WebKnowHow Monday, July 17, 2006; 07:56 AM
Fortify Software, provider of products that identify and remediate security vulnerabilities in software, announced the results of the first empirical research into attacks that specifically target Web-based applications. After collecting data from its customers' Web applications over the course of six months, Fortify identified four primary attack methods that present an imminent threat to Web-based applications today:
-- Bot Storming: Over half of the attacks on Web applications over the six-month period were generated by automated probes, bots, or bot networks searching for unprotected or unpatched components of Web applications. Probes of this type can be negligible or catastrophic, depending on the way Web applications are built, and can be a forerunner to Internet worms and directed attacks.

-- Google Hacking: Over 20 percent of all security events in the Fortify monitoring pool were the result of hackers accessing Web site vulnerability information stored in search engine indices. For example, a Web application may report diagnostic information if a Web page is broken. Hackers can use information stored in search engine indices of that site to map out the components and internal structure of the application.

-- Directed Attacks: These Web application-specific attacks are less frequent, but are much more sophisticated and dangerous to Web applications. The techniques most often noted were cross-site scripting, SQL injection and buffer overflow attacks.

-- Global Attack Base: Fortify's research revealed a wide range of attack origination points, including the United States, China, Poland, Australia, and many other countries, reflecting an increasingly global attack base. In addition, the use of anonymizing technologies and proxy servers continues to mask the true locations of Web application attack sources, reflecting their "invisible" nature.

"There is a wealth of research covering viruses, network-based attacks, public vulnerability announcements, spam, and phishing schemes, but very little focusing on Web-enabled applications that sit beyond the reach of firewalls and traditional network security," said Brian Chess, Chief Scientist, Fortify Software.
"With today's consumers and businesses depending on Web applications, such as ecommerce and financial services applications that contain sensitive customer information, it's critical that businesses understand the risk exposure of their applications and take the necessary steps to avoid dangerous security attacks."
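As an added illustration that is not part of Fortify's research or this article: a small Python log triage that sorts Web-server access-log lines into two of the categories above, automated probing for missing or unpatched components (one client producing many distinct 404s) and directed cross-site scripting or SQL injection attempts. The sample log lines, the probe threshold and the signature patterns are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2006:07:56:01 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jul/2006:07:56:02 +0000] "GET /admin/ HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jul/2006:07:56:02 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jul/2006:07:56:03 +0000] "GET /xmlrpc.php HTTP/1.0" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Jul/2006:08:01:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2006:08:01:12 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2006:08:05:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Assumed signatures for the two directed-attack techniques the report names
# most often (cross-site scripting, SQL injection); a real deployment would use
# a maintained rule set rather than these four patterns.
DIRECTED_RE = re.compile(r"<script|union\s+select|'\s*or\s+'|or\s+1=1", re.IGNORECASE)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(log_text, probe_threshold=3):
    """Return {category: set of client IPs} using two of the report's categories.
    bot_storming: a client requesting >= probe_threshold distinct paths that do
    not exist (404), the footprint of an automated scan for unpatched components.
    directed_attack: a request whose decoded path carries an XSS/SQLi pattern."""
    missing = defaultdict(set)
    result = {"bot_storming": set(), "directed_attack": set()}
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue                      # skip malformed lines instead of failing
        path = unquote(ev["path"])        # decode %xx so encoded payloads are visible
        if ev["status"] == "404":
            missing[ev["ip"]].add(path)
        if DIRECTED_RE.search(path):
            result["directed_attack"].add(ev["ip"])
    for ip, paths in missing.items():
        if len(paths) >= probe_threshold:
            result["bot_storming"].add(ip)
    return result
```

Raising the threshold or keying the 404 counter on a time window cuts false positives from a single client following stale links.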