akamai.com [Q2 2015] web application attacks

Slideshow: Q2 2015 web application attacks and WordPress vulnerabilities, from stateoftheinternet.com


In Q2 2015, Akamai reported on nine different web application attack vectors:

• SQLi / SQL injection: User content is passed to an SQL statement without proper validation
• LFI / Local file inclusion: Gains unauthorized read access to local files on the web server
• RFI / Remote file inclusion: Abuse of the dynamic file include mechanism available in many programming languages to load remote malicious code into the victim web application
• PHPi / PHP injection: Injects PHP code that gets executed by the PHP interpreter
• CMDi / Command injection: Executes arbitrary shell commands on the target system
• JAVAi / Java injection: Abuses the Object Graph Navigation Language (OGNL), a Java expression language. Popular due to recent flaws in the Java-based Struts Framework, which uses OGNL extensively
• MFU / Malicious file upload (or unrestricted file upload): Uploads unauthorized files to the target application that may be used later to gain full control over the system
• XSS / Cross-site scripting: Injects client-side code into web pages viewed by others whose browsers execute the code within the security context (or zone) of the hosting site. Reads, modifies and/or transmits data accessible by the browser
• Shellshock / Disclosed in September 2014: A vulnerability in the Bash shell (the default shell for Linux and Mac OS X) that allows for arbitrary command execution by a remote attacker

= 9 web application attack vectors

2 / [The State of the Internet] / Security (Q2 2015)

= Shellshock attacks


• Shellshock accounted for 49% of web application attacks in Q2 2015

• 95% of Shellshock attacks targeted a single financial services firm
• 95% of all attacks over HTTPS in April were attributed to Shellshock
• 173 million total Shellshock attacks against Akamai customers in Q2

• The high rate of Shellshock attacks shifted the balance between HTTPS and HTTP channels

• 56% of attacks were over HTTPS in Q2 2015, compared to 9% in Q1
• Shellshock attacks are carried out over HTTPS 96% of the time
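As an added example (not from Akamai's report or tooling), the Python below tags HTTP requests with five of the nine vectors defined above and computes the per-vector share and the HTTPS share of attack traffic, the two kinds of metric quoted on this slide. The signatures, function names and log records are illustrative assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Illustrative signatures only (assumptions, not Akamai's rule set).
# Within a field, the first matching signature wins.
SIGNATURES = [
    ("Shellshock", re.compile(r"\(\)\s*\{")),               # Bash function-definition prefix
    ("RFI", re.compile(r"=\s*(?:https?|ftp)://", re.I)),    # parameter value is a remote URL
    ("LFI", re.compile(r"\.\./|/etc/passwd", re.I)),        # traversal or sensitive local file
    ("SQLi", re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d", re.I)),
    ("XSS", re.compile(r"<\s*script\b|\bonerror\s*=", re.I)),
]

def classify(request_line, headers=()):
    """Return the first matching vector name, or None for a clean request."""
    # Headers are inspected too, because Shellshock payloads arrive in header
    # values that CGI exports as environment variables.
    for field in (request_line, *headers):
        text = unquote_plus(unquote_plus(field))  # decode twice: double URL-encoding
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                return name
    return None

def summarise(records):
    """records: (scheme, request_line, headers). Returns (vector %, HTTPS % of attacks)."""
    vectors, https_hits = Counter(), 0
    for scheme, line, headers in records:
        vector = classify(line, headers)
        if vector:
            vectors[vector] += 1
            https_hits += scheme == "https"
    total = sum(vectors.values())
    if total == 0:
        return {}, 0.0
    shares = {v: round(100 * n / total, 1) for v, n in vectors.items()}
    return shares, round(100 * https_hits / total, 1)

SAMPLE = [  # constructed records, not real traffic
    ("https", "GET /cgi-bin/status HTTP/1.1", ["User-Agent: () { :; }; echo probe"]),
    ("https", "GET /cgi-bin/test.cgi HTTP/1.1", ["Cookie: () { :; }; echo probe"]),
    ("http", "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1", []),
    ("http", "GET /view.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1", []),
    ("https", "GET /index.html HTTP/1.1", ["User-Agent: Mozilla/5.0"]),
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

The RFI pattern also matches legitimate parameters that carry URLs (redirect targets, for example), so a production rule would be scoped to the parameters an application actually passes to an include.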

= other common attack vectors


• SQLi attacks accounted for 26% of all web application attacks
• Discounting Shellshock attacks, SQLi totaled 55% of attacks
• More than 92 million SQLi attacks in Q2 2015
• The number of SQLi alerts increased by 75% over Q1 2015

• LFI attacks accounted for 18% of all web application attacks
• 63 million alerts in Q2 2015, compared to 75 million in Q1

• The remaining six vectors accounted for 7% of all web application attacks

= top 10 source countries


China was the source of more than half of attacking IPs, with the US in second place. Countries with a higher population and higher connectivity are often the source of attack traffic.

= top 10 target countries


Websites based in the US were the most common targets for web application attacks in Q2 2015. The US is consistently one of the top targets for malicious actors.

= targeted industries


• Retail and financial services were subject to the greatest number of malicious requests

• Shift from Q1 2015, when retail and media/entertainment sectors were the most popular targets

• Shellshock attacks are not included because of their focus on a single company

• SQLi and LFI were the most common attack vectors for retail and financial services

• XSS attacks also targeted primarily retail and financial services
• RFI attacks were mostly used against financial services and hotel/travel
• MFU attacks overwhelmingly targeted the hotel and travel industry
• PHPi attacks focused on targets in retail and the public sector

= WordPress plugin vulnerabilities


• The popularity of the WordPress platform has made it a popular target

• Third-party plugins and themes create vulnerabilities
• Third-party developers have varying levels of skill
• Plugins from third-party websites may not be carefully vetted
• Updates to plugins and themes do not undergo stringent review

• Akamai tested 1,322 plugins and themes
• 25 had one or more vulnerabilities, for a total of 49 potential exploits
• Most common vulnerabilities were XSS, LFI, and path traversal (PT) exploits, along with email header injection

• Recommendations for hardening found in the Q2 2015 SOTI Security Report

Download the Q2 2015 State of the Internet Security Report

• The Q2 2015 report covers:
  ⁄ Analysis of DDoS and web application attack trends
  ⁄ Bandwidth (Gbps) and volume (Mpps) statistics
  ⁄ Year-over-year and quarter-by-quarter analysis
  ⁄ Attack frequency, size, types and sources
  ⁄ Multi-vector mega attacks leveraging UDP and SYN floods
  ⁄ Dangers of third-party WordPress plugins and themes
  ⁄ Analysis of the Onion Router (Tor) project risks
  ⁄ Threat advisories issued in Q2 2015, including OurMine Team and RIPv1

= Q1 2015 State of the Internet – Security Report


• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.

= about stateoftheinternet.com
