Tags:
In addition to being a SANS Certified Instructor, I also serve as the WASC Web Hacking Incident Database (WHID) project leaders. If you are unfamiliar, WHID is a project dedicated to maintaining a record of web application-related security incidents. WHID's purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security — which focus on the technical aspect of the incident and are focused on vulnerability prevalence — WHID focuses on the impact of the attack.
Report Summary Findings
An analysis of the Web hacking incidents from the first half of 2010 shows the following trends and findings:
- A steep rise in attacks against the financial vertical market is occurring in 2010, and is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting small to medium businesses' (SMBs) online banking accounts.
- Corresponding to cybercriminals targeting online bank accounts, the use of Banking Trojans (which results in stolen authentication credentials) made the largest jump for attack methods (Banking Trojans + Stolen Credentials).
- Application downtime, often due to denial of service attacks, is a rising outcome.
- Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the no. 1 "unknown" attack category.
Download the full report (no registration required).
WHID Top 10 Risks for 2010
As part of the WHID analysis, here is a current Top 10 listing of the application weaknesses that are actively being exploited (with example attack method mapping in parentheses). Hopefully this data can be used by organizations to re-prioritize their remediation efforts based on application weaknesses that are being actively exploited by cyber-criminals.
WHID Top 10 Application Weaknesses for 2010 | OWASP Top 10 Web Application Security Risks for 2010 | |
1 | Improper Output Handling (XSS and Planting of Malware) | Injection |
2 | Insufficient Anti-Automation (Brute Force and DoS) | Cross-Site Scripting (XSS) |
3 | Improper Input Handling (SQL Injection) | Broken Authentication and Session Management |
4 | Insufficient Authentication (Stolen Credentials/Banking Trojans) | Insecure Direct Object References |
5 | Application Misconfiguration (Detailed error messages) | Cross-Site Request Forgery (CSRF) |
6 | Insufficient Process Validation (CSRF and DNS Hijacking) | Security Misconfiguration |
7 | Insufficient Authorization (Predictable Resource Location/Forceful Browsing) | Insecure Cryptographic Storage |
8 | Abuse of Functionality (CSRF/Click-Fraud) | Failure to Restrict URL Access |
9 | Insufficient Password Recovery (Brute Force) | Insufficient Transport Layer Protection |
10 | Improper Filesystem Permissions (info Leakages) | Unvalidated Redirects and Forwards |