The group “Anonymous” has rapidly reached universal recognition for its successful hacks on civic, commercial and government sites worldwide. The group uses its Web application hacking skills to gain notoriety, to inflict financial and reputational harm and to suspend services. In part one of this two-part article, we examine a few of Anonymous’ techniques in attacking websites. Part two proposes some steps engineering organizations can take to reduce the likelihood of a successful Anonymous attack.
Looking at Anonymous’ recent history, one thing stands out: regardless of how technical their skills are, Anonymous’ victims have done little to make successful attacks difficult. While the group has obviously needed to be persistent, most sites were hacked without deep technical skills. A recent article by the security firm Imperva, The Anatomy of an Anonymous Attack, outlines three phases of Anonymous’ attack methodology:
- Recruitment: In this phase, little is done to attack the target. Anonymous is a loose group of technical and non-technical hackers. In order to launch a successful ‘crowd-sourced’ attack, a small group of activists attempts to recruit a much larger group. Anonymous uses Facebook, YouTube, Twitter and other social media in an effort to develop the crowd size necessary to launch a technical attack.
- Web application penetration: In the penetration phase, Anonymous’ more technical hackers attempt to exploit common website vulnerabilities at the target. These include:
  - Directory traversal: This attack attempts to navigate from the application’s valid directory into other file locations, in order to reach critical operating system and application configuration files.
  - SQL injection: This attack attempts to inject SQL commands into the application’s database, from which the attackers then extract data.
- Distributed Denial of Service (DDoS): When all else fails (which is rare), Anonymous participants band together to execute a long series of high-volume transaction requests, rendering the site unresponsive to valid traffic and denying the company the benefit of its Web application.
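The two Web application flaws in the list above, shown as an added example in Python that is not from the original article or from Imperva’s report: a path resolver that refuses to leave the application’s document root (the directory traversal case), and a user lookup in its vulnerable and parameterised forms (the SQL injection case). The document root, the table and its rows are constructed for the demonstration.

```python
import posixpath
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample web root; a real application would configure this.
DOC_ROOT = "/srv/app/public"


def resolve_public_path(requested: str) -> Optional[str]:
    """Map a client-supplied path onto DOC_ROOT and reject anything that
    escapes it. Returns the resolved path, or None when the request would
    leave the application's valid directory."""
    # Drop leading separators so the join stays relative to DOC_ROOT, then
    # collapse '..', '.', and repeated separators before comparing prefixes.
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, requested.lstrip("/\\")))
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable form: the client value is spliced into the statement text,
    so a quote in the input changes the query's logic."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened form: the value travels as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    for path in ("css/site.css", "../../etc/passwd"):
        print(f"{path!r:24} -> {resolve_public_path(path)}")
    conn = demo_db()
    probe = "x' OR '1'='1"
    print("unsafe rows returned:", len(lookup_user_unsafe(conn, probe)))
    print("safe rows returned:  ", len(lookup_user_safe(conn, probe)))
```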
Read part two to learn more about ESAPI’s usefulness in preventing these attacks.