While working on the WASC Threat Classification v2.0 project, I got to think about the subject of classifying web application threats once again… You see, I have been dealing with Web Application Security Threat Classification since I started working on AppScan, approximately 7 years ago. back then (the Sanctum days), things were a lot simpler, the threat classes that were used in the product and in presentations, were proprietary, and were invented mainly for educational and marketing purposes.
The "10 Types of Hacks":
- Hidden Manipulation
- Cookie Poisoning
- Backdoor & Debug Options
- Buffer Overflow
- Stealth Commanding
- 3rd. party misconfiguration
- Known Vulnerabilities
- Parameter Tampering
- Cross Site Scripting
- Forceful Browsing (not to be mistaken with Directory Listing, this is actually the ability to access files that were not intended to be accessed by web users)
From the first day I laid my eyes on this classification system, it was obvious that it was severely flawed. Some classes, where actually sub-classes of others, for example:
- XSS can be classified under Parameter Tampering, or even sometimes Cookie Poisoning
- Buffer Overflows can occur in Cookies (Cookie Poisoning), or in a parameter (Parameter Tampering)
- Did they classify threats according to the hacking techniques used by the hacker? (e.g. Parameter Tampering)
- Did they classify threats according to the weakness on the application's side? (e.g. 3rd. party misconfiguration)
- Did they classify techniques according to the attack outcome/goal?
The "J" types of hacks:
The main difference between the J-types of hacks, and the 10-types of hacks, was that the J-types, was classified according to the outcome of the attack, and not according to the technique used by the hacker. The types were:
- Information gathering - Examples: path disclosure, error messages mining
- Script source disclosure - Examples: +.htr, ::$DATA, Translate: f (HTTP), appending .BAK to script files.
- File download - Examples: adding ../../../../boot.ini to the PATH, sending ../../../../boot.ini as a parameter value.
- Directory listing - Example: Chopping the path of a request for directory indexing
- Session hijacking/impersonation - Example: Session cookie manipulation, Cross site scripting.
- Command execution - Examples: Perl's pipe in a parameter, IIS's double decoding and Unicode issues.
- Denial of Service. Example - overlong URL, overlong parameter value, overlong HTTP header.
- Privilege Escalation - Example: e.g. requesting /phpmyadmin/ to get a database console.
- Database query manipulation - Example: Injecting various SQL queries
- e-Shoplifting - Example: price mutations, other logical flaws
Pay attention to the “Denial of Service”, we’ll get back to it in a few minutes…
Fast forward to more recent times, WASC introduced the Web Application Threat Classification Project (in which I participated), and it is time to refresh the project, and start working on v2.0. In one of the email threads, we have noticed some problems in the classification system. To make a long story short, here's an email I've issued after noticing the problem:
I think the bigger issue here, is that we need to decide if this project classifies attack techniques or weaknesses. I don't believe it should classify both under the same umbrella. The term "Threat" might have been an unfortunate choice, as it is ambiguous in this context. Actually, I have been thinking about something a bit more troubling - what happens if a certain attack technique, can exploit more than one "threat" - my best example is:
Here's my suggestion for unraveling this knot:
- SQL Injection, which is used to bypass the login page (e.g. ' or 1=1--). This would be classified under "Authentication Bypass"
- SQL Injection, which is used to execute a remote command on the DB server (e.g. xp_cmdshell), which would be classified under "Command Execution"
- We change the name of the project to "Web Application Attack Classification" (the same attack can be classified under several categories, depending on its use)
- We create a different project called "Web Application Weaknesses Classification"
- We can create a mapping between #1 and #2 (probably would be many-to-many)
In addition, the WASC TCv2, classifies some threats that are actually Attack Goals (outcome) for example - Denial of Service (DoS), which is an outcome, and not an attack technique per se. DoS can be performed in many different ways -
- SQL Injection - drop the entire database, and deny service from users
- Buffer Overflow - perform a buffer overflow attack that crashes the application or the web server
- Endless application loop - exploit an endless loop condition in the application to consume resource
So what is the moral of this post? I'm not sure...
I guess the WASC TCv2 can do the job at the moment, even if it is not completely accurate. BTW, those who want to go hardcore on accuracy, should check out the MITRE CWE project, it is VERY comprehensive, but also very exhaustive. Maybe there's no way around it - classifying web application threats is not that trivial.
Maybe in one of the next posts, I'll talk about other classification systems that are out there.