AppSec Blog

WASC Web Hacking Incident Database Semi-Annual Report

In addition to being a SANS Certified Instructor, I also serve as the WASC Web Hacking Incident Database (WHID) project leader. If you are unfamiliar with it, WHID is a project dedicated to maintaining a record of web application-related security incidents. WHID's purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security — which focus on the technical aspect of the incident and on vulnerability prevalence — WHID focuses on the impact of the attack.

Report Summary Findings

An analysis of the Web hacking incidents from the first half of 2010 shows the following trends and findings:

  • A steep rise in attacks against the financial vertical market is occurring in 2010, and is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting small to medium businesses' (SMBs) online banking accounts.
  • Corresponding to cybercriminals targeting online bank accounts, the use of Banking Trojans (which results in stolen authentication credentials) made the largest jump for attack methods (Banking Trojans + Stolen Credentials).
  • Application downtime, often due to denial of service attacks, is a rising outcome.
  • Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the no. 1 "unknown" attack category.

Download the full report (no registration required).

WHID Top 10 Risks for 2010

As part of the WHID analysis, here is a current Top 10 listing of the application weaknesses that are actively being exploited (with example attack method mapping in parentheses). Hopefully this data can be used by organizations to re-prioritize their remediation efforts based on application weaknesses that are being actively exploited by cyber-criminals.

Rank | WHID Top 10 Application Weaknesses for 2010 (example attack method) | OWASP Top 10 Web Application Security Risks for 2010
-----|----------------------------------------------------------------------|------------------------------------------------------
1    | Improper Output Handling (XSS and Planting of Malware)               | Injection
2    | Insufficient Anti-Automation (Brute Force and DoS)                   | Cross-Site Scripting (XSS)
3    | Improper Input Handling (SQL Injection)                              | Broken Authentication and Session Management
4    | Insufficient Authentication (Stolen Credentials/Banking Trojans)     | Insecure Direct Object References
5    | Application Misconfiguration (Detailed error messages)               | Cross-Site Request Forgery (CSRF)
6    | Insufficient Process Validation (CSRF and DNS Hijacking)             | Security Misconfiguration
7    | Insufficient Authorization (Predictable Resource Location/Forceful Browsing) | Insecure Cryptographic Storage
8    | Abuse of Functionality (CSRF/Click-Fraud)                            | Failure to Restrict URL Access
9    | Insufficient Password Recovery (Brute Force)                         | Insufficient Transport Layer Protection
10   | Improper Filesystem Permissions (Info Leakage)                       | Unvalidated Redirects and Forwards
