Web applications caught in a storm of attacks, report finds

By Bill Brenner, Senior News Writer
18 Jul 2006 | SearchSecurity.com

Security experts have warned for months that online outlaws have found greater success and profit in attacks that pummel Web application flaws.

To that end, a new report from Fortify Software Inc. shows how bots and search engines like Google have become indispensable tools for Web application attackers, and how their handiwork is getting more sophisticated and tougher to trace.

From early January through late June, the Palo Alto, Calif.-based security vendor collected data from corporate IT environments that use its Fortify Application Defense product, which secures J2EE-based applications. The resulting report outlines four trends:

  • Bots are being used in more than half the attacks against Web applications;
  • Attackers are finding flawed Web applications using Google and other search tools;
  • Directed attacks are growing more sophisticated; and
  • Attackers operating from bases around the world are getting better at covering their tracks.

    Bots wage war on Web apps
    On average, 50% to 70% of attacks against Web applications over a six-month period were launched by bots and bot networks searching for known vulnerabilities.

    "These automated probes seek out unprotected or unpatched components in applications and deliver their malicious code" successfully, the report said. "The effect is much like a storm raging over a landscape: the probes are sprayed throughout the Internet and ceaselessly (and somewhat randomly) hit Web applications."

    Over a single week, for example, Fortify monitored applications that were pummeled by seven distinct attacks from separate IP addresses that resulted in 52 attempts to access .php files. "Given the attacks' frequency and content, they most likely originated from machines infected by worms that periodically launched these automated attacks," the report said.
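    One way to keep probe traffic like this from burying other activity in the logs, added here as an example and not taken from Fortify's report or product: collapse requests for `.php` files into a per-source count and surface what remains for review. It assumes a pure J2EE application (so no legitimate request targets `.php`) and Common Log Format; the log lines, paths and the `triage` function are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jun/2006:03:14:07 +0000] "GET /index.php HTTP/1.0" 404 312
192.0.2.10 - - [12/Jun/2006:03:14:08 +0000] "GET /blog/xmlrpc.php HTTP/1.0" 404 312
198.51.100.7 - - [12/Jun/2006:03:15:40 +0000] "GET /store/catalog.do?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [12/Jun/2006:03:16:02 +0000] "GET /forum/index.php?x=1 HTTP/1.0" 404 312
192.0.2.10 - - [12/Jun/2006:03:16:30 +0000] "POST /store/login.do HTTP/1.0" 200 1804
198.51.100.7 - - [12/Jun/2006:03:17:11 +0000] "GET /store/cart.do HTTP/1.1" 500 9211
198.51.100.7 - - [12/Jun/2006:03:17:45 +0000] "GET /store/home.do HTTP/1.1" 200 4410
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumption: the application is pure J2EE, so any request for these
# extensions is automated probing rather than real user traffic.
FOREIGN_EXT = (".php",)


def triage(log_text):
    """Return (probe_counts, review).

    probe_counts: Counter of probe requests per source IP (the noise).
    review: remaining requests that came from a probing IP or ended in a
            server error, i.e. the lines worth reading by hand.
    """
    probes = Counter()
    others = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, method, target, status = m[1], m[2], m[3], int(m[4])
        # Drop the query string before testing the extension.
        if urlsplit(target).path.lower().endswith(FOREIGN_EXT):
            probes[ip] += 1
        else:
            others.append((ip, method, target, status))
    review = [r for r in others if r[0] in probes or r[3] >= 500]
    return probes, review


if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print("probe requests per source:", dict(noise))
    for entry in review:
        print("review:", entry)
```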

    Brian Chess, Fortify's chief scientist, said he was most surprised to see how much useless data these bots generate in order to mask their attacks.

    "If you're the IT administrator, the bot is generating a lot of data that masks its more interesting activities," he said. "After a while of seeing all this noise, you tend to get bored and walk away, and you may not detect the real damage."

    Bad guys use Google, too
    More than 20% of all security events in the Fortify monitoring pool were the result of hackers accessing Web site vulnerability information stored on search sites like Google, the report said, since search engines collect a wealth of information about every Web site they index. "If a Web site inadvertently reveals sensitive information or advertises the presence of a vulnerability, then Google's index of the site will contain evidence of the flaw," the report said.

    For example, if a page is broken, a Web application may report diagnostic information like a stack trace. Cyberthieves can use that to map out the components and internal structure of a vulnerable application and then pounce on the target.

    "The biggest surprise to people using our product was the number of errors on their Web sites and how much of it is being revealed on Google and other search sites," Chess said. "When Google indexes all this information, the attackers can find you from Google just as the good guys can find you from Google."

    Attacks more sophisticated, widespread
    Application-specific attacks appear less frequent, but Fortify found they are much more sophisticated and even more dangerous to the Web applications that are assaulted. The most common techniques in directed attacks appear to be cross-site scripting, SQL injection and buffer overflows.

    Fortify's research also showed attacks originating from the United States, China, Poland, Australia and many other countries. "The use of anonymizing technologies and proxy servers continues to mask the true locations of Web application attack sources, reflecting their 'invisible' nature," the report said.

    There are a variety of techniques the bad guys use to cover their tracks, like hiding behind a proxy server or a chain of proxy servers, the report said.

    "Various anonymizing technologies have been developed … to make it difficult to determine the origin of an Internet connection," the report said. "In the best cases, they prevent repressive governments from punishing political opponents. In the worst cases, these technologies can be used by malicious hackers to attack other computers with little chance of being physically captured."

    Chess said a vast majority of Web app attacks seem to be coming from the United States. But, he added, "We really have no idea where the attackers are actually sitting."

    This article originally appeared on SearchSecurity.com.


