Web applications are attacked one out of three days, report says

A typical Web application gets attacked 137 times on 59 separate days during a six-month period, Imperva says

A typical Web application is the target of an attack at least one in three days on average, according to a report released by data security firm Imperva.

The third edition of Imperva's semi-annual Web Application Attack Report (WAAR), released on Tuesday, is based on an analysis of Internet traffic collected from 50 publicly available Web applications between December 2011 and May 2012. Imperva determined that a typical Web application experienced 59 "battle days" -- days in which at least one attack incident occurred -- during the six-month period.

Many of the monitored applications differed in size and purpose, and most of them were hosted in the U.S. and the European Union, said Amichai Shulman, Imperva's chief technology officer.

Imperva found that for a typical Web application the median number of attack incidents recorded during a six-month period was 137.

An attack incident was defined by the company as a burst of malicious traffic that exceeded a rate of 30 attack requests per five minutes.

This method of counting attacks differs significantly from the one the company used for its previous WAAR reports, which focused on the total number of attack requests.
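The counting method described above can be sketched in code. This is an added example, not Imperva's implementation: it groups request timestamps already classified as attacks into incidents and battle days. The report gives only the threshold, so the burst boundary (a full five minutes with no attack request), the sliding window, and assigning an incident to the day it starts are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # window length from the report's definition
THRESHOLD = 30                 # an incident must exceed 30 requests per window

def find_incidents(times):
    """Group attack-request timestamps into incidents.
    Assumed here: a burst ends after a full window with no attack request."""
    bursts, current = [], []
    for t in sorted(times):
        if current and t - current[-1] > WINDOW:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    incidents = []
    for burst in bursts:
        lo = peak = 0
        for hi, t in enumerate(burst):
            while t - burst[lo] >= WINDOW:  # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > THRESHOLD:  # "exceeded", so exactly 30 does not count
            incidents.append({"start": burst[0], "end": burst[-1],
                              "requests": len(burst), "peak": peak})
    return incidents

def battle_days(incidents):
    """Calendar days with at least one incident (assumed: keyed by start)."""
    return sorted({i["start"].date() for i in incidents})

def burst_of(start, count, step_seconds):
    """Build constructed sample timestamps: count requests, evenly spaced."""
    return [start + timedelta(seconds=n * step_seconds) for n in range(count)]

# Constructed sample data, not taken from the report.
SAMPLE = (
    burst_of(datetime(2012, 1, 10, 3, 0), 45, 6)      # fast burst: incident
    + burst_of(datetime(2012, 1, 10, 14, 0), 20, 6)   # too few requests
    + burst_of(datetime(2012, 1, 11, 9, 0), 40, 60)   # slow scan, 5 per window
    + burst_of(datetime(2012, 1, 12, 22, 0), 31, 9)   # just over the threshold
    + burst_of(datetime(2012, 1, 13, 8, 0), 30, 9)    # exactly 30: no incident
)

if __name__ == "__main__":
    found = find_incidents(SAMPLE)
    for inc in found:
        print(inc["start"], inc["requests"], "requests, peak", inc["peak"])
    print("battle days:", [str(d) for d in battle_days(found)])
```

The slow scan sends 40 attack requests yet never counts as an incident, which illustrates why counting by incident can rank techniques differently from counting raw requests.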

The worst case seen by the company involved an application that experienced 1,383 attack incidents spanning 141 battle days, or 80 percent of the days in the six-month period.

The typical attack incident had a magnitude of 195 requests and lasted almost 8 minutes, Imperva said in its report. However, the worst incident lasted 10 times longer than that and involved 8,790 attack requests.

The new methodology of interpreting data revealed that SQL injection (SQLi) was the attack technique most commonly used. The median number of SQLi attacks experienced by a typical Web application was 17.5 and in the worst case it was 320.

This is a significant change, because previous WAAR reports placed cross-site scripting (XSS) and directory traversal attacks ahead of SQLi attacks in terms of frequency.

The new methodology allowed the company's researchers to see things in a different way, Shulman said. "While the number of individual requests for cross-site scripting and directory traversal is higher than for SQL injection, in reality, the number of attacks in which SQL injection is involved is higher."

However, given what other security vendors have reported in the past, the efficiency of SQLi attacks is somewhat questionable. For example, Verizon said in its 2012 Data Breach Investigations Report that SQL injection was used in only 3 percent of data breach incidents.

It's possible that SQL injection, while the most popular attack technique, is not the most successful one, Shulman said. However, "I find it hard to believe that attackers are wasting so much energy over SQL injection if it's not proving to be successful," he said.

Another interesting finding was that the highest number of SQL injection requests originated in France and not the U.S., which is the primary source of other types of attacks like remote file inclusion, directory traversal or local file inclusion.

Some attack types have a well-known geographic bias, Shulman said. For example, many email scraping attacks originate from African countries and comment spam attacks are commonly launched from Eastern Europe and Russia.

However, the fact that a large number of SQL injection attacks originated from France is unusual, Shulman said. "It's the first time we've seen this kind of geolocation bias for SQL injection and I don't have the answer yet [for why it happened]."

Shulman speculated that it might be harder to get abusive servers shut down in France than in other European countries or that attackers might prefer to use Internet Protocol addresses from a country like France, which is not commonly associated with malicious Internet traffic. However, these are just theories, he said.

Imperva tried to use a number of statistical methods to find patterns in the timing of the attacks and actually concluded that they can't be predicted, Shulman said. "The fact that you've been attacked today doesn't say anything about what is going to happen tomorrow."

Companies need to be prepared to protect their Web applications at all times and should be prepared to do so against the worst attacks, not just the average ones, he said.

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts