WebApp Sec mailing list archives
RE: White Paper - Web Application Worms: Myth or Reality?
From: stephen () twisteddelight org
Date: Wed, 31 Mar 2004 09:07:40 -0000 (GMT)
Interesting paper. There are certain web application vulnerabilities that could easily be exploited automatically but I don't think that relying solely on a search engine to discover vulnerable hosts is the best approach for a worm.

Traditional infrastructure worms cause the chaos they do because each newly rooted host starts scanning for more hosts to infect. Because of network constraints it's just not feasible for one system to search the entire internet for vulnerable systems - hence the worm architecture where each instance of the worm does its own search and spreads itself across the net. But by using a search engine to find vulnerable hosts, it is entirely feasible for the attacking program to know all the vulnerable hosts on the net - in one go. There is no need to propagate itself onto more systems as each instance is going to be working from the same set of vulnerable hosts.

Traditional worms also have the advantage that they can infect private IP address ranges, and therefore private networks. An application based worm relying on results from an internet search engine simply can't infect hosts on private networks because they won't appear in search engines. For an app worm to pose a threat to internal systems it will have to include its own HTTP scanner/spider and once it infects a system perform traditional HTTP scanning for vulnerabilities on private address ranges. The number of occurrences of unprotected frontpage passwords is surely higher on internal networks than on the internet.

Without the ability to attack internal systems, an app worm is no different to an app based auto rooter - there is simply no reason to make it propagate itself to other systems.

Stephen.