
Anonymous attacks: Three phases of an anonymous attack methodology

Security expert John Overbaugh examines three of Anonymous’ most common techniques for attacking websites and how they are carried out.

The group “Anonymous” has rapidly reached universal recognition for its successful hacks on civic, commercial and government sites worldwide. The group uses its Web application hacking skills to gain notoriety, to inflict financial and reputational harm and to suspend services. In part one of this two-part article, we examine a few of Anonymous’ techniques in attacking websites. Part two proposes some steps engineering organizations can take to reduce the likelihood of a successful Anonymous attack.

Looking at Anonymous’ recent history, one thing stands out: regardless of how technical their skills are, Anonymous’ victims have done little to make successful attacks difficult. While the group has obviously needed to be persistent, most sites were hacked without deep technical skills. A recent article by the security firm Imperva, The Anatomy of an Anonymous Attack, outlines three phases of Anonymous’ attack methodology:

  1. Recruitment: In this phase, little is done to attack the target. Anonymous is a loose group of technical and non-technical hackers. In order to launch a successful ‘crowd-sourced’ attack, a small group of activists attempts to recruit a much larger group. Anonymous uses Facebook, YouTube, Twitter and other social media in an effort to develop the crowd size necessary to launch a technical attack.
  2. Web application penetration: In the penetration phase, Anonymous’ more technical hackers attempt to exploit common website vulnerabilities at the target. These include:
    1. Directory traversal: This attack attempts to navigate out of the application’s intended directory into other file locations, in order to reach critical operating system and application configuration files.
    2. SQL injection: This attack attempts to inject SQL commands into the application’s database queries, allowing the attackers to extract data.
    3. Cross-site scripting: This attack is actually aimed at the application’s users: cross-site scripting involves executing attacker-supplied JavaScript in client browsers, with the goal of extracting user account data (thereby stealing account access to the target application).
  3. Distributed Denial of Service (DDoS): When all else fails (which is rare), Anonymous participants band together to execute a long series of high-volume transaction requests, rendering the site unresponsive to valid traffic and denying the organization the service its Web application exists to provide.

The good news that comes from Imperva’s analysis is that the three Web application attacks Anonymous employs are generally simple to prevent. It may involve a fair amount of work if a company has habitually ignored application security, but the fixes themselves are generally simple. A key set of tools for securing Web applications can make the work even easier and more successful. The Open Web Application Security Project (OWASP) offers Web developers and testers a wealth of tools and information to help them build more secure applications. One OWASP project is ESAPI (the Enterprise Security API). This API, available for Java, .NET, ASP, PHP, ColdFusion, Python and even JavaScript projects, offers libraries developers can call to validate user-supplied data for format, type, length and other properties that attackers commonly abuse to execute their attacks.
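The following is an added example, not code from the article, from Imperva or from the ESAPI project. It shows, in plain Python standard-library code rather than ESAPI, the defensive counterpart to each of the three Web application attacks listed above: confining file access to a document root (directory traversal), parameterizing database queries (SQL injection, shown with the vulnerable string-built query beside the safe one), and encoding output before it reaches a browser (cross-site scripting), plus the kind of format-and-length input validation the paragraph above attributes to ESAPI. The document root `/srv/app/public`, the `users` table and its two rows are constructed sample data.

```python
import html
import os
import re
import sqlite3

# --- Directory traversal: confine file access to one base directory ---
def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise if it escapes.

    realpath() collapses "..", repeated slashes and symlinks before the check, and
    commonpath() avoids the prefix trick that a plain startswith("/srv/app/public")
    check would miss (e.g. "/srv/app/public_old/secret").
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("requested path escapes the document root")
    return candidate


def is_safe_path(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_under_base() for use in request handlers."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except ValueError:
        return False


# --- ESAPI-style input validation: whitelist format, type and length ---
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def validate_username(value) -> str:
    """Accept only a short, alphanumeric username; reject everything else up front."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


# --- SQL injection: the vulnerable query next to the parameterized one ---
def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (assumption: not the article's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: user input is spliced into the SQL text, so quotes in `name`
    # change the query's structure instead of being treated as data.
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [row[0] for row in rows]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    # SAFE: the driver sends `name` as a bound parameter; it can never become SQL syntax.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


# --- Cross-site scripting: encode untrusted data before it reaches the browser ---
def render_greeting(display_name: str) -> str:
    """Build an HTML fragment in which the user-controlled value cannot start a tag."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_demo_db()
    print(is_safe_path("/srv/app/public", "css/site.css"))          # True
    print(is_safe_path("/srv/app/public", "../../etc/passwd"))      # False
    print(lookup_email_safe(db, "alice"))                           # ['alice@example.com']
    print(render_greeting("<b>guest</b>"))                          # &lt;b&gt; ... escaped
```

The `lookup_email_unsafe` function is kept only so the contrast is visible: the same quote-bearing input that returns every row through it returns nothing through `lookup_email_safe`, because the database receives it as a value rather than as part of the statement. Validation with `validate_username` belongs in front of both the query and the template, so malformed input is rejected before it reaches either sink.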

Read part two to learn more about ESAPI’s usefulness in preventing these attacks.
