SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

START FREE TRIAL

July 2019 AppSec Intelligence Report: Attack Edition

July 2019 AppSec Intelligence Report: Attack Edition

What is this report: This report summarizes Contrast Labs' analysis of real world application attack data from July 2019. It utilizes data from attacks that Contrast observed over the previous months and highlights the key trends found. 

Who should read this: Developers, product owners, AppSec, and security engineers can use the information to better understand application security threats, adjust their security controls accordingly, and improve their security posture. 

Frequency: Through reading this report on a monthly cadence, AppSec teams can gain a better understanding of the possible types and origins of attacks and attackers that you might see.

To learn more about how Contrast directly measures both vulnerabilities and attacks in parallel across your application portfolio, please visit our website.

KEY OBSERVATIONS

  • In July, Contrast saw a 25% increase in total attacks compared to June. This correlated with 35% increase in attacks per application.
  • 9% of these attacks were connected to a vulnerability within an application. The other 91% were probes and did not connect with a corresponding vulnerability within the target application. This is down significantly from June, when 26% of attacks connected to actual vulnerabilities.
  • The most common attack types were SQL Injections, Path Traversals, and Command Injection attacks. 
  • The volume of attacks targeting open source components remained steady compared to last month, with CVE-2013-2251 and CVE-2017-5638 as the most common attacks.

SUMMARY

  • Custom Code Attacks: We saw the continued dominance of SQL-Injection attacks last month. SQL-Injections represented 68% of all attack vectors, targeting 77% of applications. Overall volume of SQL-Injection attacks was up since June when they represented 58% of all attacks, targeting 82% of applications.
  • Open Source (CVE) Attacks: Attacks on CVEs, particularly Struts, continued at similar levels last month. The most common CVE attack in July and June was CVE-2017-5638 (Struts 2 Input Validation).
  • Attack Vectors By Language: SQL Injection attacks were the most common for Java applications in July. .NET applications experienced the highest volume of Command Injection attacks and Node experienced the highest volume of Path Transversal attacks.
  • Geo Location: Attacks originated from across the globe in July, with the most attacks originating from North America, specifically the United States. Netherlands remained the second most common origin country for the second month in a row.

Screen Shot 2019-09-11 at 4.38.06 PM

START FREE TRIAL

CUSTOM CODE ATTACKS

The three most common attack types in July:

  • SQL Injection
    • Carefully crafted inputs that can alter the SQL queries the application uses, and steal data or execute code.
    • Represented 68% of all attacks in July, up from 58% of attacks in June.
    • Targeted 77% of applications.
  • Path Traversal
    • A vulnerability that allows users to control which files are opened and read by an application.
    • Represented 13% of all attacks in July, down from 28% of attacks in June.
    • Targeted 46% of applications.
  • Command Injection
    • Carefully crafted inputs can execute tainted commands.
    • Represented 11% of attacks in July, up from 4% in June.
    • Targeted 21% of applications.

In July, 96% of applications were targeted by one of these three types during the month.

Image 2-1

TOP CVE ATTACKS

Exploiting vulnerable versions of Struts 2 continues to dominate attacks on CVEs.

CVE-2017-5638 (Struts 2 Input Validation) attacks remained the most prevalent attack on a CVE. However, its reign may be over. For the past 3 months, attacks on CVE-2017-5683 have represented an increasingly smaller portion of total attacks. We observed just over 50% of the attack volume in July that we had seen in June.

The next most common CVE targeted in July attacks was CVE-2013-2251. July marked the 6th anniversary of its first publish date and almost a year since an automatic exploit for the vulnerability was announced

Attacks on CVE-2016-4438 (Struts 2 Input Validation), the second most common CVE targeted in June, dropped considerably in July.

TOP ATTACK VECTORS BY LANGUAGE

Image 3-1

ATTACKS BY GEOLOCATION

July saw attacks from 6 continents and 109 countries. 

The largest increase in volume May to June came from the Netherlands, where we observed a 2x increase in attacks. This higher volume remained relatively stable in July.

The map below illustrates the number of attacks originating from each country with the most saturated color representing the most attacks and the least saturated representing the least attacks. We observed no attacks from the countries filled in gray.

Image 4-2

 

START FREE TRIAL

 

Katharine Watson, Data Analytics

Katharine Watson, Data Analytics

Katharine brings a wide range of analyst experience to Contrast. She has a history of devouring large data sets to discover knowledge and produce compelling narratives for a wide range of audiences. She is focused on using data to help tell Contrast’s story. Before joining the Contrast team, Katharine worked as an analyst, consultant, and project manager in both the private and non-profit sectors.

SUBSCRIBE TO THE BLOG

Learn how to unify security strategy across & development operations. See how to set up a CAS program with only eight activities!

Download the Handbook