Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents. WHID's purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack. Trustwave's SpiderLabs is a WHID project contributor.
An analysis of the Web hacking incidents from the first half of 2010 performed by Trustwave's SpiderLabs Security Research team shows the following trends and findings:
WHID Top 10 Risks for 2010
As part of the WHID analysis, here is a current Top 10 listing of the application weaknesses that are actively being exploited (with example attack method mapping in parentheses). Hopefully this data can be used by organizations to re-prioritize their remediation efforts.
|
WHID Top 10 for 2010 |
1 |
Improper Output Handling (XSS and Planting of Malware) |
2 |
Insufficient Anti-Automation (Brute Force and DoS) |
3 |
Improper Input Handling (SQL Injection) |
4 |
Insufficient Authentication (Stolen Credentials/Banking Trojans) |
5 |
Application Misconfiguration (Detailed error messages) |
6 |
Insufficient Process Validation (CSRF and DNS Hijacking) |
7 |
Insufficient Authorization (Predictable Resource Location/Forceful Browsing) |
8 |
Abuse of Functionality (CSRF/Click-Fraud) |
9 |
Insufficient Password Recovery (Brute Force) |
10 |
Improper Filesystem Permissions (info Leakages) |
Download the full report and Join the live Trustwave Webinar Sept. 16th: Web Hacking Incidents Revealed: Trends, Stats and How to Defend (registration required).
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.