Re: [WEB SECURITY] analyzing web application attack data

["Ryan Barnett" <rcbarnett@xxxxxxxxx>]

Interesting stuff.

As Jeremiah indicated, I am heading up the WASC Distributed Open Web
Proxy Honeypot Project (http://www.webappsec.org/projects/honeypots/).
This is essentially the 2nd generation of my previous deployment that
was highlighted in the Honeynet Project's Scan of the Month Challenge
# 31 - http://www.honeynet.org/scans/scan31/ except in this deployment
we are correlating data from multiple sensors.

The WASC deployment takes a different approach then the ones run by
Fortify, etc... in that they are front-ending valued web targets such
as Banks and the like whereas we are running as an open proxy and not
front-ending anything in particular.  This means that we should see
more general web attack data and these vendors are seeing more attacks
that target ecommerce/banks.  With this different approach in mind, we
are still seeing similar stats to what Fortify highlighed -
BOT/Automated scans, Googlehacking, etc...

If anyone is interested in participating in the WASC honeypot project,
please let me know.  We have been testing out our central logging
infrastructure and I am finalizing our VMware image version of our
Apache open proxy sensor that participants can download it and get up
and running quickly.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 7/19/06, Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx> wrote:
> For those interested in statistics and research on real web
> application attacks, Fortify and SecureWorks have posted good data.
> They placed devices in front of some number of public websites and
> logged the results. I'd imagine this is very similar to the work Ryan
> Barnett has been doing. Most information contained won't be a
> shocker, attacks mostly predominated by SQL Injection and XSS issued
> by bot-nets using well-known exploits. There also the more directed
> one-off's attacks.
>
>
> Web Applications Under Attack – Four Eye-Opening Findings
> http://www.fortifysoftware.com/reports/threatreport.jsp
>
> SQL injection attacks against banks on the rise
> http://www.net-security.org/secworld.php?id=4076
>
> SecureWorks Finds SQL Injection Hacker Attacks on the Rise against
> Banks, Credit Unions and Utilities
> http://www.secureworks.com/press/20060718-sql.html
>
>
> Regards,
>
> Jeremiah Grossman
> Founder and CTO
> WhiteHat Security, Inc.
> www.whitehatsec.com
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]