Web Security Trends 2010
Over the last few months, Jason, Baptiste and I have gathered a lot of statistics about web security to get a better understanding of how the situation is evolving and where research will be most effective. While some of these statistics have already been used in our papers or in our web security class (CS241), many of them are still unpublished. Since these statistics seem to trigger a lot of interest, judging by the feedback I received while giving talks and lectures, I thought they would make a great first post for the rebirth of my blog. Overall we gathered statistics in three directions: server security, browser security and web security awareness.
Jason and I started by doing some data mining on the VUPEN vulnerability database to see how much “market share” the web represents. As the figure below shows, since 2005 the vulnerabilities reported in web applications have accounted for at least 40% of all reported vulnerabilities. So it is clear that web security is a big issue and deserves a lot of attention. Moreover, please bear in mind that the reported vulnerabilities affect only browsers and mainstream web applications such as WordPress and Wikimedia, which is only the tip of the iceberg. What is not accounted for in this statistic is the number of vulnerabilities found in custom web applications. It would be nice at some point to cooperate with a vulnerability scanner vendor to do some data mining, as it is not uncommon for a company to have a dozen of those. Similarly, it would be nice to have statistics on the vulnerabilities found in top websites, but these are very hard to collect (we are still working on it; if you have any idea how to do it efficiently, shoot me an email).
For those who are wondering, the spike observed in 2006 is due to the rise of XSS (cross-site scripting) and SQL injection vulnerabilities. Contrary to popular belief, XSS vulnerabilities had been around for a long time before being popularized after the Internet boom. This is clearly visible in the figure below, which is based on statistics collected by Steve Christey and Robert A. Martin from MITRE in 2007.
What Jason and I did next was to dig deeper into the VUPEN database to get a breakdown of web vulnerabilities by category. This analysis was meant to serve as a baseline for building the testbed used in our paper on the efficiency of PCI scanners. As expected, the popularization of XSS and SQL injection vulnerabilities is also visible in the figure below, but our numbers are slightly lower than MITRE's. One explanation is that part of the value of the VUPEN database lies in the uniqueness of each entry: the VUPEN team does a great job of aggregating duplicate vulnerability reports. The other factor is the presence in our categorization of XCS (cross-channel scripting), which was not part of the MITRE categorization:
I won’t discuss this figure too much, as that is already done in this paper. For me, the important point this figure shows about the evolution of web security is that web security is even more difficult today than it was before. Back in 2005, web security was only about testing a few attack vectors, mainly XSS and SQL injection. In 2010, the situation is far more complex, as the number of attack vectors has exploded. For instance, how many of you have heard of the new attack released in May named “Cross Site URL Hijacking”? In a nutshell, this attack allows an attacker to learn the URL parameters of a page in a different origin by abusing the Firefox error object. While this attack might seem innocuous, it has serious privacy implications.
The fact that web security is (becoming) a very complex field is supported by another statistic Baptiste and I collected while building our web security testbed, webseclab. We looked at Jeremiah Grossman’s blog to compute a trend of how many new web attack vectors are discovered every year. We chose to use Jeremiah’s data because he does an amazing job of keeping track of what happens in the web security world. As the figure below shows, which represents the cumulative number of attack vectors discovered over the last four years, the number of vectors to understand and test increases almost linearly:
The fact that the number of attack vectors increases at a steady pace poses a serious challenge. Obviously, this steady pace forces the community to continuously build and update tools that help web developers detect whether their web applications are vulnerable to these new attacks, but more deeply it also raises the question of how to educate web developers. I strongly believe that education is the key to web security, because every web application has its own specificities, so unless web developers have a clear understanding of what an attacker can do, the problem will only get worse. As a matter of fact, with this steady stream of new attack vectors, even if you are able to keep track of what is going on (and this is a full-time job), assessing how serious the threat posed by a new attack vector is, and what to do about it, is next to impossible without a strong web security background.
A good example of why a strong background in web security is important for web developers is clickjacking: I recall recently reading a blog post (I think it was one of Jeremiah’s) wondering whether web developers were paying attention to clickjacking attacks. Well, they obviously are not, as shown in one of our recent papers, and one reason web developers don’t pay much attention is that the consequences of clickjacking attacks are hard to assess without the right background. For instance, how many of you know that you can steal the content of the framed page with a “drag-and-drop clickjacking” attack? Speaking of which, we will demonstrate many new framing-based attacks at Blackhat USA this year.
Another long-standing example that emphasizes that knowledge is essential to web security is CSRF attacks: even 4 years after the media put this kind of attack in the spotlight, there are still people wondering whether it is really dangerous. If you still don’t believe it is, ask the people who had their Gmail accounts backdoored.
To end this post on a bright note, Baptiste and I looked at the number of web security trainings offered at Blackhat. We chose to look at these trainings because they reflect the willingness of companies to invest in web security education. It turns out that over the last two years, as the figure below shows, the number of trainings offered has exploded. This supports the hypothesis that web security education is important and that people are aware of it.