Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/13/2019
08:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

SQL Injection Attacks Represent Two-Third of All Web App Attacks

When Local File Inclusion attacks are counted, nearly nine in 10 attacks are related to input validation failures, Akamai report shows.

Cyberattackers have several vectors for breaking into Web applications, but SQL injection continues to be by far their most popular choice, a new analysis of attack data shows.

For its "State of the Internet" report, Akamai analyzed data gathered from users of its Web application firewall technology between November 2017 and March 2019. The exercise shows that SQL injection (SQLi) now represents nearly two-thirds (65.1%) of all Web application attacks. That's up sharply from the 44% of Web application layer attacks that SQLi represented just two years ago.

Local File Inclusion (LFI) attacks, which, like SQLi, are also enabled by a Web application's failure to properly validate user input, accounted for another 24.7% of attacks. Together, SQLi and LFI attacks represented 89.8% of all attacks at the Web application layer over the 17-month period of Akamai's study.

"The growth of SQLi as an attack vector over the last two years should concern website owners," Akamai noted. "While every application attack vector is stable or growing, none are growing as quickly as SQLi."

SQL injection errors and cross-site scripting (XSS) errors have topped, or nearly topped, the Open Web Application Security Project's (OWASP) list of top 10 Web vulnerabilities for more than a decade. Just this week, in fact, HackerOne published a report showing XSS errors to be by far the most common security vulnerability in Web apps across organizations. Both XSS and SQLi are well understood, and many researchers have catalogued the dangers associated with them for years.

The fact that so many Web apps still have them reflects the relatively scant attention paid to security in the application development stage, says Andy Ellis, chief security officer at Akamai. "It is not that the developers are making errors," he says. "It is system that we put them into that is dangerous."

Developers are under pressure to deliver code and are not given clear security guidelines and libraries to work with. "How many people really understand how to write an application that can talk securely with the database in the backend?" he notes. Few developers can understand security so deeply that a security flaw would actually represent a mistake for them, Ellis says.

Akamai's data shows most Web application attacks originate from inside the US and most targets are US-based as well. Of the nearly 4 billion application-layer attacks that Akamai counted over the 17-month period, some 2.7 billion targeted US organizations. Companies in the UK, Germany, Brazil, and India were also relatively heavily targeted. though nowhere nearly as much as US companies.

Another major takeaway from Akamai's "State of the Internet" report is the sharp uptick in credential-stuffing attacks, where attackers use large datasets of stolen credentials to try and break into corporate accounts. During its analysis, Akamai counted a staggering 55 billion credential-stuffing attacks targeted at organizations in various verticals. In many cases, Akamai found attackers were launching credential-stuffing attacks using credentials that were stolen from websites via SQL injection attacks.

By far, companies in the gaming industry were the most targeted entities in credential stuffing attacks. Some 12 billion of the attacks that Akamai detected were, in fact, directed against organizations in the gaming sector. Each attack that Akamai counted represented an attempt to access an account to which the threat actor did not have legitimate access.

A lot of the interest in gaming companies appears to be the result of attackers viewing gamers as financially viable targets known for spending money on game-related items, including skins, game currency, and updates. Steve Ragan, a threat researcher from Akamai, says one of the more gratifying takeaways from the report is the fact that many gaming companies have taken measures to address the threats by educating users on issues like phishing and two-factor authentication.

"The takeaway is that credential stuffing is not going away," Ragan says. But implementing multifactor authentication can slow it down. "If you do just token multifactor authentication or SMS authentication, it is better than having nothing at all," he says. "Just user names and passwords are not really going to protect you anymore."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
6/14/2019 | 12:31:46 PM
Quality and security of software development have degradedwhen do we call it a crisis?
We have known how to stop injection attacks for fifteen years.  However, sloppy software development and persistent use of shoddy tools like PHP, MySQL, and MongoDB are handing over control of sites and enterprises. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.