REPORT: SQL Injection Attacks #1 Web Drive-by Hazard
Web application security company Breach Security announced today that SQL Injection attacks remains the number one web attack vector, accounting for nearly one-fifth of all security breaches (19%).
Attack vectors exploiting Web 2.0 features such as user-contributed content were also commonly employed: authentication abuse was the second most active attack vector (11%), and Cross Site Request Forgery (CSRF) rose to number five with 5% of the reported attacks.
The data released today was part of Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report. Breach Security contributes to the project. The WHID project compiles and analyzes application-related security incidents, focusing exclusively on publicly reported web application security attacks that have an identified outcome. The WHID 2009 Bi-Annual report analyzed global security incidents that occurred from January 1 through July 31, 2009. The report shows a 30 percent increase in overall web attacks compared to the same period in 2008.
The report also shows that planting of malware and standard overt changes on web sites, remains the most common outcome of web attacks (28%), while leakage of sensitive information is a close second, at 26%.
“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”
The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents. The WHID’s purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack.