Sleepy Dragon · 2014/08/06 12:48

Information from WooYun

A1 - Internet data leaks / credential stuffing attacks


Armed with a large volume of leaked user data, attackers exploit the common habit of registering everywhere with the same username and password and try those credentials against other sites. In 2011 a series of Internet leaks shook the entire information security community and showed that traditional username + password authentication could no longer meet existing security needs. The leaked data included: Tianya 31,758,468 records, CSDN 6,428,559 records, Weibo 4,442,915 records, Renren 4,445,047 records, Mop 2,644,726 records, 178 9,072,819 records, Dudu 13,891,418 records, 7K7K 18,282,404 records, about 120 million in total.

Classic case:

WooYun: The CSDN database was leaked, exposing a large number of user accounts and passwords

At the end of November it was disclosed on WooYun that the CSDN database had been leaked. Users' usernames and plaintext passwords spread across the Internet, revealing the tip of the iceberg of the Internet database leak events, and the stolen databases of a number of large websites began to circulate online.

A2 - Use of insecure third-party applications


This covers third-party open source applications, components, libraries, frameworks and other software modules. Over the past few years the security community has made great strides in assessing how to handle vulnerabilities, yet almost every business system relies increasingly on third-party applications, which increases the threat of system intrusion. Because third-party applications are deployed alongside the business system, a vulnerable third-party application that gets exploited leads to serious data theft or destruction of the system.

Classic case:

WooYun: Improper operations and maintenance of the Taobao main site allows logging in as arbitrary users and obtaining sensitive server information

The disclosure of the OpenSSL vulnerability caused many large Internet companies to suffer.

A3 - System errors / logic defects that enable brute-force guessing


Because of the business characteristics of application systems, many interfaces are opened for processing data. If these interfaces or functions are not strictly controlled or checked, they accelerate an attacker's progress against the application and greatly reduce the human cost of discovering weaknesses. As modular automated attack kits become more sophisticated, they will pose the greatest threat to applications.

Classic case:

WooYun: Big companies criticized series #1: reset any Jingdong user's password

Jingdong employees' email login was reachable from the Internet, allowing brute-force guessing of many employees' weak email passwords.
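Both A1 and A3 leave the same kind of trace in authentication logs, and the following detector is an added example (not code from the WooYun article) that separates the two: a credential-stuffing run shows up as one client address cycling through many different usernames with the occasional success, while weak-password guessing shows up as many failures against one account. The log format, the thresholds and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (hypothetical format: "<timestamp> <client ip> <username> <OK|FAIL>").
# First block: one source IP trying many different accounts with a single hit (stuffing pattern).
# Second block: one account receiving many failures in a row (brute-force pattern).
SAMPLE_LOG = "\n".join(
    [
        "2014-08-06T12:00:01 203.0.113.5 alice FAIL",
        "2014-08-06T12:00:02 203.0.113.5 bob FAIL",
        "2014-08-06T12:00:02 203.0.113.5 carol FAIL",
        "2014-08-06T12:00:03 203.0.113.5 dave OK",
        "2014-08-06T12:00:03 203.0.113.5 erin FAIL",
        "2014-08-06T12:00:04 203.0.113.5 frank FAIL",
    ]
    + [f"2014-08-06T12:01:{i:02d} 198.51.100.7 admin FAIL" for i in range(1, 9)]
    + ["2014-08-06T12:02:01 192.0.2.9 alice OK"]
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse the sample format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def detect(events, stuffing_min_users=5, bruteforce_min_failures=5):
    """Return alerts for the two patterns.

    credential_stuffing: one client IP touching many distinct usernames, which is what replaying
    a leaked username/password list looks like from the victim site's side.
    brute_force: one username accumulating many failed attempts, the weak-password guessing case.
    """
    users_by_ip = defaultdict(set)
    successes_by_ip = defaultdict(int)
    failures_by_user = defaultdict(int)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if e["ok"]:
            successes_by_ip[e["ip"]] += 1
        else:
            failures_by_user[e["user"]] += 1

    alerts = []
    for ip, users in users_by_ip.items():
        if len(users) >= stuffing_min_users:
            alerts.append({"type": "credential_stuffing", "ip": ip,
                           "distinct_users": len(users), "successes": successes_by_ip[ip]})
    for user, fails in failures_by_user.items():
        if fails >= bruteforce_min_failures:
            alerts.append({"type": "brute_force", "user": user, "failures": fails})
    return alerts


def failure_ratio(events):
    """Site-wide failed-login ratio: a sudden jump is the signal that remains when a stuffing
    run is spread over many addresses and each one stays under the per-IP threshold."""
    if not events:
        return 0.0
    failed = sum(1 for e in events if not e["ok"])
    return failed / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect(evs):
        print(alert)
    print(f"failure ratio: {failure_ratio(evs):.2f}")
```

The `successes` count on a stuffing alert is the actionable part: those are the accounts whose reused password was confirmed, and they need a forced reset rather than just a blocked address.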

A4 - Sensitive information / configuration information leakage


Because there is no universal standard of defensive rules, middleware configuration information, DNS information, business information, customer information, source code backup files, version control tool data, sensitive information in system error messages and address information (backend or test addresses) leak out. An attacker can collect this unprotected data and use it to mount further attacks on the system.

Classic case:

WooYun: Ctrip's secure payment log can be traversed and downloaded, disclosing a large number of users' bank card information (including cardholder name, ID card number, bank card number, CVV code and the 6-digit card BIN)

Sensitive user information was placed in the web directory, so it could be downloaded directly.

A5 - Incorrect configuration / default configuration of applications


Before deployment, most applications, middleware and server programs lack a strict security configuration definition and a deployment based on a security baseline, which makes further attacks easier. Common risks include: default Flash configuration, default Access database paths, incorrect WebDAV configuration, incorrect Rsync configuration, and default backend and management passwords on application servers, web servers and database servers.

Classic case:

WooYun: Sensitive information leakage series #6: server default configuration leads to massive user information leakage.

Backup databases could be browsed and downloaded directly.
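The A4 and A5 cases above (a downloadable payment log, a browsable backup database, a default Flash policy, default management passwords) are all things a pre-deployment check can catch before the site goes live. The following is an added example, not code from the WooYun article, of such a baseline check: it classifies files found under a web root against patterns that should never be web-reachable, flags a `crossdomain.xml` that grants access to every domain, and scans a key/value config for default passwords. The pattern lists, the default-password set and the sample paths and config are constructed assumptions to be extended for a real stack.

```python
import fnmatch
import re

# File classes that must never be reachable under a web root (assumed starting list).
SENSITIVE_FILE_PATTERNS = [
    ("backup", ["*.bak", "*.old", "*.orig", "*~", "*.swp"]),
    ("database_dump", ["*.sql", "*.sql.gz", "*.mdb", "*.sqlite", "*.db"]),
    ("archive", ["*.zip", "*.tar", "*.tar.gz", "*.rar", "*.7z"]),
    ("vcs_metadata", [".git/*", ".svn/*", ".hg/*"]),
    ("policy_or_debug", ["crossdomain.xml", "phpinfo.php", "*.log"]),
    ("config", [".env", "*.ini", "web.config", "*.conf"]),
]

# Passwords that indicate a default or placeholder was never changed (assumed set).
DEFAULT_PASSWORDS = {"", "admin", "password", "123456", "root", "changeme"}

# Constructed sample: paths relative to a web root, as a deployment check would list them.
SAMPLE_WEBROOT = [
    "index.php",
    "static/app.js",
    "backup/site_2014-08.sql",
    "upload/users.xls.bak",
    ".git/config",
    "crossdomain.xml",
    "admin/config.ini",
]

# Constructed sample Flash policies: the first one lets any site read the responses.
PERMISSIVE_CROSSDOMAIN = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
STRICT_CROSSDOMAIN = '<cross-domain-policy><allow-access-from domain="www.example.com"/></cross-domain-policy>'

# Constructed sample config with two unchanged defaults.
SAMPLE_CONFIG = """\
db.user = root
db.password = admin
admin_pwd = ""
api.secret = S3cure!x
"""


def audit_webroot(paths):
    """Return (path, category) for every file matching a sensitive pattern, first category wins."""
    findings = []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        for category, patterns in SENSITIVE_FILE_PATTERNS:
            if any(fnmatch.fnmatchcase(path, p) or fnmatch.fnmatchcase(base, p) for p in patterns):
                findings.append((path, category))
                break
    return findings


def crossdomain_allows_any(xml_text):
    """True when a Flash cross-domain policy contains an allow-access-from rule for domain="*"."""
    return re.search(r'<allow-access-from[^>]*\bdomain\s*=\s*"\*"', xml_text) is not None


def weak_config_passwords(config_text):
    """Return the keys of password-like settings whose value is a known default."""
    hits = []
    for line in config_text.splitlines():
        m = re.match(r"\s*([\w.]*(?:pass|pwd)[\w.]*)\s*=\s*['\"]?([^'\"\s]*)['\"]?\s*$", line, re.I)
        if m and m.group(2).lower() in DEFAULT_PASSWORDS:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path, category in audit_webroot(SAMPLE_WEBROOT):
        print(f"{category:16} {path}")
    print("crossdomain wildcard:", crossdomain_allows_any(PERMISSIVE_CROSSDOMAIN))
    print("default passwords in:", weak_config_passwords(SAMPLE_CONFIG))
```

In a real pipeline the path list would come from walking the deployed document root, and any finding should fail the deployment rather than just print, since a backup file that survives to production is exactly the A5 case above.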

A6 - SQL injection vulnerabilities


Injection flaws are not limited to SQL; they include command, code, variable, HTTP response header and XML injection, among others. Programmers write code without checking the validity of user input, and injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data tricks the interpreter into executing unintended commands or accessing data without proper authorization.

Classic case:

WooYun: xiami.com SQL injection; 14 million user records, all kinds of transaction data and main-site data can be dumped, urgent!!

As a classic vulnerability that can directly affect core data, it still appears frequently.

A7 - XSS cross-site scripting / CSRF


A type of code injection, XSS occurs when an application takes untrusted data and sends it to the browser, or to a client-side scripting container it supports, without proper validation or escaping. XSS lets an attacker execute scripts in a victim's browser to hijack the user's session, tamper with the site's DOM structure, or redirect the victim to a malicious site.

Classic case:

WooYun: Massive, covert theft of Taobao/Alipay accounts and passwords (Lightning attack, with video demo)

What XSS attacks most hope to achieve is covert, long-term control, and this vulnerability achieved exactly that.
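The two halves of the A7 heading have two different server-side fixes, and the following added example (not code from the WooYun article) shows both: output escaping turns a stored `<script>` comment into inert text, and a per-session HMAC-derived token rejects a state-changing request that did not originate from the site's own form. The cookie flags limit what a script or a cross-site request can do with the session even if the first line of defence fails. The rendering functions, the token scheme and the sample comment are constructed assumptions, not a particular framework's API.

```python
import hashlib
import hmac
import html
import secrets

# Constructed attacker-style comment body: the canonical probe for a missing escape.
SAMPLE_COMMENT = "<script>alert(1)</script>"

# Server-side key for CSRF tokens, generated once at process start in this example.
SERVER_KEY = secrets.token_bytes(32)


def render_comment_unsafe(author, body):
    # BAD: untrusted text is pasted straight into the HTML document and the browser parses it.
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    # GOOD: escape for the HTML element context, so the browser displays the text instead.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def session_cookie_header(session_id):
    # HttpOnly keeps document.cookie from reading the session; Secure and SameSite limit where
    # the browser will send it, which narrows both session theft and cross-site requests.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def make_csrf_token(session_id, key=SERVER_KEY):
    """Token the server embeds in its own forms; derived from the session so nothing is stored."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted_token, key=SERVER_KEY):
    """True only when the submitted token matches the one issued for this session."""
    expected = make_csrf_token(session_id, key)
    return hmac.compare_digest(expected, submitted_token or "")


if __name__ == "__main__":
    print(render_comment_unsafe("mallory", SAMPLE_COMMENT))
    print(render_comment_safe("mallory", SAMPLE_COMMENT))
    print(session_cookie_header("example-session-id"))
    token = make_csrf_token("sess-1")
    print("own form:", verify_csrf("sess-1", token), "forged:", verify_csrf("sess-1", "0" * 64))
```

`html.escape` is correct for text placed between tags; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead, which is why template engines with context-aware auto-escaping are the preferred fix over hand-placed calls.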

A8 - Unauthorized access / permission bypass


Most business applications only verify authorization information on the client side, or do not enforce access control rules at all. If the server does not check the integrity of requests coming from the client, an attacker can forge requests to reach unauthorized functions.

Classic case:

WooYun: Unauthorized access to an important Sogou backend (involving important functions and statistical information)

Backends with important functions must be secured.

A9 - Lax control of the account system / unauthorized operations


Application functions related to authentication and session management are frequently exploited: attackers retrieve user passwords from social engineering databases, or access data that does not belong to them by bypassing authorization controls using keys, session tokens, GSIDs and other information obtained through leaks. If the server does not verify the identity behind a request from the client, an attacker can forge requests and steal data from every business system.

Classic case:

WooYun: Log in as any of LeTV's 22 million users

Unauthorized access as any user.
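A8 and A9 are the two checks a server must make on every request: who is really asking (a session token the client cannot forge or alter) and whether that identity may touch this particular object. The following added example (not code from the WooYun article) shows a handler that trusts a client-supplied user field, which is the "verify on the client only" defect from A8, next to one that takes identity solely from an HMAC-signed, expiring session token and then checks ownership of the requested record. The token format, the `ORDERS` table and the request dicts are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Signing key for session tokens, generated once at process start in this example.
SERVER_KEY = secrets.token_bytes(32)

# Constructed records: order id -> owner and amount.
ORDERS = {
    101: {"owner": "alice", "total": 42},
    102: {"owner": "bob", "total": 7},
}


def issue_session(user_id, key=SERVER_KEY, ttl=3600, now=None):
    """Server-issued token: base64(json payload) + HMAC tag, so the client cannot change the uid."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now + ttl)}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session(token, key=SERVER_KEY, now=None):
    """Return the user id bound to a valid, unexpired token, otherwise None."""
    if not token or "." not in token:
        return None
    body, sig = token.split(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if payload.get("exp", 0) < now:
        return None
    return payload.get("uid")


def get_order_vulnerable(request):
    # BAD: the "user" field is whatever the client sent, so any caller can name the owner of the
    # order it wants to read; the check looks like authorization but verifies nothing.
    order = ORDERS.get(request.get("order_id"))
    if order and order["owner"] == request.get("user"):
        return order
    return {"error": "forbidden"}


def get_order_safe(request):
    # GOOD: identity comes only from the verified session, then ownership is checked per object.
    uid = verify_session(request.get("session"))
    if uid is None:
        return {"error": "unauthenticated"}
    order = ORDERS.get(request.get("order_id"))
    if order is None or order["owner"] != uid:
        return {"error": "forbidden"}
    return order


if __name__ == "__main__":
    print("vulnerable, claiming to be bob:", get_order_vulnerable({"user": "bob", "order_id": 102}))
    alice = issue_session("alice")
    print("safe, alice reads own order:  ", get_order_safe({"session": alice, "order_id": 101}))
    print("safe, alice reads bob's order:", get_order_safe({"session": alice, "order_id": 102}))
```

Returning the same "forbidden" response for a missing order and for someone else's order avoids confirming which ids exist, which matters when ids are sequential as in the LeTV case above.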

A10 - Internal leakage of critical information / documents


Businesses and individuals increasingly rely on electronic devices to store, process and transmit information, and enterprises' important data is stored as files on electronic devices or in data centers. For convenience, employees or programmers often copy confidential data to removable storage media or upload it to the Internet. Once such information leaks, the enterprise's security risk rises directly.

Classic case:

WooYun: Sensitive information leakage at Taobao allows entering an important backend (using a large number of sensitive functions and controlling internal servers)

There is always something interesting to find on sharing sites like GitHub or Baidu Netdisk.
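The cheapest control against the A10 scenario (and the version-control leakage mentioned under A4) is a scan of file contents before they leave the organisation, whether by commit hook, upload gateway or mail filter. The following is an added example, not code from the WooYun article, of a minimal scanner of that kind: it looks for private-key headers, password-style assignments and internal address ranges, and adds a Shannon-entropy test that catches random-looking credentials no fixed pattern would name. The pattern set, the entropy threshold and the sample file are constructed assumptions to be tuned for real data.

```python
import math
import re
from collections import Counter

# Detection patterns (assumed starting set; extend with your organisation's own key formats).
SECRET_PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['\"]?([^'\"\s]{6,})")),
    ("internal_host",
     re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
]

# Any run of 20+ token characters is tested for randomness; words and identifiers sit well below
# the threshold, machine-generated credentials sit well above it.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 3.5   # bits per character

# Constructed sample of a deployment notes file an employee might upload for convenience.
SAMPLE_FILE = """\
# deploy notes (constructed sample)
db_host = 10.20.30.40
db_password = "Hunter2Hunter2"
api_token = Zk3QqP9xT7vL2mN8bR4sW6yH1jC0dF5g
greeting = "hello world"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text):
    """Return (line_number, kind) findings over the text of a file about to be shared."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy"))
                break   # one entropy finding per line is enough
    return findings


def should_block(text):
    """Policy hook: block the transfer if anything was found."""
    return len(scan_text(text)) > 0


if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind}")
    print("block upload:", should_block(SAMPLE_FILE))
```

The entropy test is what makes the scanner useful against the sharing-site problem: a credential pasted into a script rarely sits next to the word "password", but it still looks like 32 characters of noise.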

Thanks to Pigman for contributing to this article.