[Figure: Type of Network Attack diagram]
[Figure: Search Engine Poisoning (SEP)]
SQLi in the Wild
According to the Privacy Rights Clearinghouse, over 312 million records were compromised by external hacking events since 2005. Some 262 million of these consisted of breaches at TJX, Heartland Payment Systems and RockYou – all SQLi attacks. While the SQLi vulnerability celebrated its 10th anniversary this year, we can see it still tops the charts and accounts for at least 83% of all successful hacks. Earlier this year, a SQLi attack against Sony resulted in the compromise of 77 million credit cards. Even Lady Gaga’s site was hacked by SQLi.
As the WAAR report showed, SQLi attacks represented 23% of all observed attacks, successful or not. Over the past nine months, the monitored Web applications suffered 50-100 SQLi attacks per hour, about 1,100 per day on average. During a concentrated attack, however, the rate spiked, and on some days 8,000 SQLi attempts were aimed at the monitored applications.
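The numbers above (a steady 50-100 attempts per hour, with spikes to 8,000 in a day) suggest a simple detection: bucket WAF alerts per hour and flag hours well above the application's own baseline. The block below is an added example, not code from the report or its authors; the log format and every line in SAMPLE_LOG are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed WAF-style alert lines (not real traffic):
# timestamp  client  alert-class  method  path
SAMPLE_LOG = """\
2011-07-12T09:05:11 10.0.0.5 SQLi GET /product?id=1
2011-07-12T09:17:42 10.0.0.9 SQLi GET /login
2011-07-12T09:41:03 10.0.0.5 XSS GET /search?q=
2011-07-12T14:02:10 10.0.0.7 SQLi GET /product?id=2
2011-07-12T14:02:11 10.0.0.7 SQLi GET /product?id=3
2011-07-12T14:02:12 10.0.0.7 SQLi GET /product?id=4
2011-07-12T14:02:13 10.0.0.7 SQLi GET /product?id=5
2011-07-12T14:02:14 10.0.0.7 SQLi GET /product?id=6
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_alerts(text):
    """Yield (hour_bucket, client, alert_class) for each well-formed line.
    The hour bucket is the first 13 characters of the ISO timestamp,
    e.g. '2011-07-12T14', so no datetime arithmetic is needed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client, alert, _method, _path = m.groups()
        yield ts[:13], client, alert


def sqli_per_hour(text):
    """Count SQLi alerts per hour bucket."""
    counts = Counter()
    for hour, _client, alert in parse_alerts(text):
        if alert == "SQLi":
            counts[hour] += 1
    return counts


def top_sqli_clients(text, n=3):
    """Clients responsible for the most SQLi alerts, most active first."""
    counts = Counter(client for _h, client, alert in parse_alerts(text)
                     if alert == "SQLi")
    return counts.most_common(n)


def find_bursts(text, baseline_per_hour, multiplier=3.0):
    """Return hour buckets whose SQLi count exceeds multiplier x baseline.
    baseline_per_hour is the application's own normal rate (the report
    cites 50-100/hour); for the tiny constructed sample a baseline of 1
    is used in the usage below."""
    threshold = baseline_per_hour * multiplier
    return sorted(h for h, n in sqli_per_hour(text).items() if n > threshold)


if __name__ == "__main__":
    print(dict(sqli_per_hour(SAMPLE_LOG)))
    print(top_sqli_clients(SAMPLE_LOG))
    print(find_bursts(SAMPLE_LOG, baseline_per_hour=1))
```

The threshold is relative to each application's baseline rather than a fixed number, because the report's own figures show the normal rate differs widely between applications; a burst from a single client (as in the sample) is the pattern most worth escalating.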
Web Attack Technique #2: Remote File Inclusion (RFI)
In this setting, a Web application is programmed to include an external file by reference. If the application is vulnerable to Remote File Inclusion, the hacker can replace that reference with any file of her own. Once the malicious script is included, the server is under the hacker's control: she can glean information, manipulate data and even upload a malicious executable.
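The defensive rule for RFI is that nothing from the request should ever become the include target; the request may only select among files the application already knows. The block below is an added example, not code from the page or any product it describes: ALLOWED_PAGES is a constructed allowlist, include_safe shows the lookup-by-key pattern, and classify_include_param is a logging helper that labels what a raw parameter looks like.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only templates the application may include.
# The request parameter selects a key; it never supplies a path.
ALLOWED_PAGES = {
    "home": "pages/home.tpl",
    "about": "pages/about.tpl",
    "contact": "pages/contact.tpl",
}


def include_safe(page_param: str) -> str:
    """Hardened form: map the parameter to a fixed template path, or refuse.
    The unsafe form this replaces passes page_param itself to the include
    call, which is exactly what lets a remote URL be pulled in."""
    try:
        return ALLOWED_PAGES[page_param]
    except KeyError:
        raise ValueError(f"unknown page {page_param!r}")


def classify_include_param(value: str) -> str:
    """Label a raw 'page' parameter for detection/logging purposes."""
    parts = urlsplit(value)
    if parts.scheme:
        # http://, https://, ftp://, data:, stream wrappers: anything with a
        # scheme is a remote-inclusion attempt against an include that
        # accepts URLs.
        return "remote_url"
    if value.startswith(("//", "\\\\")):
        return "remote_url"  # scheme-relative and UNC forms
    if ".." in value or value.startswith("/") or "\x00" in value:
        return "traversal"   # local inclusion / path escape attempt
    return "local"


if __name__ == "__main__":
    for p in ("about", "http://attacker.example/shell.txt", "../../etc/passwd"):
        print(p, "->", classify_include_param(p))
```

In a real deployment the "remote_url" label is the one to alert on: a legitimate client has no reason to send a URL in a page-selection parameter, so even a single occurrence is a high-confidence probe.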
RFI in the Wild
The following snippet is taken from the LulzSec chat logs. It shows that RFI was one of the techniques used by the group to conduct their attacks.
lol – storm would you also like the RFI/LFI bot with google bypass i was talking about while i have this plugged in? lol – i used to load about 8,000 RFI with usp flooder crushed most server 😀
As we can see, LulzSec used bots to carry out RFI attacks, which led to the crashing of the servers (in other words, using RFI as a technique to conduct a DDoS attack). In fact, this was the technique used to bring down the CIA public website. RFI is not a widely discussed attack and is often overlooked. But LulzSec proved the consequence of such a vulnerability when they exploited it to help ambush their targets.
According to the WAAR, RFI attacks account for 4% of the top four most prevalent attack types. A large portion of RFI attacks were part of a comprehensive high-volume attack on a Web application during a very short period such as an hour.
Web Attack Technique #3: Directory Traversal (DT)
As the name hints, in a directory traversal attack, a hacker traverses the Web application’s file directory in an attempt to find hidden files that were inadvertently exposed to the application. Suppose, for example, that a parent directory is not meant to be accessible. By exploiting a DT vulnerability, a hacker will be able to retrieve information from that directory by using special character sequences such as ‘..’, which requests a “traversal” to the file’s parent directory.
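The fix on the server side is to canonicalise the requested path and confirm it still lies under the directory the application intends to serve, rejecting anything that climbs past it. The block below is an added example, not code from the page: resolve_under_base is a pure string normaliser (no filesystem access, so it behaves identically on every platform) and is_traversal_probe is the detection-side view that also catches double-encoded sequences; the base directory is a constructed value.

```python
from urllib.parse import unquote


def resolve_under_base(base: str, user_path: str):
    """Return the absolute path of user_path inside base, or None if the
    request would escape base. Handles percent-encoding, backslashes,
    '.' and '..' segments, absolute paths and NUL bytes."""
    decoded = unquote(user_path)          # %2e%2e -> ..
    if "\x00" in decoded:
        return None                       # NUL-truncation trick
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator
    if decoded.startswith("/"):
        return None                       # absolute paths are never allowed
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # empty or current-dir segment
        if seg == "..":
            if not parts:
                return None               # would climb above base
            parts.pop()
        else:
            parts.append(seg)
    return base.rstrip("/") + "/" + "/".join(parts)


def is_traversal_probe(raw: str) -> bool:
    """Detection view: flag a raw query value that contains a parent-directory
    step after up to two rounds of percent-decoding (catches %252e%252e)."""
    s = raw
    for _ in range(2):
        s = unquote(s)
    s = s.replace("\\", "/")
    return any(seg == ".." for seg in s.split("/"))


if __name__ == "__main__":
    BASE = "/var/www/public"  # constructed base directory
    for p in ("docs/readme.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(p, "->", resolve_under_base(BASE, p), is_traversal_probe(p))
```

The normaliser refuses rather than "cleaning" the path: stripping '..' and serving what remains would still let an attacker steer the request, and it hides the probe from the logs.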
DT in the Wild
Surprisingly, this was WAAR’s most observed attack technique, taking up 37% of the top four most prevalent attack types. This too is an attack technique we do not hear much about, but the prevalence of the attacks forces us to take a closer look at it. What we found is that DTs are commonly used for reconnaissance. When the hacker extracts enough information about the targeted victim, they can proceed to carry out an additional attack. In particular, this attack was mainly used in conjunction with RFI attacks: the DT maps out the vulnerabilities for a subsequent RFI attack to exploit.
Web Attack Technique #4: Cross Site Scripting (XSS)
A successful Cross Site Scripting attack allows the hacker to execute scripts in a victim’s browser. The script may redirect the visitor to an attacker-controlled website, to steal user credentials or simply to insert hostile content.
XSS is a peculiar attack. With XSS, the attacker abuses the trust between the application and the user. It is not a web attack per se against the server, but rather against the site’s visitors. However, this type of attack still continues to fall under the responsibility of the site administrators since the exploit occurs due to existing flaws on the server side.
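The server-side flaw the paragraph refers to is output that echoes user input into the page without encoding it for the HTML context. The block below is an added example, not code from the page: it renders a constructed comment template two ways, then parses the result with the standard-library HTML parser to show what a browser would actually see, so the difference between the vulnerable and the hardened rendering is checked rather than eyeballed.

```python
import html
from html.parser import HTMLParser

# Constructed template; author and body are untrusted user input.
TEMPLATE = '<div class="comment" data-author="{author}">{body}</div>'


def render_vulnerable(author: str, body: str) -> str:
    """Reflects the input verbatim: markup in body becomes part of the page
    and a quote in author breaks out of the attribute."""
    return TEMPLATE.format(author=author, body=body)


def render_safe(author: str, body: str) -> str:
    """Encodes for the HTML context. html.escape(quote=True) turns < > &
    \" and ' into entities, so the input can only ever be text, both inside
    the element and inside the quoted attribute."""
    return TEMPLATE.format(author=html.escape(author, quote=True),
                           body=html.escape(body, quote=True))


class _Collector(HTMLParser):
    """Records the tags seen and the attributes of the first div."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "div" and not self.attrs:
            self.attrs = dict(attrs)


def analyse(rendered: str) -> dict:
    """Browser's-eye view of a rendered fragment: which tags exist and which
    attributes the comment div carries (entity-decoded, as a browser would)."""
    p = _Collector()
    p.feed(rendered)
    p.close()
    return {"tags": p.tags, "attrs": p.attrs}


if __name__ == "__main__":
    body = "<script>alert(1)</script>"
    author = 'x" onmouseover="alert(1)'
    print(analyse(render_vulnerable(author, body)))
    print(analyse(render_safe(author, body)))
```

Note that the safe rendering does not lose information: the parsed data-author attribute equals the raw input, which is the point of encoding (as opposed to stripping). Encoding is context-specific; the same input placed inside a script block or a URL would need a different encoder.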
XSS in the Wild
Numerous applications suffer from XSS vulnerabilities. Even Microsoft’s fastest growing product to date, SharePoint, has been found vulnerable to this attack, and Redmond’s latest patch included a fix for it. Hackers are quick to latch onto this type of vulnerability, and LulzSec has been known to use XSS as part of their hacking arsenal as well.
According to the WAAR, this attack was the second most prevalent, accounting for 37% of the top four Web attack techniques. As mentioned, this attack is targeted against the victim, yet the WAAR, which focused on traffic directed at applications, was still able to observe it. What then does this number indicate? The observed traffic was actually the laying of the foundation of a grander scheme: a Search Engine Poisoning (SEP) scheme. SEP abuses the ranking algorithms of search engines to redirect the victim to a malware-serving website. With SEP via XSS, the hacker finds high-ranking sites vulnerable to XSS. With this list in hand, the hacker constructs new URLs that combine the high-ranking site, popular keywords and the relevant XSS code. The hacker then places these URLs in forums and discussion groups that get indexed by search engines. Due to the high ranking of the vulnerable sites, as well as the popularity of the keywords, these crafted URLs show up early in search engine results. A victim who clicks on one of these links is then redirected to the attacker-controlled server by the XSS code.
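Because the crafted URLs reach the vulnerable site through search results, the application's own access log carries a usable signal: a search-engine referer combined with markup in the query string. The block below is an added example, not code from the report; the three combined-log-format lines, the search-engine host list and the markup patterns are all constructed for the demonstration, and a production detector would use the WAF's own signatures rather than this short regex.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2011:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" '
    '200 5120 "https://www.google.com/search?q=shoes" "Mozilla/5.0"',
    '203.0.113.8 - - [12/Jul/2011:10:01:09 +0000] "GET /search?q=%3Cscript%3E'
    'document.location%3D%27http%3A%2F%2Fmalware.example%2F%27%3C%2Fscript%3E HTTP/1.1" '
    '200 5300 "https://www.google.com/search?q=cheap+shoes" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jul/2011:10:02:11 +0000] "GET /search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E '
    'HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)
# Constructed list of search-engine domains; extend for the engines you see.
SEARCH_ENGINE_DOMAINS = ("google.com", "bing.com", "yahoo.com")
# Markup that has no business in a search query parameter.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object)\b|\bon[a-z]+\s*=|javascript:", re.I
)


def is_search_engine_referer(referer: str) -> bool:
    host = urlsplit(referer).hostname
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)


def query_has_markup(target: str) -> bool:
    """Decode the query string the way the application would and look for
    markup in any parameter value."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return any(MARKUP_RE.search(value) for _k, value in pairs)


def classify(line: str):
    """Return a verdict dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, _status, referer, _ua = m.groups()
    markup = query_has_markup(target)
    from_engine = is_search_engine_referer(referer)
    if markup and from_engine:
        verdict = "sep_candidate"   # crafted URL arriving via search results
    elif markup:
        verdict = "xss_probe"       # direct probing, no search referer
    else:
        verdict = "benign"
    return {"ip": ip, "from_search_engine": from_engine,
            "markup_in_query": markup, "verdict": verdict}


def sep_candidates(lines):
    """IPs of requests that look like victims following poisoned results."""
    return [c["ip"] for c in map(classify, lines) if c and c["verdict"] == "sep_candidate"]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

The distinction between the two non-benign verdicts matters for response: an "xss_probe" is the attacker scanning for the vulnerability, while a "sep_candidate" means the poisoned links are already live and real visitors are being redirected, so the reflected parameter needs to be fixed and the search engine asked to drop the indexed URLs.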