Web Application Hacks
27 August 2008
It doesn’t seem that long ago since Web application attacks supplanted network and worm attacks. But they have, and the attackers are now finding ways to obfuscate these attacks. It’s an ever-evolving arms race. And there is an updated Top 10 Web site vulnerabilities list.
“Your garden variety SQL and XSS is being replaced by encoded versions,” says Jeremiah Grossman, CTO of WhiteHat Security. “Any injection-style attack can be encoded using 100 different techniques and variations.” It’s bad news. It means more Web attacks will slip under the radar of signature-based defenses. But it’s the same tactic attackers have used since the 80s – take something that works, such as viruses, and morph how it looks to defensive security technologies so that it passes unnoticed.
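To make Grossman’s point concrete from the defender’s side, here is an added example (not from the article or from WhiteHat): a signature check run on the raw request parameter misses percent-, double- and HTML-entity-encoded variants of the same input, while canonicalising the value before matching catches them. The two signatures and all sample inputs are constructed for illustration only.

```python
import html
import re
from urllib.parse import unquote

# Deliberately simple signatures standing in for a real detection rule set.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.IGNORECASE),        # classic XSS marker
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),  # classic SQLi tautology
]

MAX_DECODE_ROUNDS = 3  # bound the loop so double/triple encoding cannot stall it

def canonicalise(value: str) -> str:
    """Percent-decode and HTML-entity-decode until the value stops changing."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current

def matches_raw(value: str) -> bool:
    """Naive check: signatures against the parameter exactly as received."""
    return any(sig.search(value) for sig in SIGNATURES)

def matches_canonical(value: str) -> bool:
    """Hardened check: canonicalise first, then apply the same signatures."""
    return matches_raw(canonicalise(value))

# Constructed samples: one plain payload and encoded variants of the same thing.
SAMPLES = {
    "plain_xss": "<script>alert(1)</script>",
    "url_encoded_xss": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded_xss": "%253Cscript%253Ealert(1)%253C/script%253E",
    "entity_encoded_xss": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "url_encoded_sqli": "%27%20OR%201%3D1",
    "benign": "hello%20world",
}

def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (raw_hit, canonical_hit)} so the two checks can be compared."""
    return {n: (matches_raw(v), matches_canonical(v)) for n, v in samples.items()}

if __name__ == "__main__":
    for name, (raw, canon) in evaluate().items():
        print(f"{name:20s} raw={raw!s:5s} canonical={canon}")
```

A production decoder also has to handle UTF-8 overlong sequences, Unicode escapes and mixed-case hex, which is why the number of variations Grossman cites is so large.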
And while it’s good news that 66% of the vulnerabilities on the Web sites WhiteHat Security tracks have been fixed, that figure still strikes all Web users as woefully inadequate.
It seems Web applications change too fast, and the need for good Web application security skills goes unmet at most organizations. Here’s what those organizations are up against, as compiled by WhiteHat Security:
Cross-site scripting (XSS), 67 percent
Information leakage, 41 percent
Content spoofing, 21 percent
Insufficient authorization, 18 percent
SQL injection, 17 percent
Predictable source location, 16 percent
Insufficient authentication, 12 percent
HTTP response splitting, 9 percent
Abuse of functionality, 8 percent
Cross-site request forgery (CSRF), 8 percent