some of the open challenges associated with this rising threat.

Web Attacks

As Web browsers have become more capable and the Web richer in features, it is difficult for the average user to understand what happens when visiting a Web page. In most applications, visiting a Web page causes the browser to pull content from a number of different providers, for example, to show third-party ads, interactive maps, or online videos. The sheer number of possibilities to design Web pages and make them attractive to users is staggering. Overall, these features increase the complexity of the components that constitute a modern Web browser. Unfortunately, each browser component may introduce new vulnerabilities an adversary can leverage to gain control over a user's computer. Over the past few years we have seen an increasing number of browser vulnerabilities [5, 8], some of which have not had official fixes for weeks.

For an adversary to exploit a vulnerability, the user must visit a Web page that contains malicious content. One way to attract user traffic is to send spam email messages that advertise links to malicious Web pages. However, this delivery mechanism has some drawbacks. For the exploit to be delivered, the user must open the spam email and then click on the embedded link. The ubiquitous Web infrastructure provides a better solution to this bottleneck. While it is easy to exploit a Web browser, it is even easier to exploit Web servers. The relative simplicity of setting up and deploying Web servers has resulted in a large number of Web applications with remotely exploitable vulnerabilities. Unfortunately, these vulnerabilities are rarely patched, and therefore, remote exploitation of Web servers is increasing. To exploit users, adversaries just need to compromise a Web server and inject malicious content, for example, via an IFRAME pointing to an exploit server. Any visitor to such a compromised Web server becomes a target of exploitation. If the visitor's system is vulnerable, the exploit causes the browser to download and execute arbitrary payloads. We call this process "drive-by download." Depending on the popularity of the compromised Web site, an adversary may get access to a large user population. Last year, Web sites with millions of visitors were compromised that way.

Many drive-by downloads can be detected automatically via client honeypots. However, when adversaries use social engineering to trick the users into installing malicious software, automated detection is significantly complicated.

Taking Over Web Servers. Turning Web servers into infection vectors is unfortunately fairly straightforward. Over the last couple years, we have observed a number of different attacks against Web servers and Web applications, ranging from simple password guessing to more advanced attacks that can infect thousands of servers at once. In general, these attacks aim at altering Web site content to redirect visitors to servers controlled by the adversary. Here, we expand on some examples of recent dominant server attacks.

SQL Injection Attacks. SQL injection is an exploitation technique commonly used against Web servers that run vulnerable database applications. The vulnerability arises when user input is not properly sanitized (for example, by filtering escape characters and string literals), so that well-crafted user input is interpreted as code and executed on the server. SQL injection has been commonly used to perpetrate unauthorized operations on a vulnerable database server, such as harvesting users' information and manipulating the contents of the database. In Web applications that use a SQL database to manage user authentication, adversaries use SQL injection to bypass the login and gain unauthorized access to user accounts or, even worse, to gain administrative access to the Web application. Other variants of these attacks allow the adversary to directly alter the contents of the server's database and inject the adversary's own content.
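The defect described above, shown as an added example that is not from the article: a login query that splices user input into the SQL text, next to the parameterized form that keeps the same input as data. The user table, credentials and the `login_vulnerable`/`login_safe` functions are constructed for illustration.

```python
import sqlite3

# Constructed in-memory user table, standing in for the Web application's
# authentication database discussed in the text.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 'admin')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2', 'user')")
    conn.commit()
    return conn

def login_vulnerable(conn, user, pw):
    # The defect: input is spliced into the SQL text, so a quote character in
    # the input terminates the string literal and the rest is parsed as SQL.
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (user, pw)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, user, pw):
    # Hardened form: placeholders bind the input as a value; the database
    # never parses it as part of the statement, whatever characters it holds.
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None

# Crafted input of the kind the text refers to: it closes the string literal
# and appends a condition that is always true.
CRAFTED = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "hunter2"),   # 'user'
        "vuln_crafted": login_vulnerable(conn, "admin", CRAFTED),    # 'admin': login bypassed
        "safe_normal": login_safe(conn, "alice", "hunter2"),         # 'user'
        "safe_crafted": login_safe(conn, "admin", CRAFTED),          # None: treated as a bad password
    }

if __name__ == "__main__":
    for name, role in demo().items():
        print(name, role)
```

The same input reaches the database in both cases; only the parameterized version keeps it from changing the query's structure.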

Last year, a major SQL injection attack was launched by the Asprox botnet. In this attack several thousand bots were equipped with an SQL injection kit that starts by sending specially crafted queries to Google searching for servers that run ASP.net, and then launches SQL injection attacks against the Web sites returned from those queries. In these attacks the bot sends an encoded SQL query containing the exploit payload (similar to the format shown here) to the target Web server.

http://www.victim-site.com/asp_application.asp?arg=<encoded sql query>

The vulnerable server decodes and executes the query payload which, in the

44 Communications of the ACM | April 2009 | Vol. 52 | No. 4
