Online fraud can cause millions of dollars in losses through fines, lawsuits, and customer attrition. JavaScript Hijacking and CSRF injection are two newer attack methods used to commit Web fraud. Both frequently target AJAX and other Web 2.0 applications because of security weaknesses inherent in these technologies. This paper details effective techniques for preventing these application attacks without rewriting Web application code.
Danger From Below: The Untold Tale of Database Communication Protocol Vulnerabilities
Attackers are taking advantage of database protocol vulnerabilities to compromise databases. Based on extensive research and testing, this paper describes areas of database vulnerability and presents potential methods for mitigating the risk associated with attacks on the SQL wire protocol.
How Safe Is It Out There?
This article presents a statistical analysis of results obtained from numerous application-level penetration tests performed by Imperva experts for various customers over a period of four years.
SQL Injection Signatures Evasion
Research done at Imperva's Application Defense Center shows that protecting against SQL injection with signatures alone is not enough. This paper demonstrates various techniques that can be used to evade SQL injection signatures, including advanced techniques developed during the research, and explains why it is not possible to adequately protect an application against SQL injection using signatures.
Web Application Worms: Myth or Reality?
This paper discusses the possibility of automated, self-propagating attacks on custom Web application code. It shows that such attacks are not only feasible but that their theoretical success rate is far greater than that of worms targeting commercial (off-the-shelf) infrastructure.
Blind SQL Server Injection
Until now, exploiting SQL Server injection flaws depended on the Web server returning detailed error messages or on some other source of feedback about the query. As a result, many security administrators suppressed these error messages, assuming this would protect them from SQL Server injection exploitation. This white paper shows, however, that suppressing the error messages does not provide real protection. Imperva ADC research reveals a set of techniques that can easily be used to bypass error suppression, making it clear that more substantial measures must be taken against SQL Server injection attacks.
HTTP Verb Tampering is an attack that exploits weaknesses in how authentication and access control mechanisms handle HTTP verbs (also known as HTTP methods). Many access control mechanisms only restrict the most common HTTP methods, thus allowing unauthorized access to restricted resources using other methods. For example, many Web applications enforce access controls on GET and POST but ignore other HTTP methods such as HEAD, even though the server typically routes a HEAD request to the same handler as GET. HTTP Verb Tampering enables malicious users to bypass security controls to access or manipulate restricted resources.
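The bypass described above, as an added example that is not part of the original page or of Imperva's own material: a toy request dispatcher whose access check is written as a deny list (only GET and POST to /admin require a login), beside an allow-list version that rejects unexpected verbs and applies the login check to every verb reaching the protected path. The Request model, the /admin prefix and the status codes are assumptions made for the illustration.

```python
"""Constructed model of HTTP verb tampering (example code, not from the page)."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical protected area and the verbs the application means to serve.
PROTECTED_PREFIX = "/admin"
ALLOWED_METHODS = ("GET", "HEAD", "POST")


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]  # None models an unauthenticated request (assumed session model)


def handle(req: Request) -> int:
    """Stand-in for the application's handlers.

    Mirrors the common framework convention of serving HEAD with the GET handler
    (response body stripped), so anything the GET handler would reveal is reachable via HEAD.
    """
    method = "GET" if req.method == "HEAD" else req.method
    if method in ("GET", "POST"):
        return 200
    return 405  # verb with no handler


def vulnerable_check(req: Request) -> int:
    """Deny-list access control: only GET and POST to /admin are gated.

    A HEAD request to /admin never hits the login check and reaches handle(),
    which serves it through the GET handler.
    """
    if req.path.startswith(PROTECTED_PREFIX) and req.method in ("GET", "POST"):
        if req.user is None:
            return 401
    return handle(req)


def hardened_check(req: Request) -> int:
    """Allow-list access control.

    1. Reject any verb the application does not intend to serve (405).
    2. Apply the login check to every verb that targets the protected path,
       before the request is routed to a handler.
    """
    if req.method not in ALLOWED_METHODS:
        return 405
    if req.path.startswith(PROTECTED_PREFIX) and req.user is None:
        return 401
    return handle(req)


def probe(check) -> dict:
    """Send the same unauthenticated requests to /admin with several verbs and
    collect the status each one gets back, which is how a tester would look for
    verb-tampering gaps in an access control layer."""
    return {
        verb: check(Request(verb, "/admin/users", None))
        for verb in ("GET", "POST", "HEAD", "DELETE", "FOO")
    }


if __name__ == "__main__":
    print("deny list :", probe(vulnerable_check))
    print("allow list:", probe(hardened_check))
```

Running the block prints a 200 for the unauthenticated HEAD request under the deny-list check and a 401 for the same request under the allow-list check; every verb outside the allow list gets a 405 before any handler runs. The same mistake appears at the web-server layer: an Apache `<Limit GET POST>` block applies its directives only to those two verbs, whereas `<LimitExcept GET POST>` applies them to everything else, so a rule written with `<Limit>` to require authentication leaves HEAD and any other verb unrestricted.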