October 2019 AppSec Intelligence Report

This report summarizes Contrast Labs' analysis of real world application attack and vulnerability data from October 2019. It utilizes data from attacks that Contrast Security observed over the previous months and highlights the key trends found. 

Developers, product owners, AppSec, and security engineers can use this information to better understand application security threats, adjust security controls, and improve their security posture. 

Through reading this report on a monthly cadence, AppSec teams can gain a better understanding of the possible types and origins of attacks and attackers.

Visit our website to learn more about how Contrast Security continuously measures both vulnerabilities and attacks in parallel across your application portfolio.

KEY OBSERVATIONS

• The most prevalent serious vulnerabilities across the applications we observed were Cross-Site Scripting, Arbitrary Server Side Forwards, and Cross-Site Request Forgery.
• The most common attack types were SQL Injection, Cross-Site Scripting (XSS), and Path Traversal for the third month in a row.
• Less than 1% of these attacks were connected to a vulnerability within an application. The other 99+% were probes and did not connect with a corresponding vulnerability within the target application, illustrating the importance of teams needing to be able to distinguish between ineffective and effective attacks.

VULNERABILITIES

Custom Code Vulnerabilities

Applications had an average of 5 open, serious vulnerabilities in October. This number decreased from an average of 6 open, serious vulnerabilities in September.

The top 5 most prevalent serious vulnerabilities reported in custom code for the first time during October:

• Cross-Site Scripting (XSS): Vulnerabilities that occur when untrusted data ends up in an HTML page without proper validation and escaping.
• Arbitrary Server Side Forwards: Vulnerabilities that allow a web application to accept a modified input that could cause the web application to forward the request to as untrusted URL.
• Cross-Site Request Forgery: Vulnerabilities that allow a malicious actor to force a user to complete unwanted commands.
• SQL Injection: Vulnerabilities exists anytime a developer takes untrusted data (like something you submit in a URL or a web form) and concatenates it into a database query. 
• Path Traversal: A vulnerability that allows users to control which files are opened and read by an application.

Vulnerabilities by Language

On average, Java and .NET applications reported the largest number of the following attacks:

• Java
  • Cross-Site Scripting
  • Arbitrary Server Side Forwards
  • Cross-Site Request Forgery
  • Path Traversal
  • XML External Entity Injection (XXE)
• .NET
  • Cross-Site Scripting
  • SQL Injections
  • XML External Entity Injection (XXE)
  • Xpath Injection
  • Untrusted Deserialization

ATTACKS

Custom Code Attacks

Attacks on custom code made up 99% of attacks last month.

The chart below shows the likelihood of a vulnerability having been reported for an application and the likelihood of an attack on those vulnerabilities in the month of October. 

The three most common attack types in October:

• SQL Injection
• Carefully crafted inputs that alter the SQL queries an application uses in order to steal data or execute code.
• Represented 53% of all attacks in October, up from September and around the same levels we saw in August.
• Targeted 59% of applications.
• Cross-site Scripting (XSS)
• XSS attacks inject malicious scripts into benign and trusted websites.
• Represented 2% of attacks in October, down about 50% from September.
• Targeted 57% of applications.
• Path Traversal
• Attacks fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server.
• Represented 1% of all attacks in October, down from 1% of attacks in September.
• Targeted 48% of applications.

89% of applications were targeted by one of these three types during the month.

The chart below shows how the percent of applications targeted changed for each attack type month to month. 

Library Attacks

The top attacks on CVEs were CVE-2017-5638, CVE-2010-4476, and CVE-2013-2251.

There were no recorded attacks on CVE-2013-2251 during September. However, these attacks have spiked again, targeting 2% of applications last month. First identified in 2013, CVE-2013-2251 is an improper input validation vulnerability in Apache Struts 2. Make sure that your team is proactive in identifying and blocking these rising attacks over the next month.

The charts below show the percent of applications of attacked, by CVE targeted last month and how this percent changed month to month. 

Attack Vectors by Language

Injection attacks continued to dominate, with Java applications targeted by the highest number of Command Injection attacks and .NET applications targeted by the highest number of SQL injection attacks in both September and October.

The charts below show the percent of applications attacked, by vector last month for both Java and .Net applications.

Attacks by Geolocation

October saw attacks from 127 countries. The greatest number of attacks originated from the United States, India, Canada, the Netherlands, and the Philippines.

The map below illustrates the number of attacks originating from each country with the most saturated color representing the most attacks and the least saturated representing the least attacks. We observed no attacks from the countries filled in gray.