How a simple search query puts organizations at risk

According to Imperva’s Web Application Attack Report (WAAR) Edition 4, published in July 2013, websites now face a serious risk of unauthorized login or fraud due to an increase in SQL injection and Cross-Site Scripting (XSS). Over a period of more than six months, the report analyzed 70 web applications, including government agency and enterprise sites. The key findings of the report are as follows:

  • Retailers suffer twice as many SQL injection attacks as other industries.
  • While most web applications receive 4 or more web attack campaigns per month, some websites are constantly under attack.
    • One observed website was under attack 176 out of 180 days, or 98% of the time.
    • Imperva observed a single website receive 94,057 SQL injection attack requests in one day.
    • 94,057 equates to 1,567 SQL injection attacks per hour or 26 attack requests per minute, on average.

Origin of attacks

Not all attacks Imperva observed in WAAR 4 were carried out for the purpose of data theft; many were triggered by the automatic execution of botnets planted by attackers. Ten years ago, attackers acted alone to collect and exploit vulnerability information on various web applications. Today, we see a large number of websites that scan web applications for vulnerability information.

These websites search for any website that contains vulnerabilities such as SQL injection and XSS on a per-domain basis, including top-level domains such as “.jp” or “.com”. The search results include detailed information such as the URL of the website and the publication dates of its web applications.

The operators of these search sites generally adopt the stance that they scan and publish website vulnerability results to aid in improving security, rather than for exploitation or abuse. Nonetheless, it is likely that more malicious attackers have already built similar systems and are harnessing this technology to attack websites systematically.

Reasons behind the attacks

Attackers who try to gain unauthorized access to servers do it primarily to access or tamper with the data for financial or economic motives. One other motive that Imperva has seen in previous hacking events is attackers seeking publicity so they can gain a reputation for their attacks on websites.

Attackers who are in it for the publicity usually use vulnerability search sites to find targets and then try to access the sites listed there. Once they know the type of vulnerabilities present in each application version, attackers can carry out malicious activities such as falsifying information, and can streamline their attacks.

Preventing attacks

Organizations can reduce security risks by minimizing web application vulnerabilities and preventing access to their site’s vulnerability information. Below are two methods that organizations can implement to prevent attacks.

Method 1: Reducing site vulnerabilities

The following combination of techniques is the basic approach to reducing vulnerabilities on the web. In the case of sites that are updated daily, it may not be possible to carry out thorough checks every time; however, it is still advisable to follow these steps:

  • Secure coding of web applications
  • Carry out regular vulnerability assessments for sites containing sensitive information
  • Work over (review) the application code
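The first step, secure coding, is best illustrated with the vulnerability the report singles out. The following is an added example, not code from Imperva or from the report: the same user lookup written once with string concatenation, which is open to SQL injection, and once with a bound parameter, which is not. It uses an in-memory SQLite database with one constructed user row.

```python
"""Added example: a user lookup written both vulnerably and safely.
The table, the row and the inputs are constructed for the demonstration;
this is not Imperva's code or any product's code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by concatenating untrusted input. The input becomes
    part of the SQL text, so it can change the structure of the query: that is
    exactly what SQL injection is."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Passes the input as a bound parameter. The database engine treats it
    purely as a value, so no input can alter the statement."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_parameterized(conn, "alice"))   # one row
    print(lookup_vulnerable(conn, "alice"))      # one row, looks fine so far
    # A constructed input containing a quote character: the concatenated query
    # returns every row because the input rewrote the WHERE clause, while the
    # parameterized query correctly finds no user with that literal name.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(conn, crafted))      # every row
    print(lookup_parameterized(conn, crafted))   # []
```

The same principle applies to any database driver: whenever a query is assembled from request data, the data must travel as a parameter, never as part of the SQL string. A code review that searches for string concatenation or formatting next to `execute` calls is a quick way to find the vulnerable pattern.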

Method 2: Preventing the collection of vulnerability information

Even as technologies improve, vulnerabilities will remain. However, it is possible to block botnets and attackers by detecting their reconnaissance. A good countermeasure is to use a Web Application Firewall (WAF) that provides the following functions:

  • IP Reputation: Assess the IP address of the access source and block it if the address is known to have been used by attackers or botnets.
  • Signature matching: Detect and block access that matches the characteristics of known attack patterns or attack tools.
  • IP Geolocation: Control access by country by determining the location of the access source from its IP address. Although this function cannot prevent a botnet attack by itself, it limits the access of botnets and attackers by detecting or blocking requests from outside the service area.
  • Bot access measures: Detect and block access from sources that cannot handle cookies or JavaScript. In most cases, cookies are not available to botnets.
  • Combination with Vulnerability Assessment software: By combining commercial Vulnerability Assessment software with a WAF, it is possible to automatically detect and block attacks that target the specific vulnerabilities of a web application, based on the results of the assessment software.
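To make the five functions concrete, here is an added example that is not Imperva's WAF logic or any real product's rule set: a toy request filter that applies IP reputation, signature matching, geolocation, a JavaScript-cookie bot check and an assessment-derived "virtual patch" to a handful of constructed request records of the kind found in an access log. The reputation list, the geolocation table, the signatures and the virtual patch are all made up for the demonstration.

```python
"""Added example: a toy WAF-style request filter over constructed requests.
Every list and table below is a stand-in for a real feed or database."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote_plus, urlsplit

# 1. IP reputation: constructed stand-in for a threat-intelligence feed.
BAD_IPS = {"203.0.113.9", "198.51.100.77"}

# 2. Signatures: coarse patterns typical of injection and XSS probes and of
#    well-known scanning tools (matched against the decoded request).
SIGNATURES = {
    "sqli_union": re.compile(r"union\s+select", re.I),
    "xss_script_tag": re.compile(r"<script\b", re.I),
    "scanner_ua": re.compile(r"sqlmap|nikto", re.I),
}

# 3. Geolocation: constructed table keyed by /24 prefix (stand-in for GeoIP).
GEO_BY_PREFIX = {"192.0.2": "JP", "198.51.100": "US", "203.0.113": "XX"}
SERVICE_COUNTRIES = {"JP"}

# 4. Bot measure: name of the cookie a JavaScript challenge sets in a browser.
JS_COOKIE = "js_ok"

# 5. Virtual patch: constructed finding from an assessment run, saying the
#    "id" parameter of /items must be an integer; the WAF enforces it.
VIRTUAL_PATCHES = {"/items": {"id": re.compile(r"\d+")}}


@dataclass
class Request:
    ip: str
    path: str                      # path plus query string, as logged
    user_agent: str = ""
    cookies: dict = field(default_factory=dict)


def country_of(ip: str) -> str:
    """Look up the country for an IPv4 address by its /24 prefix."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


def virtual_patch_hits(req: Request) -> list:
    """Report parameters that violate an assessment-derived constraint."""
    parts = urlsplit(req.path)
    rules = VIRTUAL_PATCHES.get(parts.path, {})
    params = parse_qs(parts.query)
    return [
        f"virtual_patch:{parts.path}:{name}"
        for name, pat in rules.items()
        for value in params.get(name, [])
        if not pat.fullmatch(value)
    ]


def evaluate(req: Request) -> list:
    """Return the names of every rule the request trips (empty means clean)."""
    hits = []
    if req.ip in BAD_IPS:
        hits.append("ip_reputation")
    if country_of(req.ip) not in SERVICE_COUNTRIES:
        hits.append("geo_outside_service_area")
    decoded = unquote_plus(req.path) + " " + req.user_agent
    hits += [f"signature:{n}" for n, p in SIGNATURES.items() if p.search(decoded)]
    if JS_COOKIE not in req.cookies:
        hits.append("no_js_cookie")
    hits += virtual_patch_hits(req)
    return hits


def decide(req: Request) -> str:
    """Block on any hit; a real deployment would weight rules and log detail."""
    return "block" if evaluate(req) else "allow"


# Constructed sample requests: one clean, three that trip different rules.
SAMPLE_REQUESTS = [
    Request("192.0.2.10", "/items?id=42", "Mozilla/5.0", {"js_ok": "1"}),
    Request("192.0.2.11", "/items?id=42%27+UNION+SELECT+1,2--", "Mozilla/5.0", {"js_ok": "1"}),
    Request("203.0.113.9", "/login", "Mozilla/5.0", {"js_ok": "1"}),
    Request("198.51.100.5", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "sqlmap/1.0", {}),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.ip, r.path, decide(r), evaluate(r))
```

Note how the rules reinforce one another: the second request carries a valid JavaScript cookie and comes from inside the service area, so only signature matching and the virtual patch catch it, while the fourth request is caught four different ways. That overlap is the point of combining the functions rather than relying on any one of them.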

Yasutada Sato is Security Engineer at Imperva Japan