Automation Fuels Onslaught of Web App Attacks: Report

Attacks designed to compromise users and steal sensitive data are increasing in magnitude and velocity as cybercriminals leverage automated tools, Imperva’s annual Web Application Attack Report (WAAR) reveals.

While automated attacks are by no means a new tactic for cybercriminals, according to the recently released report (PDF), Imperva has seen an increase in the number of SQL injection (SQLi) and cross-site scripting (XSS) attacks, as well as an increase in attacks targeting healthcare applications. On the positive side, the number of attacks successfully identified and blocked also increased, the report said.

Imperva noted that all of the applications analyzed in the report were attacked, and over 75 percent were targeted by all of the eight attack types the company has identified. The eight attack types include: SQLi, remote file inclusion (RFI), remote code execution (RCE), directory traversal (DT), XSS, spam, file upload (FU), and HTTP reconnaissance.

Given the large number of identified and blocked attacks, the company assumes that hackers are using automation to launch more effective attacks against their targets.

The report also found that the number of specific malicious attacks increased compared to last year and that SQL injection attacks were 3 times higher, while XSS attacks increased by a factor of 2.5. The security firm also observed that all of the analyzed applications suffered Shellshock attacks in very similar numbers and that both the magnitude and frequency of attacks increased as soon as a vulnerability was made public.

Applications built on content management systems (CMS) registered 3 times more attacks than non-CMS applications; WordPress was attacked 3.5 times more than non-CMS applications, and 7 times more for spam and RFI attacks. Health applications were 10 times more popular for XSS attacks than other applications.

The 2015 WAAR report analyzed approximately 300,000 attacks and over 22 million cyber alerts on 198 applications between January 1 and June 30 this year. The report showed that half of the applications registered over 20 SQLi attacks during the timeframe, experiencing an average of 72 malicious requests, with the highest attack magnitude peaking at 400,000 malicious requests.

“This year’s report illustrates that any and every web application may come under attack by cyber criminals, due in large part to the fact that hackers have industrialized – making broad attacks possible – the techniques used to gain access to valuable personally identifiable information. As a result, every web application is at risk,” Amichai Shulman, Co-Founder and Chief Technology Officer of Imperva, said.

In last year’s WAAR, Imperva revealed that WordPress was the most popular target for cybercriminals, as WordPress websites were attacked 24.1 percent more than sites running on all other CMS platforms combined.

“In the same way that automation has transformed traditional industries, automation is transforming the economy of cyber attackers, and rewriting the rules of enterprise risk in the process,” SecurityWeek columnist Wade Williamson wrote in a Sept. 2014 column.

“Automated attacks are cheap, tireless, and can target virtually any functionality that we expose to our end-users. Because of their reach, these attacks become both highly probable and enormous in scale. This makes understanding automated threats essential in order to understand IT and enterprise risk.”

Web technologies are inherently vulnerable to automation, and have given rise to a new breed of scripted attacks, Williamson said.

“In its simplest form, the problem boils down to the fact that web front-ends typically must remain exposed to the untrusted Internet, and the source code (web markup) is readily visible to anyone who wants to look. This combination is the ideal breeding ground for automation - an application that is both always accessible and comes with a blueprint showing how the application works. This is the combination that should be concerning to those who manage enterprise risk. Almost all of our applications are migrating to the web, and these applications are almost certain to be hit by automated attacks,” Williamson warned.

“Businesses must pay particular attention to directly protecting data and applications by using security measures like a web application firewall, ideally in conjunction with real-time reputation services,” Shulman said.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.