Positive Technologies has revealed how hackers attacked web applications throughout 2016. The aim of our research was two-fold: to determine which attacks are most commonly used by hackers in the wild, and to find out which industries are being targeted and how. With this data, organizations can be more aware of digital threats and protect themselves accordingly.
Out of the data analyzed, Government was by far the most under threat, logging nearly 70x more attacks per day than industrial systems, the sector with the least attacks. For governmental institutions, more than 70% of attempts were Path Traversal attacks. This relatively simple attack allows hackers to access vulnerable file system directories to potentially compromise files stored on servers.
E-commerce sites, characterized by an abundance of web applications, saw the second-highest average number of attacks in the sample day analyzed. The finance sector rounded off the top three in terms of daily attack volumes, with the sample set registering an average of around 1,400 attacks per day. The transportation and IT companies analyzed had to withstand on average about 680 attacks
The most targeted sectors (in terms of attack volume) also saw the highest number of manual attacks. Nearly all (99%) of attacks against e-commerce sites did not use automated
software at all, potentially indicating a diverse range of isolated actors undertaking low-level attempts to exploit web application vulnerabilities.
A similarly high percentage of compromise attempts on governmental web applications also had manual origins. By contrast, most attacks across all remaining industries are performed with the help of specialized vulnerability detection software. Automated scanning includes attempts to perform various attacks such as SQL Injection and Path Traversal using security analysis tools.
The most common attacks detected were SQL Injection and OS Commanding, which allows for a deeper level of compromise. Such attempts were recorded on over 80% of systems. The third-most common attack type was Path Traversal. Taken together, the prevalence of these more “primitive” techniques shows that hackers tend to focus on simple attacks with low barriers to entry.
Here is the summary of key findings:
- Governmental organizations and e-commerce companies showed themselves to be particular targets. These two sectors are also subjected to the highest level of manual (non-automated) compromise attempts.
- Attack types are tailored to specific sectors. For example, e-commerce sees a mix of attempts designed to cause downtime and access internal files. By contrast, 65% of all attacks in the finance sector attempt to steal the login information of website visitors.
- Sectors seeing the lowest attack volumes, conversely, see the highest volume of automated web attacks from hackers, who use specialized software to search for vulnerabilities automatically.
- Easy-to-execute methods such as SQL Injection and OS Commanding are the most commonly used methods across all sectors. Rarer attacks include Arbitrary File Execution and Cross-Site Request Forgery.