Matt Wood of the HP Web Security Research Group shows how a hacker can change a trade show registration price by exploiting an application security vulnerability in a cloud-based service.
Today we have released a FREE Flash security tool, SWFScan (pronounced “Swiff Scan”), that will help developers find, fix and prevent security vulnerabilities in applications developed on the Adobe Flash platform. In the last few years, especially since the release of Adobe Flex (ActionScript 3), we have seen an explosion of web sites built on or containing Adobe Flash components. (An Opera Developer Center study in October 2008 found that 30-40% of web sites contained Flash.) However, as with the explosion of any technology, there is also an explosion in the discovery of ways to exploit it, and too often developers building applications on the Adobe Flash platform leave unintended security vulnerabilities in their code (e.g. hard-coding passwords and encryption keys into their applications).
Here’s a quick video of Billy Hoffman talking about a specific example, called Billy ‘Wins’ a Cheeseburger:
During the research and development of HP SWFScan, the HP Web Security Research Group tested about 4,000 SWF files and found the following issues to be the most alarming:
- 16% of Flash applications using Flash 8 and below have XSS vulnerabilities
- 77% of Flash 9 and 10 applications contain developer debugging information and source code file references
- 35% of all Flash applications violate Adobe’s security best practices
So…How does it work?
HP SWFScan takes an application developed on the Adobe Flash platform and decompiles it, revealing the ActionScript source code. The tool then performs static analysis on the ActionScript to understand the application’s behavior. SWFScan then identifies the vulnerabilities that lie under the surface of the application and are not detectable with traditional dynamic methods. (It is also the first security tool to address both ActionScript 2 and 3.)
It not only identifies the vulnerability within the code, but also describes how it can be exploited and suggests ways of remediating it (including Adobe’s best practices).
HP SWFScan can analyze any SWF file regardless of the version of Flash or ActionScript, and no matter whether it is located on your local computer or available via a URL.
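As an added example (not HP SWFScan’s own code), the Python below shows the first step such a tool has to take: unpack the SWF container (FWS is stored uncompressed, CWS is zlib-compressed) and scan the resulting bytes for string constants that look like the hard-coded passwords and encryption keys mentioned above, which a dynamic scanner talking to the running application would never see. The sample SWF and the secret-name patterns are constructed for the demo; a real decompiler goes on to parse the tags and ActionScript bytecode.

```python
import re
import struct
import zlib

# Names that suggest credentials or key material (constructed list for the demo).
SECRET_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|encryption[_-]?key)")

def swf_header(data: bytes) -> tuple[str, int, int]:
    """Return (signature, version, declared file length) from the 8-byte SWF header."""
    sig = data[:3].decode("ascii")
    version = data[3]
    length = struct.unpack("<I", data[4:8])[0]   # little-endian uncompressed size
    return sig, version, length

def swf_body(data: bytes) -> bytes:
    """Return the uncompressed body that follows the header.
    FWS = stored as-is, CWS = zlib-compressed (the LZMA 'ZWS' form is not handled here)."""
    sig, _, _ = swf_header(data)
    if sig == "FWS":
        return data[8:]
    if sig == "CWS":
        return zlib.decompress(data[8:])
    raise ValueError(f"unsupported SWF signature {sig!r}")

def printable_strings(blob: bytes, min_len: int = 6):
    """Yield runs of printable ASCII at least min_len bytes long, like the `strings` tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")

def find_hardcoded_secrets(data: bytes) -> list[str]:
    """Strings embedded in the SWF that a reviewer should treat as leaked secrets."""
    return [s for s in printable_strings(swf_body(data)) if SECRET_RE.search(s)]

# Constructed sample (not a real SWF from the page): a CWS container whose body
# starts with filler bytes standing in for the RECT/frame-rate fields and then
# holds ActionScript-style constants, two of them a hard-coded password and key.
SAMPLE_BODY = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
               b"welcome to the trade show\x00"
               b'var adminPassword = "Hunter2!";\x00'
               b"encryptionKey=0123456789abcdef\x00")
SAMPLE_SWF = b"CWS\x09" + struct.pack("<I", 8 + len(SAMPLE_BODY)) + zlib.compress(SAMPLE_BODY)

if __name__ == "__main__":
    print(swf_header(SAMPLE_SWF))
    for hit in find_hardcoded_secrets(SAMPLE_SWF):
        print("possible hard-coded secret:", hit)
```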
The HP Web Security Research Group has developed HP SWFScan to help our customers and developers around the world make the web a safer place.
Download a FREE copy here: www.hp.com/go/swfscan
As you can see, I spend most of my time thinking about web application security and what is going on in the world to do with it. (It’s my job!) Even if it isn’t your job, just a little research into web security will make you look at the WWW in a whole new way. Every day we read about new attacks on prominent websites; just yesterday we heard of the CBS website being attacked by Russian hackers. In this case they were able to distribute malware to visitors to the CBS website.
So why is it we have to do more about web application security?
Security risks are getting greater every day, and they will continue to grow as we go into 2009 and beyond. 7-10 years ago, hackers were out for a little individual fame. They might hack into a site, change some text or maybe an image, and then go boast to their underground friends. The cost to the victim was minimal, more of an inconvenience. As we all know, over the last few years what we can do on the web has become a whole lot more sophisticated, and with this we entrust a whole lot more personal, confidential information to the web world. We bank online, apply for credit and shop online, and the organisations we entrust all this information to transfer it internally across the web. As we, the end users, have changed our patterns and increased our use of the web, the cyber criminals have increased their exploitation of the web at an even greater rate. Hacking is now an industry, and it is growing. The cost to an organization can be large not only in money but also in loss of face. Yes, there is an increase in regulations out there that require organizations to meet higher security standards, but there is a whole lot more we can do as organisations and individuals.
For the last 15 years organizations have spent millions of dollars securing their perimeter with firewalls and their servers with things like Intrusion Prevention Systems (IPS). Everyone has done a pretty good job of this, and we could almost go as far as saying that the network and servers have been locked down. Millions of dollars well spent! However, the inherent architecture of the web opens holes in these systems. For example, you need to open port 80 or 443 (SSL) to allow web traffic into your organization. By allowing your trusted users in through these ports, you are also allowing hackers access to your systems. (In fact hackers love SSL: it means they can hack undetected, since encrypted traffic passes through network defenses uninspected!) Organizations need to shift their focus and invest in securing their applications to combat this. With many shifting to Web 2.0, the perimeter has simply moved, putting more control in the hackers’ hands. (I think a future blog post is required here.)
So, how do you secure your applications?
Almost all web application security vulnerabilities lie within the code itself. Yes, you guessed it (well, at least I hope you did): security vulnerabilities are code defects. You need to write secure code! Simple! Not really… we have a problem here. We have a gap. Security specialists know security but they don’t know the code, and developers know the code but they don’t know security. This is where organizations need to mandate secure coding practices and build them into the Security Program. Educating about and eliminating the OWASP Top Ten is a good start. To aid developers, there are a number of solutions out there that developers can use to scan and validate their code and at the same time teach them secure coding. (HP DevInspect is an example.)
Addressing web application security at the development level is a good approach, but to ensure your organization is best protected, and to complement secure coding, you should also check your applications for vulnerabilities during QA as well as post-production (new vulnerabilities are discovered every day). An organization serious about web application security should implement a combination of manual penetration testing and web vulnerability scanners (HP has one of these also :)) at these points.
Last year the Web Application Security Consortium did a study of almost 32,000 websites. Over 85% of these websites had a vulnerability that could give hackers the ability to read, modify and transmit sensitive data.
Are you secure? Do you actually know?