Commentary
Web Application Hacks: Upping The Arms Race
It doesn't seem that long ago since Web applications attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list.It doesn't seem that long ago since Web applications attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list."Your garden-variety SQL and XSS is being replaced by encoded versions" of them, Jeremiah Grossman, CTO of WhiteHat Security, told DarkReading. "Any injection-style attack can be encoded using 100 different techniques and variations."
It's bad news. It means more Web attacks will fall under the radar. But it's the same tactics attackers have used since the '80s -- take a tactic that works, such as viruses, and morph how they look to defensive security technologies so that they slip unnoticed under the radar.
More Security Insights
White Papers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
Reports
More >>Webcasts
- Outsourcing Security: What Every Potential Cloud Security Customer Should Know
- Maximize ROI with Database Consolidation onto Private Clouds
The data didn't come from just one vendor, as Kelly Jackson Higgins reported:
Mary Landesman, senior security researcher at ScanSafe, says her Web security services firm also is seeing more obfuscation, including encryption, of malicious code being injected into Web sites. "The bar is being raised each month, with different levels of obfuscation and encryption being used," she says. ScanSafe today reported an 87% jump in malware blocked by its Web security service in July compared with June, 75% of which came from the wave of SQL injection attacks hitting Web sites the past few months.
ScanSafe detected 34% more malware last month than it did in all of 2007, according to the report.
And while it's good news that 66% of the vulnerabilities on Web sites that WhiteHat Security tracks have been fixed, that strikes me as woefully inadequate.
It seems Web applications change too fast, and the need for good Web application security skills goes unmet at most organizations. Here's what those organizations are up against, as compiled by WhiteHat Security:
• Cross-site scripting (XSS), 67% • Information leakage, 41% • Content spoofing, 21% • Insufficient authorization, 18% • SQL injection, 17% • Predictable source location, 16% • Insufficient authentication, 12% • HTTP response splitting, 9% • Abuse of functionality, 8% • Cross-site request forgery (CSRF), 8%
Related Reading
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
|
T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting! |
Subscribe to RSSResource Links
This Week's Issue
Technology Whitepapers
- Creating the Enterprise-Class Tablet Environment - by Yankee Group
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
- Red Alert: Why Tablet Security Matters - by BlackBerry
- New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows
Featured Resource
This is your portal to all the news, product information, technical data, and other information related to the topic of computer user authentication and certification. Visit us to find out how to ensure that computer users are who they say they are.
Learn More
