Mapping out Web apps attacks

A new report shows that while many attackers continue to stick with old techniques and targets, some are expanding their horizons in terms of tactics and victims

Attackers continue to use well-worn techniques, such as SQL injection, to exploit holes in popular Web applications but have also moved on to other targets, including government sites, and newer exploit methods, such as cross-site request forgery, according to the latest report filed by the Web Applications Security Consortium.

The nonprofit industry group released the findings of its annual Hacking Incidents Database report this week, and despite the fact that cyber-criminals are still capable of using familiar means like SQL injection to victimize e-commerce sites and other transactional systems, a growing number of assailants are broadening their efforts and capabilities and going after new sets of targets, the research contends.

Based on WASC's in-depth investigations into roughly 80 individual attacks carried out during calendar 2007, the group concludes that data theft remains the primary goal of most incidents, representing 42 per cent of all the events.

Surprisingly, site defacement -- thought to be a dying art in the world of profit-driven hacking -- actually still accounted for 23 per cent of the attacks covered in the report, followed by exploits aimed at planting malware on sites at roughly 15 per cent.

And while the lion's share of the incidents studied by the group revolved around the attempted theft of sensitive data that could be sold on the underground market or used to carry out fraud, the phishing threats of years past are increasingly becoming outnumbered by attacks that utilize malware code hidden on legitimate Web applications to victimize unsuspecting end-users, the group said.

Of all the threats studied by WASC in its report, 67 per cent were designed specifically to derive some form of profit -- pointing to continued growth in the professionalism of those responsible for the attacks, researchers said.

"One of the biggest issues is that so much of this activity is being delivered directly though legitimate Web sites that are being hacked," said Ryan Barnett, a project leader at WASC who also serves as director of application security training at applications firewall vendor Breach Security, which sponsored the 2008 report.

"It used to be that as long as users didn't go to certain Web sites they'd be safe, but obviously, that's changing," he said. "SQL injection still works surprisingly well, so we're seeing plenty of those across the board, but you do also begin to see more use of things like cross-site request forgery, to which even greater numbers of sites might be vulnerable."

SQL injection, which attempts to use security vulnerabilities occurring in the database layer of applications to compromise them, still remains a weak point in some widely-used Web systems, in particular e-commerce sites, a reality that the researcher views as surprising based on the well-established history of the technique. However, CSRF threats, which attempt to hijack authenticated Web sessions to carry out their ploys, are becoming more common, while still far less frequent than SQL injections, according to the expert. Indeed, CSRF threats accounted for only 2 per cent of the incidents tracked by WASC for the 2007 report, while SQL injections represented 20 per cent, the most popular format for exploit.

Unintentional information disclosure, which involves sites that emanate such detailed authentication failures that hackers may use them to find a way in, was the second most popular format for attackers to break into applications at 15 per cent, followed by cross-site scripting exploits, which use malware planted on legitimate sites to subvert end-users' machines, at 12 per cent of the incidents.

In terms of the types of organizations being assailed by the attacks tracked by WASC, the group found that government agencies actually represented the largest group of targets.

Perhaps because financial services companies and retailers have improved their applications defenses, hackers have moved on to the government set as well as educational institutions, the report contends.

Some 29 per cent of the incidents covered in the report targeted government agencies, followed by education at 15 per cent, and retailers and media outlets tied at 12 per cent.

In addition to attempts to steal data, WASC contends that government agencies may also be getting hacked by parties looking to embarrass or disable the organizations' sites based on ideological goals. Because government agencies are forced to report more of their security incidents publicly, hackers may merely be trying to force the organizations to admit that they have been exploited in public, the researchers said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?