Security Experts:

XSS Attacks Spike In Q4 2012: FireHost

Hosting Provider Says Cross-Site Scripting Attacks Jumped 160 Percent in Q4 2012

Secure cloud hosting company, FireHost, released its Q4 2012 Web application attack statistics on Tuesday, detailing the type and number of attacks hitting its servers in the U.S. and Europe between October and December 2012.

Throughout 2012, FireHost said that it blocked over 64 million malicious cyberattacks, with Cross-Site Scripting (XSS) leading the way in terms of attack types.

Each quarter FireHost reports on what the hosting company calls “The Superfecta”, four of the most dangerous cyberattacks including Cross-site Scripting, Directory Traversal, SQL Injection (SQLi), and Cross-site Request Forgery (CSRF).

Cross-Site Scripting and SQL Injection attacks have become even more prevalent since the third quarter of 2012, FireHost said.

“Three out of the four Superfecta attack types rose in total count between Q3 and Q4 2012 – only Cross-site Request Forgery attacks saw a drop in volume,” FireHost explained. “However, the large increase in Cross-Site Scripting attacks, which rose from just over one million in Q3 2012 to 2.6 million in Q4, – an increase of more than 160 percent – seemingly dwarfs the other three attack types with 57 percent of the Superfecta.”

“The change in frequency of the types of attack between quarters gives you an idea of how cybercriminals are constantly working to identify the path of least resistance,” said Chris Hinkley, CISSP – a senior security engineer at FireHost. “During Q4, ecommerce sites in particular would have been very busy with Christmas sales. Hackers will rapidly go after these high value targets with attacks that are highly automated and, if they are not yielding useful payloads, the attackers are equipped to quickly try a different type of attack.”

“Cross-site attacks are dangerous because of what they do, but also because the three distinct types of each strike from different angles,” Hinkley noted in a recent SecurityWeek column. “Cross-site scripting (CSS) can either be persistent or reflected, and cross-site request forgery rounds out this set of evil triplets that’s wreaking havoc in escalating numbers.”

“Cross-site scripting is harmful in either of its two forms, but persistent cross-site scripting packs slightly more poison due to its widespread reach,” Hinkley explained. “An example of persistent cross-site scripting would be when an attacker posts a comment to a blog that would include a malicious JavaScript payload – essentially embedding it in that page.”

Continuing the trend of Q3 2012, Europe appeared to be the second most likely origin point for malicious traffic blocked by FireHost after North America, which appeared to be the source of 13 percent of attacks. Other regions, FireHost said, saw notable increases in the amount of attacks that are emanating from them, including Africa, Australia, and the Middle East. Malicious traffic from South and Central America were dropped between Q3 and Q4 2012, the company said.

“The escalating increase of XSS attacks in Q4 does not surprise me – any teenager with a web application scanner can initiate these attacks in their free time,” security consultant and famous former hacker Kevin Mitnick said in a statement.

The risks to businesses from the Superfecta varies and depends upon the kind of data that could be stolen in the event of a successful attack, according to Todd Gleason, director of technology at FireHost.

“Itʼs fairly obvious that, if you are a retailer or service provider dealing with private customer data or payment card details, your business will present an attractive target for hackers," Gleason warned. "That being said, we also see attacks that have the potential to simply deface or interfere with and disrupt websites and applications. Even though no data is lost, the reputation of a company can still be seriously damaged.”

Subscribe to the SecurityWeek Email Briefing
view counter