• E-mail this page
• |  Print this page
• | 
• | 
• | 

Web Application Hacks: Upping The Arms Race

It doesn't seem that long ago since Web applications attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list.

"Your garden-variety SQL and XSS is being replaced by encoded versions" of them, Jeremiah Grossman, CTO of WhiteHat Security, told DarkReading. "Any injection-style attack can be encoded using 100 different techniques and variations."

It's bad news. It means more Web attacks will fall under the radar. But it's the same tactics attackers have used since the '80s -- take a tactic that works, such as viruses, and morph how they look to defensive security technologies so that they slip unnoticed under the radar.

The data didn't come from just one vendor, as Kelly Jackson Higgins reported:

Mary Landesman, senior security researcher at ScanSafe, says her Web security services firm also is seeing more obfuscation, including encryption, of malicious code being injected into Web sites. "The bar is being raised each month, with different levels of obfuscation and encryption being used," she says. ScanSafe today reported an 87% jump in malware blocked by its Web security service in July compared with June, 75% of which came from the wave of SQL injection attacks hitting Web sites the past few months.

ScanSafe detected 34% more malware last month than it did in all of 2007, according to the report.

And while it's good news that 66% of the vulnerabilities on Web sites that WhiteHat Security tracks have been fixed, that strikes me as woefully inadequate.

It seems Web applications change too fast, and the need for good Web application security skills goes unmet at most organizations. Here's what those organizations are up against, as compiled by WhiteHat Security:

• Cross-site scripting (XSS), 67%
• Information leakage, 41%
• Content spoofing, 21%
• Insufficient authorization, 18%
• SQL injection, 17%
• Predictable source location, 16%
• Insufficient authentication, 12%
• HTTP response splitting, 9%
• Abuse of functionality, 8%
• Cross-site request forgery (CSRF), 8%

« Micosoft's SQL Strategy For Massive Data Sets | Main | The Touchscreen BlackBerry Storm Emerges »