Cross-site request forgery heads new wave of Web apps attacks

New hacking methods such as cross-site request forgery have joined established techniques, such as SQL injection, to exploit holes in popular Web applications, according to the latest report filed by the Web Applications Security Consortium.

The non-profit industry group released the findings of its annual Hacking Incidents Database report this week; the research contends that attackers are broadening their efforts and capabilities and going after new sets of targets.

Based on WASC's in-depth investigations into roughly 80 individual attacks carried out during 2007, the group concludes that data theft remains the primary goal of most incidents, representing 42% of all the events.

Surprisingly, site defacement, thought to be a dying art in the world of profit-driven hacking, actually still accounted for 23% of the attacks covered in the report, followed by exploits aimed at planting malware on sites at roughly 15%.

While most incidents studied by the group revolved around the attempted theft of sensitive data that could be sold on or used to carry out fraud, the phishing threats of years past are increasingly becoming outnumbered by attacks that utilize malware code hidden on legitimate Web applications to target unsuspecting end-users, the group said.

Of all the threats studied by WASC in its report, 67% were designed specifically to derive some form of profit - pointing to continued growth in the professionalism of those responsible for the attacks, researchers said.

"One of the biggest issues is that so much of this activity is being delivered directly though legitimate Web sites that are being hacked," said Ryan Barnett, a project leader at WASC who also serves as director of application security training at applications firewall vendor Breach Security, which sponsored the 2008 report.

"It used to be that as long as users didn't go to certain Web sites they'd be safe, but obviously, that's changing," he said. "SQL injection still works surprisingly well, so we're seeing plenty of those across the board, but you do also begin to see more use of things like cross-site request forgery, to which even greater numbers of sites might be vulnerable."

SQL injection, which attempts to use security vulnerabilities occurring in the database layer of applications to compromise them, still remains a weak point in some widely-used Web systems, in particular e-commerce sites. This finding surprised researchers because of the well-established history of the technique.

Cross-site request forgery threats, which attempt to hijack authenticated Web sessions to carry out their ploys, are becoming more common. However, they accounted for only 2% of the incidents tracked by WASC for the 2007 report, while SQL injections represented 20
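The session-hijacking mechanism described above is what a synchronizer-token check is meant to defeat: a forged request arriving from another site carries the victim's session cookie but not the per-session token. The following is an added illustration, not code from the WASC report or from Breach Security; the token scheme, the `https://bank.example` origin and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a server-side secret used to bind CSRF tokens to a session.
SERVER_SECRET = secrets.token_bytes(32)
OWN_ORIGIN = "https://bank.example"  # hypothetical site origin
STATE_CHANGING = ("POST", "PUT", "DELETE", "PATCH")


def issue_csrf_token(session_id: str) -> str:
    """Derive a token tied to one authenticated session (hypothetical HMAC-based scheme)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(request: dict, session_id: str) -> bool:
    """Accept a state-changing request only if it proves it came from our own pages.

    `request` is a constructed dict with 'method', 'headers' and 'form' keys, and
    `session_id` is the identifier recovered from the (already validated) session cookie.
    A cross-site page can make the browser send that cookie, but it cannot read the
    per-session token or set the Origin header to our own origin.
    """
    if request.get("method", "GET").upper() not in STATE_CHANGING:
        return True  # safe methods must not change state, so no token is required
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != OWN_ORIGIN:
        return False  # browser says the request was initiated by another site
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; compare as bytes so odd input cannot raise TypeError.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def evaluate_samples(session_id: str) -> dict:
    """Run three constructed requests against the check and report each verdict."""
    token = issue_csrf_token(session_id)
    samples = {
        # legitimate form submission from our own page, carrying the session's token
        "legitimate": {"method": "POST", "headers": {"Origin": OWN_ORIGIN},
                       "form": {"csrf_token": token, "amount": "100"}},
        # forged submission auto-posted from another site: cookie rides along, token absent
        "forged": {"method": "POST", "headers": {"Origin": "https://attacker.example"},
                   "form": {"amount": "100"}},
        # same forged body with Origin stripped: still fails because the token is missing
        "forged_no_origin": {"method": "POST", "headers": {}, "form": {"amount": "100"}},
    }
    return {name: csrf_check(req, session_id) for name, req in samples.items()}
```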

Unintentional information disclosure, in which sites return such detailed authentication-failure messages that hackers may use them to find a way in, was the second most common route for attackers to break into applications at 15%, followed by cross-site scripting exploits, which use malware planted on legitimate sites to subvert end-users' machines, at 12% of the incidents.