Slashdot Mirror


Number of Web Application Hacks Up

An anonymous reader writes "According to an article at Information Week, 'Web site hacks are on the rise and pose a greater threat than the broad-based network attacks...' Citing statistics from the Web Hacking Incidents Database, 'Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.'"

53 comments

  1. Feather in cap. by Anonymous Coward · · Score: 0

    Of course Apache was secure through all this.

  2. Number of hacking attempts by mysqlrocks · · Score: 4, Insightful

    Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003, according to the Web Application Security Consortium.

    And what percentage of "web hacking attacks" are reported to the Web Application Security Consortium? I would venture to guess that a very small number are reported, making these numbers statistically meaningless.

    1. Re:Number of hacking attempts by techno-vampire · · Score: 2, Insightful

      That depends. Even if only a small percentage of all web attacks are reported, if that percentage stays stable then a rise in the number reported implies a rise in the total number of attacks. Of course, we don't know if, in fact, the percentage has remained stable or if it's simply that a larger percentage are being reported.

      --
      Good, inexpensive web hosting
    2. Re:Number of hacking attempts by mysqlrocks · · Score: 3, Interesting

      Even if only a small percentage of all web attacks are reported, if that percentage stays stable then a rise in the number reported implies a rise in the total number of attacks.

      Let's assume for a second that 1% of all attacks are reported. That would mean that 16 out of 1600 were reported in 2004 and 58 out of 5800 were reported in 2005. Now, let's say that the percentage of reports increased by 1% point in 2005. So, 1% reported in 2004 and 2% reported in 2005. That would mean that 16 out of 1600 were reported in 2004 and 58 out of 2900 were reported in 2005. So, in this scenario what looked like a 362.5% increase in attacks is actually only a 181.25% increase in attacks. So, a small change in the reported percentage could make a huge difference in the apparent increase. These numbers are so ridiculously low to begin with, I wouldn't be surprised if less than 1% of web attacks are reported. I looked through the list and can think of some attacks I know of to some pretty big sites that weren't reported. Plus, some incidents are pretty generic and don't address a specific attack while others do address specific attacks. So, their definition of a "Web hacking attacks" seems to be quite fluid. Basically what I'm saying is that these numbers are absolutely meaningless.

    3. Re:Number of hacking attempts by Adambomb · · Score: 1

      The number reported would be worthless even if we had every single hack documented UNLESS they also include the total number of operating websites in these years with a significant enough amount of traffic to consider the hack more than an isolated prank. Otherwise what are we even talking about? I'm sure the number of deaths due to car accidents increased a lot between 1890 and 1930....

      --
      Ice Cream has no bones.
    4. Re:Number of hacking attempts by hrtserpent6 · · Score: 2, Funny

      According to the Web Application Security Consortium, there were 58 web hacking attacks in 2005.

      According to zone-h.org, there were 494,988 web hacking attacks in 2005.

      Close enough.

    5. Re:Number of hacking attempts by Jakeypants · · Score: 1

      Good point. Also, does the definition of "attack" extend to attempted attacks, or does it only apply to successful attacks? If I tried to punch you, but missed, I still attacked you, so I'd say attempts count.

      Plus, out of curiosity, I've tried some SQL injection attacks on web sites. Never anything malicious, just changing selection criteria to see if the site made any attempt to escape quotes and such for SQL parameters. Should those count?

    6. Re:Number of hacking attempts by The_Wilschon · · Score: 1

      Statistically, if some small percentage of attacks is reported, then you could, if you knew on average what percentage is reported, divide the number reported by that percentage and get an estimator of the total number of attacks. However, the variance of that estimator gets much much higher as the percentage gets lower.

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
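
The scaled-up estimate that mysqlrocks works through above and the estimator The_Wilschon describes, as an added Python example that is not part of this thread or any poster's code. The counts (16 and 58) and the 1% and 2% reporting rates are the thread's own hypothetical values; the model that each attack is reported independently with a fixed probability (so the reported count is binomial) is an assumption made here to put a number on the variance.

```python
import math
import random

# Values from the thread (constructed scenario, not measured data):
# 16 reports in 2004, 58 in 2005, hypothetical reporting rates of 1% and 2%.
REPORTED_2004 = 16
REPORTED_2005 = 58


def scale_up(reported, report_rate):
    """Estimate the total number of attacks from a reported count, assuming each
    attack is reported independently with probability report_rate."""
    if not 0 < report_rate <= 1:
        raise ValueError("report_rate must be in (0, 1]")
    return reported / report_rate


def apparent_growth(reported_then, rate_then, reported_now, rate_now):
    """Ratio of estimated totals (now / then) once reporting rates are applied.
    Same counts, different assumed rates, very different growth picture."""
    return scale_up(reported_now, rate_now) / scale_up(reported_then, rate_then)


def relative_sd(total, report_rate):
    """Relative standard deviation of the scaled-up estimator.

    With R ~ Binomial(total, p) the estimator R / p has variance
    total * (1 - p) / p, so SD / total = sqrt((1 - p) / (total * p)).
    The smaller p is, the noisier the estimate."""
    return math.sqrt((1 - report_rate) / (total * report_rate))


def simulate_relative_sd(total, report_rate, trials=400, seed=1):
    """Monte Carlo check of relative_sd: draw reported counts under the
    binomial model, scale each up, and measure the spread of the estimates."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(trials):
        reported = sum(1 for _ in range(total) if rng.random() < report_rate)
        estimates.append(scale_up(reported, report_rate))
    mean = sum(estimates) / trials
    var = sum((e - mean) ** 2 for e in estimates) / (trials - 1)
    return math.sqrt(var) / total


if __name__ == "__main__":
    # The two scenarios from the thread: constant 1% rate vs. 1% -> 2%.
    print("growth, 1% both years:", apparent_growth(REPORTED_2004, 0.01, REPORTED_2005, 0.01))
    print("growth, 1% then 2%:   ", apparent_growth(REPORTED_2004, 0.01, REPORTED_2005, 0.02))
    # How noisy is the scaled-up 2005 estimate at 1% vs. 50% reporting?
    for p in (0.01, 0.5):
        print(f"relative SD at p={p}:", round(relative_sd(scale_up(REPORTED_2005, p), p), 4))
```

The growth ratios are the 3.625x and 1.8125x behind the post's percentages; the last two lines show that at a 1% reporting rate the relative spread of the estimate is roughly ten times what it would be at 50%, which is the variance problem The_Wilschon points to.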
    7. Re:Number of hacking attempts by techno-vampire · · Score: 1

      Please note that I specified that we don't know if the percentage reported has remained stable or not, and your post shows exactly why I made that qualification. Thanx for spelling it out for those who may not have understood the significance.

      --
      Good, inexpensive web hosting
    8. Re:Number of hacking attempts by shezaf · · Score: 1

      As the person behind WHID, let me try to clarify: the criteria for inclusion in WHID are very strict. The goal is to list only incidents that are related to web application layer vulnerabilities and can be publicly proved to be so. We do that in order to show that application layer security is an issue without getting into FUD.

      Specifically addressing the defacement incidents reported in zone-h, bear in mind that in nearly all of these incidents there is no public information on the way in which they were carried out. A hacked web site does not imply that the hacking utilized an application layer vulnerability. Additionally, many defacements are not targeted and are the result of a wide scan for vulnerable sites and therefore we do not normally include defacements in WHID.

      You can read more about the criteria for inclusion in WHID in the FAQ http://www.webappsec.org/projects/whid/faq.shtml

    9. Re:Number of hacking attempts by shezaf · · Score: 1

      If you are aware of incidents that are not in WHID I would appreciate it if you took the time to write to us about them. There might be a reason that they are not there (in most cases we cannot establish that they are web hacks) or we just missed them. Also, as the FAQ states, if you feel that a reported incident is not classified correctly or should not be included in the database, please write.

      As to the statistical value of the database: the numbers are indeed too small to conclude any accurate conclusion, but I think that they do show a direction.

  3. Don't give the "hackers" that much credit... by Ravatar · · Score: 5, Insightful

    I wouldn't say the focus should be on the fact that there are a higher number of attacks, rather the focus should be on people writing web applications with security low on their priority list.

    1. Re:Don't give the "hackers" that much credit... by oni · · Score: 2, Interesting

      rather the focus should be on people writing web applications with security low on their priority list.

      I agree, and I think that the reason there are people writing web applications and not thinking about security is that web apps are still thought of by businesses as "pretty things to attract customers" rather than "part of our network".

      Pretty things are low on the list of priorities for managers, so they hire some kid to make their website.

      I can't say that I've *ever* seen PHP or Perl or ASP code that looked like someone put some thought into it. Even things like indentation. Most of the code I've seen actually looks like the coder just hit return at random times. And if they aren't making an effort to make their code readable and maintainable, then they probably aren't making an effort to make it secure.

      Oh well, this is just the way things are. I really believe that if it weren't for building codes business owners would hire people off the street to construct their office buildings. "They are just slapping bricks together, what's the big deal?? Why should I pay an architect big bucks for this? I'll get a high-school kid who will give me an office building in a week for $20."

    2. Re:Don't give the "hackers" that much credit... by 0x0000 · · Score: 2, Informative

      I can't say that I've *ever* seen PHP or Perl or ASP code that looked like someone put some thought into it.

      You obviously haven't seen any of my PHP and Perl code (I've never written ASP). Of course, it may be that you haven't seen my web applications code because I'm not a "web designer" - can't get a job in that industry, which speaks to the truth of your assertions concerning who companies hire to create web applications.

      --
      "The Internet is made of cats."
    3. Re:Don't give the "hackers" that much credit... by Anonymous Coward · · Score: 0

      While that may be true, the average PHP stuff found on Sourceforge etc is utter and complete garbage.

      I've built some decent systems in ASP, but I'll happily acknowledge they were the rare exception, not the rule. The average ASP programmer didn't even know the languages (VBS & JS) were OO.

    4. Re:Don't give the "hackers" that much credit... by drix · · Score: 1

      Just curious, can you provide some examples of code you *have* seen that looks like someone put some thought into it?

      --

      I think there is a world market for maybe five personal web logs.
    5. Re:Don't give the "hackers" that much credit... by jrockway · · Score: 2, Informative

      > I can't say that I've *ever* seen PHP or Perl that looked like someone put some thought into it.

      I think you should pay a visit to the CPAN. It's 4G+ of perl modules that are well documented, fully unit-tested, and largely platform independent. I've seen some bad web applications in my time (all PHP incidentally), but there are plenty of excellent perl programmers writing excellent perl code.

      If you're interested in learning to write good Perl, I suggest you take a look at Damian Conway's book, "Perl Best Practices".

      http://www.amazon.com/gp/product/0596001738/102-7464862-7276945?v=glance&n=283155

      (And of course read Perl's excellent Fine Manual.)

      --
      My other car is first.
    6. Re:Don't give the "hackers" that much credit... by Lando · · Score: 1

      Also, if you're going to read any type of advanced Perl, Jeffrey E.F. Friedl, "Mastering Regular Expressions", O'Reilly Media, is highly recommended. I'm the one doing the recommendation, so there are bound to be other opinions, but I think that it's probably my most important Perl book.

      Lando

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
    7. Re:Don't give the "hackers" that much credit... by Anonymous Coward · · Score: 0

      "You obviously haven't seen any of my PHP and Perl code"

      Link?

      "can't get a job in that industry"

      Resume link?

      Yes, I'm willing to hire off slashdot.

  4. Ugh by Wellington+Grey · · Score: 2, Funny

    From the article: Why is this happening? Several reasons. One is the prevalence of hacking tools online that can be found simply by using the Google search engine.

    So does that mean if I do all my web searches on my Windows 98 machine using Internet Explorer but I use MSN Search, not Google, I'll be OK?

    -Grey

  5. Someone has a bit of trouble counting... by Phantombrain · · Score: 1, Funny

    Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.

    I have a feeling there are a LOT more than that. Anyone have a calculator to lend them?

    --
    echo YOUR_OPINION > /dev/null
  6. This article is scaremongering by eln · · Score: 2, Insightful

    First off, we're talking 58 attacks in a whole year out of how many millions of websites? Those are pretty good odds.

    Also, the article states this is a big deal partly because more financial institutions are offering services online. But then, they state one of the major reasons for the problem is that web applications are generally not coded with security in mind. If you're coding a web app for a financial institution, and security is not the number one issue on your mind, you should be fired, and the financial institution should be put out of business for hiring your dumb ass in the first place.

    1. Re:This article is scaremongering by wetfeetl33t · · Score: 1

      I'd say that most applications that obviously demand tight security, such as finance, aren't the problem. In these cases, the fact that security is critical is obvious even to the most naive. Remember that a chain is only as strong as its weakest link. It is the other little known, poorly secured backdoors that are the problem.

      --
      Register the editry.
    2. Re:This article is scaremongering by Phantombrain · · Score: 0

      First off, we're talking 58 attacks in a whole year out of how many millions of websites? Those are pretty good odds.

      If you think that is all the hacking attacks there were in a year, you are an idiot. I obviously don't have any specific numbers, but I can assure you there were MUCH more than that.

      --
      echo YOUR_OPINION > /dev/null
    3. Re:This article is scaremongering by tsm_sf · · Score: 1

      If you're coding a web app for a financial institution, and security is not the number one issue on your mind, you should be fired, and the financial institution should be put out of business for hiring your dumb ass in the first place.

      Never mind that the framework you're working with is inherently insecure. Or that the financial institutions themselves routinely make gigantic errors. It's a house of cards, man. A HOUSE of CARDS!

      --
      Literalism isn't a form of humor, it's you being irritating.
  7. percentage attacks by sendtwogrey · · Score: 1

    What's that percentage, attacks / web sites? Is 58 pages in the 64,700,000 pages that Google claims to have found a lot of attacks? ;-)

  8. Am I being stupid again? by Josh+teh+Jenius · · Score: 0, Offtopic

    I was thinking of writing a simple script in PHP using FTP commands & cron tab to brute hack passwords. I assume it could just check against a dictionary of common passwords, and seek syntax clues from the website content.

    It wouldn't be an effective "hacking tool", but it *would* be handy for spotting dumb passwords. This would be handy for me because I have a bad habit of forgetting to disable developer FTP accounts on my server.

    What say you /.? Pandora's box? Good idea? Total crap?

    --
    Math is math. Regular expression is regular expression. The tools are there. The future is now.
    1. Re:Am I being stupid again? by Anonymous Coward · · Score: 0

      Yes, you are being stupid again.

  9. Not surprising... by JavaFTW++ · · Score: 0

    It's not surprising that the number of attacks per year is increasing. Computer usage worldwide is increasing and thus anything associated with usage should increase as well, including hacking attempts. It's just simple stats.

    --
    I won't admit I'm paranoid...or the people listening will know they've won.
  10. Tuttle? by daveo0331 · · Score: 5, Funny

    Who's reporting all these attacks? The city manager of Tuttle, Oklahoma?

    --
    Remember the days when Republicans were the party of fiscal responsibility?
    1. Re:Tuttle? by geobeck · · Score: 1

      LOL... Where are my mod points when I need them?

      --
      Find environmentally and socially responsible products on http://buy-right.net
  11. Danish.... by ZiakII · · Score: 1

    I think the amount of Danish websites that got hacked was higher than 58.... so wtf is TFA talking about?

    1. Re:Danish.... by conJunk · · Score: 1

      no kidding... fta:

      Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003, according to the Web Application Security Consortium.

      those numbers seem ridiculously low, and based on what? the tiny little company i work for, i think i've had *at least* that many failed sql injection attacks in my logs this year.

      where the hell are these numbers coming from?

  12. You've got to be Kidding! by Bananas · · Score: 4, Insightful

    You call double-digit hacks a growing trend? Where do these folks live, under a rock? Don't tell me you've never heard of Attrition.org? Just how many HUNDREDS of sites were defaced in the past?

  13. Hacky Websites are On the Rise Too by blaster151 · · Score: 1

    The premier example being MySpace. With its interruptive, garish UI paradigm and its numerous design flaws (both functional and aesthetic), it appears to be attempting to singlehandedly dumb down the web. Personally, this concerns me a lot more than the occasional, fixable hacks: the overall missed opportunity when millions of users settle for a low-quality, repetitious, limiting experience, as MySpace provides.

  14. huh? by NewmanBlur · · Score: 1

    Only one in 1999? What a wonderful world we lived in. This presents a rather different picture.

    --
    Per ardua ad astra.
    1. Re:huh? by Ravatar · · Score: 1

      99% of those barely qualify as "website hacks". In fact, most of the entries found on the first 10 pages or so are just a few people searching the internet for vulnerable gallery software or exploiting well known and already-patched OS vulnerabilities.

      Downloading an exploitive script and using it against 100,000 web pages hoping to hit one or two isn't hacking.

    2. Re:huh? by NewmanBlur · · Score: 1

      I would call this "hacking" in the skills sense, but executing these scripts does result in defacements, which is listed on the reference site.

      --
      Per ardua ad astra.
  15. Just plain silly by EntropyXP · · Score: 0

    This whole article, study, scare tactic or whatever it is is incomplete and as full of plot holes as Waterworld. First of all, what financial institution in the world is going to be dumb enough to admit that their database/website/network was hacked unless they had to report stolen information that was secure? "Thanks for using US BANK's online bill pay! Now hack free for 90 days... err ... 1 day."

    --
    "No one will really be free until nerd persecution ends."
  16. 'Web' H4x0rz. by Anonymous Coward · · Score: 0

    I work for a hosting company(tm).

    Almost every attempt at/successful compromise I see is done through web-based applications. The majority of those seem to be through content management systems/etc., which often aren't as easy to upgrade as normal 'system' stuff.

    So, the real news here isn't. The moral of the story is, keep your software up to date - ALL of it.

  17. AJAX hacks will be cracked by PietjeJantje · · Score: 3, Insightful

    The number of cracks will rise because of AJAX hacking.
    It's not only the interface and usability that take a leap in complexity if you want to keep stuff working.
    First, you have data communication in the background, for everyone curious to see. Second, there's a leap in usage and development and thus potential for crackers. Last, the average AJAX developer is inexperienced.

    1. Re:AJAX hacks will be cracked by cyngus · · Score: 1

      You sir, are spreading FUD if ever anyone has.
      First, you have data communication in the background, for everyone curious to see.
      If you're sending critical data over a non-SSL connection, whether it's AJAX or anything else, you deserve what you get.

      Second, there's a leap in usage and development and thus potential for crackers.
      What does this mean? More code is written so there's a greater chance that there will be a bug? True, but this is true with ALL software. Plus, AJAX is usually using an interface or set of parameters that already exist. So, you've already written the validation code for these parameters.

      Last, the average AJAX developer is inexperienced.
      Ummm, I was coding web apps well before AJAX became "the thing". Am I less experienced at writing things for AJAX? Yes, it hasn't really been en vogue as long as JSP/Java. Am I a pretty experienced developer and web developer who picked up AJAX because it could enhance his apps? Yes. You (and many others) seem to have this concept that AJAX is something truly different from the web application point of view. It's not; on the server side it's just another request with parameters that has to be serviced. As I said before, often they're the same parameters you're dealing with elsewhere. There is nothing inherently different here, besides AJAX apps are going to be more chatty and you might have some additional execution paths.
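
The server-side point cyngus makes above (an AJAX call is just another request with parameters, validated by the same code as the form it mirrors), as an added Python example that is not part of this thread or any poster's code. The `Request` class, the "transfer" endpoint, its parameter names and the 8-digit account rule are all constructed for the illustration; the only real-world detail used is the `X-Requested-With: XMLHttpRequest` header convention, and even that is treated purely as a rendering hint.

```python
import html
import json
import re
from dataclasses import dataclass, field

# Constructed validation rules for a hypothetical "transfer" endpoint.
ACCOUNT_RE = re.compile(r"[0-9]{8}")
MAX_AMOUNT = 10_000


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not a real framework).
    params are the query/body parameters as strings, headers the request headers."""
    params: dict
    headers: dict = field(default_factory=dict)

    def is_xhr(self):
        # Header many browser XHR libraries add. It only decides how to render the
        # reply; it is never a reason to trust the parameters more, or less.
        return self.headers.get("X-Requested-With") == "XMLHttpRequest"


def validate_transfer(params):
    """Server-side checks shared by every transport. Returns a list of problems;
    an empty list means the parameters are acceptable. Client-side checks in the
    page's JavaScript are a convenience, so nothing here assumes they ran."""
    errors = []
    if not ACCOUNT_RE.fullmatch(params.get("to_account", "")):
        errors.append("to_account must be exactly 8 digits")
    raw = params.get("amount", "")
    if not raw.isdigit():
        errors.append("amount must be a positive integer")
    elif not 0 < int(raw) <= MAX_AMOUNT:
        errors.append(f"amount must be between 1 and {MAX_AMOUNT}")
    return errors


def handle_transfer(request):
    """One handler for both the HTML form post and the XHR call.
    Returns (status, body); the transport never changes the decision."""
    errors = validate_transfer(request.params)
    if errors:
        return 400, {"ok": False, "errors": errors}
    return 200, {
        "ok": True,
        "queued": {
            "to_account": request.params["to_account"],
            "amount": int(request.params["amount"]),
        },
    }


def render(request, status, body):
    """Only the representation depends on the transport: JSON for XHR callers,
    escaped HTML for the classic form round trip."""
    if request.is_xhr():
        return json.dumps(body)
    text = "Transfer queued" if body["ok"] else "; ".join(body["errors"])
    return f'<p class="status-{status}">{html.escape(text)}</p>'


if __name__ == "__main__":
    # Constructed sample: the same bad parameters arriving via a form post and via XHR.
    bad = {"to_account": "1234", "amount": "-5"}
    for req in (Request(bad), Request(bad, {"X-Requested-With": "XMLHttpRequest"})):
        status, body = handle_transfer(req)
        print(status, render(req, status, body))
```

Both sample requests are rejected with the same status and the same error list; the only difference in the two printed lines is the JSON-versus-HTML wrapping, which is the "just another request" argument in code.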

    2. Re:AJAX hacks will be cracked by PietjeJantje · · Score: 1
      > You sir, are spreading FUD if ever anyone has

      Uhm, why would anyone spread FUD about what he's currently doing by choice? That's ridiculous and hardly an impressive introduction.

      > Ummm, I was coding web apps well before AJAX became "the thing". Am I less experienced at writing things for AJAX, yes, it hasn't really been en vogue as long as JSP/Java. Am I a pretty experienced developer and web developer who picked up AJAX because it could enhance his apps, yes. You (and many others) seem to have this concept that AJAX is something truly different from the web application point of view.

      You're giving me the "I'm so experienced you can't possibly comprehend, newbie". Which is funny when thrown at someone from age-old Gopher times ;) Yes I've been where you've been, and beyond. If you can't see it, that's ok and you're stuck. Which is also funny because the same thing happened when Mosaic 0.9b was released. And when Java was released. Maybe you're just afraid that something comes along that changes the value of your skill set.

    3. Re:AJAX hacks will be cracked by cyngus · · Score: 1

      Do I use AJAX, do I think it's cool? Yeah, that's why I use it. But you seem to suggest that somehow an AJAX request is different from any other HTTP request a server receives. To the best of my knowledge this is untrue; if I am incorrect, enlighten me.

      Maybe you're just afraid that something comes along that changes the value of your skill set.

      The value of a skill set depreciates over time, just like almost all assets; don't upgrade it and you're f'ed. That's why I learned about AJAX in the first place. I don't say "learned AJAX" because it doesn't actually introduce new concepts, but rather reassembles old ones in a new way. The only thing new about AJAX is the ability to perform actions asynchronously that don't directly change page state.

      PS. I looked at your site. It is interesting, in that it's easy to visualize, but why is this new? You've always been able to make one session context aware of others. What's the benefit of reinventing the wheel? I really mean these as questions and not flamebait.

    4. Re:AJAX hacks will be cracked by PietjeJantje · · Score: 1

      Why http when you got gopher?

  18. PHPBB by Anonymous Coward · · Score: 1, Interesting

    How much you want to bet that 80% of them were PHPBB forums? Why the heck do we have to patch these things on a monthly basis?

  19. Sourceforge.com was my fault by sphix42 · · Score: 2, Interesting

    My code was left in their code base when they closed their source years ago, but they didn't compensate me or even try to contact me about it. Very sorry for giving you my time and code, OSDN.

  20. MOD PARENT UP! by __aaijsn7246 · · Score: 1

    Agreed.

  21. A few hacks by Curunir_wolf · · Score: 1, Funny

    I use a few hacks on most of my websites - but I kind of have to, to get them to render in IE correctly. It's not as bad as it used to be, and I could probably eliminate some of them if I used a little less JavaScript or ... hey - wait a minute - this is talking about web site *attacks*! Not hacks on websites.

    uhh... Nevermind.

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
    1. Re:A few hacks by Anonymous Coward · · Score: 0

      Heh, I thought they were talking about people like me.

      -Anonymous Web Hack

  22. Re:'Web' H4x0rz. (ditto) by Anonymous Coward · · Score: 0

    yep