SlideShare a Scribd company logo

CMS Hacking 101

Imperva, profile picture
Imperva

The document discusses the security risks associated with content management systems (CMS), particularly focusing on vulnerabilities from third-party applications. It outlines the prevalence of these vulnerabilities, recent incidents, and gives recommendations for improving security, such as implementing web application firewalls and conducting penetration testing. The overall message emphasizes the importance of addressing security in third-party code to prevent potential attacks.

Technology
Related topics:
Data Security
1 of 38
Downloaded 92 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
© 2013 Imperva, Inc. All rights reserved. CMS Hacking 101 Analyzing the Risk with 3rd Party Applications Confidential1 Barry Shteiman Senior Security Strategist
© 2013 Imperva, Inc. All rights reserved. Agenda Confidential2 §  CMS defined §  Risks and trends §  Recent incidents §  Into the details •  An attack campaign •  Industrialized attack campaign §  Reclaiming security
© 2013 Imperva, Inc. All rights reserved. Today’s Speaker - Barry Shteiman Confidential3 §  Senior Security Strategist §  Security consultant working with the CTO office §  Author of several application security tools §  Open source security projects code contributor §  Twitter @bshteiman
© 2013 Imperva, Inc. All rights reserved. CMS Defined Confidential4 Content Management System
© 2013 Imperva, Inc. All rights reserved. What is a CMS? Confidential5 A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
© 2013 Imperva, Inc. All rights reserved. Deployment Distribution Confidential6 Source: http://trends.builtwith.com/cms
© 2013 Imperva, Inc. All rights reserved. Enterprise Adoption Confidential7
© 2013 Imperva, Inc. All rights reserved. Risks and Trends Confidential8
© 2013 Imperva, Inc. All rights reserved.9 OWASP Top 10 – 2013 Update New, A9 - Using Known Vulnerable Components Confidential
© 2013 Imperva, Inc. All rights reserved.10 3rd Party According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential
© 2013 Imperva, Inc. All rights reserved. When a 3rd Party Brings its Friends Confidential11 §  More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks §  7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks -- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013 You can’t fix code you don’t own, even if you host your own, that code has third party components in it.
© 2013 Imperva, Inc. All rights reserved. Attack Surface Confidential12 Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security In a research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core, ~80% in plugins and extensions.
© 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential13 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Single Site Attack
© 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential14 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Multiple Site Attacks
© 2013 Imperva, Inc. All rights reserved. CMS Hacking Confidential15 Hacking 1.  Identify CMS 2.  Find Vulnerability 3.  Exploit CMS Targeting Attack
© 2013 Imperva, Inc. All rights reserved. Recent Incidents Confidential16
© 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Breached via 3rd party application on Drupal.org own servers.
© 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential18 3rd party service provider hacked, customer data affected.
© 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential19 Yahoo’s 3rd party hack as detailed in Imperva’s January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
© 2013 Imperva, Inc. All rights reserved. CMS Related Incidents Confidential20
© 2013 Imperva, Inc. All rights reserved. Into the Details Confidential21 How a CMS Attack Campaign Might Look
© 2013 Imperva, Inc. All rights reserved.22 The Attacker’s Focus Server Takeover Direct Data Theft Confidential
© 2013 Imperva, Inc. All rights reserved. CMS Mass Hacking Confidential23 Source: www.exploit-db.com Step 1: Find a vulnerability in a CMS platform Even public vulnerability databases, contain thousands of CMS related vulnerabilities.
© 2013 Imperva, Inc. All rights reserved. CMS Gone Wild(card) Confidential24 Step 2: Identify a fingerprint in a relevant CMS-based site A fingerprint can be •  Image •  URL •  Tag •  Object Reference •  Response to a query •  etc..
© 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential25 Tag based The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
© 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential26 URL based An administrator interface may be front facing, allowing detection and login attempts
© 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential27 §  Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config) §  Results: 144,000
© 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential28 In our case: Database Host, User and Password Exposed
© 2013 Imperva, Inc. All rights reserved. Botnets Targeting Your CMS Confidential29 Recently Observed: •  Botnets Scan websites for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the Botnet
© 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential30 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team Google Dork
© 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential31 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
© 2013 Imperva, Inc. All rights reserved. Reclaiming Security Confidential32 Securing 3rd Party Applications
© 2013 Imperva, Inc. All rights reserved. Analyzing the Attack Surface Confidential33 Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security Certain vulnerabilities in 3rd party applications, can only be properly fixed using Web Application Firewalls.
© 2013 Imperva, Inc. All rights reserved. Deployment Matters Confidential34 Cloud based deploymentOn premise deployment Applications and 3rd party code deployed in your virtual/physical data center. Hosted applications and B2B services. Imperva Incapsula Cloud
© 2013 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage. §  Require third party applications to accept your security policies and put proper controls in place §  Monitor. Recommendations 35 Confidential35
© 2013 Imperva, Inc. All rights reserved. §  Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities §  Pen test before deployment to identify these issues §  Deploy the application behind a WAF to •  Virtually patch pen test findings •  Mitigate new risks (unknown on the pen test time) •  Mitigate issues the pen tester missed •  Use cloud WAF for remotely hosted applications §  Virtually patch newly discovered CVEs •  Requires a robust security update service Technical Recommendations 36 Confidential36
© 2013 Imperva, Inc. All rights reserved. Post-Webcast Discussions Answers to Attendee Questions Webcast Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Presentation Materials Confidential3737
© 2013 Imperva, Inc. All rights reserved. www.imperva.com 38 Confidential

More Related Content

PPTX
Hotspot!
VC Infotech
 
PPT
Web server
Sajan Sahu
 
PDF
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
 
PDF
CNIT 129S: Ch 7: Attacking Session Management
Sam Bowne
 
PDF
Alice Phieu - WordPress For Beginners
Alice Phieu
 
PPTX
Asp.net web api
Binu Bhasuran
 
PDF
June OpenNTF Webinar - Domino V12 Certification Manager
Howard Greenberg
 
PDF
Getting Started with Process Builder
Salesforce Admins
 
Hotspot!
VC Infotech
 
Web server
Sajan Sahu
 
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
 
CNIT 129S: Ch 7: Attacking Session Management
Sam Bowne
 
Alice Phieu - WordPress For Beginners
Alice Phieu
 
Asp.net web api
Binu Bhasuran
 
June OpenNTF Webinar - Domino V12 Certification Manager
Howard Greenberg
 
Getting Started with Process Builder
Salesforce Admins
 

What's hot (20)

PDF
Shopify Ecommerce Solutions Proposal PowerPoint Presentation Slides
SlideTeam
 
PDF
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Gabriella Davis
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
PPTX
Payroll presentation Pitching
Gaurav Muliya
 
PPTX
How to fix ‘database is corrupt: cannot allocate space’ error in lotus notes
andrewscott01
 
PPTX
Azure Logic Apps
Marco Parenzan
 
PPTX
Basics for hosting a website
baabtra.com - No. 1 supplier of quality freshers
 
PPTX
IDS+Honeypots Making Security Simple
Gregory Hanis
 
PPTX
UiPath Certified Professional Certification for Specialized AI.pptx
DianaGray10
 
PDF
IBM Traveler Management, Security and Performance
Gabriella Davis
 
PDF
Experts Live 2022 - Attack Surface Reduction rules...your best ally against r...
PimJacobs3
 
PPTX
HCL Domino V12 Key Security Features Overview
hemantnaik
 
PPTX
SINGLE SIGN-ON
Shambhavi Sahay
 
PPT
Web servers – features, installation and configuration
webhostingguy
 
PPTX
Introduction To WordPress
Craig Bailey
 
PPTX
Robot Framework
Onur Baskirt
 
PDF
JavaScript for Hackers.pdf
slideshareadmin2
 
PPTX
A Brief History of Web publishing (from HTML to WordPress)
Brian Duffy
 
PDF
Introduction to Apex Triggers
Salesforce Developers
 
PPTX
Api testing
Keshav Kashyap
 
Shopify Ecommerce Solutions Proposal PowerPoint Presentation Slides
SlideTeam
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Gabriella Davis
 
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
Payroll presentation Pitching
Gaurav Muliya
 
How to fix ‘database is corrupt: cannot allocate space’ error in lotus notes
andrewscott01
 
Azure Logic Apps
Marco Parenzan
 
Basics for hosting a website
baabtra.com - No. 1 supplier of quality freshers
 
IDS+Honeypots Making Security Simple
Gregory Hanis
 
UiPath Certified Professional Certification for Specialized AI.pptx
DianaGray10
 
IBM Traveler Management, Security and Performance
Gabriella Davis
 
Experts Live 2022 - Attack Surface Reduction rules...your best ally against r...
PimJacobs3
 
HCL Domino V12 Key Security Features Overview
hemantnaik
 
SINGLE SIGN-ON
Shambhavi Sahay
 
Web servers – features, installation and configuration
webhostingguy
 
Introduction To WordPress
Craig Bailey
 
Robot Framework
Onur Baskirt
 
JavaScript for Hackers.pdf
slideshareadmin2
 
A Brief History of Web publishing (from HTML to WordPress)
Brian Duffy
 
Introduction to Apex Triggers
Salesforce Developers
 
Api testing
Keshav Kashyap
 

Viewers also liked (7)

PPTX
CMS Hacking
Barry Shteiman
 
PPT
The most possible risk factors faced by Wordpress Developers
iMOBDEV Technologies Pvt. Ltd.
 
PPTX
Botnets presentation
Mahmoud Ibra
 
PPTX
Botnets 101
Aung Thu Rha Hein
 
PPT
Botnet Detection Techniques
Team Firefly
 
PPT
The Loyalty Program: A Recipe for Success
National Restaurant Association
 
PDF
Digital Strategy 101
Bud Caddell
 
CMS Hacking
Barry Shteiman
 
The most possible risk factors faced by Wordpress Developers
iMOBDEV Technologies Pvt. Ltd.
 
Botnets presentation
Mahmoud Ibra
 
Botnets 101
Aung Thu Rha Hein
 
Botnet Detection Techniques
Team Firefly
 
The Loyalty Program: A Recipe for Success
National Restaurant Association
 
Digital Strategy 101
Bud Caddell
 

Similar to CMS Hacking 101 (20)

PDF
Top Security Trends for 2014
Imperva
 
PDF
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
PDF
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
PPT
The State of Application Security: Hackers On Steroids
Imperva
 
PPTX
Vulnerability Management
justinkallhoff
 
PPT
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
PDF
Hacking Encounters of the 3rd Kind
Imperva
 
PDF
Lessons Learned From the Yahoo! Hack
Imperva
 
PPTX
Imperva - Hacking encounters of the 3rd kind
Barry Shteiman
 
PPTX
WordPress Security: Beyond The Plugin
Stacy Clements
 
PDF
Anatomy of the Compromised Insider
Imperva
 
PDF
Identifying a Compromised WordPress Site
Chris Burgess
 
PDF
Top Security Trends for 2013
Imperva
 
PPTX
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
PDF
Web hackingtools cf-summit2014
ColdFusionConference
 
PDF
Check point presentation june 2014
David Berkelmans
 
PDF
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Imperva
 
PDF
Web hackingtools 2015
ColdFusionConference
 
PDF
Web hackingtools 2015
devObjective
 
PDF
Targeted Defense for Malware & Targeted Attacks
Imperva
 
Top Security Trends for 2014
Imperva
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
The State of Application Security: Hackers On Steroids
Imperva
 
Vulnerability Management
justinkallhoff
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
Hacking Encounters of the 3rd Kind
Imperva
 
Lessons Learned From the Yahoo! Hack
Imperva
 
Imperva - Hacking encounters of the 3rd kind
Barry Shteiman
 
WordPress Security: Beyond The Plugin
Stacy Clements
 
Anatomy of the Compromised Insider
Imperva
 
Identifying a Compromised WordPress Site
Chris Burgess
 
Top Security Trends for 2013
Imperva
 
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
Web hackingtools cf-summit2014
ColdFusionConference
 
Check point presentation june 2014
David Berkelmans
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Imperva
 
Web hackingtools 2015
ColdFusionConference
 
Web hackingtools 2015
devObjective
 
Targeted Defense for Malware & Targeted Attacks
Imperva
 

More from Imperva (20)

PPTX
Cybersecurity and Healthcare - HIMSS 2018 Survey
Imperva
 
PPTX
API Security Survey
Imperva
 
PPTX
Imperva ppt
Imperva
 
PPTX
Beyond takeover: stories from a hacked account
Imperva
 
PPTX
Research: From zero to phishing in 60 seconds
Imperva
 
PDF
Making Sense of Web Attacks: From Alerts to Narratives
Imperva
 
PDF
How We Blocked a 650Gb DDoS Attack Over Lunch
Imperva
 
PPTX
Survey: Insider Threats and Cyber Security
Imperva
 
PPTX
Companies Aware, but Not Prepared for GDPR
Imperva
 
PPTX
Rise of Ransomware
Imperva
 
PDF
7 Tips to Protect Your Data from Contractors and Privileged Vendors
Imperva
 
PDF
SEO Botnet Sophistication
Imperva
 
PDF
Phishing Made Easy
Imperva
 
PDF
Imperva 2017 Cyber Threat Defense Report
Imperva
 
PDF
Combat Payment Card Attacks with WAF and Threat Intelligence
Imperva
 
PDF
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
Imperva
 
PDF
Get Going With Your GDPR Plan
Imperva
 
PDF
Cyber Criminal's Path To Your Data
Imperva
 
PDF
Combat Today's Threats With A Single Platform For App and Data Security
Imperva
 
PPTX
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Imperva
 
Cybersecurity and Healthcare - HIMSS 2018 Survey
Imperva
 
API Security Survey
Imperva
 
Imperva ppt
Imperva
 
Beyond takeover: stories from a hacked account
Imperva
 
Research: From zero to phishing in 60 seconds
Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Imperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
Imperva
 
Survey: Insider Threats and Cyber Security
Imperva
 
Companies Aware, but Not Prepared for GDPR
Imperva
 
Rise of Ransomware
Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
Imperva
 
SEO Botnet Sophistication
Imperva
 
Phishing Made Easy
Imperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Imperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
Imperva
 
Get Going With Your GDPR Plan
Imperva
 
Cyber Criminal's Path To Your Data
Imperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Imperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Imperva
 

Recently uploaded (20)

PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
The various Industrial Revolutions .pptx
bandileshozi3
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Modernising the Digital Integration Hub
Daniel Toomey
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 

CMS Hacking 101

  • 1. © 2013 Imperva, Inc. All rights reserved. CMS Hacking 101 Analyzing the Risk with 3rd Party Applications Confidential1 Barry Shteiman Senior Security Strategist
  • 2. © 2013 Imperva, Inc. All rights reserved. Agenda Confidential2 §  CMS defined §  Risks and trends §  Recent incidents §  Into the details •  An attack campaign •  Industrialized attack campaign §  Reclaiming security
  • 3. © 2013 Imperva, Inc. All rights reserved. Today’s Speaker - Barry Shteiman Confidential3 §  Senior Security Strategist §  Security consultant working with the CTO office §  Author of several application security tools §  Open source security projects code contributor §  Twitter @bshteiman
  • 4. © 2013 Imperva, Inc. All rights reserved. CMS Defined Confidential4 Content Management System
  • 5. © 2013 Imperva, Inc. All rights reserved. What is a CMS? Confidential5 A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
  • 6. © 2013 Imperva, Inc. All rights reserved. Deployment Distribution Confidential6 Source: http://trends.builtwith.com/cms
  • 7. © 2013 Imperva, Inc. All rights reserved. Enterprise Adoption Confidential7
  • 8. © 2013 Imperva, Inc. All rights reserved. Risks and Trends Confidential8
  • 9. © 2013 Imperva, Inc. All rights reserved.9 OWASP Top 10 – 2013 Update New, A9 - Using Known Vulnerable Components Confidential
  • 10. © 2013 Imperva, Inc. All rights reserved.10 3rd Party According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential
  • 11. © 2013 Imperva, Inc. All rights reserved. When a 3rd Party Brings its Friends Confidential11 §  More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks §  7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks -- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013 You can’t fix code you don’t own, even if you host your own, that code has third party components in it.
  • 12. © 2013 Imperva, Inc. All rights reserved. Attack Surface Confidential12 Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security In a research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core, ~80% in plugins and extensions.
  • 13. © 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential13 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Single Site Attack
  • 14. © 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential14 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Multiple Site Attacks
  • 15. © 2013 Imperva, Inc. All rights reserved. CMS Hacking Confidential15 Hacking 1.  Identify CMS 2.  Find Vulnerability 3.  Exploit CMS Targeting Attack
  • 16. © 2013 Imperva, Inc. All rights reserved. Recent Incidents Confidential16
  • 17. © 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Breached via 3rd party application on Drupal.org own servers.
  • 18. © 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential18 3rd party service provider hacked, customer data affected.
  • 19. © 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential19 Yahoo’s 3rd party hack as detailed in Imperva’s January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  • 20. © 2013 Imperva, Inc. All rights reserved. CMS Related Incidents Confidential20
  • 21. © 2013 Imperva, Inc. All rights reserved. Into the Details Confidential21 How a CMS Attack Campaign Might Look
  • 22. © 2013 Imperva, Inc. All rights reserved.22 The Attacker’s Focus Server Takeover Direct Data Theft Confidential
  • 23. © 2013 Imperva, Inc. All rights reserved. CMS Mass Hacking Confidential23 Source: www.exploit-db.com Step 1: Find a vulnerability in a CMS platform Even public vulnerability databases, contain thousands of CMS related vulnerabilities.
  • 24. © 2013 Imperva, Inc. All rights reserved. CMS Gone Wild(card) Confidential24 Step 2: Identify a fingerprint in a relevant CMS-based site A fingerprint can be •  Image •  URL •  Tag •  Object Reference •  Response to a query •  etc..
  • 25. © 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential25 Tag based The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
  • 26. © 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential26 URL based An administrator interface may be front facing, allowing detection and login attempts
  • 27. © 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential27 §  Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config) §  Results: 144,000
  • 28. © 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential28 In our case: Database Host, User and Password Exposed
  • 29. © 2013 Imperva, Inc. All rights reserved. Botnets Targeting Your CMS Confidential29 Recently Observed: •  Botnets Scan websites for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the Botnet
  • 30. © 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential30 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team Google Dork
  • 31. © 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential31 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
  • 32. © 2013 Imperva, Inc. All rights reserved. Reclaiming Security Confidential32 Securing 3rd Party Applications
  • 33. © 2013 Imperva, Inc. All rights reserved. Analyzing the Attack Surface Confidential33 Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security Certain vulnerabilities in 3rd party applications, can only be properly fixed using Web Application Firewalls.
  • 34. © 2013 Imperva, Inc. All rights reserved. Deployment Matters Confidential34 Cloud based deploymentOn premise deployment Applications and 3rd party code deployed in your virtual/physical data center. Hosted applications and B2B services. Imperva Incapsula Cloud
  • 35. © 2013 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage. §  Require third party applications to accept your security policies and put proper controls in place §  Monitor. Recommendations 35 Confidential35
  • 36. © 2013 Imperva, Inc. All rights reserved. §  Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities §  Pen test before deployment to identify these issues §  Deploy the application behind a WAF to •  Virtually patch pen test findings •  Mitigate new risks (unknown on the pen test time) •  Mitigate issues the pen tester missed •  Use cloud WAF for remotely hosted applications §  Virtually patch newly discovered CVEs •  Requires a robust security update service Technical Recommendations 36 Confidential36
  • 37. © 2013 Imperva, Inc. All rights reserved. Post-Webcast Discussions Answers to Attendee Questions Webcast Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Presentation Materials Confidential3737
  • 38. © 2013 Imperva, Inc. All rights reserved. www.imperva.com 38 Confidential