Mapping out Web apps attacks

A new report shows that while many attackers continue to stick with old techniques and targets, some are expanding their horizons in terms of tactics and victims

Attackers continue to use well-worn techniques, such as SQL injection, to exploit holes in popular Web applications but have also moved on to other targets, including government sites, and newer exploit methods, such as cross-site request forgery, according to the latest report filed by the Web Applications Security Consortium.

The nonprofit industry group released the findings of its annual Hacking Incidents Database report this week, and despite the fact that cyber-criminals are still capable of using familiar means like SQL injection to victimize e-commerce sites and other transactional systems, a growing number of assailants are broadening their efforts and capabilities and going after new sets of targets, the research contends.

Based on WASC's in-depth investigations into roughly 80 individual attacks carried out during calendar 2007, the group concludes that data theft remains the primary goal of most incidents, representing 42 per cent of all the events.

Surprisingly, site defacement -- thought to be a dying art in the world of profit-driven hacking -- actually still accounted for 23 per cent of the attacks covered in the report, followed by exploits aimed at planting malware on sites at roughly 15 per cent.

And while the lion's share of the incidents studied by the group revolved around the attempted theft of sensitive data that could be sold on the underground market or used to carry out fraud, the phishing threats of years past are increasingly becoming outnumbered by attacks that utilize malware code hidden on legitimate Web applications to victimize unsuspecting end-users, the group said.

Of all the threats studied by WASC in its report, 67 per cent were designed specifically to derive some form of profit -- pointing to continued growth in the professionalism of those responsible for the attacks, researchers said.

"One of the biggest issues is that so much of this activity is being delivered directly though legitimate Web sites that are being hacked," said Ryan Barnett, a project leader at WASC who also serves as director of application security training at applications firewall vendor Breach Security, which sponsored the 2008 report.

"It used to be that as long as users didn't go to certain Web sites they'd be safe, but obviously, that's changing," he said. "SQL injection still works surprisingly well, so we're seeing plenty of those across the board, but you do also begin to see more use of things like cross-site request forgery, to which even greater numbers of sites might be vulnerable."

SQL injection, which attempts to use security vulnerabilities occurring in the database layer of applications to compromise them, still remains a weak point in some widely-used Web systems, in particular e-commerce sites, a reality that the researcher views as surprising based on the well-established history of the technique. However, CSRF threats, which attempt to hijack authenticated Web sessions to carry out their ploys, are becoming more common, while still far less frequent than SQL injections, according to the expert. Indeed, CSRF threats accounted for only 2 per cent of the incidents tracked by WASC for the 2007 report, while SQL injections represented 20 per cent, the most popular format for exploit.

Unintentional information disclosure, which involves sites that emanate such detailed authentication failures that hackers may use them to find a way in, was the second most popular format for attackers to break into applications at 15 per cent, followed by cross-site scripting exploits, which use malware planted on legitimate sites to subvert end-users' machines, at 12 per cent of the incidents.

In terms of the types of organizations being assailed by the attacks tracked by WASC, the group found that government agencies actually represented the largest group of targets.

Perhaps because financial services companies and retailers have improved their applications defenses, hackers have moved on to the government set as well as educational institutions, the report contends.

Some 29 per cent of the incidents covered in the report targeted government agencies, followed by education at 15 per cent, and retailers and media outlets tied at 12 per cent.

In addition to attempts to steal data, WASC contends that government agencies may also be getting hacked by parties looking to embarrass or disable the organizations' sites based on ideological goals. Because government agencies are forced to report more of their security incidents publicly, hackers may merely be trying to force the organizations to admit that they have been exploited in public, the researchers said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

InfoWorld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?