Web attacks peak at 38,000 an hour

Web applications are subject to business logic attacks, according to a report by Imperva.

Imperva monitored and categorized attacks across the internet targeting 40 different applications. This allowed them to outline the frequency, type and geography of origin of each attack.

“Business logic attacks are attractive for hackers since they follow a legitimate flow of interaction of a user with the application,” said Amichai Shulman, Imperva’s CTO. “This interaction is guided by an understanding of how specific sequences of operations affect the application’s functionality. Therefore, the abuser can lead the application to reveal private information for harvesting, skew information shared with other users and much more – often bypassing security controls.”

Automated application attacks continue

In the six month period from June – November 2011, the observed web applications suffered attacks in the range of 130,000 to 385,000 per month. At its peak, the application set was under attack at a rate of nearly 38,000 per hour or ten per second.

Attack automation is attractive for several reasons:

• Automatic tools enable an attacker to attack more applications and exploit more vulnerabilities then any manual method possibly could.
• The automatic tools that are available online save the attacker the trouble of studying attack methods and coming up with exploits to applications’ vulnerabilities. An attacker can just pick a set of automatic attack tools from the ones that are freely available online, install them, point them at lucrative targets and reap the results.
• The tools use resources, like compromised servers that are employed as attack platforms, more efficiently.

Attackers exploit five common application vulnerabilities

The five most common application vulnerabilities are: Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS) and Directory Traversal (DT). Cross Site Scripting and Directory Traversal are the most prevalent classical attack types. Why are these vulnerabilities targeted? Attackers prefer the path of least resistance and application vulnerabilities offer a rich target.

Attackers are relying on business logic attacks due to their ability to evade detection

Imperva also investigated two types of Business Logic attacks: comment spamming and email extraction. Comment spamming injects malicious links into comment fields to alter search engine results and potentially defraud consumers. Email extraction simply catalogs email addresses for building spam lists. These attacks accounted for 14% of the analyzed malicious traffic.

The geographic origin of business logic attacks were:

• Email extraction was dominated by hosts based in African countries.
• An unusual portion of the comment-spamming activity was observed from eastern-European countries.