Unlike network firewalls, which operate at layer 3 and layer 4 of the network stack, web application firewalls sit in front of the applications and operate at the application layer (L7). Their job is to monitor HTTP/S traffic to identify requests and responses that break protocol rules or application-specific policies, then filter or block that traffic and secure the application.
Recent research by the NetScaler Cyberthreat Research Initiative team used attack metadata from NetScaler ADCs deployed in enterprise networks to generate insights into the application risks that customers were exposed to. The team’s findings were consistent across most industry verticals and aligned with the threats highlighted in the OWASP Top 10.
In this blog post, we’ll share findings that highlight how pervasive these threats are across a range of industry verticals, from DDoS attacks against critical resources due to buffer overrun to the possibility of installing malware because of inconsistent cookie checks in applications.
The top 5 most prevalent application attacks
NetScaler used NetScaler Web App Firewall analytics to identify the top five attack types seen in customer environments. In conducting our research, we collected and de-identified data from a global customer base across a range of industry verticals during a one-year period (April 2021 to April 2022). The five most common application attack types detected by NetScaler Web App Firewall in customer environments during this period were:
- Direct request (forced browsing)
- Cross-site scripting
- SQL injection
- Buffer overflow
- Cookie consistency
Let’s look at the basics of each attack type. In many scenarios, a web application firewall with the right policy sets configured and deployed in front of the application can help organizations detect and mitigate these attacks.
Direct request (forced browsing) – CWE-425: With direct request attacks, it’s possible to bypass application authentication and authorization and breach or change corporate resources. If not mitigated, a direct request attack can have implications on the confidentiality and integrity of an organization’s data.
Cross-site scripting – CWE-79: Unauthorized scripts injected into a response and executed on a user’s browser can have consequences including:
- Transfer of private information such as cookie session information from the victim to the attacker
- Enable the attacker to send malicious content to an application
- Takeover of the victim’s device
Cross-site scripting attacks pose significant security risks for a business, and web application firewalls should be enabled to protect against this attack type by default.
SQL injection – CWE-89: Exploiting SQL injection flaws allows attackers to change the parameters of SQL commands and gain unauthorized access to data. The growth of database-driven web applications makes this a popular attack type because the vulnerability is easy to detect and exploit and the rewards can be high. Because SQL injection attacks make a direct assault on the valuable data held behind an application, the implications of a SQL injection attack can be serious. Businesses should use a web application firewall that checks SQL grammar to mitigate the attack and reduce false positive ratios.
Buffer overflow – CWE-119: A buffer overflow attack takes advantage of errors in software that enable attackers to execute code that alters the intended flow of an application. Businesses must mitigate this type of attack because it causes unpredictability and instability in application performance and is often used to orchestrate a DDoS attack against resources — or even expose sensitive information.
Cookie consistency – CWE-565: When applications don’t carry out validation and integrity checks for cookies, attackers can easily bypass authentication and launch unauthorized actions against the application. This can lead to input data being modified or can serve as a springboard for other attacks like cross-site scripting and SQL injection, seriously damaging a business’s data integrity and creating data breaches. Exploiting cookies is also a popular way to install ransomware. Ensuring cookie consistency is a basic protection of a web application firewall and should always be enabled.
Attack prevalence consistent across industry verticals
We also analyzed customers by industry vertical to identify any statistically significant patterns in attack type.
Figure 2 shows a breakdown of the customer base by industry vertical. Please note that his analysis does not reflect the total volume of attacks, but rather the percentage of customer environments in which each attack was seen.
Our analysis found a remarkable consistency in the types of attacks across verticals, with only minor variations. Here is the breakdown by percentage of the attack types most frequently experienced by organizations within specific verticals:
Finance
Direct request: 69 percent
Cross-site scripting: 68 percent
SQL injection: 65 percent
Buffer overflow: 58 percent
Cookie consistency: 48 percent
Technology
Direct request: 65 percent
SQL injection: 59 percent
Cross-site scripting: 56 percent
Buffer overflow: 47 percent
Field consistency: 43 percent
Business services
Direct request: 65 percent
Cross-site scripting: 64 percent
SQL injection: 61 percent
Buffer overflow: 42 percent
Cookie consistency: 42 percent
Healthcare
Direct request: 62 percent
Cross-site scripting: 56 percent
SQL injection: 52 percent
Buffer overflow: 52 percent
Cross-site request forgery: 31 percent
Public sector
Direct request: 69 percent
Cross-site scripting: 68 percent
SQL injection: 68 percent
Buffer overflow: 60 percent
Cookie consistency: 52 percent
While there is some variance in the prevalence of the attacks, we did not observe a statistically significant variation in the types of attacks across verticals. From the data, we conclude that:
- The five most common attacks are not targeted efforts against a particular industry vertical but likely opportunistic and typify the environment in which organizations operate today
- Application architecture complexity and legacy technology at the back-end (such as C/C++ based applications, which are more prone to buffer overflow attacks) may be a better indicator of an attack surface than an industry vertical
- Industry sectors like healthcare that tend to put additional checks (identity, for example) in place tend to experience a slightly lower than average number of attacks
- Sectors that have a range of public-facing applications tend to have a slightly higher risk of attack, such as public sector and finance
Organizations must take these threats seriously and implement technologies to repel bad actors. The potential impact of one of these attacks can be severe, from loss of revenue and proprietary data to fines and damage to corporate reputation. The prevalence of these attack attempts across industries highlights the importance of having a web application firewall as one of the tools to help mitigate them.
NetScaler Web App Firewall works the same across physical, virtual, bare metal, and containerized form factors to simplify application delivery through operational consistency. Learn more about NetScaler Web App Firewall.