In the first part of this article, we discussed the popularity, average number and ratio of attacks on web applications. Let’s now focus on some examples and sources.
Examples of Attacks
An example of detecting a Path Traversal attack
The attacker attempted to traverse up to the root directory of the server and access the /etc/passwd file, which contains a list of the system's user accounts.
About 17 percent of attacks were SQL Injection attempts. A small share (about eight percent) were Cross-Site Scripting attacks aimed at users of public service portals. Attackers tried to run OS commands in two percent of cases.
Almost three-quarters of attacks on online stores were Path Traversal attacks. As on portals that provide public services, attackers attempted to go beyond the current directory of the file system. A substantial share (14 percent) were denial of service attacks; for an online store, a threat to the availability of the web application is critical. Attacks on users (Cross-Site Scripting and Cross-Site Request Forgery) amounted to four percent in total, the same share as SQL Injection.
In the financial sphere, about 65 percent of the total were Cross-Site Scripting and Cross-Site Request Forgery attacks aimed at users of the systems. Such attacks are widespread in the financial industry. They are dangerous because they allow attackers to steal cookie values and user credentials (i.e. phishing) as well as perform actions on behalf of legitimate users.
An example of the “Cross-site scripting” attack detection
The attacker tried to display the cookie values to check whether the web application was vulnerable to this attack.
Attackers tried to gain access to sensitive information using Path Traversal (15 percent of the total number) and SQL Injection (seven percent of the total). The share of “Download of arbitrary files” attacks was seven percent. Such attacks are often used to directly execute OS commands, a technique which was registered in three percent of cases. In general, the nature and complexity of the attacks indicate a higher level of technical training among intruders than in the other sectors under consideration.
In the IT sector, more than half of the recorded attacks were SQL Injection attempts. There were also Path Traversal attacks (20 percent of the total number). In addition, 16 percent were attempts to execute OS commands, and 12 percent of attacks on web applications of IT companies were aimed at system users.
For web applications of transport companies, SQL Injection accounted for more than 50 percent of attacks. Thirty-eight percent were information leakage, and six percent were the execution of OS commands.
In the education sector, approximately 70 percent of manual attacks were SQL Injection. This attack is often fairly simple to perform; it can be used to gain access to users' personal accounts or the contents of databases. About 30 percent of attacks involved the exploitation of the “Information Leakage” vulnerability, which can allow an attacker to receive sensitive data or learn more about the system.
An example of SQL Injection detection
The attacker placed a database query in the GET parameter id to test whether the vulnerability could be exploited.
Distributed denial of service (DDoS) attacks accounted for almost two-thirds of attacks on applications of industrial enterprises.
An example of detecting three attack chains, including DDoS
The firewall builds these chains automatically by detecting correlations between events that are spaced in time but are part of the same attack.
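The detections and chain-building described above can be illustrated from the defender's side. This is an added example, not code from the article or from the firewall it describes: it flags Path Traversal, SQL Injection and Cross-Site Scripting attempts in request targets and links flagged events into chains. The signature patterns, the log format, the sample lines and the correlation rule (same source IP, events no more than ten minutes apart) are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Signature names and patterns are assumptions chosen for this example.
SIGNATURES = {
    "path_traversal": re.compile(r"(\.\./|\.\.\\)|/etc/passwd", re.I),
    "sql_injection": re.compile(r"('|\b\d+)\s*(or|and)\s+['\d]|union\s+select", re.I),
    "xss": re.compile(r"<script\b|document\.cookie|onerror\s*=", re.I),
}

# Constructed sample log (assumed format): "timestamp source-IP request-target"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 /view?file=..%2F..%2F..%2Fetc%2Fpasswd
2024-01-01T10:00:40 198.51.100.7 /index.html
2024-01-01T10:03:10 203.0.113.5 /item?id=1%27%20OR%20%271%27%3D%271
2024-01-01T10:07:30 203.0.113.5 /search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E
2024-01-01T12:30:00 203.0.113.5 /item?id=1+UNION+SELECT+null
"""

def classify(target):
    """Return the attack classes whose signature matches the decoded target."""
    decoded = unquote_plus(unquote_plus(target))  # second pass catches double encoding
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def build_chains(log_text, window=timedelta(minutes=10)):
    """Group flagged requests per source IP; a gap longer than `window` starts a new chain."""
    chains = defaultdict(list)  # ip -> list of chains; a chain is a list of (time, class)
    for line in log_text.splitlines():
        ts, ip, target = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        for attack in classify(target):
            ip_chains = chains[ip]
            if ip_chains and when - ip_chains[-1][-1][0] <= window:
                ip_chains[-1].append((when, attack))  # continues the current chain
            else:
                ip_chains.append([(when, attack)])    # first event or gap too long
    return dict(chains)

if __name__ == "__main__":
    for ip, ip_chains in build_chains(SAMPLE_LOG).items():
        for chain in ip_chains:
            print(ip, [attack for _, attack in chain])
```

On the sample log, the three probes from one address within eight minutes form a single chain, while the request two hours later starts a new one.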
Sources of Attacks
The largest number of recorded attacks came from the United States and Russian-speaking countries, with Russia at the forefront. The percentage of attacks based in the Netherlands and other European countries was quite high, as a large number of providers in these countries offer proxy server services.
Sources of external attacks on organizations differed depending on the industry. Most attacks on state institutions were made from Russian IP addresses, about a third were made from IP addresses belonging to U.S. providers, and in six percent of cases, the source was the Netherlands.
For online stores, Russia and the United States were the source of attacks in approximately equal shares (about a quarter of the total each). More than a third of the attacks went through IP addresses in the Netherlands.
For attacks on education, as was shown above, public services and utilities for scanning web applications for vulnerabilities were widely used. In order to hide the actual IP address of the source of the attack, such software mainly involved servers located in the United States. A fifth of the attacks came from Russian IP addresses.
It is interesting to note that internal attackers were the source of more than a third of attacks on university web applications (for the education sector on average, this indicator was eight percent). These were probably students who have access to the wireless networks of the educational institution as well as access to the local network in classrooms.
In the financial sphere, about 10 percent of attacks originated from internal attackers. It is also possible that, in a number of cases, the source was a system administrator testing defense mechanisms.
Despite the large number of simple attacks, one should take into account that the level of technical training of modern attackers allows them to carry out complex, multi-stage attacks. In order to identify the chains of such attacks, including the detection of long-term targeted attacks, it is necessary to use correlation analysis tools.
The research was conducted during a six-month period using Bod Intelligent Antivirus developed by Bod Security.
About the Author: Alex Bod is an information security researcher and co-founder of Bod Security, an intelligent antivirus provider company.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.