Despite improvements in code quality, Web servers remain at high risk of being hacked, according to a new paper from researchers who use honeypot technologies to examine how hackers tick.
The Honeynet Project, which provides real systems for unwitting attackers to interact with, says Web applications remain vulnerable for host of reasons. These include poor-quality code, the fact that attacks can be performed using PHP and shell scripts (which is generally easier than using buffer-overflow exploits), and the emergence of search engines as hacking tools. What's more, Web servers can be a gold mine for hackers, in that they have higher bandwidth connections than most desktops and often link to an organization's databases. The group's findings are outlined in a paper titled " Know Your Enemy: Web Application Threats ." Researchers involved in honeynet projects in Chicago, Germany and New Zealand collaborated on the paper.
The report reads at one point: "Web applications commonly face a unique set of vulnerabilities due to their access by browsers, their integration with databases, and the high exposure of related Web servers. The modern Web server setup commonly presents multiple applications running on one host and available via a single port, creating a large surface area for attack."
Code injection, remote code-inclusion, SQL injection and cross-site scripting are cited as common attack modes. Search, spider and IP-based scanning are cited as typical of the discovery techniques used by hackers seeking vulnerable applications.
Hackers attempt to disguise their identities using proxy servers, the Google Translate service, onion routers and other systems, the researchers write.
Defacement, phishing attacks, e-mail spam, blog spam, botnet recruitment and hosting of files were found to be among the hackers' goals.
"By becoming a tool for an attacker to inflict harm on other systems, a site may be opening itself up to liability issues if they have not been paying sufficient attention to security" the report states. "For example, if a machine is joined to a botnet, it may be a participant in a denial-of-service attack against an external site, or may be used to recruit other machines into the botnet."
While the researchers said more of the same is in store for organizations using Web servers and applications, they did offer security recommendations. These include keeping an inventory of applications on Web servers and maintaining patch levels for them, as well as correctly configuring Web servers. Network and host-based intrusion-detection systems also can help, the researchers said.