12/31/2005 Application Security Predictions For The Year 2006
In 2005 the number of published application security vulnerabilities exploded. If you're subscribed to mailing lists such as Bugtraq you know just how often , SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 that exclusively covers the threats the web brings.
Worms and Browser Vulnerabilities
2005 brought the first web application worm (as opposed to a web server worm) and a couple of spin-offs. The trend will of course continue, although I suspect 2006 will bring more criminal aspects. Currently the only web application worms we've seen connect to IRC servers and seem to belong to 'hacking/script kid' groups.
The year 2005 also brought a ton of browser-based vulnerabilities in most browsers, including Netscape, Internet Explorer, Firefox, and more. A mix of web application and browser-based worms will probably begin in 2006. Some of you remember the Nimda worm; since then no worm exploiting both server and client has been identified. Frankly I'm surprised we haven't seen one since, but with the recent interest in browser-based vulnerabilities I suspect this idea is going to catch on, and not just with hacking groups but also with organized crime. The potential here is endless (see Prediction #2 for an example of what I'm talking about).
Phishing and Cross Site Scripting
has become more widespread with no slowdown in sight. In 2005 multiple presentations, including one by at Blackhat and another by , outlined the combination of phishing and cross site scripting. These talks touched on an attacker's ability to use known browser exploits to establish interactive sessions with the attacker, as well as to perform backend network scanning/exploitation via the XMLHTTP (AJAX) functionality that most browsers support. For years Cross Site Scripting has been a 'joke' to many people in the security industry. With new uses for cross site scripting being found every day I see the potential for XSS exploding, including its use as a payload for future worms (traditional and web based) to help execute phishing attacks.
Web Application Backdooring
Millions of web applications process billions of dollars per year in transactions. Understanding how these applications work is fairly trivial, since a large majority of them are off-the-shelf open source or fairly cheap. We've seen people in the past install trojans and rootkits to gain control over a user's system in order to steal data including credit cards, social security numbers, game keys ;) etc. We've also seen breaches at large financial organizations where data was being stolen via website vulnerabilities such as . Something we haven't heard much about is web application backdooring. This happens when an attacker exploits a vulnerable web server and modifies an existing web application to perform new duties or copy transaction information. For years people have been tracking application integrity with tools such as Tripwire to see if an application has been modified, although this isn't practical in a large percentage of situations where a website is going through constant changes.
RSS Feeds
Just like any application, you must ensure that the data you're processing is properly sanitized. I suspect that we'll be seeing wide-scale abuse of RSS feeds in the near future. Having done some research on this myself (which I hope to publish soon), 2006 is going to be a very interesting year.
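As an added illustration of the sanitization point above (example code, not from the original post), here is an allowlist-based sanitizer for RSS item content: it parses a feed, keeps only a few formatting tags and safe http(s) links in each description, and discards script bodies, event-handler attributes and javascript: URLs. The feed document, tag allowlist and payloads are all constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # everything else is dropped
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
class FeedSanitizer(HTMLParser):
    """Keep only allowlisted tags/attributes, re-escape text, drop script/style bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0   # skip_depth > 0 while inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag is dropped, its text still flows through
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick/onerror/style and every other attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip_depth:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))

def sanitize_html(fragment):
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def sanitize_feed(xml_text):
    """Parse an RSS 2.0 document into [(title, description)] pairs safe to render."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = html.escape(item.findtext("title") or "")   # title is plain text
        items.append((title, sanitize_html(item.findtext("description") or "")))
    return items
SAMPLE_FEED = """<rss version="2.0"><channel><title>demo</title><item><title>News &lt;1&gt;</title>
<description>&lt;p onclick="x()"&gt;Hi &lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:evil()"&gt;link&lt;/a&gt;&lt;a href="https://example.com"&gt;ok&lt;/a&gt;&lt;/p&gt;</description>
</item></channel></rss>"""   # constructed sample feed with XSS payloads, not a real one
```

Calling sanitize_feed(SAMPLE_FEED) yields the title escaped as text and the description reduced to a paragraph with one link-less anchor and one https anchor; the script body and the onclick handler are gone.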
Conclusions
The Web Application Security space isn't dying any time soon :)