informa
News

SQL Injection Attacks Represent Two-Third of All Web App Attacks

When Local File Inclusion attacks are counted, nearly nine in 10 attacks are related to input validation failures, Akamai report shows.

Cyberattackers have several vectors for breaking into Web applications, but SQL injection continues to be by far their most popular choice, a new analysis of attack data shows.

For its "State of the Internet" report, Akamai analyzed data gathered from users of its Web application firewall technology between November 2017 and March 2019. The exercise shows that SQL injection (SQLi) now represents nearly two-thirds (65.1%) of all Web application attacks. That's up sharply from the 44% of Web application layer attacks that SQLi represented just two years ago.

Local File Inclusion (LFI) attacks, which, like SQLi, are also enabled by a Web application's failure to properly validate user input, accounted for another 24.7% of attacks. Together, SQLi and LFI attacks represented 89.8% of all attacks at the Web application layer over the 17-month period of Akamai's study.

"The growth of SQLi as an attack vector over the last two years should concern website owners," Akamai noted. "While every application attack vector is stable or growing, none are growing as quickly as SQLi."

SQL injection errors and cross-site scripting (XSS) errors have topped, or nearly topped, the Open Web Application Security Project's (OWASP) list of top 10 Web vulnerabilities for more than a decade. Just this week, in fact, HackerOne published a report showing XSS errors to be by far the most common security vulnerability in Web apps across organizations. Both XSS and SQLi are well understood, and many researchers have catalogued the dangers associated with them for years.

The fact that so many Web apps still have them reflects the relatively scant attention paid to security in the application development stage, says Andy Ellis, chief security officer at Akamai. "It is not that the developers are making errors," he says. "It is system that we put them into that is dangerous."

Developers are under pressure to deliver code and are not given clear security guidelines and libraries to work with. "How many people really understand how to write an application that can talk securely with the database in the backend?" he notes. Few developers can understand security so deeply that a security flaw would actually represent a mistake for them, Ellis says.

Akamai's data shows most Web application attacks originate from inside the US and most targets are US-based as well. Of the nearly 4 billion application-layer attacks that Akamai counted over the 17-month period, some 2.7 billion targeted US organizations. Companies in the UK, Germany, Brazil, and India were also relatively heavily targeted. though nowhere nearly as much as US companies.

Another major takeaway from Akamai's "State of the Internet" report is the sharp uptick in credential-stuffing attacks, where attackers use large datasets of stolen credentials to try and break into corporate accounts. During its analysis, Akamai counted a staggering 55 billion credential-stuffing attacks targeted at organizations in various verticals. In many cases, Akamai found attackers were launching credential-stuffing attacks using credentials that were stolen from websites via SQL injection attacks.

By far, companies in the gaming industry were the most targeted entities in credential stuffing attacks. Some 12 billion of the attacks that Akamai detected were, in fact, directed against organizations in the gaming sector. Each attack that Akamai counted represented an attempt to access an account to which the threat actor did not have legitimate access.

A lot of the interest in gaming companies appears to be the result of attackers viewing gamers as financially viable targets known for spending money on game-related items, including skins, game currency, and updates. Steve Ragan, a threat researcher from Akamai, says one of the more gratifying takeaways from the report is the fact that many gaming companies have taken measures to address the threats by educating users on issues like phishing and two-factor authentication.

"The takeaway is that credential stuffing is not going away," Ragan says. But implementing multifactor authentication can slow it down. "If you do just token multifactor authentication or SMS authentication, it is better than having nothing at all," he says. "Just user names and passwords are not really going to protect you anymore."

Related Content:

 

Recommended Reading:

MODULE B: Latest content for DR

High-Profile Breaches Are Shifting Enterprise Security Strategy

Increased media attention is driving changes in enterprise security strategy -- some positive, some negative.

Increased media attention is driving changes in enterprise security strategy -- some positive, some negative.


7 Smart Ways a Security Team Can Win Stakeholder Trust

By demonstrating the following behaviors, security teams can more effectively move their initiatives forward.

By demonstrating the following behaviors, security teams can more effectively move their initiatives forward.



What Are Some Red Flags in a Vendor Security Assessment?

The last thing you want is a vendor that lies to you about its security practices.

The last thing you want is a vendor that lies to you about its security practices.


MacOS Security: What Security Teams Should Know

As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees.

As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees.


Loss of Intellectual Property, Customer Data Pose Greatest Business Risks

The slightly "good" news? Security professionals are a little less concerned about certain threats than last year, according to Dark Reading's "State of Incident Response 2021" report.

The slightly "good" news? Security professionals are a little less concerned about certain threats than last year, according to Dark Reading's "State of Incident Response 2021" report.


Name That Edge Toon: Mobile Monoliths

Feeling creative? Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Feeling creative? Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Oct 04, 2021


Why Windows Print Spooler Remains a Big Attack Target

Despite countless vulnerabilities and exploits, the legacy Windows printing process service continues to be an attack surface in constant need of repair and maintenance, security experts say.

Despite countless vulnerabilities and exploits, the legacy Windows printing process service continues to be an attack surface in constant need of repair and maintenance, security experts say.


10 Recent Examples of How Insider Threats Can Cause Big Breaches and Damage

Theft of intellectual property, sabotage, exposure of sensitive data and more were caused by malicious behavior and negligence at these organizations

Theft of intellectual property, sabotage, exposure of sensitive data and more were caused by malicious behavior and negligence at these organizations


Editors' Choice
Jack Naglieri, CEO and Founder, Panther Labs