Cross-site scripting attacks remain the top threat to web applications, databases and websites, an analysis of 15 million cyber attacks in the third quarter of 2012 has revealed.
Other top attack techniques are directory traversals, SQL injections, and cross-site request forgery (CSRF), according to the latest web application attack report by cloud hosting firm FireHost.
The increase in the number of cross-site attacks is one of the most significant changes in attack traffic between Q2 and Q3 2012, the report said. Cross-site scripting (XSS) and CSRF attacks rose to represent 64 percent of the group.
XSS is now the most common attack type, with CSRF in second place. FireHost’s servers blocked more than one million XSS attacks during the third quarter of 2012, up 69 percent from the previous quarter.
Cross-site attacks depend on the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user through a trusted site, often in the form of a hyperlink containing malicious content, while CSRF attacks exploit the trust that a site has for a particular user.
These malicious security exploits can also steal sensitive information such as user names, passwords and credit card details without the site’s or the user’s knowledge.
The severity of these attacks depends on the sensitivity of the data handled by the vulnerable site. This ranges from personal data found on social networking sites to the financial and confidential details entered on e-commerce sites.
A great number of organizations have fallen victim to such attacks in recent years, including PayPal, Hotmail and eBay, the last of which fell victim to a single CSRF attack in 2008 that targeted 18 million users of its Korean website.
In September 2012 Microsoft and Google Chrome both rolled out extensive patches aimed at fixing XSS flaws, highlighting the prevalence of this growing online threat.
“Cross-site attacks are a severe threat to business operations, especially if servers aren’t properly prepared,” said Chris Hinkley, a senior security engineer at FireHost.