In addition to being a SANS Certified Instructor, I also serve as the WASC Web Hacking Incident Database (WHID) project leaders. If you are unfamiliar, WHID is a project dedicated to maintaining a record of web application-related security incidents. WHID's purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security — which focus on the technical aspect of the incident and are focused on vulnerability prevalence — WHID focuses on the impact of the attack.
Report Summary Findings
An analysis of the Web hacking incidents from the first half of 2010 shows the following trends and findings:
- A steep rise in attacks against the financial vertical market is occurring in 2010, and is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting small to medium businesses' (SMBs) online banking accounts.
- Corresponding to cybercriminals targeting online bank accounts, the use of Banking Trojans (which results in stolen authentication credentials) made the largest jump for attack methods (Banking Trojans + Stolen Credentials).
- Application downtime, often due to denial of service attacks, is a rising outcome.
- Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the no. 1 "unknown" attack category.
Download the full report (no registration required).
WHID Top 10 Risks for 2010
As part of the WHID analysis, here is a current Top 10 listing of the application weaknesses that are actively being exploited (with example attack method mapping in parentheses). Hopefully this data can be used by organizations to re-prioritize their remediation efforts based on application weaknesses that are being actively exploited by cyber-criminals.
|WHID Top 10 Application Weaknesses for 2010||OWASP Top 10 Web Application Security Risks for 2010|
|1||Improper Output Handling (XSS and Planting of Malware)||Injection|
|2||Insufficient Anti-Automation (Brute Force and DoS)||Cross-Site Scripting (XSS)|
|3||Improper Input Handling (SQL Injection)||Broken Authentication and Session Management|
|4||Insufficient Authentication (Stolen Credentials/Banking Trojans)||Insecure Direct Object References|
|5||Application Misconfiguration (Detailed error messages)||Cross-Site Request Forgery (CSRF)|
|6||Insufficient Process Validation (CSRF and DNS Hijacking)||Security Misconfiguration|
|7||Insufficient Authorization (Predictable Resource Location/Forceful Browsing)||Insecure Cryptographic Storage|
|8||Abuse of Functionality (CSRF/Click-Fraud)||Failure to Restrict URL Access|
|9||Insufficient Password Recovery (Brute Force)||Insufficient Transport Layer Protection|
|10||Improper Filesystem Permissions (info Leakages)||Unvalidated Redirects and Forwards|