In its Web Application Attack Report published Thursday, Imperva's Application Defense Center group analyzed attacks on a subset of 99 applications that were protected by the company's Web Application Firewalls from Aug. 1, 2013 to April 30.
Malicious traffic exposure continues to increase through the years, according to the report, which shows a 10 percent increase in SQL injection attacks and a 24 percent increase in Remote File Inclusion attacks. Furthermore, attacks are 44 percent longer when compared to the previously reviewed period.
The increase in length of attacks may be due to a growing list of vulnerabilities to scan for as part of vulnerability scanning attacks, Itsik Mantin, director of security research at Imperva, told SCMagazine.com in a Thursday email correspondence.
“We've also seen cases where the attack campaign didn't seem to end, which is probably the result of someone specifically targeting a site and trying see any new vulnerable resource that appears and to attack it before the site's security team identifies the issue and fixes it,” Mantin said.
Web application attacks hit retail applications the hardest, with retail websites being targeted in 48.1 percent of all attack campaigns – 40 percent of all SQL injection attack campaigns and 64 percent of all malicious HTTP traffic targeted retail websites, the report indicates. Only 10 percent of attack campaigns targeted financial institutions.
“We don't have definitive causation for this finding,” Mantin said. “One possible explanation is that attackers assume that financial applications utilize proper protection measures and keep up-to-date with publication of cyber-attacks and mitigations, while other applications, even commercial ones, are more prone to negligence and leaving known vulnerabilities in the application.”
The most attacked content management system (CMS) is WordPress – sites running on the platform were hit 24.1 percent more than websites running on all other CMS platforms combined, according to the report. Additionally, WordPress experiences 60 percent more cross-site scripting incidents than sites running on all other CMS platforms combined.
WordPress sites are compromised more so than other platforms because, with 23 percent market share, it is the biggest target, Tony Perez, CEO of Sucuri, told SCMagazine.com earlier this week when discussing compromised WordPress sites increasingly being used for phishing.
Attackers are also using Infrastructure as a Service (IaaS) platforms, the report indicates. As a leader in size and market share, Imperva focused on Amazon Web Services and noted that 20 percent of all known vulnerability exploitation attempts and 10 percent of all SQL injection attempts originated in AWS source IPs.
The majority of web application attack traffic around the globe is coming from the United States.
Imperva proposes “that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets,” according to the report, which goes on to add, “Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines etc., and so this information needs to be looked at in proportion.”
“The ubiquity of attack resources, with the growing number of known vulnerabilities and the growing complexity of web applications, are likely to push the attack campaigns to be longer and denser,” Mantin said. “Some approaches that may limit the volume of these attacks [include] stopping attacks shortly after they begin by blocking all traffic from the attack origin after detection of the attack, and stopping attacks before they begin by using crowd-sourcing and blocking all traffic from sources that were found as generators of malicious traffic (e.g., by Community Defense services).”