Vulnerabilities are everywhere. Knowing where they are is useful, but knowing which one will be exploited is much more useful. Security professionals need to focus on real threats plaguing today’s practitioners and provide up-to-date statistics on actual attack data.
As part of its ongoing Hacker Intelligence Initiative (HII), Imperva monitors malicious online activity to help organizations understand the threat landscape. During a six-month period from June 2011 to November 2011, Imperva researched and analysed web attack traffic targeted against 40 different web applications.
Interestingly, most of the attacks which exploited application vulnerabilities converged into five common attack techniques.
Web attack technique #1: SQL Injection (SQLi)
SQL Injection (SQLi) is an attack technique that exploits a web application vulnerability in order to access the organisation’s data in an unauthorised manner.
Take for example a web form. A hacker exploiting a SQLi vulnerability could insert some computer code into the username field rather than the actual user’s name. The code could be as simple as ‘1=1’ or be much more sophisticated and attempt to bypass simple defence measures or gain certain knowledge about the system’s setup. A vulnerable application will process the code and start coughing up sensitive data.
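The web-form case above, shown as a vulnerable lookup beside its parameterized form. This is an added example, not code from the original article; the table, the function names and the sample form value are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_vulnerable(db, username):
    # Vulnerable: the form value is pasted into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db, username):
    # Hardened: the value is bound as data and is never parsed as SQL.
    rows = db.execute("SELECT email FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)

# Constructed form value: a tautology of the '1=1' kind described above.
FORM_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("string-built query :", lookup_vulnerable(db, FORM_INPUT))
    print("parameterized query:", lookup_parameterized(db, FORM_INPUT))
```

With the string-built query the tautology matches every row; with the bound parameter the same input is compared as a literal username and matches none.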
SQLi in the wild
According to the Privacy Rights Clearinghouse, over 313 million records were compromised by external hacking events since 2005. Some 262 million of these consisted of breaches at TJX, Heartland Payment Systems and RockYou - all SQLi attacks.
While SQLi is an attack technique that is more than a decade old, we can see it still tops the charts and accounts for at least 83% of all successful hacks. Last April, a SQLi attack against Sony resulted in the compromise of 77 million credit cards. Even Lady Gaga’s site was hacked by SQLi.
Web attack technique #2: Cross Site Scripting (XSS)
A successful cross site scripting attack allows the hacker to execute scripts in a victim’s browser. The script may redirect the visitor to an attacker-controlled website, steal user credentials or simply insert hostile content.
XSS is a peculiar attack. With XSS, the attacker abuses the trust between the application and the user. It is not a web attack against the server per se, but rather against the site’s visitors. However, this type of attack still falls under the responsibility of the site administrators, since the exploit occurs due to existing flaws on the server side.
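The server-side flaw described above, as an added example that is not part of the original article: a page fragment that writes user-supplied values into HTML unencoded, beside a version that encodes them for their output context. The function names, the comment fields and the sample values are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def render_comment_vulnerable(author, homepage, text):
    # Vulnerable: all three values reach the browser as markup.
    return f'<div><a href="{homepage}">{author}</a>: {text}</div>'

def render_comment_hardened(author, homepage, text):
    # A link target needs more than escaping: only absolute http(s)
    # URLs are kept, anything else (script URLs, malformed input)
    # is replaced with a harmless anchor.
    try:
        scheme = urlsplit(homepage.strip()).scheme.lower()
    except ValueError:
        scheme = ""
    if scheme not in ALLOWED_SCHEMES:
        homepage = "#"
    # Encode every value for HTML; quote=True also covers the
    # double-quoted attribute that holds the link target.
    return '<div><a href="{}">{}</a>: {}</div>'.format(
        html.escape(homepage, quote=True),
        html.escape(author, quote=True),
        html.escape(text, quote=True),
    )

# Constructed sample values of the kinds the hardened renderer must survive.
SAMPLE_TEXT = "<script>alert(1)</script>"
SAMPLE_SCRIPT_URL = "javascript:alert(1)"
SAMPLE_ATTR_BREAKOUT = 'https://ok.example/" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_vulnerable("eve", SAMPLE_SCRIPT_URL, SAMPLE_TEXT))
    print(render_comment_hardened("eve", SAMPLE_SCRIPT_URL, SAMPLE_TEXT))
```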
XSS in the wild
Numerous applications suffer from XSS vulnerabilities. Even Microsoft’s fastest growing product to date—SharePoint—has been found vulnerable to this attack, and Redmond’s latest patch included a fix for it. Hackers are quick to latch onto this type of vulnerability and LulzSec has been known to also use XSS as part of their hacking arsenal.
Web attack technique #3: Local File Inclusion (LFI)
In this setting, a web application is programmed to upload a local file. However, if the application is vulnerable to a Local File Inclusion attack, the hacker can replace that reference with a file of her own that she was able to previously plant on the server. Once the malicious script is uploaded, the server is under control of the hacker. The hacker can glean information, manipulate data and even upload a malicious executable.
LFI in the wild
Attractive LFI (and RFI - see below) attack targets are commonly PHP applications. With more than 77% of today’s websites running PHP, LFI should be on every security practitioner’s radar.
A notorious LFI example is Timthumb, a WordPress add-on vulnerable to LFI, which in November 2011 paved the way to 1.2 million infected websites.
Web attack technique #4: Remote File Inclusion (RFI)
This attack is similar in essence to LFI attacks, although in this case the web application is programmed to upload an external file.
RFI in the wild
The following snippet is taken from the LulzSec chat logs. It shows that RFI was one of the techniques used by the group to conduct their attacks.
lol - storm would you also like the RFI/LFI bot with google bypass i was talking about while i have this plugged in?
lol - i used to load about 8,000 RFI with usp flooder crushed most server :D
As we can see, LulzSec used bots to carry out RFI attacks, which led to the crashing of the servers (in other words, using RFI as a technique to conduct a DDoS attack). In fact, this was the technique used to bring down the CIA public website.
RFI is not a widely discussed attack and is often overlooked. But LulzSec proved the consequence of such a vulnerability when they exploited it to help ambush their targets.
Web attack technique #5: Directory Traversal (DT)
As the name hints, in a directory traversal attack, a hacker traverses the web application’s file directory in an attempt to find hidden files that were inadvertently exposed to the application.
Say, for example, that a parent directory should not be accessed. By exploiting a DT vulnerability, a hacker will be able to retrieve information from the directory by using special characters such as the ‘.’, which requests to "traverse" to the file’s parent directory.
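One way to enforce the "parent directory should not be accessed" rule on the server, given as an added example rather than code from the original article: resolve the requested name against the served directory and refuse anything that lands outside it. The same check applies to the file reference in the LFI case above. The function names and the sample directory layout are constructed, and a POSIX file system is assumed.

```python
import os
import tempfile
from urllib.parse import unquote

def resolve_under(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None."""
    base = os.path.realpath(base_dir)
    # Decode once, as a web framework would, so encoded dots are seen.
    joined = os.path.join(base, unquote(requested))
    # realpath collapses '..' segments and follows symlinks, so the
    # comparison below is made on the path that would really be opened.
    candidate = os.path.realpath(joined)
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        inside = False
    if not inside:
        return None
    return candidate if os.path.isfile(candidate) else None

def build_sample_tree():
    """Constructed layout: <root>/secret.txt and <root>/public/index.html."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for the web")
    return root, public

if __name__ == "__main__":
    _, public = build_sample_tree()
    # Constructed requests: one legitimate, three that must be refused.
    for name in ["index.html", "../secret.txt", "%2e%2e/secret.txt", "/etc/passwd"]:
        print(f"{name!r:24} -> {resolve_under(public, name)}")
```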
DT in the wild
DTs are commonly used for reconnaissance. When the hacker extracts enough information about the targeted victim, she can proceed to carry out an additional attack.
In particular, this attack is mainly used in conjunction with RFI/LFI attacks: the DT maps out the vulnerabilities for a subsequent RFI/LFI attack to exploit.
By Noa Bar-Yosef, Senior Security Strategist at Imperva.