Report: Web 2.0 site attacks on the rise
In its bi-annual report the Web Application Security Consortium (WASC) has reported that attacks on Web 2.0 sites have increased significantly compared to last year. Over the last ten years, the report has analysed and commented on the information provided by the Web Hacking Incidents Database (WHID), a WASC project dedicated to maintaining a list of web application related security incidents.
According to the report, in the first half of 2009, attacks against Web 2.0 sites, such as social networking sites like the popular Twitter micro-blogging service, accounted for 19 per cent of all recorded incidents. These sites typically have a large number of users, and user-created content can open up several attack vectors, such as cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks.
Commercial websites came in second place: 16 per cent of attacks affected media related organisations, and 12 per cent each affected retail and technology organisations. Political and government related organisations (law enforcement and politics) dropped from the number one spot in 2008 to number four this year with 12 per cent. Entertainment sites came in at 7 per cent, and education and finance sites came in at 5 per cent each.
According to WASC, SQL injection is still the top vulnerability being exploited by hackers at 19 per cent, followed by unknown attacks (11 per cent). Attacks are categorised as unknown when the exploited vulnerability cannot be identified because the affected organisation lacked adequate logging. With 11 per cent, lack of or inadequate authentication mechanisms came in third. Denial-of-Service (DoS) / brute force attacks and content spoofing each came in at 10 per cent.
Unlike other vulnerability databases, such as Common Vulnerabilities and Exposures (CVE), the Open Source Vulnerability Database (OSVDB) or the SecurityFocus Vulnerabilities Database, the Web Hacking Incidents Database maintains a list of security incidents caused by vulnerabilities rather than of the vulnerabilities themselves. For an incident to make the list, it must have been publicly documented.