News Stay informed about the latest enterprise technology news and product updates.

MD5 hash vulnerability is expert's top Web security flaw

Jeremiah Grossman told RSA Conference 2010 attendees that a successful defense against Web-based flaws requires both a secure browser and a secure website infrastructure.

SAN FRANCISCO -- One of the infosec industry's top Web security gurus said a hash algorithm flaw, discovered more than a year ago, may well be the most dangerous security flaw on the Web. 

"A website must be able to defend against a hostile user, and a browser must be able to defend against a hostile webpage."
Jeremiah Grossman, Chief Technology Officer WhiteHat Security Inc.

During a session at the 2010 RSA Conference, WhiteHat Security chief technology officer Jeremiah Grossman formally presented his list of the top 10 Web hacking techniques of the past year. First revealed on his blog in January, Grossman's fourth-annual list is intended to shed light on obscure but significant exploit research that would otherwise go unnoticed.

At the top of the list was the ability to create a rogue certificate authority, which essentially defeats the Internet's trust infrastructure and makes it difficult for users to know which sites and certificates are trustworthy. 

MD5 weakness:

Rogue digital certificates strike blow to Internet security: Security researchers exploit weaknesses in digital certificates to bypass browser security. Experts say the method is within reach of well-funded cybercriminals.

Originally discovered in late 2008 by a team of security researchers, including independent researcher Alex Sotirov, the flaw exploits a weakness in the MD5 hash algorithm that under special circumstances allows a collision attack in the form of a duplicate fake digital fingerprint.

Grossman said MD5 is still used by some CAs, but is being phased out in favor of the more secure SHA-1 hash function, which is not vulnerable.

Second on the list was a technique called HTTP parameter pollution. Using multiple requests to websites, it's possible to bypass input validation checkpoints and Web application firewalls to modify not only webpage content, but also the behavior of client-side applications.

"You can change back-end actions by using multiple URL parameters of the same name," Grossman said. "It's also very possible to get users to blow up their own Yahoo Mail accounts."

Grossman was unable to cover each hacking technique in detail, but he did highlight several that pose a particularly significant risk to private intranets. Included among those was DNS rebinding. The method, which has several techniques, basically exploits DNS servers and the methods in which browsers acquire IP addresses to make secure intranet zones accessible to attackers.

Even though DNS rebinding has been known for several years, Grossman said it remains "more or less completely unfixed on the Web … It can actually turn browsers into network proxies to do [attackers'] bidding. It's a very wild attack."

Similarly, another method, RFC-1918, also enables attackers to gain access to trusted intranets using man-in-the-middle attacks involving iframe injections pointing to non publicly-routable IP addresses. 

"All of the sudden you have cached Javascript malware on their browsers," Grossman said. "Even if the victims close their browsers, it remains cached forever because the attacker was in the stream."

Attendee Glenn Ridnour, director of information technology for Dallas-based engineering firm Huitt-Zollars Inc., said not all of Grossman's talk was new, but the flaws that gave attackers intranet access were particularly disturbing because of the ease with which attackers can pivot from one machine to another.

"We spend a lot of time building firewalls and filters," Ridnour said, "but one exploit makes it all not matter."

The key theme of Grossman's session was that successful defense against Web-based flaws requires both a secure browser and a secure website infrastructure.

"A website must be able to defend against a hostile user, and a browser must be able to defend against a hostile webpage," Grossman said. "You can't fly with one wing, so to speak."

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.