X
September 17, 2024
The Contrast Security Runtime Security Platform — the engine that underpins Contrast’s Application Detection and Response (ADR) technology — blocked approximately 47K cybersecurity attacks during the month of August 2024.
It’s a big number. But the thing is, size doesn’t matter.
Rather, it’s the attack sophistication that matters. While any web application firewall (WAF) or content delivery network (CDN) worth its salt should, technically, stop XSS, we are noticing more and more scenarios where these tools are not configured correctly. The modern versions of these technologies should be able to handle the incessant pitter-patter of XSS, as, of course, can Contrast ADR.
What really matters is blocking the subtle attacks: the ones that don’t get as much attention and aren’t as prevalent, but which can cause a lot more damage, given that current tools are ill-equipped at spotting and stopping them.
WAFs can’t reliably detect these attacks; they’re best complemented by Runtime Application Self Protection (RASP) for deeper protection.
In this article, we’ll look at the most frequent attacks ADR blocked in August, including both the low-hanging fruit as well as the slippery fish that infiltrate targets via holes in traditional security stacks. We’ll delve into how ADR responds to one such attack — Log4j — and tease out three of the most impressive takeaways from the numbers.
First up, the big-number attacks:
These are the Top 4 types of cyberattacks Contrast detected during August 2024:
In XSS attacks, threat actors hijack vulnerable applications by inserting malicious scripts into a user’s interactions with the app. An XSS attack targets the scripts running behind a webpage that are being executed on the client-side (in the user’s web browser). Because the unsuspecting browser has no way of knowing that a script shouldn’t be trusted, it will go ahead and execute the XSS script, which can access cookies, session tokens and other sensitive information retained by the browser and used with that site. In short, XSS allows the attacker to commandeer HTML pages, deceive users and steal sensitive data as it assumes control, redirects links and rewrites content on that site.
Contrast Security’s work has shown that 80% of applications have at least one XSS security vulnerability: a stunning finding for a problem that’s been on the OWASP Top 10 list for over a decade.
Between November and December 2023, a threat group tracked as ResumeLooters used XSS scripts to inject phishing forms into at least four legitimate job search websites. Between exploiting XSS vulnerabilities and launching SQL injection attacks against at least 65 websites, the group stole databases containing close to 2.2 million rows, more than 500,000 of which represented user data from employment websites.
Read the white paper: The Case for ADR
The second most-blocked attack in August was method tampering (aka verb tampering or HTTP method tampering). Method tampering is an attack against authentication or authorization systems that have implicit "allow all" settings in their security configuration. This type of attack takes advantage of vulnerabilities in HTTP verb authentication (also known as HTTP method authentication) and access control mechanisms.
HTTP provides a list of methods that can be used to perform specific actions. In the list of HTTP methods, GET and POST are most commonly used by developers to access information provided by a web server. But HTTP also provides several other methods and many of these can pose a critical security risk for a web application, as they allow an attacker to modify the files stored on the web server, delete a web page on the server and upload a web shell to the server, which can lead to the theft of user credentials.
Path traversal, also known as directory traversal, comes in at No. 3 on the attacks-blocked list for August. These attacks entail exploitation of an affected application to gain unauthorized access to server file system folders that are higher in the directory hierarchy than the web root folder. A successful path traversal attack can fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server, including credentials for back-end systems, application code and data, and sensitive operating system files.
If successful, a path traversal attack can lead to the following risks:
June 2024 saw active exploitation of a high-severity, trivially exploited path-traversal flaw in the SolarWinds Serv-U Managed File Transfer Server. At the time, Contrast Security Senior Director of Product Security Naomi Buckwalter noted the potential for the vulnerability to function as a gateway for further attacks.
Coming in at No. 4 is Java Naming and Directory Interface (JNDI) injection. JNDI is a simple Java API that allows clients to discover and look up data and objects via a name: “Simple,” as in, it takes just one string parameter. If that parameter comes from an untrusted source, an attacker can gain remote-code execution (RCE).
In November 2021, the Log4j JNDI vulnerability, which researchers dubbed Log4Shell, was discovered and rapidly exploited. The critical zero-day vulnerability — CVE-2021-44228 — allowed an attacker to use the logging framework Log4j and the lookup feature JNDI within an application to generate special requests to an attacker-controlled server, from which the threat attackers downloaded malicious code into systems, gained access to perform RCE and breached targets without authorization.
Three years after the Log4j vulnerability was discovered in late 2021, Log4j is still among the top exploited vulnerabilities, according to Contrast’s research and findings from other research labs.
One year after Log4Shell, firms were still struggling to hunt down Log4j
Those are the top attacks by number. Now, let’s take a look at the more subtle attacks.
The attacks that can be missed by tooling such as WAFs include any type of injection attack, such as:
None can reliably be intercepted by WAFs. This is where Contrast ADR comes in. It not only handles the obvious stuff (like XSS); it also covers all of the additional blindspots that those sophisticated attacks slip through, giving comprehensive visibility into the application layer that a WAF can only dream of. ADR’s underlying technology, Contrast Runtime Security, is real-time, always-on security for applications and application programming interfaces (APIs) that prevents insecure programming during development and then detects and responds to exploits in production.
Why WAFs struggle to stop these slippery fish
All this talk of attack types tends to make security analysts’ eyes glaze over. We know you just want answers to these questions:
ADR has the answers. Contrast Assess — our Interactive Application Security Testing (IAST) solution — continuously detects and prioritizes vulnerabilities. ADR reports which applications are being attacked in production. ADR enables SecOps to tie those pieces together, down to the exact line of code. It detects whether a vulnerability is actively being exploited. If it is, you need to respond, and ADR gives you the playbook so that you know how.
Regardless of the event type, when ADR detects a vulnerability, threat, incident or attack, it alerts the SOC with full context regarding exactly what happened. This full context gives a security analyst everything they need in order to determine whether the alert matters and, if so, how to drive triage response.
Now, let’s examine how ADR reports and responds to security events.
Below is an example of one type of ADR event: In this case, a detected JNDI injection: specifically, Log4Shell. As you can see in these screenshots, ADR has detected a JNDI injection and has requested a block on the event:
A view of the details screen in that same alert:
ADR’s response to a JNDI injection attack (such as Log4Shell) exemplifies how the technology responds when it detects exploitation attempts. In the case of Log4Shell, ADR triggers the following, comprehensive response — a response that aligns with the NIST Cybersecurity Framework:
Throughout this response, the ADR system maintains continuous monitoring, provides real-time updates to security dashboards, and supports compliance reporting by documenting all detection and response actions.
Besides the number of blocked attacks for August, we promised some takeaways. Of course, there are many insights you can distill from a number as big as 47K blocked attacks. The three biggest takeaways:
“From our analysis, we could still see JNDI traffic coming in. That means it's still exploitable, people,” warns Contrast Security Director of Product Security Naomi Buckwalter.
To see how Contrast ADR can improve your ability to detect and respond to real-time AppSec attacks like Log4Shell, you can request an ADR demo today.
Read more:
Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.
