In 2005, published application security vulnerabilities exploded. If you're subscribed to mailing lists such as Bugtraq, you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared an outline of predictions for 2006, covering exclusively the threats that the web brings.
Worms and Browser Vulnerabilities
2005 brought the first web application worm (as opposed to a web server worm) and a couple of spin-offs. The trend will of course continue, although I suspect 2006 will bring more criminal aspects. Currently the only web application worms we've seen attach to IRC servers and seem to belong to 'hacking/script kid' groups.
2005 has also brought a 'TON' of browser-based vulnerabilities in most browsers, including Netscape, Internet Explorer, Firefox, and more. A mix of web application and browser-based worms will probably begin in 2006. Some of you remember the Nimda worm; since then no worm exploiting both server and client has been identified. Frankly I'm surprised we haven't seen any since, but with the recent interest in browser-based vulnerabilities I suspect this idea is going to catch on, and not just with hacking groups but also with organized crime. The potential here is endless (see Prediction #2 for an example of what I'm talking about).
Phishing and Cross Site Scripting
Phishing has become more widespread, with no slowdown in sight. In 2005 multiple presentations, including one by Jeremiah Grossman at Black Hat and another by Billy Hoffman, outlined the combination of phishing and cross site scripting. These talks touched on the ability of an attacker to use known browser exploits to hold an interactive session with the victim's browser, as well as to perform backend network scanning/exploitation via the XMLHTTP AJAX functionality that most browsers support. For years Cross Site Scripting has been a 'joke' to many people in the security industry. With new uses for cross site scripting being found every day, I see the potential for XSS exploding, including its use as a payload in future worms (traditional and web based) to help execute phishing attacks.
Web Application Backdooring
Millions of web applications process billions of dollars per year in transactions. Understanding how these applications work is fairly trivial, since a large majority of them are off-the-shelf open source or fairly cheap. We've seen people in the past install trojans and rootkits to gain control over a user's system in order to steal data including credit cards, social security numbers, game keys ;) etc. We've also seen breaches at large financial organizations where data was stolen via website vulnerabilities such as SQL Injection. Something we haven't heard much about is web application backdooring. This happens when an attacker exploits a vulnerable web server and modifies an existing web application to perform new duties or to copy transaction information. For years people have been tracking application integrity with tools such as Tripwire to see if an application has been modified, although this isn't practical in a large percentage of situations where a website is going through constant changes.
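One way to make integrity checking workable on a site that changes constantly, as an added example that is not from the original post: baseline only the application's code files, regenerate that baseline at every legitimate deploy, and report any code that differs, appears or disappears in between while ignoring content churn such as uploaded images. The file names, suffix list and tampering scenario below are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Only application code is baselined; images, uploads and other content that
# changes all day are ignored, so content churn does not bury a modified script.
# (The suffix list is an assumption for this example; tailor it to the application.)
CODE_SUFFIXES = {".php", ".inc", ".pl", ".cgi", ".py", ".js"}


def build_baseline(webroot: str) -> dict[str, str]:
    """Map each code file (path relative to webroot) to its SHA-256.
    Regenerate this at every legitimate deploy; any difference that shows up
    between deploys is unexpected and worth a look."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in CODE_SUFFIXES
    }


def check_integrity(webroot: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report code files changed since the baseline, new code files anywhere under
    webroot (including writable upload directories), and code files that vanished."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny shop, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "checkout.php").write_text("<?php // constructed checkout script ?>\n")
        (root / "uploads" / "avatar1.jpg").write_bytes(b"\xff\xd8 constructed jpeg \xff\xd9")
        baseline = build_baseline(tmp)
        # Legitimate churn: another image upload. Not code, so not reported.
        (root / "uploads" / "avatar2.jpg").write_bytes(b"\xff\xd8 constructed jpeg \xff\xd9")
        # Tampering: the live checkout script is altered after deployment and a
        # new script appears in the writable uploads directory.
        with (root / "checkout.php").open("a") as f:
            f.write("<?php // constructed: line added after deployment ?>\n")
        (root / "uploads" / "img.php").write_text("<?php // constructed: unexpected script ?>\n")
        return check_integrity(tmp, baseline)


if __name__ == "__main__":
    print(demo())
```

Running the demo reports checkout.php as modified and uploads/img.php as added while the new image is silently ignored; in practice the baseline would be stored off the web server so an intruder cannot rewrite it along with the code.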
Just like any other application, you must ensure that the data you're processing is properly sanitized. I suspect we'll be seeing wide-scale abuse of RSS feeds in the near future. Having done some research on this myself (which I hope to publish soon), I expect 2006 to be a very interesting year.
The Web Application Security space isn't dying any time soon :)