
Web applications caught in a storm of attacks, study finds

A new survey shows not only how attackers are pummeling Web applications using bots, Google and other tools, but also why targeted attacks are getting tougher to trace.

Security experts have warned for months that online criminals are finding greater success and profit in attacks that exploit Web application flaws.


To that end, a new report from Fortify Software Inc. shows how bots and search engines such as Google have become indispensable tools for Web application attackers, and how their handiwork is getting more sophisticated and tougher to trace.

From early January through late June, the Palo Alto, Calif.-based security vendor collected data from corporate IT environments that use its Fortify Application Defense product, which secures J2EE-based applications. The resulting report outlines four trends:

  • Bots are being used in more than half the attacks against Web applications;
  • Attackers are finding flawed Web applications using Google and other search tools;
  • Directed attacks are growing more sophisticated; and
  • Attackers operating from bases around the world are getting better at covering their tracks.

Bots wage war on Web apps

On average, 50% to 70% of the attacks against Web applications observed over the six-month period were launched by bots and bot networks searching for known vulnerabilities.

"These automated probes seek out unprotected or unpatched components in applications and deliver their malicious code" successfully, the report said. "The effect is much like a storm raging over a landscape: the probes are sprayed throughout the Internet and ceaselessly (and somewhat randomly) hit Web applications."

Over a single week, for example, applications Fortify monitored were hit by seven distinct attacks from separate IP addresses that together made 52 attempts to access .php files. Because the monitored applications were J2EE-based, probes for PHP files were aimed at components those servers do not run, the mark of an untargeted scan. "Given the attacks' frequency and content, they most likely originated from machines infected by worms that periodically launched these automated attacks," the report said.

Brian Chess, Fortify's chief scientist, said he was most surprised to see how much useless data these bots generate in order to mask their attacks.

"If you're the IT administrator, the bot is generating a lot of data that masks its more interesting activities," he said. "After a while of seeing all this noise, you tend to get bored and walk away, and you may not detect the real damage."

Bad guys use Google, too

More than 20% of all security events in the Fortify monitoring pool resulted from attackers using vulnerability information that search engines such as Google had already indexed, the report said; search engines collect a wealth of information about every Web site they index. "If a Web site inadvertently reveals sensitive information or advertises the presence of a vulnerability, then Google's index of the site will contain evidence of the flaw," the report said.

When a request fails, for example, a Web application may return diagnostic information such as a stack trace. Once a search engine has indexed that error page, the trace is available to anyone who queries for it, and attackers can use it to map the components and internal structure of the application before striking.

"The biggest surprise to people using our product was the number of errors on their Web sites and how much of it is being revealed on Google and other search sites," Chess said. "When Google indexes all this information, the attackers can find you from Google just as the good guys can find you from Google."
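The leak described above is straightforward both to check for and to prevent. The following Python is an added example written for this page, not code from Fortify, its product or the report: `leaks_diagnostics` flags response bodies that carry a Java or Python stack trace (useful when crawling your own site, or a search engine's cached copy of it, for pages that should never have been indexed), and `handle_exception` shows the leaky error handler beside the hardened one, which logs the trace server-side under an opaque reference, returns only that reference to the client, and marks the response noindex and no-store so a crawler that does fetch it will not keep it. The regex signatures, the sample servlet-container error page and all function names are constructed for the illustration.

```python
import logging
import re
import traceback
import uuid

# Heuristic signatures of diagnostic output that should never reach a client
# (or the search-engine crawler that will index it). The Java patterns suit the
# J2EE applications discussed in the article; the Python pattern lets the demo
# below check its own output. All are illustrative, not an exhaustive list.
STACK_TRACE_PATTERNS = [
    re.compile(r"^\s*at [\w$.<>]+\([\w$]+\.java:\d+\)", re.MULTILINE),  # Java frame
    re.compile(r"\b[\w.]+(Exception|Error)\b: "),                      # exception header
    re.compile(r"^Caused by: ", re.MULTILINE),                          # chained cause
    re.compile(r"Traceback \(most recent call last\):"),                # Python
]

log = logging.getLogger("app.errors")


def leaks_diagnostics(body: str) -> bool:
    """True if a response body looks like it carries a stack trace."""
    return any(p.search(body) for p in STACK_TRACE_PATTERNS)


def handle_exception(exc: BaseException, debug: bool = False):
    """Build (status, headers, body) for an unhandled exception.

    debug=True reproduces the leak the article describes: the full trace goes to
    the client, and once a crawler indexes the page the application's internals
    become searchable. debug=False is the hardened form: the trace is logged
    server-side under an opaque reference, the client sees only the reference,
    and the response is marked noindex / no-store.
    """
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return 500, {"Content-Type": "text/plain"}, "Internal error\n" + trace
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s unhandled exception\n%s", ref, trace)
    headers = {
        "Content-Type": "text/plain",
        "X-Robots-Tag": "noindex",
        "Cache-Control": "no-store",
    }
    return 500, headers, f"Internal error. Reference: {ref}"


# Constructed sample of a servlet container's default error page (not a real capture).
JAVA_ERROR_PAGE = """HTTP Status 500 - Internal Server Error
java.lang.NullPointerException: null
    at com.example.shop.CartServlet.doPost(CartServlet.java:88)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
Caused by: java.sql.SQLException: Access denied for user 'shop'@'db01'
"""


def _fail():
    # Hypothetical application error; the message alone tells an attacker
    # which configuration key to go looking for.
    raise ValueError("configuration key 'db.url' is missing")


def demo():
    """Run both handlers over the same exception; returns (leaky?, hardened?, headers)."""
    try:
        _fail()
    except ValueError as exc:
        _, _, leaky_body = handle_exception(exc, debug=True)
        _, hardened_headers, hardened_body = handle_exception(exc, debug=False)
    return leaks_diagnostics(leaky_body), leaks_diagnostics(hardened_body), hardened_headers


if __name__ == "__main__":
    print("servlet error page leaks:", leaks_diagnostics(JAVA_ERROR_PAGE))
    print("debug handler leaks, hardened handler leaks, headers:", demo())
```

The opaque reference is what lets support staff correlate a user's complaint with the server-side log entry; nothing else about the failure needs to cross the wire. Pointing `leaks_diagnostics` at your own error pages, including the ones a search engine has cached, is a quick way to find the "number of errors" Chess describes before an attacker does.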

Attacks more sophisticated, widespread

Application-specific attacks appear less frequent, but Fortify found they are much more sophisticated and far more dangerous to the Web applications they hit. The most common techniques in directed attacks appear to be cross-site scripting, SQL injection and buffer overflows.
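Chess's point about bot noise and the directed attacks this section describes can be separated in an ordinary access log. The following Python is an added example written for this page, not Fortify Application Defense logic or anything from the report: it parses Apache combined-format lines, labels each request as a known-vulnerability probe (a 404 for a path typical of scanner wordlists), a request carrying an SQL-injection or cross-site-scripting payload, or ordinary traffic, and then summarizes per source address so that a single targeted request is not lost among dozens of probes from the same address. The log lines, addresses (documentation ranges), probe paths and payload signatures are all constructed for the illustration; the signatures are deliberately simple and are not a WAF rule set. Buffer overflow attempts, which the article also mentions, are not modelled here.

```python
import re
from urllib.parse import unquote

# Apache combined log format (assumed; adjust the pattern for other servers).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths typical of untargeted scanners. Against a J2EE application these can
# only ever produce 404s, which is exactly what makes them noise.
PROBE_RE = re.compile(r"\.php$|/cgi-bin/|/phpmyadmin|awstats|xmlrpc", re.I)
# Deliberately simple payload signatures for the illustration.
SQLI_RE = re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s", re.I)
XSS_RE = re.compile(r"<script|javascript:|on(error|load|click)\s*=", re.I)


def classify(rec):
    """Label one parsed request: 'sqli', 'xss', 'probe' or 'normal'."""
    decoded = unquote(rec["target"])          # signatures are checked after URL-decoding
    path = decoded.split("?", 1)[0]
    if SQLI_RE.search(decoded):
        return "sqli"
    if XSS_RE.search(decoded):
        return "xss"
    if rec["status"] == 404 and PROBE_RE.search(path):
        return "probe"
    return "normal"


def triage(lines):
    """Per-source summary: {ip: {"total": n, "probe": n, "targeted": [(kind, target), ...]}}."""
    summary = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                              # skip lines the parser does not understand
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        kind = classify(rec)
        entry = summary.setdefault(rec["ip"], {"total": 0, "probe": 0, "targeted": []})
        entry["total"] += 1
        if kind == "probe":
            entry["probe"] += 1
        elif kind in ("sqli", "xss"):
            entry["targeted"].append((kind, rec["target"]))
    return summary


def scanners(summary, min_probes=4):
    """Sources that look like automated probes: at least min_probes known-vuln 404s."""
    return sorted(ip for ip, e in summary.items() if e["probe"] >= min_probes)


def targeted_sources(summary):
    """Sources with at least one payload hit, however much probe noise surrounds it."""
    return {ip: e["targeted"] for ip, e in summary.items() if e["targeted"]}


# ---- constructed sample log (documentation address ranges, fixed timestamp) ----
def _line(ip, method, path, status, ua="Mozilla/4.0 (compatible)"):
    return f'{ip} - - [10/Jan/2000:10:15:32 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


PROBE_PATHS = ["/phpmyadmin/index.php", "/admin/config.php", "/cgi-bin/awstats.pl", "/xmlrpc.php"]
SCANNER_IPS = [f"203.0.113.{n}" for n in range(10, 17)]          # seven distinct scanners
SAMPLE_LOG = [_line(ip, "GET", p, 404) for ip in SCANNER_IPS for p in PROBE_PATHS]
# one source mixing twenty probes with a single targeted SQL-injection request
SAMPLE_LOG += [_line("198.51.100.7", "GET", p, 404) for p in PROBE_PATHS * 5]
SAMPLE_LOG.append(_line("198.51.100.7", "GET", "/shop/item?id=7%27%20OR%201%3D1--", 200))
# a reflected-XSS attempt from a source that sends nothing else
SAMPLE_LOG.append(_line("203.0.113.50", "GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", 200))
# an ordinary user
SAMPLE_LOG.append(_line("192.0.2.44", "GET", "/shop/item?id=7", 200))
SAMPLE_LOG.append(_line("192.0.2.44", "POST", "/shop/cart", 302))


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("scanner sources:", scanners(s))
    for ip, hits in targeted_sources(s).items():
        print(f"{ip}: {s[ip]['probe']} probes, {len(hits)} targeted ->", hits)
```

Counting probes and payload hits separately is the whole point: an address that sent twenty scanner requests and one injection attempt shows up in both lists, and the single targeted request is reported on its own line rather than buried in a volume count. Payload matching after URL-decoding matters too, since the encoded `%27` in the sample would slip past a check on the raw request line.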

Fortify's research also showed attacks originating from the United States, China, Poland, Australia and many other countries. "The use of anonymizing technologies and proxy servers continues to mask the true locations of Web application attack sources, reflecting their 'invisible' nature," the report said.

Attackers use a variety of techniques to cover their tracks, such as routing through a proxy server or a chain of proxies, the report said.

"Various anonymizing technologies have been developed … to make it difficult to determine the origin of an Internet connection," the report said. "In the best cases, they prevent repressive governments from punishing political opponents. In the worst cases, these technologies can be used by malicious hackers to attack other computers with little chance of being physically captured."

Chess said a vast majority of Web app attacks seem to be coming from the United States. But, he added, "We really have no idea where the attackers are actually sitting."

This article originally appeared on
