Web app attacks demand automated defences, study finds

Automation is the most effective way to tackle multiple prolonged cyber attacks on web applications, a study has confirmed

Automation is the most effective way to tackle potentially thousands of cyber attacks on web applications over several days, a study has confirmed.

Web applications in retail have to be able to deal with up to 46,000 attack requests per incident in SQL injection (SQLi) attacks, for example, according to the latest web application attack report from Imperva.

The average was 749 individual attack requests per attack incident and the average duration per incident was 22 minutes, with the longest attack recorded at just over 9.5 hours.

“These attacks are generated using high levels of automation, which means defence systems should also be highly automated,” said Tal Be’ery, web research team leader at Imperva.

During the six-month study period, some applications received up to 3,000 attacks, while some incidents were made up of as many as 148,000 individual attacks.

The study showed that while most web applications are targeted by around four attack campaigns a month, some are under constant attack, he told Computer Weekly.

One website in the study was under attack 176 out of 180 days, or 98% of the time, while another website was hit by just over 94,000 SQLi attack requests in a single day.

That equates to an average of 1,567 SQLi attacks an hour, or 26 attack requests a minute.

Read more on web application security

IT security a top priority

“These parameters are useful to companies for designing or specifying defence systems, as well as for building valid attack simulations for testing,” said Be’ery.

The report shows that SQLi attacks are extremely prevalent and intense, particularly for online retail organisations, which are hit by twice as many such attacks as other sectors.

In the retail sector, 53% of web application attacks involved SQLi, compared with just 27% across all other sectors.

Conversely, only 1% of attacks in the retail sector were remote file inclusion (RFI) attacks, compared with 14% across all other industries.

The most prevalent type of attacks against non-retail sectors was directory traversal (DT) attacks, making up 36% of attacks, followed by SQLi (27%), and RFI and cross-site scripting (XSS) both at 14%.

“Organisations should look at what they are doing to defend against SQLi attacks, if nothing else, and protecting against this type of attack should be a top priority for online retailers,” said Be’ery.

The value of sharing cyber attack information

The prevalence of SQLi attacks in retail, he said, is an example of how each sector is different, which highlights the importance of organisations sharing cyber attack information with their peers.

Knowing what kind of attacks are being used against others in the same industry helps organisations know what to prioritise and what known sources of attacks to defend against

Tal Be’ery, Imperva

“Knowing what kind of attacks are being used against others in the same industry helps organisations know what to prioritise and what known sources of attacks to defend against,” said Be’ery.

Research has shown that to maximise their return on investment, attackers typically reuse attacks against multiple targets.

“Knowing the source of such attacks is useful as other organisations in an industry can prepare and block anything coming from that source,” said Be’ery.

The procedures for sharing data should also be automated, he said, to ensure all relevant information is available when it is needed.

Geographical location of attack sources can also be relevant, he said. This means that frequent victims of comment spamming, for example, can set filters to highlight all traffic from Eastern European countries.

The study also showed that business logic attacks and email extraction is dominated by African countries, but is growing in Asia and South America.

How to prevent SQL injection attacks

The report recommends that organisations should:

  • Deploy security solutions that prevent automated attacks;
  • Learn from peers in your business sector – what attacks they are facing – and share threat intelligence;
  • Ensure they are capable of detecting and blocking attacks that target known vulnerabilities;
  • Update blacklisting systems frequently;
  • Prepare security measures based on the worst case scenario.


Read more on Web application security