Real Life Examples Of Web Vulnerabilities

Knowing the common web vulnerabilities is great, but often it is hard to think of specific examples that appear in popular news to show the layman the relevance of these issues. Let’s take the approach of following the OWASP Top 10 list. At the time of this writing, the last major update to the Top 10 list was in 2013.

By: QuanHeng Lim, Mar 23, 2018

Let’s take the approach of following the OWASP Top 10 list. At the time of this writing, the last major update to the Top 10 list was in 2013. However, it’s due to be updated in early 2017.

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards
 
1. Injection/Using Components with Known Vulnerabilities — The Panama Papers incident (April 3, 2016)

The Panama Papers are a collection of 11.5 million records from Mossack Fonseca, originally leaked to German journalist Bastian Obermayer in 2015. Because of the sheer size of the data, the International Consortium of Investigative Journalists was approached.

Why was this Significant?

Many public figures, present and past, had their financial dealings exposed, linking them to terrorists, drug cartels and tax havens.¹ Some public figures had their careers affected, and in some instances the information directly led to public unrest.


This is also significant from the cybersecurity point of view, as it drew attention to the potential vulnerability of law firms and the relative ease of attacking them, compared to the value of the information they hold. Fortune magazine² carried a commentary piece, “The Panama Papers Signal A New Kind of Cyber Attack”, citing hacktivism as the motive. (This agrees with what was reported by the anonymous source, who gave income inequality as the reason.) While not actually new, the incident did bring this into the public spotlight.

 

How does this relate to injection/using components with known vulnerabilities?

The documents were leaked in parts, and the firm's site was hosted on outdated software³ exposed to a large number of vulnerabilities. Unfortunately, because of the large number of possible attack vectors, it is hard to pin down the actual method used by whoever leaked the data.

  • WordPress 4.1 (Released December 18, 2014) — various vulnerabilities
  • Revolution Slider Plugin — unauthenticated remote file upload via ‘upload_plugin’
  • WP SMTP Plugin — mail server login information stored in plaintext
  • ALO EasyMail Newsletter plugin — mail server login information stored in plaintext
  • Drupal 7.23 (Released August 8, 2013) — 23 vulnerabilities, including code execution and privilege escalation via SQL injection of the Drupalgeddon fame
  • Apache 2.2.15, Oracle fork (March 6, 2010) — various vulnerabilities
  • Microsoft Exchange / Outlook Web Access (2009) — various vulnerabilities
  • A SQL injection flaw was discovered by 1×0123 (Twitter) in their payment system

Both the Revolution Slider's unauthenticated file upload, which could lead to execution of PHP code, and the code execution via SQL injection on Drupal are trivial to exploit and have been thoroughly taken advantage of in the wild.

 

2. Broken Authentication and Session Management/Sensitive Data Exposure — Department of Revenue Hack (2012)

A foreign hacker was reported to have stolen 387,000 credit card numbers and 3.6 million Social Security numbers from the South Carolina Department of Revenue.⁴

 

Why was this Significant?

The IRS was hacked again in 2015, exposing the Social Security numbers, addresses and incomes of more than 700,000 people. The attackers then used this information to authenticate as their victims and obtain their tax transcripts, resulting in still more exposed data.

Even though in the first instance the credit card data was encrypted, the Social Security numbers and other personally identifiable data were not.

The direct consequence of this incident is the exposure of these people to identity fraud.

The 2017 Identity Fraud Study… found that $16 billion was stolen from 15.4 million U.S. consumers in 2016… In the past six years identity thieves have stolen over $107 billion.

(www.iii.org)⁵

 

How does this relate to broken authentication and session management/sensitive data exposure?

The first breach, in 2012, resulted from a default password left in place in the authentication layer. In addition, the lack of encryption on some sensitive data fields, including the Social Security numbers, increased the impact of the incident.

 

3. Cross Site Scripting (XSS) — Steam Profile Hack (7 Feb 2017)

This was a simple XSS hack discovered on the Steam platform, on users' profile pages.

 

Why was this Significant?

While the Steam profile page feature has existed for many years, this relatively easy-to-execute hack was only discovered after a long time. The potential impact is well summarised by Reddit commenter “R3TR1X” and moderator “DirtDiglett”:

  • Redirecting a user to a website to phish their login.
  • Utilizing CSS trickery to change your profile to trick users.
  • Loading larger payloads
  • Silently draining your Steam Wallet funds.
  • Spreading Malware via an auto-download.

How does this relate to Cross Site Scripting (XSS)?

The vulnerability is a simple XSS flaw: JavaScript entered by one user into the profile page is executed in the viewer's browser. This situation is the perfect example of how an innocuous feature can hide a potentially damaging flaw for many years because of a minor mistake by a developer or security tester. Simply encoding user input before displaying it could have prevented this.
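As an added illustration (not code from the original article or from Steam), the following Python renders a profile page first the vulnerable way and then with the user-supplied text encoded for both the attribute and text contexts; the sample profiles, template and tag-collecting helper are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed sample profiles (not real Steam data). The second carries a
# script tag of the kind that executed in viewers' browsers in the Steam flaw.
SAMPLE_PROFILES = [
    {"name": "alice", "summary": "Hello <b>world</b>"},
    {"name": 'mallory"><script>alert(1)</script>',
     "summary": "<script>alert(1)</script>"},
]

TEMPLATE_TAGS = ["div", "p"]  # the only elements the template itself emits


def render_profile_vulnerable(profile):
    """Interpolates user text straight into HTML, so any tags the user typed
    become real markup in the viewer's browser. This is the XSS flaw."""
    return (f'<div class="profile" data-name="{profile["name"]}">'
            f'<p>{profile["summary"]}</p></div>')


def render_profile_safe(profile):
    """Encodes user text for both contexts it lands in: an attribute value
    (quotes must be encoded) and element text (angle brackets must be)."""
    name = html.escape(profile["name"], quote=True)
    summary = html.escape(profile["summary"], quote=True)
    return f'<div class="profile" data-name="{name}"><p>{summary}</p></div>'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(rendered):
    """Lists the start tags a browser would see. For a correctly encoded page
    this is exactly TEMPLATE_TAGS; anything extra came from user input."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags
```

Comparing element_tags() of the two renderings against TEMPLATE_TAGS is a cheap regression check that no user-controlled element ever reaches the page.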

 

4. Insecure Direct Object References — Snapchat Phone Number Leak (Jan 2014)

Gibson Security detailed vulnerabilities in the Snapchat service, which were dismissed as a purely theoretical attack. A week later, brute-force enumeration had revealed 4.6 million usernames and phone numbers.

 

Why was this Significant?

The attack seems to have been motivated at least partly by Snapchat's assertion that the attack was theoretical, and by its not having taken any action.

How does this relate to Insecure Direct Object References?

This arose from a flaw in the implementation of the Snapchat API, which allowed users to query every possible phone number and judge from the response whether each was valid.
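As an added example (not Snapchat's code, nor from the original article), here is a contact-lookup service in Python with the controls that make bulk enumeration impractical: a cap on numbers per request, a per-client hourly quota, and an opt-in flag; the user directory and client identifiers are constructed sample data.

```python
import time
from collections import defaultdict

# Constructed directory of phone number -> username (assumed, not real data).
USERS = {"+15550000001": "alice", "+15550000002": "bob", "+15550000003": "carol"}
# Users who opted in to being found by phone number; carol did not.
DISCOVERABLE = {"+15550000001", "+15550000002"}


class FindFriendsService:
    """Contact-matching lookup with the controls that blunt bulk enumeration:
    a cap on numbers per request, a per-client sliding-window quota, and an
    opt-in flag so a number only matches if its owner chose to be found.
    `now` is injectable so the quota can be exercised without waiting."""

    def __init__(self, max_batch=50, max_per_hour=500, now=time.time):
        self.max_batch = max_batch
        self.max_per_hour = max_per_hour
        self.now = now
        self._lookups = defaultdict(list)   # client_id -> lookup timestamps

    def find_friends(self, client_id, numbers):
        if len(numbers) > self.max_batch:
            raise ValueError("too many numbers in one request")
        cutoff = self.now() - 3600
        recent = [t for t in self._lookups[client_id] if t > cutoff]
        if len(recent) + len(numbers) > self.max_per_hour:
            raise PermissionError("hourly lookup quota exceeded")
        # Every submitted number counts against the quota, matched or not,
        # so a miss costs the caller exactly as much as a hit.
        self._lookups[client_id] = recent + [self.now()] * len(numbers)
        return {n: USERS[n] for n in numbers if n in USERS and n in DISCOVERABLE}
```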

 

5. Security Misconfiguration — CloudPets/Mirai (Dec 2016–13 Jan 2017/August 2016)

CloudPets

CloudPets' MongoDB was not protected by a password, and while there were attempts by multiple researchers (notably Troy Hunt) and users to alert Spiral Toys, nothing was done.

Mirai(未来)

Mirai was a botnet built from IoT devices, which managed to execute several high-profile attacks after its discovery; the creator, posting as Anna-senpai, went to ground after releasing the code as open source.

Why was this Significant?

CloudPets

A large amount of data was lost: recorded conversations, profile pictures and bcrypt password hashes (with no password strength requirements having been enforced), a total of 821,000 user records.⁶

Mirai(未来)

Mirai ran on CCTV cameras, DVRs and routers. It essentially worked by trying common passwords, something that can easily be avoided. The entire password list it used is included below:

With such a simple method, the Mirai botnet produced 280 Gbps and 130 Mpps of DDoS capability, attacking the DNS provider Dyn and rendering sites such as GitHub, Twitter, Reddit, Netflix and Airbnb inaccessible.

 

How does this relate to Security Misconfiguration?

Security misconfiguration ranges from something as simple as granting excessive permissions to a user account to failing to restrict access to resources from external addresses. In the cases above, the cause was misconfiguration of the passwords protecting the systems.

 

6. Sensitive Data Exposure — Cloudbleed (17 Feb 2017)

Google's Project Zero found that an issue in CloudFlare's edge servers made it possible to dump memory potentially containing sensitive data⁷, some of which was cached by search engines.

 

Why was this Significant?

CloudFlare acknowledged that the leak could have started as early as 22 September 2016, and that a private key used between CloudFlare machines had leaked.⁸ As nearly 6 million websites use CloudFlare's services, and many web application defences are built on the assumption of a secure TLS channel, the impact could be large. Estimates from CloudFlare state that between 22 September 2016 and 18 February 2017 the bug was triggered 1,242,071 times.

CloudFlare did a small sample study, which showed a limited amount of sensitive data exposed.

Internal CloudFlare Headers       67.54
Cookies                            0.44
Authorization Headers / Tokens     0.04
Passwords                          0
Credit Cards / Bitcoin Addresses   0
Health Records                     0
Social Security Numbers            0
Customer Encryption Keys           0

(confidence level of 99% with a margin of error of 2.5%)

 

How does this relate to Sensitive Data Exposure?

This should be intuitively clear. The original flaw was in the way broken HTML tags were parsed, causing information from a random portion of the server's memory to be returned.

 

7. Missing Function Level Access Control — Facebook Business Pages (August 2015)

Laxman Muthiyah found that a malicious user could use a single request to assign admin permissions to himself on a particular Facebook page. A sample request⁹ is shown below:

Request:

POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:

true

(Laxman Muthiyah, https://www.7xter.com/2015/08/hacking-facebook-pages.html)

Why was this Significant?

Business pages are a widely used feature, and by executing this attack a malicious user could add himself as an administrator and deny access to the actual manager or administrator.

How does this relate to Missing Function Level Access Control?

Facebook had omitted the check of the caller's access permissions in the function that assigns page roles, which is what made this exploit possible.
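As an added example (not Facebook's code, nor from the original article), the following Python models a page-role assignment endpoint with the function-level check switched off, mirroring the flaw, and switched on; the page membership data, role names and class are constructed for the demo.

```python
import copy

# Constructed page membership: page_id -> {user_id: role}. Assumed sample data.
SAMPLE_PAGE_ROLES = {"page-100": {"user-1": "ADMIN", "user-2": "EDITOR"}}
VALID_ROLES = {"ADMIN", "EDITOR", "ANALYST"}
MANAGING_ROLES = {"ADMIN"}   # roles allowed to change other users' roles


class AuthorizationError(Exception):
    pass


class PageRoleService:
    """Role-assignment endpoint in two modes. With enforce=False it behaves
    like the flaw described above: it trusts the role and user named in the
    request body and never asks who the caller is. With enforce=True it
    performs the function-level check that was missing."""

    def __init__(self, roles, enforce=True):
        self.roles = copy.deepcopy(roles)
        self.enforce = enforce

    def assign_role(self, page_id, target_user, role, caller):
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}")
        page = self.roles.get(page_id, {})
        # The missing check: is the authenticated caller already entitled to
        # manage this particular page? Anything else is rejected before any write.
        if self.enforce and page.get(caller) not in MANAGING_ROLES:
            raise AuthorizationError(f"{caller} may not manage roles on {page_id}")
        self.roles.setdefault(page_id, {})[target_user] = role
        return True

    def role_of(self, page_id, user):
        return self.roles.get(page_id, {}).get(user)
```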

 

8. Cross-Site Request Forgery (CSRF) — Incheon (Feb 2014)

Personal information from 17 million people was stolen from 225 websites and sold by three hackers¹⁰.

 

Why was this Significant?

A large amount of information was lost to a relatively trivial attack. Although an increasing number of web frameworks now have built-in solutions such as CSRF token generation and handling, there are still many CSRF vulnerabilities discovered regularly.

How does this relate to Cross-Site Request Forgery (CSRF)?

The attack was executed by inserting malicious links in forums, targeting the administrators of the websites. When the links were clicked, the hackers obtained the sessions or credentials of the administrators, gaining access to the sites.
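As an added example (not from the original article or any of the affected sites), here is the synchronizer-token defence in Python together with an Origin/Referer check, applied to constructed request dictionaries standing in for an administrator's genuine action and a forged one; the server key, site origin and request shape are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Server-side key binding tokens to sessions (assumed; generated per process here).
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://forum.example"   # assumed origin of the protected site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(key, session_id:nonce). It only verifies for the
    session it was issued to, so a token read from one user's page is useless
    in a request riding on another user's cookies."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def allow_state_change(request, session_id):
    """Decides whether a state-changing request (e.g. an admin action) may
    proceed. request is a constructed dict with keys method, headers, form.
    Two independent checks: the Origin (or Referer) header must belong to our
    site, and the form must carry a token valid for this session."""
    if request["method"] in SAFE_METHODS:
        return True
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin:
        return False   # fail closed: browsers send Origin on cross-site POSTs
    got, want = urlparse(origin), urlparse(SITE_ORIGIN)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False
    return verify_csrf_token(session_id, request["form"].get("csrf_token"))
```

A link planted on a third-party forum can make the browser send the administrator's cookies, but it cannot supply a token bound to the administrator's session or forge the Origin header, so both checks fail.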

 

9. Using Components with Known Vulnerabilities — WordPress REST API (Jan 2017)

1.5 million web pages were defaced through an unauthenticated REST API flaw that allowed malicious users to modify WordPress content¹¹.

 

Why was this Significant?

In the normal course of software development, patches and enhancements are released continuously, with the exception of software at end-of-life. Part of this is driven by newly discovered vulnerabilities or exploits.

If public exploits are available, the difficulty of exploiting these vulnerable components often boils down to enumeration and discovery, which can easily be done with scripts or applications such as Wappalyzer, which identifies metadata about an application or device.

Many studies have shown that, despite the publicity zero-day exploits get, many attacks come from old vulnerabilities. For example, the HPE Security Research Cyber Risk Report 2015 found that 44% of breaches came from vulnerabilities 2–4 years old.

While some vulnerabilities can be mitigated by security settings, the benefits of updating these components often outweigh the cost, and the mitigation may not be as effective as the patch. For example, in this case some web hosting companies had put firewall rules in place, but these were bypassed anyway.

How does this relate to Using Components with Known Vulnerabilities?

WordPress did not announce the actual vulnerability until one week after its patch was released, to give site owners time to patch their WordPress instances. The number of affected web pages is a testament to the ineffectiveness of these efforts.

 

10. Unvalidated Redirects and Forwards — Amazon Simple Storage Service (S3) (30 March 2017)

This flaw was discovered by the Zero Security Group: a malicious user could redirect other users to a page of his choice while the link appeared reputable¹². The destination could be a phishing site or a site hosting malware. This can be seen in the link below, where the user is redirected to google.com:

https://s3.amazonaws.com/psiphon/landing-page-redirect/redirect.html?landingPage=https://google.com

Why was this Significant?

Unvalidated redirects and forwards are among the easiest to exploit and spread. Attacks can be executed quickly and to a large audience.

How does this relate to Unvalidated Redirects and Forwards?

Because the page takes the redirect destination from a URL parameter and does not check its validity, the parameter can easily be changed to another address.
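As an added example (not Amazon's code, nor from the original article), here is a Python validator for a landingPage-style parameter that allows only same-site paths or URLs on an allowlisted host and falls back to a default otherwise; the allowlist and default are assumptions for the demo, and the checks go beyond the single case on the page to cover the usual ways such validation is bypassed.

```python
from urllib.parse import urlparse

# Hosts a redirect may point to (assumed allowlist for the demo).
ALLOWED_HOSTS = {"s3.amazonaws.com", "www.example-site.test"}
DEFAULT_LANDING = "/"


def safe_redirect_target(landing_page, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Returns landing_page if it is a same-site path or an http(s) URL on an
    allowlisted host; otherwise the default. Handles the usual bypasses:
    scheme-relative //host, non-web schemes, userinfo tricks and /\\ paths."""
    if not landing_page:
        return default
    parsed = urlparse(landing_page)
    if parsed.scheme not in ("", "http", "https"):
        return default                       # javascript:, data:, etc.
    if parsed.scheme == "":
        if parsed.netloc:
            return default                   # //evil.example is scheme-relative
        if not landing_page.startswith("/") or landing_page.startswith(("//", "/\\")):
            return default                   # browsers read /\host as //host
        return landing_page                  # plain same-site path
    if not parsed.netloc:
        return default                       # e.g. https:///host is ambiguous
    # hostname drops userinfo and port, so https://trusted@evil.example
    # yields evil.example and is compared, not the trusted-looking prefix.
    host = parsed.hostname
    if host is None or host not in allowed_hosts:
        return default
    return landing_page
```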

 

Conclusion

This is just a small sampling of incidents from recent years, specifically chosen for the ease with which they can be explained and used as examples.

http://www.cvedetails.com/top-50-products.php?year=2017

The top 10 products with vulnerabilities in 2017, as of 19 March 2017, are listed at the link above. Of these, the Linux kernel (powering most servers in the world), Android and iOS, Mac OS X, Chrome and Safari all make the list.

Cybersecurity affects all of us, and given the prevalence of technology in everybody’s lives, we should all at least have an awareness of the potential harm the lack of it can cause.

 

References

  1. Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption — The Panama Papers. (2016, April 3). Retrieved March 16, 2017, from https://www.occrp.org/en/panamapapers/overview/intro/
  2. Gupta, R. (2016, April 9). The Panama Papers Signal A New Kind of Cyber Attack. Retrieved March 16, 2017, from http://fortune.com/2016/04/09/panama-papers-mossack-fonseca/
  3. Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal. (2016, April 08). Retrieved March 16, 2017, from https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
  4. D. (2016, October 26). SC: 3.6 million Social Security numbers stolen from state Department of Revenue (update 1). Retrieved March 17, 2017, from https://www.databreaches.net/sc-3-6-million-social-security-numbers-stolen-from-state-department-of-revenue/
  5. Identity Theft And Cybercrime. (n.d.). Retrieved March 17, 2017, from http://www.iii.org/fact-statistic/identity-theft-and-cybercrime
  6. Hunt, M. T. (2017, February 28). 821,000 user records exposed due to misconfigured MongoDB for smart stuffed toys. Retrieved March 18, 2017, from http://www.networkworld.com/article/3175508/security/821-000-user-records-exposed-due-to-misconfigured-mongodb-for-smart-stuffed-toys.html
  7. 1139 — CloudFlare: CloudFlare Reverse Proxies are Dumping Uninitialized Memory — project-zero — Monorail. (2017, February 19). Retrieved March 18, 2017, from https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
  8. Graham-Cumming, J. (2017, February 24). Incident report on memory leak caused by CloudFlare parser bug. Retrieved March 18, 2017, from https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
  9. Muthiyah, L. (2017, April 01). Hacking Facebook Pages. Retrieved April 10, 2017, from https://www.7xter.com/2015/08/hacking-facebook-pages.html
  10. Hackers arrested over data leakage. (2014, February 27). Retrieved April 10, 2017, from http://koreajoongangdaily.joins.com/news/article/Article.aspx?aid=2985550
  11. Constantin, L. (2017, February 10). Recent WordPress vulnerability used to deface 1.5 million pages. Retrieved April 10, 2017, from http://www.pcworld.com/article/3168846/security/recent-wordpress-vulnerability-used-to-deface-1-5-million-pages.html
  12. G. (n.d.). Amazon Simple Storage Service (S3) — Open Redirect Vulnerability. Retrieved April 10, 2017, from https://cxsecurity.com/issue/WLB-2017030252

Quanheng “Q” Lim is Director of CyberOps at Horangi.

