P. 1
ENISA Threat Landscape

ENISA Threat Landscape

|Views: 24,976|Likes:
Published by TechCrunch
The European Network and Information Security Agency's annual report on cybersecurity and threats
The European Network and Information Security Agency's annual report on cybersecurity and threats

More info:

Categories:Types, Research
Published by: TechCrunch on Jan 08, 2013
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

01/08/2013

pdf

text

original

This threat category includes well-known attack techniques against web applications such as
SQL injection (SQLi)24

, cross-site scripting (XSS)21

, cross-site request forgery (CSRF)21

, Remote

File Inclusion (RFI)21

etc. The adversaries placing such attacks try to extract data, steal

22

https://sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf, accessed 22 November 2012.

23

http://www.infowar-monitor.net/reports/iwm-koobface.pdf, accessed 22 November 2012.

24

https://files.pbworks.com/download/u0CHSgBuXL/webappsec/13247059/WASC-TC-v2_0.pdf, accessed 15 November 2012.

15

ENISA Threat Landscape
Responding to the Evolving Threat Environment

credentials, take control of the targeted webserver or promote their malicious activities by
exploiting vulnerabilities of web applications.
Key findings:

In the last years, the most common attack vector against web applications is SQL
injection. Moreover, SQL injection attacks are popular among hacktivist groups (e.g.
Anonymous), hacker groups (e.g. LulzSec) and cyber criminals (e.g. as mass SQL
Injection campaigns like LizaMoon25

).
A significant increase in reported cross-site scripting attack cases has been observed
during the last years. Moreover, cross-site scripting attacks work on any browsing
technology including mobile web browsers.
The most critical vulnerability for traditional and Web 2.0 applications is cross-site
scripting. However, the resulting risk is lower than SQL injection since attackers do not
appear to leverage them as much in money making scenarios.
SQL Injection is the top attack method for entertainment, retail, technology, media
and education websites. CSRF is the top Attack Method for Web 2.0 and Hosting
Providers websites.
Observed current trend for this threat: Increasing
Detailed findings and references to the analysed material can be found in the Annex.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->