Application Defense Center

Application and Database Security Research

Web Fraud Detection (presented at OWASP & WASC AppSec 2007)

Online fraud can cause millions of dollars in losses due to fines, lawsuits, and customer attrition. JavaScript Hijacking and CSRF injection are two new attack methods used to commit Web fraud. Both attacks frequently target AJAX and other Web 2.0 applications because of security weaknesses inherent to these new technologies. This paper details effective techniques to prevent these application attacks without rewriting Web application code.

How Safe Is It Out There?

This article presents a statistical analysis of results obtained from numerous application level penetration tests performed by Imperva experts for various customers over a period of four years.

SQL Injection Signatures Evasion

Research done at Imperva's Application Defense Center shows that providing protection against SQL injection using signatures alone is not enough. This paper demonstrates various techniques that can be used to evade SQL injection signatures, including advanced techniques that were developed during the research, and explains why it is not possible to adequately protect an application against SQL injection using signatures.

Web Application Worms: Myth or Reality?

This paper discusses the possibility of automated, self-propagating attacks on custom Web application code. It shows that such attacks are not only feasible but that their theoretical success rate is far greater than worms targeting commercial infrastructure.

Blind SQL Server Injection

Until now, exploiting SQL Server injection attacks has depended on the Web server returning detailed error messages, or on some other source of information about the back-end database. As a result, many security administrators suppressed these error messages, assuming this would protect them from SQL Server injection exploitation. This white paper shows, however, that suppressing the error messages does not provide real protection. Imperva ADC research reveals a set of techniques that can easily be used to bypass error suppression, making it clear that more substantial measures must be taken against SQL Server injection attacks.

Term of the Month
Google Hacking

Google Hacking involves an attacker submitting queries to Google’s search engine with the intention of finding sensitive information residing on Web pages that have been indexed by Google, or finding sensitive information with respect to vulnerabilities in applications indexed by Google.