Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Blended Web Attacks Hitting More Websites

Hackers increasingly use four top techniques, such as cross site scripting and SQL injection, in combination, researchers say.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
The average large business's website sees 27 attacks per minute, though attackers--thanks to automation--can create spikes of up to seven attacks per second, or about 25,000 attacks per hour.

Those findings come from a new study, conducted by Imperva, of more than 10 million Web application attacks targeting the websites of 30 large businesses and government agencies, launched between January 2011 to May 2011. The study also assessed traffic that flowed via the onion router, better known as TOR, which helps anonymize Web traffic.

The study found that the four most prevalent attacks against Web applications were directory traversal (37%), cross site scripting (36%), SQL injection (23%), and remote file include (4%), aka RFI.

Attackers often employed those techniques in combination, whether to steal data, surreptitiously install malware on servers, or simply create a denial of service. "For example, a hacker may use directory traversal during a reconnaissance phase of the combined attack to identify the directory structure of an attacked server before sending an additional effective exploit vector, such as an RFI," according to the report.

Interestingly, the LulzSec hacking group employed three of those techniques, sometimes in combination. But LulzSec's exploits, which largely occurred in June, fell outside the scope of the report. "Consequently, we didn't directly witness any attacks from Lulzsec," according to Imperva's report. However, the Imperva researchers did see an "incredible similarity" between the most prevalent Web application hacking techniques, and the techniques used by LulzSec's members.

Imperva's research presents an interesting contrast with other vulnerability information, such as the Open Web Application Security Project (OWASP) list of the top 10 worst Web application vulnerabilities. According to Amichai Shulman, CTO of Imperva, when it comes to the OWASP top 10, "RFI and directory traversal were not identified as top vulnerabilities, yet our research shows that these are two of the most common attacks used by hackers to steal data."

The difference comes from assessing vulnerabilities, versus what's actually being attacked, he said via email. "The shortcoming of OWASP Top 10 is that they concentrate on the most prevalent vulnerabilities. And while this is important, it does not concentrate on what hackers are actually hacking."

According to Imperva's research, attackers largely pursue the easiest exploits, rather than the most prevalent vulnerabilities. "Our report shows that if there is a vulnerability out there--even overlooked by Web application developers, not appearing in OWASP top 10, though easily exploitable--then hackers will go after it," said Shulman.

Beyond attack type, the Imperva report also assessed attack origin. Overall, most Web application attacks are launched from botnets involving exploited PCs located in the United States (for 61% of attacks), followed by China (9%), Sweden (4%), and France (2%).

But the identity of whoever's behind those attacks, and where they might be based, isn't clear. "Our data shows that it is increasingly difficult to trace attacks to specific entities or organizations," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "This complicates any effort to retaliate, shut down cybercriminal gangs or identify potential acts of war."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18575
PUBLISHED: 2019-12-06
Dell Command Configure versions prior to 4.2.1 contain an uncontrolled search path vulnerability. A locally authenticated malicious user could exploit this vulnerability by creating a symlink to a target file, allowing the attacker to overwrite or corrupt a specified file on the system.
CVE-2019-11293
PUBLISHED: 2019-12-06
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.
CVE-2019-16771
PUBLISHED: 2019-12-06
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97....
CVE-2019-1551
PUBLISHED: 2019-12-06
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are n...
CVE-2019-16671
PUBLISHED: 2019-12-06
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Remote authenticated users can crash a device with a special packet because of Uncontrolled Resource Consumption.