Monthly ADR Report: Application attacks jump 30%; method tampering up 800%

By Contrast Marketing

March 13, 2025

Contrast Security Labs tracks surging application attacks in February 2025

The number of attacks on individual applications is up significantly month to month, according to research from Contrast Security. The Contrast Labs team found that, on average, applications faced 77 real attacks in February — “real” attacks, as in, those that got past the web application firewall (WAF) and reached an exploitable vulnerability. In a second major finding, attackers went after one application nearly 700,000 times.

Every month, in this ADR Report, Contrast Labs reports the attack trends we see across our apps and those of our customers. We anonymize and average the attacks so that readers can see what and where adversaries are focused. 

Here are the most notable findings from February 2025:

Insight Number One: Monthly attacks up 30%

Contrast saw real attacks on applications jump from 59 to 77 from January to February, a 30% increase. Since Contrast embeds threat sensors inside applications, we know when an attack is happening. The 77 attacks represent attacks that reached a vulnerability and would have executed, only to be blocked by Contrast ADR.

The increase in attacks was spread across companies and techniques, including untrusted deserialization, Object-Graph Navigation Language (OGNL) injection, method tampering and path traversal. There was also a massive increase in cross-site scripting (XSS) attacks, but for a different reason, which we explain in the second insight.

Insight Number Two: 680,000 attacks launched by one threat actor

When we first looked at the February attack data, we were surprised to see a huge number next to XSS. In January, this type of attack accounted for tens of thousands of attacks. In February, 680,000. Digging into it, we found that the attacks came from one IP address owned by AWS. The attacker targeted one app at one company, and Contrast ADR blocked these attacks. Of note, this is the second month in a row that we’ve seen one app at one company targeted many, many, many times over a few days. 

Context 

We’ll get to more of the attack data in a moment. We want to start with some context to explain how we use the word “attack.” We are talking only about attacks that reach a confirmed vulnerability and are about to launch their exploit, not “the noise of the internet” type attacks that would never have turned into a noteworthy breach. Contrast tunes out the noise, filtering out the false positives. 

Contrast’s attack data is measured directly from real-world running applications and application programming interfaces (APIs). Our attacks aren’t measured in millions, billions or even trillions, because that’s part of the problem: too much noise. Because Contrast Security instruments the code, we’re not reporting on signatures or theoretical attacks, only what’s actually a dangerous anomaly.

To better explain, take a look at this graphic, which accounts for one month of data per application. For each application, organizations see hundreds of millions of calls to potentially dangerous functions. On average, a WAF alerts about 30,000 times per month. For some organizations, that’s where alert fatigue begins. Then, there are thousands of non-viable attacks that get past the WAF, also leading to false positives. What Contrast identifies are the actual, viable attacks that reach a vulnerability. On average, the security operations center (SOC) should be worried about and focus on just a few a month, treating them as incidents.

Last month — February 2025 — Contrast saw about 480 million calls to potentially dangerous functions per application, as we do every month. When you look at the attacks Contrast ADR identified, you can see an average of 77 reached each individual application or API. Just about 7 of those, on average, became incidents that needed to be investigated. This graph shows the importance of knowing exactly what to investigate to avoid alert fatigue. 

The next image breaks down the types of viable attacks that Contrast ADR identified and stopped. For the sake of comparing month-to-month averages, we have not included the hundreds of thousands of attacks on that one single application we discussed in the beginning of this article. 

You can see the significant rise in untrusted deserialization attacks — up 19% month to month — and method tampering, up 800% from 2 attacks per app per month to 18.

We’ll have to see if method tampering continues its rise next month. 

Contact Contrast Security if you’d like to see what’s really happening in your application layer. 
