FB9B23586D0A () shrek webcohort com>

(disclaimer) this isn't meant to start a flame war



There seems to be a large amount of "ifs and what" if in this paper. 



The most popular automated web application scanners still miss simple
vulnerabilities in an application, so how will a blindly guided piece of
worm code resolve this?



Take for example SQL injection in a bespoke application. First the worm
needs to discover that they can bypass the input validation scheme in
place and force the app to accept the SQL query. It then needs to
determine what they can manipulate on the database itself. Once this is
all done, the worm needs to start its attack sequence and eventually
start a listener on the database itself or perform some other task.

 

I know a large amount of people that have problems with this let alone a
worm.





Daniel











> Received: (qmail 20045 invoked from network); 30 Mar 2004 20:50:03 
> -0000
> Received: from outgoing2.securityfocus.com (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 30 Mar 2004 20:50:03 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id D08C08FE3D; Tue, 30 Mar 2004 08:32:59 -0700 (MST)
> Mailing-List: contact webappsec-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <webappsec.list-id.securityfocus.com>
> List-Post: <mailto:webappsec () securityfocus com>
> List-Help: <mailto:webappsec-help () securityfocus com>
> List-Unsubscribe: <mailto:webappsec-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:webappsec-subscribe () securityfocus com>
> Delivered-To: mailing list webappsec () securityfocus com
> Delivered-To: moderator for webappsec () securityfocus com
> Received: (qmail 17881 invoked from network); 30 Mar 2004 13:49:08 
> -0000
> X-MIMEOLE: Produced By Microsoft Exchange V6.0.6487.1
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: White Paper - Web Application Worms: Myth or Reality?
> Date: Tue, 30 Mar 2004 21:59:04 +0200
> Message-ID: 
> <96242ACDF1723A4BBF70D21211FB9B23586D0A () shrek webcohort com>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: White Paper - Web Application Worms: Myth or Reality?
> Thread-Index: AcQWkWXlPB/Phh6pT9WXcihfgdCqOA==
> From: "Imperva Application Defense Center" <adc () imperva com>
> To: <webappsec () securityfocus com>
>
> Dear WebAppSec List,
>
> Imperva(tm)'s Application Defense Center (ADC) has released a new white
> paper.
>
> The new paper demonstrates the feasibility of launching worms that
> attack custom Web application software automatically. These
> methodologies leverage common Web search engine technologies to achieve
> the characteristics of a worm: anonymous origin, automated discovery of
> vulnerable sites, automated exploit and self-propagation. The paper is
> based on the the research, led by Amichai Shulman, the company's CTO,
> that was conducted by Imperva's Application Defense Center (ADC). =20
>
> Imperva's ADC has begun to see open discussion in the security 
> community
> around the theoretical use of search engines to automate the exploit of
> vulnerabilities in custom application software. Experience shows that
> this will lead, at some point, to a real worm targeting these
> vulnerabilities. Putting the pieces together by conducting a controlled
> feasibility study, and testing how self-propagation might be enabled,
> validates the theory. It is important that the security community
> address these issues before the hacking community does so we can enable
> better defenses.
>
> The paper was written by Amichai Shulman, Co-Founder and CTO, Imperva
> Inc.
>
> Table of Contents:
>       - Abstract
>       - Introduction
>       - Anatomy of an Automated Application Worm
>       - War Searching
>       - Advanced War Searching
>       - The Search of Death
>       - Conclusion
>
> The paper can be downloaded at
> http://www.imperva.com/application_defense_center/white_papers/default.
> a
> sp?show=3Dappworm
>
> ---
> Imperva(tm) Application Defense Center (adc imperva com)
> http://www.imperva.com/adc
>
>