The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents. WHID’s purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack. Trustwave's SpiderLabs is a WHID project contributor.
An analysis of the Web hacking incidents from the first half of 2010 performed by Trustwave’s SpiderLabs Security Research team shows the following trends and findings:
- A steep rise in attacks against the financial vertical market is occurring in 2010; it is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting the online banking accounts of small to medium businesses (SMBs).
- Consistent with cybercriminals targeting online bank accounts, Banking Trojans (which steal authentication credentials) showed the largest jump among attack methods (Banking Trojans + Stolen Credentials).
- Application downtime, often due to denial of service attacks, is a rising outcome.
- Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. As a result, “unknown” is the no. 1 attack category.
WHID Top 10 Risks for 2010
As part of the WHID analysis, here is a current Top 10 listing of the application weaknesses that are actively being exploited (with example attack method mapping in parentheses). Hopefully this data can be used by organizations to re-prioritize their remediation efforts.
| Rank | WHID Top 10 for 2010 (example attack method) |
|---|---|
| 1 | Improper Output Handling (XSS and Planting of Malware) |
| 2 | Insufficient Anti-Automation (Brute Force and DoS) |
| 3 | Improper Input Handling (SQL Injection) |
| 4 | Insufficient Authentication (Stolen Credentials/Banking Trojans) |
| 5 | Application Misconfiguration (Detailed Error Messages) |
| 6 | Insufficient Process Validation (CSRF and DNS Hijacking) |
| 7 | Insufficient Authorization (Predictable Resource Location/Forceful Browsing) |
| 8 | Abuse of Functionality (CSRF/Click-Fraud) |
| 9 | Insufficient Password Recovery (Brute Force) |
| 10 | Improper Filesystem Permissions (Information Leakage) |
Download the full report.