[Q2 2015] web application attacks

akamai.com

= 9 web application attack vectors

In Q2 2015, Akamai reported on nine different web application attack vectors:
SQLi / SQL injection: User content is passed to an SQL statement without proper validation

LFI / Local file inclusion: Gains unauthorized read access to local files on the web server
RFI / Remote file inclusion: Abuse of the dynamic file include mechanism available in many
programming languages to load remote malicious code into the victim web application
PHPi / PHP injection: Injects PHP code that gets executed by the PHP interpreter
CMDi / Command injection: Executes arbitrary shell commands on the target system
JAVAi / Java injection: Abuses the Object Graph Navigation Language (OGNL), a Java
expression language. Popular due to recent flaws in the Java-based Struts Framework, which
uses OGNL extensively
MFU / Malicious file upload (or unrestricted file upload): Uploads unauthorized files to the
target application that may be used later to gain full control over the system

XSS / Cross-site scripting: Injects client-side code into web pages viewed by others whose
browsers execute the code within the security context (or zone) of the hosting site. Reads,
modifies and/or transmits data accessible by the browser
Shellshock / Disclosed in September 2014: A vulnerability in the Bash shell (the default shell
for Linux and mac OS X) that allows for arbitrary command execution by a remote attacker

2 / [The State of the Internet] / Security (Q2 2015)

= Shellshock attacks

Shellshock accounted for 49% of web application attacks in

Q2 2015
95% of Shellshock attacks targeted a single financial services firm

95% of all attacks over HTTPS in April were attributed to Shellshock

173 million total Shellshock attacks against Akamai customers in Q2

The high rate of Shellshock attacks shifted the balance

between HTTPS and HTTP channels
56% of attacks were over HTTPS in Q2 2015, compared to 9% in Q1
Shellshock attacks are carried out over HTTPS 96% of the time

3 / [The State of the Internet] / Security (Q2 2015)

= other common attack vectors

SQLi attacks accounted for 26% of all web application attacks

Discounting Shellshock attacks, SQLi totaled 55% percent of attacks
More than 92 million SQLi attacks in Q2 2015
The number of SQLi alerts increased by 75% over Q1 2015

LFI attacks accounted for 18% of all web application attacks

63 million alerts in Q2 2015, compared to 75 million in Q1

The remaining six vectors accounted for 7% of all web

application attacks

4 / [The State of the Internet] / Security (Q2 2015)

= top 10 source countries

China was the source of more than half of attacking IPs, with the US in
second place. Countries with a higher population and higher connectivity
are often the source of attack traffic.
7 / [The State of the Internet] / Security (Q2 2015)

= top 10 target countries

Websites based in the US were the most common targets for web
application attacks in Q2 2015. The US is consistently one of the top
targets for malicious actors.
7 / [The State of the Internet] / Security (Q2 2015)

= targeted industries

Retail and financial service were subject to the greatest

number of malicious requests
Shift from Q1 2015, when retail and media/entertainment sectors were the
most popular targets
Shellshock attacks are not included because of their focus on a single
company

SQLi and LFI were the most common attack vectors for retail
and financial services
XSS attacks also targeted primarily retail and financial services
RFI attacks were mostly used against financial services and hotel/travel
MFU attacks overwhelmingly targeted the hotel and travel industry
PHPi attacks focused on targets in retail and the public sector

3 / [The State of the Internet] / Security (Q2 2015)

= WordPress plugin vulnerabilities

The popularity of the WordPress platform has made it a

popular target
Third-party plugins and themes create vulnerabilities
Third-party developers have varying levels of skill
Plugins from third-party websites may not be carefully vetted
Updates to plugins and themes do not undergo stringent review

Akamai tested 1,322 plugins and themes

25 had one or more vulnerabilities, for a total of 49 potential exploits
Most common vulnerabilities were XSS, LFI, and path transversal (PT)
exploits, along with email header injection.

Recommendations for hardening found in the Q2 2015 SOTI

Security Report

5 / [The State of the Internet] / Security (Q2 2015)

= Q1 2015 State of the Internet Security Report

Download the Q2 2015 State of the Internet Security Report

The Q2 2015 report covers:

Analysis of DDoS and web application attack trends

Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Attack frequency, size, types and sources
Multi-vector mega attacks leveraging UPD and SYN floods
Dangers of third-party WordPress plugins and themes
Analysis of the Onion Router (Tor) project risks
Threat advisories issued in Q2 2015, including OurMine Team and RIPv1

9 / [The State of the Internet] / Security (Q2 2015)

= about stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai,

serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and

archived versions of Akamais State of the Internet
(Connectivity and Security) reports, the companys data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.

10 / [The State of the Internet] / Security (Q2 2015)