WebApp Sec mailing list archives
RE: White Paper - Web Application Worms: Myth or Reality?
From: "Amichai Shulman" <shulman () imperva com>
Date: Wed, 31 Mar 2004 17:09:12 +0200
You raise some interesting and correct points. Some comments regarding that:

- Generating an exploit once a vulnerability is exposed may require non-trivial computational resources (e.g. decrypting frontpage passwords with JTR). A worm would allow each infected server to handle only a portion of the entire result set and hence make worldwide propagation much faster.
- A worm makes it hard to trace back the actual attacker. It is my assumption that evil doers would like to remain anonymous.

The issue of internal servers is indeed a challenging one for an application level worm. I hope to get more comments and ideas regarding this issue.

Amichai

-----Original Message-----
From: stephen () twisteddelight org [mailto:stephen () twisteddelight org]
Sent: Wednesday, March 31, 2004 11:08 AM
To: webappsec () securityfocus com
Subject: RE: White Paper - Web Application Worms: Myth or Reality?

Interesting paper. There are certain web application vulnerabilities that could easily be exploited automatically, but I don't think that relying solely on a search engine to discover vulnerable hosts is the best approach for a worm.

Traditional infrastructure worms cause the chaos they do because each newly rooted host starts scanning for more hosts to infect. Because of network constraints it's just not feasible for one system to search the entire internet for vulnerable systems - hence the worm architecture where each instance of the worm does its own search and spreads itself across the net. But by using a search engine to find vulnerable hosts, it is entirely feasible for the attacking program to know all the vulnerable hosts on the net - in one go. There is no need to propagate itself onto more systems as each instance is going to be working from the same set of vulnerable hosts.

Traditional worms also have the advantage that they can infect private IP address ranges, and therefore private networks. An application based worm relying on results from an internet search engine simply can't infect hosts on private networks because they won't appear in search engines. For an app worm to pose a threat to internal systems it will have to include its own HTTP scanner/spider and, once it infects a system, perform traditional HTTP scanning for vulnerabilities on private address ranges. The number of occurrences of unprotected frontpage passwords is surely higher on internal networks than on the internet.

Without the ability to attack internal systems, an app worm is no different to an app based auto rooter - there is simply no reason to make it propagate itself to other systems.

Stephen.