July 13, 2007
Malware's next big trends?
Always on the lookout for new and less-noticeable means for carrying out online fraud and other cyber-crimes, hackers are increasingly moving to adopt techniques including response splitting and cross-site forgery as they continue to mature their attacks, according to Web security and testing expert Jeremiah Grossman.
Grossman, founder and CTO of Web site vulnerability testing specialist WhiteHat Security, said that he has recently begun noticing more attacks in the wild that employ the two methods -- both of which have been understood for some time, but were thought to be avoided by most hackers because of their complexity and the availability of easier means to trick Web sites and end users.
While cross-site scripting (XSS) threats remain by far the most widespread method in use today by advanced hackers who seek to defraud online businesses and end users -- and Grossman expects that to be the case for the foreseeable future until more Web sites are secured from the technique -- the expert indicated that response splitting and cross-site forgery could represent the next big things in terms of vulnerability exploitation trends.
As defined by the Open Web Application Security Project (OWASP) -- which Grossman co-founded -- HTTP response splitting vulnerabilities occur when data enters a Web application through an untrusted source, most frequently an HTTP request. The data is included in an HTTP response header sent to a Web user without being validated for malicious characters.
Using the approach, an attacker feeds malicious data to a vulnerable application so that it is reflected into an HTTP response header.
To mount a successful exploit, OWASP says, the application must allow input that contains carriage return characters into the header. The characters in turn give attackers control of the remaining headers and body of the response the application intends to send, and allow them to create additional responses entirely under their control.
Using the technique, hackers are already creating a range of new attacks, including variants on the time-honored XSS theme, Grossman said.
In some cases, attackers use the approach to send requests to a Web server and get the server to respond twice. Most of the time the server passes the first request through and "chokes" on the second, said the expert. This allows the attacker to poison the cache on the server itself, gain control over whatever Web pages are served by that server, and insert XSS code into them.
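The mechanism described above, as an added illustration that is not code from the article or from WhiteHat: a redirect handler that copies an untrusted value into a header verbatim, the check that rejects line breaks before the value reaches the header, and a small parser that lists any header names the server never intended to send. All function names and the sample input are constructed.

```python
# Added example: HTTP response splitting via an unvalidated header value,
# beside the validation that stops it. Names and inputs are constructed.

def build_redirect_unsafe(location: str) -> str:
    """Vulnerable: the untrusted 'location' goes into a header verbatim."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n")

def is_header_value_safe(value: str) -> bool:
    """A header value may not contain CR, LF or NUL; check the decoded value,
    i.e. after any URL decoding the framework performs."""
    return not any(ch in value for ch in "\r\n\x00")

def build_redirect_safe(location: str) -> str:
    """Hardened: refuse to build the response rather than emit a split header."""
    if not is_header_value_safe(location):
        raise ValueError("line break in header value")
    return build_redirect_unsafe(location)

def header_names(raw: str) -> list:
    """Return the header names in the first header block of a raw response."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]          # drop the status line
    return [line.split(":", 1)[0].strip() for line in lines if ":" in line]

def injected_headers(raw: str, expected: set) -> list:
    """Headers present in the response that the application did not intend."""
    return [name for name in header_names(raw) if name not in expected]

# Constructed input: a redirect target carrying a CR/LF pair, as the article
# describes, followed by a header the application never set.
TAINTED = "/home\r\nX-Injected: 1"
EXPECTED = {"Location", "Content-Length"}

if __name__ == "__main__":
    print(injected_headers(build_redirect_unsafe(TAINTED), EXPECTED))
    print(is_header_value_safe(TAINTED))
```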
"Response splitting has been discounted for years as too hard to execute, but as soon as we began adjusting our tests to look for it we started seeing it everywhere," Grossman said. "This is already a big problem and we continue to find more and more examples; admittedly we were in the dark about its prevalence too until we started educating ourselves about it using customers' Web sites."
Cross-Site Request Forgery (CSRF), as defined by OWASP, is an attack that attempts to fool end users into loading a Web page that contains a malicious request, much like traditional phishing attacks or XSS threats.
Using the technique, hackers try to misappropriate victims' identities and privileges to carry out activities such as changing their application passwords to gain entrance to banking sites, or logging into e-commerce sites to make fraudulent purchases in their names.
In some cases, the attacks are hidden on the vulnerable sites themselves.
CSRF attacks are also known by a number of other names, including XSRF, Sea Surf, Session Riding and Hostile Linking.
Grossman said that CSRF threats and XSS attacks are most commonly being used together to swipe money from online bank accounts and the like. Utilizing the approach, hackers can essentially ride on existing Web browser sessions and remain logged in to any sites that an end user has accessed, and carry out illicit activities there.
Since the attackers act under legitimate credentials, it may prove harder for those victimized by the threats to prove to their banks or e-commerce sites that they weren't responsible for the transactions that were carried out, the expert maintains.
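The session riding described above, as an added simulation that is not code from the article or from WhiteHat: the browser attaches the session cookie to a request no matter which page triggered it, so a state-changing handler that trusts the cookie alone accepts a forged request, while one that also demands a per-session token (which a third-party page cannot read) rejects it. All names, users and values are constructed.

```python
# Added example: a state-changing handler with and without a synchronizer
# token, exercised by a forged and a legitimate request. Everything is
# constructed for illustration; no real framework is involved.
import secrets

class Session:
    """Server-side state identified by the cookie the browser sends along."""
    def __init__(self):
        self.user = "alice"                  # constructed logged-in user
        self.password = "old"
        self.csrf_token = secrets.token_hex(16)   # secret, per session

def change_password_unprotected(session: Session, form: dict) -> bool:
    """Vulnerable: the cookie alone authorizes the change, so any page the
    user loads while logged in can trigger it."""
    session.password = form["new_password"]
    return True

def change_password_protected(session: Session, form: dict) -> bool:
    """Hardened: also require the per-session token in the form body."""
    sent = form.get("csrf_token", "")
    if not secrets.compare_digest(sent, session.csrf_token):
        return False                          # reject, leave state untouched
    session.password = form["new_password"]
    return True

def forged_request(handler, session: Session) -> bool:
    """A request triggered by a third-party page: the browser supplies the
    session automatically, but the page does not know the token."""
    return handler(session, {"new_password": "chosen-elsewhere"})

def legitimate_request(handler, session: Session) -> bool:
    """A request from the site's own form, which embeds the token."""
    form = {"new_password": "n3w", "csrf_token": session.csrf_token}
    return handler(session, form)

if __name__ == "__main__":
    s = Session()
    print(forged_request(change_password_unprotected, s), s.password)
    s = Session()
    print(forged_request(change_password_protected, s), s.password)
    print(legitimate_request(change_password_protected, s), s.password)
```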
"Cross-site scripting and forgery are being used hand-in-hand, and almost everyone is vulnerable to forgery; it could become a massive problem," said Grossman, who will host an online seminar to discuss the topic on July 24.
"XSS will remain no. 1 in terms of attacks for a while, but cross-site request forgery is truly up-and-coming," he said.
Posted by Matt Hines on July 13, 2007 02:48 PM