A recent study by a leading web application security vendor has highlighted some interesting statistics about web application attacks. Some of the findings examined below should enable web security practitioners to better anticipate, identify and act against cyber threats.
One of the unsurprising findings is that web application attacks have increased in number. Most notably, SQL Injection attacks have increased by a sizeable 10% over the last year, while RFI (Remote File Inclusion) attacks have risen even further, up 24% over the previous year. A significant change in the duration of attacks has also been observed, with attack campaigns lasting 44% longer than they did in the second half of 2012.
While the public perception might be that financial institutions are the ones most under threat, attacks on these actually account for only 10% of all attack campaigns. The industry most heavily targeted is in fact the retail sector, which receives 48.1% of all attack campaigns carried out. This makes sense when you consider the data held by such entities, i.e. customer information, including credit card details. With this in mind, it is no surprise that 40% of SQL injection attacks target retail sites.
It has also been observed that websites using WordPress as their Content Management System (CMS) received 24% more incidents and 60% more Cross Site Scripting (XSS) attacks than all other CMS platforms combined. This comes as no surprise, considering that WordPress is by far the most popular CMS platform. The high number of XSS attacks can be attributed to the multitude of plugins available to WordPress users.
There are some noticeable differences in the types of attacks seen against the different infrastructures: PHP applications suffer almost three times as many XSS attacks and twice as many Directory Traversal attacks, while ASP applications receive almost twice as many SQL Injection attacks. This is expected, since PHP and ASP are the most popular web application frameworks.
Where the attacks are coming from
Having studied the sources of web application attack traffic, the study found that the majority of it is generated in the US, and that the majority of the attacking hosts reside within the US. When the data is sorted by type of attack, only XSS attacks were found to originate more frequently from elsewhere, namely the United Kingdom.
However, this data is likely to be misleading. From industry experience, it is known that many attackers from other countries use US hosts for their attacks because those hosts are closer to the attack targets. This makes sense for the attacker, as it gives them a greater chance of remaining undetected and also maximizes the bandwidth available for the attack.
So what should be done?
Given that attacks continue to increase, it is paramount that web security practitioners stay on top of the latest threats by regularly checking their web applications for known vulnerabilities. A web vulnerability scanner such as Acunetix is usually the first step in this routine, since it can identify and pinpoint the largest number of known vulnerability variants. Given the seriousness of a data security breach, practitioners should base their security measures on the worst-case scenario, which gives the best lines of defense against such attacks. So, in addition to regularly running a scanner, manual tools, some of which are built into Acunetix, should also be used to test security even more thoroughly.
Reference: Imperva Web Application Attack Report #5 (WAAR), October 2014.