
The Top 10 app-attack trends in the financial sector


As the financial sector digitally transforms, it is under siege, as data from Contrast’s platform and other reports clearly show.

  • According to Contrast’s platform data, attackers are targeting web apps/application programming interfaces (APIs) at an average of 4,900 attacks per month. 
  • The Contrast platform shows that custom code and libraries are full of vulnerabilities, with an average of 30+ serious vulnerabilities. 
  • App attacks are the leading cause of breach, according to Verizon’s Data Breach Report 2022.
  • In 2022, the global average total cost of a data breach was US $4.35 million, according to the 2022 Cost of a Data Breach report by IBM and the Ponemon Institute.

Over the month of November, Contrast’s financial services customers endured a myriad of application attacks, including the following Top 10 attack types with their attack totals. 

I. Path traversal — 521,655x

November ushered in a surge of path-traversal attacks.  

A path-traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash” (../) sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash,” “directory traversal,” “directory climbing” and “backtracking.” — OWASP
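The containment check that defeats the "../" sequences, their encoded variations and the absolute paths described above, as an added example (not Contrast's or OWASP's code). The names `resolve_under`, `TraversalError` and `max_decodes` are hypothetical.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested name resolves outside the base directory."""


def resolve_under(base_dir: str, requested: str, max_decodes: int = 3) -> str:
    """Return the real path of `requested` inside `base_dir`, or raise."""
    # Undo layered URL encoding (%2e%2e%2f, %252e...) so the check sees what
    # a later decoding step would see. Refuse input that never stabilises.
    decoded = requested
    for _ in range(max_decodes):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise TraversalError("input still encoded after max_decodes passes")

    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat backslash as a separator too, so ..\ variants are not missed.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise TraversalError("absolute path")

    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks, so containment is tested
    # on the location the OS would actually open.
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("resolves outside base directory")
    return target
```

A name such as `css/../index.html` is accepted because it still resolves inside the base directory; the decision is made on the resolved location, not on the presence of `..` in the string.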

II. Cross-site scripting — 46,101x

Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. — OWASP

III. SQL injection — 16,085x

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. — OWASP

IV. Command injection — 8,054x

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. — OWASP

V. EL injection — 2,756x

Expression-language (EL) injection entails attacker-controlled data entering an EL interpreter. — OWASP

VI. Padding oracle — 319x

A padding oracle is a function of an application that decrypts encrypted data provided by the client, e.g. internal session state stored on the client, and leaks the state of the validity of the padding after decryption. The existence of a padding oracle allows an attacker to decrypt encrypted data and encrypt arbitrary data without knowledge of the key used for these cryptographic operations. — OWASP

VII. CVE-2017-5638 — 113x

Struts, the open-source web application framework, is vulnerable to remote command injection because it incorrectly parses an attacker's invalid Content-Type HTTP header. The flaw allows such commands to be executed with the privileges of the web server.

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. — NVD
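A detection sketch for the crafted Content-Type header described above, added here as an example (not Contrast's code). It assumes a proxy or WAF log in JSON lines with hypothetical `src` and `content_type` fields; the sample records are constructed and carry placeholders, not payloads.

```python
import json
import re

# Media-type grammar from RFC 7231: token "/" token, then optional parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = rf'{TOKEN}=(?:{TOKEN}|"(?:[^"\\]|\\.)*")'
MEDIA_TYPE = re.compile(rf"{TOKEN}/{TOKEN}(?:\s*;\s*{PARAM})*\s*")
# "#cmd=" is the string the NVD entry quotes. "%{" and "${" open an
# expression in Struts and have no place in a legitimate media type.
MARKERS = ("#cmd=", "%{", "${")

# Constructed sample log lines.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "198.51.100.7", "content_type": "multipart/form-data; boundary=----abc123"},
    {"src": "203.0.113.9", "content_type": "%{#cmd=PLACEHOLDER}"},
    {"src": "198.51.100.8", "content_type": "application/x-www-form-urlencoded"},
    {"src": "203.0.113.9", "content_type": 'multipart/form-data; boundary="${PLACEHOLDER}"'},
)]


def classify_content_type(value: str) -> list:
    """Return the reasons a Content-Type value looks crafted (empty if none)."""
    if not value:                      # requests without a body send no header
        return []
    reasons = []
    if not MEDIA_TYPE.fullmatch(value):
        reasons.append("not-a-media-type")
    # A quoted parameter value can hide a marker inside valid grammar,
    # so the marker check runs even when the grammar check passes.
    reasons += [f"marker:{m}" for m in MARKERS if m in value]
    return reasons


def scan(lines):
    """Return (line number, source address, reasons) for each suspicious record."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        reasons = classify_content_type(rec.get("content_type", ""))
        if reasons:
            findings.append((n, rec.get("src"), reasons))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```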

VIII. HTTP method tampering — 103x

Method tampering (aka verb tampering and HTTP method tampering) is an attack against authentication or authorization systems that have implicit "allow all" settings in their security configuration. This type of attack takes advantage of vulnerabilities in HTTP verb authentication (also known as HTTP method authentication) and access control mechanisms.

HTTP provides a list of methods that can be used to perform specific actions. In the list of HTTP methods, GET and POST are most commonly used by developers to access information provided by a web server. But HTTP also provides several other methods and many of these can pose a critical security risk for a web application, as they allow an attacker to modify the files stored on the web server, delete a web page on the server, and upload a web shell to the server, which can lead to the theft of user credentials. — Contrast Security 

HTTP Verb Tampering tests the web application’s response to different HTTP methods accessing system objects. For every system object discovered during spidering, the tester should attempt accessing all of those objects with every HTTP method. — OWASP Testing Guide
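The implicit "allow all" behaviour described above, modelled beside a default-deny check, as an added example (not Contrast's or OWASP's code). `Rule`, `weak_authorize`, `strict_authorize`, `bypasses` and the sample policy are hypothetical; `bypasses` applies the every-object, every-method idea to the policy model itself rather than to a running server.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    prefix: str              # URL prefix the rule covers
    methods: frozenset       # HTTP methods the rule names
    role: Optional[str]      # required role, or None for public access


# Constructed sample policy: admin area limited to one role, site otherwise public.
RULES = (
    Rule("/admin/", frozenset({"GET", "POST"}), "admin"),
    Rule("/", frozenset({"GET", "HEAD"}), None),
)


def weak_authorize(rules, method, path, roles):
    """Verb-scoped check: a rule applies only to the methods it lists, and
    anything no rule names falls through to an implicit allow."""
    for r in rules:
        if path.startswith(r.prefix) and method in r.methods:
            return r.role is None or r.role in roles
    return True   # implicit "allow all"


def strict_authorize(rules, method, path, roles):
    """Default deny: the first rule matching the path decides, and a method
    that rule does not list is rejected instead of waved through."""
    for r in rules:
        if path.startswith(r.prefix):
            return method in r.methods and (r.role is None or r.role in roles)
    return False


def bypasses(rules, paths, methods):
    """(method, path) pairs an anonymous caller passes under the weak check
    but not under the strict one."""
    return [(m, p) for p in paths for m in methods
            if weak_authorize(rules, m, p, set())
            and not strict_authorize(rules, m, p, set())]


if __name__ == "__main__":
    verbs = ["GET", "POST", "HEAD", "DELETE", "JEFF"]
    for pair in bypasses(RULES, ["/admin/users", "/index.html"], verbs):
        print(pair)
```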

IX. Untrusted deserialization — 76x

Data which is untrusted cannot be trusted to be well formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized. — OWASP

X. CVE-2017-9791 — 5x

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. — GitHub advisory

Given the current threat landscape, intelligent runtime protection is an imperative.  Financial institutions must defend their applications from within by using instrumentation to inject automated trust boundaries.



Tom Kellermann, SVP Cyber Strategy, Contrast Security
