The bank accounts of small and medium-sized companies became hackers' favourite target during the first half of 2010, according to the Web Application Security Consortium.
An analysis of web-hacking incidents by Trustwave's SpiderLabs security research team showed:
- Attacks on small to medium businesses' (SMBs') online banking accounts pushed banks to number three as a hacker target
- Banking Trojans were fast becoming a favourite tool to steal bank credentials
- Application downtime was on the rise due to denial of service (DoS) attacks
- Many organisations had not implemented proper web application logging mechanisms and were unable to identify and correct vulnerabilities.
The most common weaknesses are shown in the table below:
| Rank | WHID Top 10 for 2010 |
|---|---|
| 1 | Improper Output Handling (XSS and Planting of Malware) |
| 2 | Insufficient Anti-Automation (Brute Force and DoS) |
| 3 | Improper Input Handling (SQL Injection) |
| 4 | Insufficient Authentication (Stolen Credentials/Banking Trojans) |
| 5 | Application Misconfiguration (Detailed Error Messages) |
| 6 | Insufficient Process Validation (CSRF and DNS Hijacking) |
| 7 | Insufficient Authorization (Predictable Resource Location/Forceful Browsing) |
| 8 | Abuse of Functionality (CSRF/Click-Fraud) |
| 9 | Insufficient Password Recovery (Brute Force) |
| 10 | Improper Filesystem Permissions (Information Leakage) |

Source: Web Application Security Consortium (WASC)