Public web applications are an attractive target for hackers. Attacks on web applications open up wide opportunities, including access to the company's internal resources and sensitive information, disruption of the application, and circumvention of business logic. Virtually any attack can bring financial benefit to the attacker and losses, both financial and reputational, to the owner of the web application. Users of web applications are also at risk, since successful attacks allow hackers to steal credentials, perform actions on sites on behalf of users, and infect workstations with malicious software. When investigating attacks on web applications, we first need to determine which attacks are most popular with attackers and what their possible motives are, and to identify the main sources of threats for different industries. Such data lets us understand which aspects deserve attention when securing web applications. We also need to consider how the distribution of attack types and malicious activity depends on the company's field of activity, and how the nature of the attacks changed over the year. The initial attack data were collected with a web application firewall (an application-layer firewall).
The popularity of attacks by industry
The most frequently detected attacks were SQL injection ("Implementing SQL statements") and OS command injection ("Running OS commands"); such attacks were recorded on more than 80 percent of systems. Path traversal was the next most common of the detected attacks. Attackers favour the simplest attacks, which require no special conditions to execute. As a rule, a lower detection rate for an attack indicates either greater complexity or the need for special conditions, such as a file upload function in the web application or certain actions on the part of users. When ranking the most popular attacks, we excluded those carried out by automated web application vulnerability scanners such as Acunetix or sqlmap.
Rating of the most popular attacks (share of web applications on which each was recorded):
- SQL injection – 83%
- OS command injection – 83%
- Path traversal – 76%
- Cross-site scripting – 58%
- Denial of service – 32%
- Local file inclusion – 21%
- XML external entity (XXE) injection – 16%
- Arbitrary file upload – 11%
- Cross-site request forgery – 11%
Most attacks in this ranking exploit critical vulnerabilities and can lead to full compromise of the web application and its server, which in turn can give the attacker access to local network resources. The distribution of attack types varies with the industry to which the investigated system belongs: attackers pursue different goals, and their skill levels and technical capabilities also differ. The figures below show the average number of attacks per day per system, as well as the ratio of attacks performed manually to those performed with automated scanning utilities.
The average number of attacks per day per system:
- Government agencies – 3,351
- Online Stores – 2,081
- Finance – 1,386
- IT – 679
- Transport – 670
- Education – 123
- Industry – 57
The ratio of automated scanning and manual attacks:
- Government agencies – 98%
- Online Stores – 81%
- Finance – 42%
- IT – 36%
- Transport – 34%
- Education – 16%
- Industry – 3%
In every industry except government agencies and online stores, most attacks are carried out with specialized vulnerability-scanning software. Automated scanning consists of attempts to perform various types of attacks, such as SQL injection and path traversal, using ready-made tools for instrumental security analysis. An attacker can use the scan results to exploit vulnerabilities and develop the attack further, gaining access to sensitive information, local network resources and critical systems, or attacking users.
The largest average number of attacks per day, approximately 3,500, was recorded in public institutions; there, automated vulnerability scanning accounted for only 18 percent of the total. Online stores rank second, with about 2,200 attacks recorded per day, almost all of them conducted without automated scanning tools. In the financial sector we registered about 1,400 attacks per day, among which automated vulnerability searches predominated. Transport resources and IT companies each saw an average of about 680 attacks per day, most of which were also automated vulnerability searches.
The average for the education sector excludes an information and analytical center whose functions include processing the results of state examinations. An extremely large number of attacks on this web application, more than 20,000 per day, was recorded in schools, and most of them were performed with vulnerability scanning tools. Students with basic knowledge of information security and of ways to circumvent protection mechanisms could use publicly available software to scan the system. This would also explain why most attacks of this type came from the United States: the public utilities or online services used probably relied on proxy servers located in the US.
The purpose of the attacks on the information and analytical center was most likely to gain access to exam results and examination materials. Perhaps the students thought that in this way they could change their exam scores. It can also be assumed that the attackers were looking for vulnerabilities whose exploitation would give access to the databases of exam materials for subsequent illegal distribution. For industrial systems, about 50 attacks per day were recorded; almost all of them were automated vulnerability scans, and only one percent were conducted manually. For government agencies, more than 70 percent of attacks were path traversal, in which the attackers tried to escape the current directory of the file system and access files on the server in order to steal sensitive information.
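The two calculations behind this analysis, sorting WAF-logged requests into the attack categories ranked above and then deriving per-industry figures (attacks per system-day and the share performed manually rather than by scanners, with an outlier system excluded the way the exam-results center was), can be reproduced on a small scale. The following Python script is an added example, not the report's own tooling or any Bod Security product: the signatures, the scanner User-Agent markers, the log-line format and the log lines themselves are all constructed for illustration, and a production WAF uses far richer rules.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Illustrative signatures keyed by the report's categories (assumptions for this
# example, deliberately simple; real rule sets are much larger and more precise).
SIGNATURES = [
    ("SQL injection", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|\bsleep\s*\(")),
    ("OS command injection", re.compile(r"(?i)[;|&`]\s*(cat|ls|id|whoami|wget|curl)\b|\$\(")),
    ("Path traversal", re.compile(r"\.\./|\.\.\\")),
    ("Cross-site scripting", re.compile(r"(?i)<script\b|javascript:|\bon(load|error|click|mouseover)\s*=")),
    ("Local file inclusion", re.compile(r"(?i)[?&](file|page|include)=(?:/|php://|file://)")),
    ("XML external entity", re.compile(r"(?i)<!ENTITY\s+\S+\s+SYSTEM")),
]

# User-Agent substrings treated as automated scanners (assumed markers; the report
# names Acunetix and sqlmap as examples of such tools).
SCANNER_MARKERS = ("sqlmap", "acunetix", "nikto")

# Constructed log format for this example: system industry date "request" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<system>\S+) (?P<industry>\S+) (?P<date>\d{4}-\d{2}-\d{2}) '
    r'"(?P<request>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    'gov-portal gov 2018-03-01 "GET /docs?file=../../../../etc/passwd HTTP/1.1" "Mozilla/5.0"',
    'gov-portal gov 2018-03-01 "GET /search?q=%27%20or%201%3D1 HTTP/1.1" "Mozilla/5.0"',
    'gov-portal gov 2018-03-02 "GET /index.php?page=/etc/hosts HTTP/1.1" "Mozilla/5.0"',
    'shop-a retail 2018-03-01 "GET /item?id=1 union select 1,2,3 HTTP/1.1" "sqlmap/1.2"',
    'shop-a retail 2018-03-01 "GET /item?id=7 HTTP/1.1" "Mozilla/5.0"',
    'shop-a retail 2018-03-02 "GET /ping?host=127.0.0.1;cat /etc/passwd HTTP/1.1" "Mozilla/5.0"',
    'shop-b retail 2018-03-02 "POST /comment HTTP/1.1" "Mozilla/5.0"',
    'shop-b retail 2018-03-02 "GET /s?q=<script>alert(1)</script> HTTP/1.1" "Acunetix-Scanner"',
    'exam-center edu 2018-03-01 "GET /a?x=%3Cscript%3E HTTP/1.1" "nikto/2.1"',
]


def classify(request: str):
    """Return the attack category for a request line, or None if it looks benign."""
    decoded = unquote_plus(request)  # payloads are often URL-encoded; match on the decoded form
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name  # first matching category wins (order of SIGNATURES matters)
    return None


def parse_events(lines):
    """Turn raw log lines into attack events: (system, industry, date, category, automated)."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        category = classify(m["request"])
        if category is None:
            continue  # benign traffic is not an attack event
        automated = any(tag in m["ua"].lower() for tag in SCANNER_MARKERS)
        events.append((m["system"], m["industry"], m["date"], category, automated))
    return events


def category_shares(events):
    """Share (0..1) of systems on which each category was seen at least once,
    which is how the report ranks attack popularity."""
    systems = {e[0] for e in events}
    seen = defaultdict(set)
    for system, _, _, category, _ in events:
        seen[category].add(system)
    return {cat: len(s) / len(systems) for cat, s in seen.items()}


def industry_stats(events, exclude=()):
    """Per industry: average attacks per observed system-day and the share done manually.
    `exclude` drops outlier systems, as the report did for the exam-results center."""
    per_cell = defaultdict(lambda: defaultdict(int))  # industry -> (system, date) -> count
    manual, total = defaultdict(int), defaultdict(int)
    for system, industry, date, _, automated in events:
        if system in exclude:
            continue
        per_cell[industry][(system, date)] += 1
        total[industry] += 1
        if not automated:
            manual[industry] += 1
    return {
        ind: {"attacks_per_day": total[ind] / len(cells),
              "manual_share": manual[ind] / total[ind]}
        for ind, cells in per_cell.items()
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for cat, share in sorted(category_shares(evs).items(), key=lambda kv: -kv[1]):
        print(f"{cat:24s} {share:.0%} of systems")
    for ind, s in industry_stats(evs, exclude=("exam-center",)).items():
        print(f"{ind:8s} {s['attacks_per_day']:.1f} attacks/day, {s['manual_share']:.0%} manual")
```

Two design points carry over to real deployments: classification runs on the URL-decoded request, because naive matching on the raw line misses encoded payloads, and "automated" is inferred only from the User-Agent here, whereas a real WAF would also use request rate and payload sequences, since scanners can spoof the agent string.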
Conclusion
Most of the attacks committed by intruders are fairly simple, both to execute and to detect with a web application firewall. At the same time, there was a significant increase in the number of attacks on web resources, primarily from IP addresses in Russia and Turkey. Companies, financial institutions in particular, are advised to take measures in advance to protect critical components and to ensure that the protection tools they use are effective. The research was conducted over a six-month period using Bod Intelligent Antivirus, developed by Bod Security. In the second part of the article, we'll discuss examples and sources of attacks.
About the Author: Alex Bod is an information security researcher and co-founder of Bod Security, an intelligent antivirus provider company. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.