XSS attacks remain top threat to web applications

Cross-site scripting (XSS) attacks remain the top threat to web applications, databases and websites, a study from FireHost reveals

Cross-site scripting (XSS) attacks remain the top threat to web applications, databases and websites, an analysis of 15 million cyber attacks in the third quarter of 2012 has revealed.

Other top attack techniques are directory traversals, SQL injections (SQLi), and cross-site request forgery (CSRF), according to the latest web application attack report by cloud hosting firm FireHost.

The increase in the number of cross-site attacks is one of the most significant changes in attack traffic between Q2 and Q3 2012, the report said. XSS and CSRF attacks rose to account for 64% of this group of attacks.

XSS is now the most common attack type, with CSRF in second place. FireHost’s servers blocked more than one million XSS attacks during the third quarter of 2012, up 69% from the previous quarter.


Cross-site attacks depend on the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user through a trusted site, often in the form of a hyperlink containing malicious content, while CSRF attacks exploit the trust that a site has for a particular user.

These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details without the site or user’s knowledge.

The severity of these attacks depends on the sensitivity of the data handled by the vulnerable site. This ranges from personal data found on social networking sites, to the financial and confidential details entered on e-commerce sites.

A great number of organisations have fallen victim to such attacks in recent years, including PayPal, Hotmail and eBay, the last of which fell victim to a single CSRF attack in 2008 that targeted 18 million users of its Korean website.


In September 2012 Microsoft and Google Chrome both issued extensive patches addressing XSS flaws, highlighting the prevalence of this growing online threat.

“Cross-site attacks are a severe threat to business operations, especially if servers aren’t properly prepared,” said Chris Hinkley, a senior security engineer at FireHost.

“It’s vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected.

“Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don’t fall victim to an attack of this nature. The consequences can be significant, in terms of both financial and reputational damage.”
