Web Attack Trends 2007
February 25, 2008
Also crossing my RSS feed today is the Web Hacking Incidents Database Annual report for 2007 [warning: PDF link behind free registration - I'm sure if you don't want to register, you know what to do]
The ModSecurity blog summarized it nicely, but there are some areas of it that I find a bit weird.
First thing that hits me is that SQL injection is listed as the number one attack vector. This surprises me somewhat, as XSS seems clearly to be where so many vulnerabilities are being found – you just have to step over to the sl.ackers.org forum to see how often. However, saying that, some companies (who shall remain nameless) don’t rate XSS injections too highly because it mostly targets end-users – often (but not always) no “data” is lost on the server. This attitude I think just shows disrespect to users because it pushes security (or insecurity) on to them, and could allow them to throw up their hands and say “well you allowed for your account to be compromised” or “hey, you fell for it” (obviously not using those exact words though).
Although it’s only a few quick sentences, there’s an interesting revelation that one third of the attacks were “operational mistakes” where unintentional publishing of information caused either the site to be at risk, or its users’ details being left out there in the open. Doesn’t sound far-fetched at all – I’ve had one client that had a very sensitive Access database left completely open on a public webserver, and didn’t even have the logs any more to at least see if it was ever accessed!
I’ve argued it before, but 15% of the vulnerabilities exploited were previously known. ‘Nuf said.
Cross-site request forgery is a tiny 2% of the total. This is one of the big worrying stats to me because either attackers aren’t yet taking advantage of this vector (which most sites are vulnerable to in some way) or the attacks are just going unnoticed (which wouldn’t be too surprising either, as the traffic looks so much like “legitimate” use, and if it’s kept small, users probably wouldn’t notice).
Finally, despite lots of effort from people either talking about secure code/websites, awareness, community projects, improvements in frameworks, technology, etc, it appears that things are getting worse, not better. I’m not going to steal another graph from the report as I appreciate I’m pushing it with just one – please grab the report for yourself – but there’s clearly an upward trend. There could be a bias as maybe reporting is just better/more frequent because the focus is shifting away from traditional software (and unlike tracking patches from established companies, websites can be patched silently), but it feels about right.
Anyway, interesting stuff, and a big “keep up the great work” to the guys at Breach for doing this and everyone over at the Web Application Security Consortium. Hit up the links for more info and post your own analysis.