'Directory traversal' attack becomes premier hack tool

Formerly little-known method now tops rankings

A lesser-known attack called directory traversal is the single most commonly used technique in real-world web application attacks.

Directory traversal cropped up in 37 per cent of attacks, almost the same as cross-site scripting (36 per cent), and a fair bit ahead of SQL injection (23 per cent). Remote file inclusion figured fourth in the list of web attacks compiled by database security firm Imperva, featuring in a comparatively small 4 per cent of assaults. Attacks are often automated and used in combination with one another to scan for and exploit vulnerabilities.

Put crudely, directory traversal attacks exploit weaknesses in the controls that are supposed to stop a web application from reaching files in directories on the host that ought not to be accessible through it.
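As an added illustration, not from the article or from Imperva's report: the weak file-serving pattern the paragraph describes beside a hardened resolver, plus a log-review check run over constructed sample access-log lines. The document root, the log lines and the addresses are assumed.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed document root for the example; the directory need not exist.
DOC_ROOT = "/var/www/app/public"

def naive_path(doc_root: str, requested: str) -> str:
    """The weak pattern: join the user-supplied name onto the document root
    and never check where the resulting path ends up."""
    return os.path.normpath(os.path.join(doc_root, requested))

def safe_path(doc_root: str, requested: str) -> Optional[str]:
    """Hardened resolver: decode once (as the server would), resolve symlinks
    and '..' segments, then refuse anything outside the document root."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, unquote(requested)))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None  # resolved outside the root: reject and log the request

# Signature for access-log review: plain and URL-encoded '..' sequences.
# A signature only; other encodings exist, so the path check above is the control.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e(%2f|%5c|/)|\.\.%2f", re.IGNORECASE)

def flag_traversal(log_lines: List[str]) -> List[str]:
    """Return request paths from Common Log Format lines that match the signature."""
    hits = []
    for line in log_lines:
        parts = line.split('"')          # request line sits between the first quotes
        if len(parts) < 2:
            continue
        fields = parts[1].split()        # ["GET", "/path?query", "HTTP/1.1"]
        if len(fields) >= 2 and TRAVERSAL_RE.search(fields[1]):
            hits.append(fields[1])
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2011:10:00:02 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Mar/2011:10:00:03 +0000] "GET /download?file=..%2F..%2Fapp.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Mar/2011:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(naive_path(DOC_ROOT, "../../../../etc/passwd"))   # escapes the root
    print(safe_path(DOC_ROOT, "../../../../etc/passwd"))    # None
    print(flag_traversal(SAMPLE_LOG))
```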

Imperva's 2011 web application attack report is based on an analysis of more than 10 million individual attacks across the internet, targeting 30 different commonly deployed enterprise-grade web applications. The study took place in the six months between December 2010 and May 2011 and included attacks witnessed via The Onion Router (Tor) traffic.

The security firm hopes its research will help businesses to get a better handle on real-world attacks they are likely to face, helping them to develop better thought-out risk management strategies in the process.

"Most security research focuses on vulnerabilities, and while this insight is extremely valuable, it doesn’t always help businesses prioritise their security efforts," explained Amichai Shulman, lead researcher and Imperva CTO. "Take a look at the OWASP Top 10, for example. RFI and Directory Traversal were not identified as top vulnerabilities, yet our research shows that these are two of the most common attacks used by hackers to steal data."

Most of the attacks (61 per cent) detected by Imperva originated from bots within the United States, though these machines might have been controlled from anywhere. Attacks from China made up almost 10 per cent of attack traffic. The study found that 29 per cent of the attacks originated from the same 10 most active attack sources, a factor that makes blocking known IP addresses with a bad reputation a far more effective approach than geographical filtering.

Imperva's study can be downloaded here. ®
