Report Introduction
With the arrival of the Internet+ era, people enjoy the convenience brought by new scientific and technological innovation, but the interconnection of everything also brings growing information security risks. Information leakage is especially prominent in the financial sector, where huge amounts of money and concentrated user information make the security impact far-reaching. People can see that the original financial service model has been overturned by online banking, third-party payment, internet finance and other emerging models, and in these new business models users' own names, *** numbers, mobile phone numbers and other identity authentication information are tightly bound to the business. The growth of the Internet has therefore cut a gap in the traditional information defence system, breaking the seemingly unbreakable protection around users' core data. In this context, the An Huaqin Database Defense Laboratory selected three months of financial industry data security vulnerabilities as a sample, and describes in detail the distribution of security vulnerabilities in the financial industry, their causes, and the corresponding defence methods.
The core point of this report
Analysis of vulnerability segmentation in financial industry
Analysis of the causes of financial data leakage
Financial Industry vulnerability intrusion prevention recommendations
Report Body
Over the three months from September to November 2015, An Huaqin counted 206 security vulnerabilities confirmed by financial-industry customers on the WooYun (Dark Cloud) vulnerability platform: 195 high-risk, 9 medium-risk and 2 low-risk. Of these 206 vulnerabilities, 110 were directly related to data leakage, accounting for 53% of the total.
Analysis of vulnerability segmentation in financial industry
In recent years, driven by industry policy and market demand, the financial industry has begun to move its services onto the Internet. Ordinary business and then deeper business will gradually go online, pushing the entire financial industry towards full migration to the Internet. Because of the nature of the financial industry, criminals of all kinds have long had their eyes on it, and some insiders, driven by profit, lower their moral bottom line and steal data from within, so the security fortress is breached from the inside. With internal and external security problems concentrated together, financial security is becoming more dangerous. The border security defence mechanism that the financial industry has built up over many years must now face the new problems brought by the Internet.
An Huaqin breaks the financial industry's security vulnerabilities down into four categories: banking, insurance, internet finance, and other financial institutions (including securities, funds, futures, payment and other finance-related institutions). Over nearly three months, 206 financial-industry vulnerabilities were confirmed on WooYun, of which 42 came from banks, 47 from insurance and internet finance, and the rest from securities, funds, futures, payment and other financial institutions. On average, each sub-sector exposes 10 to 20 vulnerabilities per month.
Figure: Vulnerability distribution across financial sub-industries, September to November 2015
Other financial institutions have the largest number of vulnerabilities because of their wide range of businesses. Emerging internet finance, whose pursuit of business speed far outweighs its security requirements, ranks among the highest for exposed vulnerabilities and threats despite its short history. By the end of November 2015, nearly 100 Internet finance platforms nationwide had been found to have vulnerabilities.
Analysis of the causes of financial data leakage
Through statistical analysis of a large number of financial-industry security vulnerabilities, An Huaqin found that SQL injection remains the biggest threat in the financial industry, followed by command execution (framework vulnerabilities) at 13%. The proportion of privilege-bypass ("ultra vires") vulnerabilities is significantly higher than in other industries.
Figure: Types of security vulnerability in the financial sector, September to November 2015
Looking deeper into each sub-industry, it is not hard to find that:
1. In the banking industry, private banks have significantly more security vulnerabilities than state-owned banks.
2. Financial-sector vulnerabilities are serious: high-risk vulnerabilities account for 94.56% of the total.
3. Banks' app business has become the hardest-hit area for hidden vulnerabilities.
4. Application-system permission bypass vulnerabilities are common.
5. SQL injection remains rampant even where a WAF is deployed.
Internet finance has the most comprehensive range of vulnerability types in the financial industry, so we focus on the vulnerabilities of the Internet finance industry below.
Figure: Types of security vulnerability in Internet finance
Although Internet finance does not have the most vulnerabilities, it has the most complete range of types, and they are distributed fairly evenly. Because it is easy to use, users are generally receptive to internet finance; from the various "treasure" products to peer-to-peer lending under many names, Internet finance is the new darling of the financial industry. However, for lack of strict policy management and code auditing, business development far outpaces what security can support: front-end code quality is low, producing many design logic errors, SQL injection and cross-site scripting flaws; staff security awareness is low and management is lax, producing many weak passwords, framework vulnerabilities, configuration errors and sensitive information disclosures; and slow software updates leave framework flaws unpatched.
The most serious of these is the security threat from system design logic. Such design errors show up as failures of permission constraints, producing a series of privilege-bypass vulnerabilities and SQL injection. Privilege bypass is not complex in nature; examples include horizontal (parallel) unauthorized queries, horizontal unauthorized modification, vertical unauthorized operations, batch registration, user password modification, password brute forcing, horizontal unauthorized downloads, identity forgery, non-functional logout, registration with an arbitrary mailbox, flaws in the mailbox activation function, points farming, brute-forcing of invitation codes, one-person-multiple-accounts problems, and so on.
Among design errors, unauthorized queries account for about 29%. A simple example: user A's order number is 111 and user B's is 112. A should not be able to query B's order, but A can change the order number in the request and query B's order; this is a horizontal (parallel) privilege bypass. Such problems are mainly caused by logic errors in the program code itself. This is typical of many Internet companies that focus excessively on scale and neglect their own security; they need to strengthen code audits to avoid this risk.
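As an added illustration (not code from the report), the following Python sketch puts the order-number example beside a hardened lookup: the vulnerable function trusts the order number from the request alone, while the hardened one binds the query to the user recorded in the server-side session. The table, users and amounts are constructed for this example; only the order numbers 111 and 112 come from the text.

```python
import sqlite3

# Constructed sample data (not from the report): two users, each owning one order,
# using the report's order numbers 111 and 112.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(111, "user_a", 500), (112, "user_b", 900)],
    )
    return conn


def get_order_vulnerable(conn, order_id):
    # The lookup trusts the client-supplied order number alone: the logged-in user's
    # identity never enters the query, so user A can read order 112 by editing the number.
    return conn.execute(
        "SELECT id, owner, amount FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order(conn, session_user, order_id):
    # Hardened form: ownership is part of the predicate and the owner comes from the
    # server-side session, not from the request. The parameter placeholders also keep
    # order_id from ever being interpreted as SQL.
    row = conn.execute(
        "SELECT id, owner, amount FROM orders WHERE id = ? AND owner = ?",
        (order_id, session_user),
    ).fetchone()
    if row is None:
        # Same response whether the order is missing or belongs to someone else,
        # so the endpoint cannot be used to enumerate other users' order numbers.
        raise PermissionError("order not found")
    return row


def demo():
    conn = build_db()
    # User A tampers with the order number in the request (112 instead of 111).
    leaked = get_order_vulnerable(conn, 112)
    try:
        get_order(conn, "user_a", 112)
        tamper_blocked = False
    except PermissionError:
        tamper_blocked = True
    # With placeholders, an injection attempt in the same parameter is just a value.
    try:
        get_order(conn, "user_a", "112 OR 1=1")
        injection_blocked = False
    except PermissionError:
        injection_blocked = True
    return leaked, tamper_blocked, injection_blocked


if __name__ == "__main__":
    print(demo())
```

The point of the hardened query is that the authorization decision is expressed in the same statement as the data access, so there is no code path that fetches a row first and forgets to check the owner afterwards.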
For example, WooYun-2015-147026 on the WooYun platform is a typical vulnerability in which any user's password could be reset because of a permission design flaw. Following the normal process: register a user on the site and choose "forgot password"; open the link sent to the mailbox; enter and confirm the new password; click submit, and intercept the client's network request.
In the intercepted request, the current user name is replaced with the target user's name and the request is sent on to the server, which then changes the target user's password. The intruder now holds a working account, laying the foundation for further intrusion.
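An added example, not part of the report or of the affected site's code, of how a reset flow avoids this class of flaw: the server binds the token to the account at issue time and ignores any username in the completion request, stores only salted password hashes, and treats tokens as single-use and short-lived. The service class, field names, user names and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000  # iteration count assumed for this example


def hash_password(password, salt=None):
    # Store only a salted PBKDF2 digest, never the password itself.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class ResetService:
    """Hypothetical password-reset service: the account a token may reset is fixed
    on the server when the token is issued, so the reset request cannot choose it."""

    def __init__(self):
        self.users = {}   # username -> (salt, digest)
        self.tokens = {}  # sha256(token) -> (username, expiry)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def request_reset(self, username):
        # Random, single-use, short-lived token, bound server-side to the requesting account.
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (username, time.time() + 15 * 60)
        return token  # in a real system this is mailed to the account's registered address

    def complete_reset(self, form):
        # The submitted form may carry a 'username' field, as in the report's case; it is
        # ignored. Which account changes is decided solely by the token's server-side binding.
        key = hashlib.sha256(form["token"].encode()).hexdigest()
        entry = self.tokens.pop(key, None)   # pop: the token cannot be replayed
        if entry is None:
            return False
        username, expiry = entry
        if time.time() > expiry:
            return False
        self.users[username] = hash_password(form["new_password"])
        return True

    def login(self, username, password):
        salt, digest = self.users[username]
        return verify_password(password, salt, digest)


def demo():
    svc = ResetService()
    svc.register("victim", "victim-original")
    svc.register("attacker", "attacker-original")
    token = svc.request_reset("attacker")  # a reset started for the attacker's own account
    # The intercepted form is resubmitted with the username swapped to the victim's.
    svc.complete_reset({"token": token, "username": "victim", "new_password": "new-pass"})
    return (
        svc.login("victim", "new-pass"),          # False: victim untouched
        svc.login("victim", "victim-original"),   # True
        svc.login("attacker", "new-pass"),        # True: only the token owner changed
    )


if __name__ == "__main__":
    print(demo())
```

Hashing the token before storing it means a leaked token table does not let anyone complete a pending reset, and popping the entry on first use closes the window for replay of an intercepted request.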
Even where a WAF is deployed against SQL injection, the WAF inevitably relies on keyword filtering, so the financial industry still has many SQL injection vulnerabilities. Because WAFs match with regular expressions, there are three common ways to circumvent them:
(1) Encoding bypass
On top of case-variation bypasses, there are three main types of encoding bypass: URL encoding, hex encoding and Unicode encoding. Entering a URL in the browser encodes it once, so an attacker encodes it several times to get past the WAF. For example, id.php?id=1%2520union/**/select decodes to id.php?id=1%20union/**/select if decoded only once, which may pass the WAF, while the database ultimately receives id.php?id=1 union/**/select. This can be addressed by decoding in a loop until the value no longer changes. Unicode has many encoding forms, and a filter based only on a blacklist cannot handle every case; UTF-32 encoding has been used to bypass Google's filtering.
(2) Comment bypass
Besides encoding keywords, comments can be used to break up keywords and evade regular-expression matching. For example, z.com/index.php?page_id=-15%55nion/**/%53elect 1,2,3,4 ' Union%a0select pass from users# uses encoded characters in place of some letters and comments or %a0 in place of spaces to avoid the match. (A pattern such as "selectxxx" is not intercepted because it could be a function name, whereas "select<space>xxx" certainly is, so removing the space is the key to the bypass.) There is also the MySQL version-conditional comment series such as /*!50000union*/.
(3) Equivalent substitution
Equivalent substitution is a broad category that can be divided into four kinds: equivalent functions, equivalent symbols, special symbols and comparison symbols.
Equivalent-function substitution replaces a function with another that does the same thing. A WAF may prohibit some functions but not others; for example substring() can be replaced with mid() or substr(). Composing more primitive functions to reach the same result can also bypass the WAF's keyword rules. Likewise the keyword or can be replaced by || and and by && (as in PHP), so id=1 or 1=1 can be written id=1 || 1=1 to bypass the filter. Similarly !=, >, < and so on can replace the equals sign.
Beyond keywords and key symbols, the main thing to bypass is the space, so the attacker looks for ways to avoid a literal space appearing. For example, the original statement id=1 or 1=1 can be written as:
id=1+or+1=1
id=1%0bor%0b1=1
id=1--s%0aor--s%0a1=1
id=1/*!or*/1=1
id=1 () or (1=1)
and many other forms in an attempt to bypass the filter.
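The three bypass classes above are all defeated by matching on a canonical form of the parameter rather than on its raw text. The following Python example, added here and not part of the report, decodes in a loop until nothing changes (the loop decoding the encoding section recommends), removes comments, maps equivalent symbols and functions back to their keyword forms, collapses every whitespace variant to a single space, and only then runs keyword signatures; a raw-text filter is shown beside it for comparison. The sample parameter values are the report's own bypass forms, constructed here as query-string values; the signature list and the decode bound are assumptions.

```python
import re
from urllib.parse import unquote_plus

MAX_DECODE_PASSES = 5   # bound chosen for this example


def decode_fully(value):
    # Decode until the value stops changing, so %2520 -> %20 -> ' ' is not missed
    # by a filter that decodes only once. '+' is treated as a space as in query strings.
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def strip_comments(text):
    # MySQL version comments /*!50000 ... */ execute their body: keep the body.
    text = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", text, flags=re.S)
    # Ordinary /* ... */ comments act as separators: replace with one space.
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    # '--' and '#' comments run to end of line.
    text = re.sub(r"(--[^\n]*|#[^\n]*)", " ", text)
    return text


def canonicalize(value):
    s = decode_fully(value)
    s = strip_comments(s)
    s = s.replace("||", " or ").replace("&&", " and ")                 # equivalent symbols
    s = re.sub(r"\b(mid|substr)\s*\(", "substring(", s, flags=re.I)  # equivalent functions
    s = re.sub(r"[()]", " ", s)                                        # parentheses as separators
    s = re.sub(r"[\s\x00-\x1f]+", " ", s)   # tabs, %0a, %0b, %a0 ... -> single space
    return s.strip().lower()


SIGNATURES = [
    re.compile(r"union\s+(all\s+)?select\b"),
    re.compile(r"\b(or|and)\s+('?\w+'?)\s*=\s*\2(?=\s|$)"),   # tautology: or 1=1, or 'a'='a'
]


def naive_filter(raw):
    # A single regular expression over the raw parameter, as a keyword-only WAF rule would do.
    return re.search(r"union\s+select|\bor\s+1\s*=\s*1", raw, re.I) is not None


def is_injection(raw):
    canonical = canonicalize(raw)
    return any(sig.search(canonical) for sig in SIGNATURES)


# Constructed parameter values reproducing the report's bypass forms.
SAMPLES = [
    "1%2520union/**/select",
    "1+or+1=1",
    "1%0bor%0b1=1",
    "1--s%0aor--s%0a1=1",
    "1/*!or*/1=1",
    "1 || 1=1",
    "1 () or (1=1)",
    "-15%55nion/**/%53elect 1,2,3,4 ' Union%a0select pass from users#",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:70} naive={naive_filter(raw)!s:5} "
              f"canonical={canonicalize(raw)!r} flagged={is_injection(raw)}")
```

Canonicalization is used only for the detection decision; the application still receives the original parameter, so over-decoding (a literal "%2B" becoming a space after two passes) can cause a false positive but never changes what the application executes.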
Financial Industry vulnerability intrusion prevention recommendations
Apart from vulnerabilities caused by human factors, the two major types of vulnerability in the financial industry are SQL injection and program logic errors.
1. Solving Human Factors
Human factors lead to weak passwords, misconfiguration and so on, and can only be regulated from the human side: strengthening the security team and training staff in security awareness should resolve the problems that human factors cause.
2. Resolving SQL injection
SQL injection is the biggest threat to data security in the financial industry, and relying on a WAF alone is not enough to protect an application from it, because a WAF specializes in parsing and filtering the HTTP protocol and cannot parse or filter SQL. To cover this gap, a database firewall can be placed between the Web application and the database to parse and filter the SQL itself. The database firewall parses the SQL statements sent from the Web application to the database, works out what each statement really means, and makes the following four judgments:
1. whether the statement contains obvious SQL injection features;
2. whether the objects the statement accesses fall within the user's access rights;
3. whether a key predicate of the statement is disabled;
4. limiting the number of rows the statement may return, so that the risk is kept to a minimum.
Once a database firewall is deployed, it sits between the Web application and the database and obtains the SQL statements the application sends. It parses the SQL according to the protocol of the specific database and restores the statement the application sent to a standard form (removing added symbols, decoding encodings and so on), so that the tricks used to bypass the WAF cannot be used to inject SQL through the database firewall.
First, the restored SQL statement is matched against the blacklist of forbidden statement structures; if it is judged a threat, the statement is not forwarded to the database, and the administrator is notified promptly by SMS, e-mail or similar. If the statement structure is acceptable, the firewall next examines the statement's operands (objects) and predicates; if an object or predicate is under control, the statement is still not forwarded. Even when the statement complies with all the rules, the database firewall can reduce the threat to a minimum through row-count control, restricting the number of rows the database returns for each statement.
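The four judgments above, as an added example in Python (not An Huaqin's product code): each statement is reduced to a structural template, compared with a blacklist, checked for tautological predicates, checked against the tables the application account is granted, screened for disabled keywords, and finally capped with a LIMIT before being forwarded. The table names, grants and disabled-keyword list are constructed for the example, and the table extraction is a simplified regular expression, not a full SQL parser.

```python
import re
from dataclasses import dataclass


def statement_template(sql):
    # Replace string and numeric literals with '?' so that statements with the same
    # structure compare equal regardless of the values the application filled in.
    s = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def accessed_tables(sql):
    # Table names following FROM / JOIN / UPDATE / INSERT INTO (simplified, not a full parser).
    found = re.findall(r"\b(?:from|join|update|insert\s+into)\s+([A-Za-z_][\w.]*)", sql, flags=re.I)
    return {name.lower() for name in found}


# "or ?=?" after templating covers 1=1, 'a'='a' and similar tautologies.
TAUTOLOGY = re.compile(r"\b(or|and)\s+(\S+?)\s*=\s*\2(?=\s|$)")


@dataclass
class Decision:
    allowed: bool
    reason: str
    rewritten_sql: str = ""


@dataclass
class DbFirewall:
    blacklist: set          # forbidden statement templates (from statement_template)
    grants: dict            # application account -> set of tables it may access
    disabled: tuple = ("drop", "truncate", "into outfile", "load_file", "sleep", "benchmark")
    max_rows: int = 100

    def inspect(self, app_user, sql):
        template = statement_template(sql)
        # 1. obvious injection features: blacklisted structure or tautological predicate
        if template in self.blacklist:
            return Decision(False, "blacklisted statement structure")
        if TAUTOLOGY.search(template):
            return Decision(False, "injection signature: tautology predicate")
        # 2. every object touched must be within the account's grants
        denied = accessed_tables(sql) - self.grants.get(app_user, set())
        if denied:
            return Decision(False, f"object not granted: {sorted(denied)}")
        # 3. disabled keywords / predicates
        for kw in self.disabled:
            if re.search(r"\b" + re.escape(kw) + r"\b", template):
                return Decision(False, f"disabled predicate: {kw}")
        # 4. cap the rows a SELECT can return before forwarding it
        rewritten = sql
        if template.startswith("select") and not re.search(r"\blimit\b", template):
            rewritten = sql.rstrip().rstrip(";") + f" LIMIT {self.max_rows}"
        return Decision(True, "ok", rewritten)


def demo():
    fw = DbFirewall(
        blacklist={statement_template("SELECT * FROM orders")},  # unfiltered full-table dump
        grants={"order_service": {"orders"}},
    )
    # Constructed statements as an order-query page might send them before and after injection.
    cases = [
        "SELECT id, amount FROM orders WHERE id = 111",
        "SELECT id, amount FROM orders WHERE id = 111 OR 1=1",
        "SELECT id, amount FROM orders WHERE id = 111 UNION SELECT pass, 1 FROM users",
        "SELECT * FROM orders INTO OUTFILE '/tmp/dump.txt'",
        "SELECT * FROM orders",
    ]
    return [(sql, fw.inspect("order_service", sql)) for sql in cases]


if __name__ == "__main__":
    for sql, decision in demo():
        print(f"{sql!r}\n  -> {decision}")
```

Because the checks run on the statement as the database would see it, the encoding, comment and equivalent-substitution tricks aimed at the WAF have already been undone by the time the template is compared.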
3. Resolving program logic errors
Program logic errors mainly refer to logic problems in how each user's rights are divided. Fixing them requires correcting the logic errors in the business system's code and adding logical defences at the key points. Function points that particularly need strengthened defences include the shopping cart, payment, withdrawal, user data queries, order data queries, API interfaces, and password setting/reset. At the same time, important business systems need operational management, security development best practices should be followed, passwords must be stored safely (the database stores only a salted hash, never the password itself), and an encrypted transport protocol should be used.
This is the nature of security: its effect is usually invisible, but once a data leakage incident breaks out, the loss is immeasurable, whether for enterprises, for users themselves, or even for national information security. As business develops, the contest between attack and defence in the security field will continue for a long time.
Download the full version: "Financial Industry Vulnerability Analysis Report"
This article is from the Database Security blog; please keep this source link: http://schina.blog.51cto.com/9734953/1719175