Bot storming, "Google" hacking, directed attacks and the global/anonymous nature of attackers are the four primary attack methods against Web-based applications, according to a recent study by Fortify Software. And it's not just the big, high-profile sites that have to worry -- even home-based and small businesses on the Web face these imminent threats, said Brian Chess, chief scientist at the Palo Alto, Calif.-based company.
"The message is that for the majority of [businesses] who think they have "little" Web sites, they can't hide," Chess said. "People are using sophisticated techniques attacking Web sites, and it's not just the PayPals and Yahoos being attacked."
"If you're not thinking about Web application security, you will lose to someone who is. The idea that Web application security is something you need to think about someday is behind the times," Chess said. "Just because you look through the Web logs and see irrelevant attacks doesn't mean there aren't relevant attacks as well. It's easy for real attacks to get swamped by the noise."
Fortify conducted its research over the past six months, working with early adopters of its Application Defense product to capture trends in real-world attack patterns. Fortify Application Defense is intended to protect J2EE applications from losing private data, leaking information or performing unwanted tasks due to hacking. Chess said these customers gave Fortify access to the security information the product collected.
"We found quite a bit of chaff -- probably 50%-70% of the attacks were not interesting, and they were mostly launched by worms," he said. This "chaff," or bot storming, consists of bots and bot networks searching for known vulnerabilities, mostly in PHP files. While organizations should be aware of this attack method, they are typically not a major area of concern, Chess said.
"Most people who are moderately concerned about security aren't running PHP applications," he said. "These bots aren't very smart, and they're trying to attack things you don't have on your Web site."
The remaining percentage of attack methods found were more interesting -- and more dangerous. "The number two finding, and the most relevant, is that people are making a lot of errors in coding on Web sites that are exposing inner workings of the Web site," Chess said. "Then search engines like Google are indexing those errors. Now the bad guy, instead looking at Web sites one at time, can go to Google and look for vulnerabilities and get search results."
According to the Fortify data, over 20% of all security events in the monitoring pool were the result of hackers accessing Web site vulnerability information stored in search engine indices. As an example, a Web application may report diagnostic information if a Web page is broken. Hackers can use information stored in search engine indices of that site to map out the components and internal structure of the application. Fortify calls this "Google" hacking, but any search engine would apply.
"What was surprising to people was the number of errors, and the leaking of the information about the internal workings of applications," Chess said. "They didn't expect so much of their applications would be cooperating with the bad guys."
Attacks that were less frequent, but more dangerous to Web applications, are directed attacks. These attacks are always carried out by a human, who may or may not be using an automated tool. According to Fortify's study, the most common directed attacks were cross-site scripting, SQL injection and buffer overflows.
"People are very much looking at the particulars of Web sites to break into. They're altering cookie values or taking Web application scanners and running them against Web sites. They're using very sophisticated things to attack the Web application itself. They're not trying to break into the host or do a denial of service -- they're targeting the application."
The directed attacks combined with the "Google" hacking mean that bad guys are tuning into vulnerabilities specific to Web sites, Chess said. "That's bad news for people who think they can hide because they've got a small Web site or think that nobody is out to get them."
Finally, while the Fortify data found that the majority of the attacks were coming from the U.S., it is a global issue and attacks originated from all over the world. Moreover, the use of "anonymizing" technologies make it difficult to determine the origin of the attack. The report cited Anonym.OS as an example. It's a specialized variant of the free BSD Unix operating system that transparently encrypts and anonymizes traffic sent from a particular computer on the Internet.
While the bad guys are making use of such technologies, Chess said it raises the question: Do users have a right to be anonymous on the Internet? On the one hand, anonymity on the Internet prevents oppressive governments from throwing dissidents into jail for expressing their opinion, Chess said, but on the other hand, users conducting transactions have the right to know who they're doing business with.
"Society as a whole has mixed answers," he said. "You have credit cards, which are not anonymous, and then you have cash, which is totally anonymous."
One thing to think about, Chess said, is perhaps treating anonymous users differently from non-anonymous users.
Chess said Fortify is taking this information gathered from its early customers and using it to refine Application Defense. "We've had to alter the product to deal with the level of noise we've encountered." For instance, he said, Fortify has changed the way information is reported, starting with the dashboard. In the case of PHP worms, "we're making sure people see these worms, but we're making sure we draw their attention to targeted attacks."
Fortify has been providing patches to its customers involved in the study as it refines the product.