The WAAR on Web Apps: Key Findings from our 2015 Web Application Attack Report

WAAR_250_percentv3

2015 was the sixth year in a row that we released our Web Application Attack Report, known affectionately here at Imperva as WAAR. Each year we find new threats, continuing trends, and a deeper understanding of how hackers are attacking our web applications. 2015 was no different, and the results are illuminating.

Our approach

We compile our annual WAAR by analyzing all of the applications protected by Imperva Web Application Firewalls (WAFs). In an ideal world, there would be no need for this report, because attacks wouldn’t make it past the many security mechanisms deployed ahead of the WAF. But until then, our best strategy is to learn more about the attacks in order to prevent and protect against them.

From January 1 to June 30, 2015, we analyzed 297,954 attacks and 24,158,771 alerts on almost 200 web applications. Here’s what we found.

Key findings

  • Threats are growing in number and complexity. A typical application suffered 3 times more SQL Injection attacks and 2.5 times more Cross-Site Scripting attacks in 2015 vs. 2014. At least 75% of applications we analyzed were targeted by all eight of the attack types that we considered.
  • Shellshock was the year’s mega trend. Shellshock vulnerability was first made public in September 2014, and simply exploded in 2015. 100% of apps that we analyzed were hit by Shellshock attempts, and the RCE attack patterns examined in the WAAR appear to have become the new norm.
  • Blocking-by-reputation is yielding good results. Detect-by-reputation alerts comprised 78% of total alerts in 2015, up from 40% in 2014. These malicious requests are blocked without the application’s involvement or WAF computational resources, adding tight security without additional strain.
  • Attacks on content management systems continue – especially WordPress. This year’s WAAR saw the continued trend of high volume CMS attacks. Content management systems in general were attacked 3 times more often than non-CMS applications, and WordPress in particular was attacked 3.5 times more often overall, and 7 times more for spam and RFI attacks than non-CMS apps.
  • Attack vectors vary by vertical. Different industries saw different prevalence of attack vectors, including high levels of spam in travel, HTTP in shopping apps, SQL Injection attacks in the economy industry, and XSS in healthcare.

The WAAR report goes into much more detail on each of these points and more, including detailed geographic breakdowns and case studies on some of the more intensive attacks we observed during the report period. It’s a data-based, detailed look at the state of cyber security today, and a must-read for any business interested in what’s happening, and how to protect yourself.

You can download the complete report for free here.