Web Application Hacks: Upping The Arms Race
It doesn't seem that long ago since Web applications attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list.
August 27, 2008
It doesn't seem that long ago since Web applications attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list."Your garden-variety SQL and XSS is being replaced by encoded versions" of them, Jeremiah Grossman, CTO of WhiteHat Security, told DarkReading. "Any injection-style attack can be encoded using 100 different techniques and variations."
It's bad news. It means more Web attacks will fall under the radar. But it's the same tactics attackers have used since the '80s -- take a tactic that works, such as viruses, and morph how they look to defensive security technologies so that they slip unnoticed under the radar.
The data didn't come from just one vendor, as Kelly Jackson Higgins reported:
Mary Landesman, senior security researcher at ScanSafe, says her Web security services firm also is seeing more obfuscation, including encryption, of malicious code being injected into Web sites. "The bar is being raised each month, with different levels of obfuscation and encryption being used," she says. ScanSafe today reported an 87% jump in malware blocked by its Web security service in July compared with June, 75% of which came from the wave of SQL injection attacks hitting Web sites the past few months.
ScanSafe detected 34% more malware last month than it did in all of 2007, according to the report.
And while it's good news that 66% of the vulnerabilities on Web sites that WhiteHat Security tracks have been fixed, that strikes me as woefully inadequate.
It seems Web applications change too fast, and the need for good Web application security skills goes unmet at most organizations. Here's what those organizations are up against, as compiled by WhiteHat Security:
• Cross-site scripting (XSS), 67% • Information leakage, 41% • Content spoofing, 21% • Insufficient authorization, 18% • SQL injection, 17% • Predictable source location, 16% • Insufficient authentication, 12% • HTTP response splitting, 9% • Abuse of functionality, 8% • Cross-site request forgery (CSRF), 8%
About the Author
You May Also Like
How to Evaluate Hybrid-Cloud Network Policies and Enhance Security
September 18, 2024DORA and PCI DSS 4.0: Scale Your Mainframe Security Strategy Among Evolving Regulations
September 26, 2024Harnessing the Power of Automation to Boost Enterprise Cybersecurity
October 3, 202410 Emerging Vulnerabilities Every Enterprise Should Know
October 30, 2024
State of AI in Cybersecurity: Beyond the Hype
October 30, 2024[Virtual Event] The Essential Guide to Cloud Management
October 17, 2024Black Hat Europe - December 9-12 - Learn More
December 10, 2024SecTor - Canada's IT Security Conference Oct 22-24 - Learn More
October 22, 2024