Cyber-Attackers Target Web Applications, Study Says

Most vulnerabilities stem from Web applications, not browsers or servers, security survey says.

by / September 1, 2008

As organizations harden their networks, Web applications have become primary targets for cyber-attack, according to a new report.

"Hackers have realized that because networks are secure, the application is the weakest link," said Mandeep Khera, chief marketing officer for Cenzic, a security firm which release the report Aug. 25. "That's where they want to get in and attack because most applications are not secure there."

The company specializes in application security risk management and vulnerability assessment solutions.

Cenzic's Application Security Trends Report - Q2 2008 on Aug. 25, 2008, is based on an examination of published vulnerability reports from April to June 2008. The company gleaned these reports from public sources provided by vendors, security news sites like SecurityFocus.com and its own investigative efforts.

The report identifies 1,207 total vulnerabilities for second quarter 2008, 73 percent of which resulted from Web servers, applications and browsers. However, 88 percent of the time, Web vulnerabilities came from the applications, not browsers or servers.

The report also presents the following information:

o Web technology vulnerabilities are on the rise - they made up 70 percent of total vulnerabilities reported in Q1 2008, almost 71 percent in Q4 2007 and more than the 68 percent in Q3 2007.
o Vulnerabilities in applications written in PHP, a programming language used to script Web pages, accounted for about 40 percent of reported vulnerabilities.
o Web server or Web application server vulnerabilities made up about 7 percent of vulnerabilities.
o Web browser vulnerabilities constituted about 4 percent of total vulnerabilities.
o SQL injection made up 34 percent of reported vulnerabilities, and Cross-Site Scripting composed 23 percent. In a SQL injection, the attacker exploits a site's code to perform unauthorized SQL commands and extract data. In a Cross-Site Scripting attack, users unknowingly use Web applications containing malicious code that infects their browsers when certain actions are performed on the application.

According to Khera, companies and governments have had years to secure their networks well enough to block most attacks in that area, but Web application security has slipped largely under the radar, so that's where malicious forces see their opportunity.

Simple flaws in secure coding can leave private citizen information vulnerable to exposure. The Associated Press reported that, from late June until Monday, Aug. 18, 2008, the names, birthdates and test scores of tens of thousands of students in Florida's Sarasota County Schools were unintentionally published on the Web after the students used an online Princeton Review program to study for assessment tests.

"If they had taken precaution in doing secure coding of the Web site, it would have [been] prevented easily," Khera said of the Princeton programmers. He speculates that people don't even know the full magnitude of the problem because vulnerabilities aren't always published. "For every one commercial application that people have deployed, there are hundreds of proprietary applications that people build on their own." Breaches with in-house applications are less likely to be publicized than breaches with vendor-created ones.

The Cenzic report also lists the top 10 most severe Web application vulnerability types, which all involve malicious code. Khera said corporate and government applications could be more secure against these threats if IT employees were better prepared. He offered a few reasons why they often aren't.

"One is that they have never been trained on secure coding and second, all developers, as you may know, are under so much pressure to deliver on time," he said. This pressure causes them to forsake the extra time it would take to make things more secure so they can just finish the application fast enough to make their bosses happy. He added that many universities don't cover application security deeply enough to prepare students for the professional world.

 

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.