November 2019 AppSec Intelligence Report

This report summarizes Contrast Labs' analysis of real world application attack and vulnerability data from November 2019. It builds on data that Contrast Security observed over the previous months and highlights to highlight key trends and useful tidbits we discovered.  Developers, product owners, AppSec, and security engineers can use this information to better understand application security threats, adjust security controls, and improve their security posture.  By reading this report on a monthly cadence, AppSec teams can gain a better understanding of the possible types and origins of attacks and attackers.

Visit our website to learn more about how Contrast Security continuously measures both vulnerabilities and attacks in parallel across your application portfolio.

OVERVIEW

• The most prevalent serious vulnerabilities across the applications we observed were Cross-Site Scripting (XSS), Arbitrary Server Side Forwards, and Cross-Site Request Forgery.
• The most common attack types were SQL Injection, Cross-Site Scripting (XSS), and Path Traversal for the third month in a row.
• While the number of new vulnerabilities reported decreased across applications using Contrast in November, applications experienced attacks targeting a wider range of vulnerabilities.
• Less than 1% of these attacks were connected to a vulnerability within an application. The other 99+% were probes and did not connect with a corresponding vulnerability within the target application, illustrating the importance of teams needing to be able to distinguish between ineffective and effective attacks.

The chart below shows the relative likelihood of vulnerabilities reported, as well as attacks by vector last month.

Contrast works by monitoring what the application does in response to normal usage and attacks.

In the chart above, there are vulnerabilities detected with no likelihood of attack. Attackers often launch payloads from scripted tools that look for vulnerabilities, then hone in manually on areas of interest. By watching the inside, Contrast determines when one type of attack, such as an XSS attack, reaches part of the application that uses another vulnerability, such as LDAP. In this case, attackers simply receive confirmation that their attack did not work. Contrast identifies that if another attacker comes along with a different payload (targeting the correct vulnerability class), that this second attacker could succeed and records the correct vulnerability class. 

Contrast still reports, but de-prioritizes the attack as well. These unsuccessful attacks can be statistically common, but have little impact on the security posture for a specific application. In this report, Contrast Labs reports out all attacks and vulnerabilities recorded within real world applications so that security teams can learn what payloads attackers are using and understand the threat landscape at large. 

CONTRAST WATCH LIST

A successful attack on a vulnerability can have wide-scale impact across many different organizations. It is critical for security teams to know about and properly manage library vulnerabilities, while also preparing for potential attacks.

Based upon the research included in this report, Contrast Labs short listed vulnerabilities that pose the highest risk to organizations. The list was created by combining the likelihood of a vulnerability and an attack (see previous chart) with the likelihood of a successful exploit and an impact factor. Below you can find this month's watch list. 

• SQL Injection: While SQL injection attacks rarely reached vulnerable code within applications, they were the most prevalent attack type in November, a common open vulnerability, and have the highest severity level. By exploiting a vulnerability in an app's SQL queries, an attacker can steal data, corrupt a database, spoof identities, tamper with transactions, disclose sensitive information, and even become administrator of the database server.
• Cross-Site Scripting(XSS): A top vulnerability and attack type in November. XXS attacks successfully reached vulnerable code more than 6 times as other attack types. If successful, an attacker can access cookies, session tokens, and other sensitive information retained by the browser.
• Expression Language Injection: The attack most likely to reach vulnerable code, Expression Language Injection attacks targeted 15% of applications last month. A successful Expression Language Injection exploit can lead to complete compromise of the application's data and functionality, as well as the server that is hosting the application.

VULNERABILITIES

Custom Code Vulnerabilities

Applications reported an average of 4 new, serious vulnerabilities in November. This number decreased from an average of 5 new, serious vulnerabilities in October.

The top 5 most prevalent serious vulnerabilities reported in custom code for the first time during November:

• Cross-Site Scripting (XSS): Vulnerabilities that occur when untrusted data ends up in an HTML page without proper validation and escaping.
• Path Traversal: Vulnerabilities that allow users to control which files are opened and read by an application.
• SQL Injection: Vulnerabilities exists anytime a developer takes untrusted data (like something you submit in a URL or a web form) and concatenates it into a database query. 
• XML External Entity Injection (XXE): Vulnerabilities in a weakly configured XML parser.
• Arbitrary Server Side Forwards: Vulnerabilities that allow a web application to accept a modified input that could cause the web application to forward the request to as untrusted URL.

Vulnerabilities by Language

On average, Java and .NET applications reported the largest number of the following attacks:

• Java
  • Cross-Site Scripting
  • Cross-Site Request Forgery
  • Arbitrary Server Side Forwards
  • Path Traversal
  • Verb Tampering
• .NET
  • SQL Injections
  • Path Traversal
  • Cross-Site Scripting
  • Untrusted Deserialization
  • XML External Entity Injection (XXE)

ATTACKS

Custom Code Vulnerabilities Targeted

Attacks on custom code made up over 99% of attacks last month.

The three most common attack types in November were the same as October. We saw large increases in the number of applications targeted by all three types:

• SQL Injection
• Carefully crafted inputs that alter the SQL queries an application uses in order to steal data or execute code.
• Represented 52% of all attacks in November, down less than 1% from October.
• Targeted 76% of applications (up from 59%).
• Cross-site Scripting (XSS)
• XSS attacks inject malicious scripts into benign and trusted websites.
• Represented 3% of attacks in November, down less that 1% from October.
• Targeted 73% of applications (up from 57%).
• Path Traversal
• Attacks fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server.
• Represented 3% of all attacks in November, up from 1% of attacks in October.
• Targeted 61% of applications (up from 48%).

96% of applications were targeted by one of these three types during the month, up from 82% of applications in October.

The chart below shows how the percent of applications targeted changed for each attack type month-over-month. 

CVEs Targeted

The top CVEs leveraged for attacks were CVE-2013-2251, CVE-2017-5638, and CVE-2017-9791.

Between October and November, we saw a spike (up 75%) in CVEs targeted. The chart below shows how the percent of applications with CVEs attacked changed month-over-month. 

Attack Vectors by Language

Attacks targeting injection vulnerabilities continued to be the most prevalent for Java applications in November. In October, Command Injection attacks were the most prevalent. 

Attacks on XSS vulnerabilities were the most common on .Net applications. Both SQL Injection and XSS attacks were in the top three most prevalent attacks, regardless of application language.

The charts below show the percent of applications attacked, by vector last month for both Java and .Net applications.

Attacks by Geolocation

November saw attacks from 121 countries. The greatest number of attacks originated from the United States, India, Canada, the Netherlands, and China. 

China moved up to the 5th most common origin country from tenth last month. We observed a 75% increase of attacks originating in China month-over-month.

The map below illustrates the number of attacks originating from each country with the most saturated color representing the most attacks and the least saturated representing the least attacks. We observed no attacks from the countries filled in gray.