the five most prevalent web threats today five... · 2018-05-20 · the five most prevalent web...
Embed Size (px)
The Five Most Prevalent Web Threats Today
© Imperva, Inc. 2017 All Rights Reserved
And What You Can Do About Them
Introduction ����������������������������������������������������������������������������������� 3
Threat Number One—Bots and Web Scraping ������������������������� 4
Threat Number Two—DDoS ���������������������������������������������������������� 6
Threat Number Three—Cross- Site Scripting ������������������������������ 8
Threat Number Four—SQL Injection �����������������������������������������10
Threat Number Five—Malware ���������������������������������������������������11
Threats to web applications continue to grow. As shown
by reports such as Krebs’s Immutable Truths About Data
Breaches, as well as those from SC Magazine and others we
regularly monitor, criminals attack websites to steal data or
extort payment. Our 2016 Global DDoS Threat Landscape
Report, indicates that DDoS attacks — a particularly nasty
type of web threat — have doubled in the last year alone.
This guide looks at the five most prevalent web threats you need to prepare for.
• Bots and web scraping
• DDoS attacks
• Cross-site scripting (XSS)
• SQL injection
It’s essential that organizations put systems and processes in
place to defend against these attacks. Our research indicates
that none of these attack types are going to abate anytime
This e-book will provide you with a snapshot of the web
threat landscape, serving as a primer on the state of web
security. Once you understand the threats, you’ll be better
prepared to assess solutions and select appropriate tools to
mitigate each type.
Internet bots are software agents programmed to perform
automated tasks. Beneficial bots include search engine bots, such as the Googlebot.
Not all bots are beneficial, though. A prominent subset of bots is used for malicious purposes. In fact, Imperva research
indicates that up to one-third of internet traffic is generated by these bad bots. Bad bots can perform a variety of tasks
that compromise website security or site performance.
When it comes to site scraping bots, certain types of web
scraping are legitimate (e.g., market researchers using forum
and social media data), but many are not. Site scraping bots
can extract large quantities of data from sites and slow the
performance of sites that remain unprotected. So-called
headless browser bots can even masquerade as humans as
they fly under the radar of many security solutions.
For example, competitors can scrape your data to undersell
or steal copyrighted content. In more blatant acts, scrapers
have been known to replicate entire website content
THREAT NUMBER ONE—BOTS AND WEB SCRAPING
How web scrapers harvest pricing information from your site
• Site scraping
• Vulnerability probing
• Launching DDoS attacks
• Distributing spam
Targeted businesses that depend on competitive pricing or
contracts can suffer significant financial damage. Malicious bots are often combined by the thousands into what is
known as a “botnet”. Botnets give perpetrators the ability to
launch large attacks by controlling and directing the botnet
to attack on demand.
Recently, with the proliferation of internet-connected devices,
cybercriminals are creating botnets from large numbers of
connected devices like home routers, closed circuit TVs and
DVRs to launch DDoS attacks. The compromised devices are
known as “zombies,” their owners being unaware that their
infected systems are playing a role in a perpetrator’s scheme.
These schemes include vulnerability scans, where high-
powered zombie computing resources surreptitiously scour
the internet for millions of potential targets left unpatched.
Lastly, bots can be used to distribute spam. So-called
spambots collect email addresses from various sources on
the Internet and sends junk or spam emails automatically in
large quantities. Spambots may be used by perpetrators to
carry out attacks on a website or servers. Spambots create
fake accounts and send unsolicited messages for advertising,
hacking or even fraudulent businesses. Many websites and
hosts use anti-spam programs to protect their websites from
Anti-bot solutions can be used to detect and block bad bots
while allowing beneficial bots to continue to do their job. These solutions can also offer web site managers the ability
to limit specific bots that may interfere with site performance.
Impersonator bots lead malicious activity, accounting for almost a quarter
of bad bot activity. Source: https://www.incapsula.com/blog/bot-traffic-report-2016.html
Distributed denial of service (DDoS) attacks can occur when
zombie systems —the precursors to botnets often numbering
in the hundreds of thousands of devices—are simultaneously
leveraged to flood a single target. Because the attack traffic originates from so many points, blocking a single IP address
has no effect. It can be almost impossible to discriminate
between legitimate users and DDoS attack traffic. In attacks involving the IoT, millions of compromised devices can be
recruited to create a powerful attack botnet.
There are three types of DDoS attacks:
Volumetric attacks include UDP floods, ICMP floods, and other spoofed-packet floods. They saturate network bandwidth, and their magnitude is measured in billions of
bits per second (Gbps).
Protocol attacks include SYN floods, fragmented packet attacks, ping of death, Smurf DDoS and others. This attack
type consumes server resources such as network firewalls and load balancers, or communication equipment. These
DDoS attacks are measured in millions of packets per second
THREAT NUMBER TWO—DDOS
A huge and unexpected spike in traffic is detected as a DDoS attack and blocked by Incapsula. Source: https://www.incapsula.com/ddos/ddos-
Application layer attacks include low-and-slow barrages
such as GET/POST floods, as well as application-saturating attacks that target Apache, Windows or OpenBSD
vulnerabilities and are measured in requests per second
(rps). They’re seemingly legitimate requests, but their goal is
to crash your web server.
Many other DDoS attack types exist including Slowloris, NTP
amplification, HTTP flood and zero-day DDoS attacks.
Perpetrators may warn their victims with a ransom note before
they launch a DDoS attack. They often demand payment in
the form of Bitcoins to call off the attack.
DDoS attacks can be mitigated with on-premises or cloud
solutions that can identify and separate attack traffic from legitimate visitors. The growth in the size and frequency of
DDoS attacks makes cloud solutions particularly relevant.
A ransom note from Armada Collective announcing an impending DDoS
attack Source: https://www.incapsula.com/blog/how-to-respond-to-
By injecting harmful scripts or code into a web application,
cross-site scripting (XSS) attacks are one of the most
common high-risk vulnerabilities. Frequent targets include
sites that let users share content—including blogs, social
networks, video sharing platforms and message boards. For
example, versions of WordPress that have not been updated
are known to be vulnerable.
Subsequent visitors to a compromised site accept the
malicious script as having originated from a reliable source.
Not being able to detect that a script is malicious, the visitor’s
browser executes it.
THREAT NUMBER THREE—CROSS-SITE SCRIPTING (XSS)
Cross site scripting attacks introduce malicious script that steals each
visitor’s session cookies. Source: https://www.incapsula.com/web-
The impact of an exploited XSS vulnerability is significant. Attackers can deface a compromised website, introduce
misleading content or even redirect visitors to other sites
that expose them to online fraud. An XSS assault can activate
trojan horse programs and modify page content, misleading
users into willingly surrendering their private data. In this
scenario, session cookies could be revealed, enabling a
perpetrator to impersonate valid users and abuse their
To solve the XSS threat, a web application firewall (WAF) is commonly used to mitigate the injection of malicious scripts
onto web servers.
A reflected XSS attack uses a malicious script reflected off a web application to attack a victim’s browser. Source: https://www.incapsula.
By circumventing a web application’s validation systems, a
structured query language (SQL) injection uses malicious
code to query and in some cases hijack a database. Often
with full control of the database, the attacker has access to
data never intended to be available to them. It might include
sensitive company data, user lists, intellectual property or
personal identifiable information (PII).
SQL queries are used to execute data retrieval, perform
data updates and record removal commands. Previously,
perpetrators had to manually type a SQL query during an
attack. But automated hacker tools are now widely available,
the result being the SQL injection arena has become an even
When determining the potential cost of a SQL injection
attack, you should also consider the loss of customer trust
that will occur when phone numbers, addresses and credit
card details are stolen. The good news is that there are
effective ways to prevent SQL injection attacks from taking
place, as well as protecting against them, once they occur.
Similar to solving the cross site scripting threat, a web
application firewall (WAF) can be used to filter out malicious SQL queries in addition to other malicious traffic.
THREAT NUMBER FOUR—SQL INJECTION
Malicious traffic including SQL injection attacks is filtered out with a web application firewall. Source:https://www.incapsula.com/web-application-
Malware is any software that has malicious intent, often
targeting entire networks by way of authentic software such as
a web application or a browser. Malware can take advantage
of any system vulnerability and is classified depending on attack intent. Common malware types include ransomware,
worms, trojans, rootkits, adware and spyware.
Malware is most often introduced into a web site without the
knowledge of the site owner. Many systems are susceptible
to malware attacks due to unpatched operating systems. But
far more frequently, it arrives as an email attachment or is
unwittingly downloaded from a malicious website.
Ransomware as a service (RaaS) is increasing as a popular
hacker business model. In this case, hackers license existing
malware to run a RaaS attack. If it’s successful, the malware
author gets a percentage of the ransom.
Worms were originally designed to infect a computer,
clone itself, and then infect additional computers via other
platforms such as email.
Trojans appear legitimate, but they are typically packaged
with additional malware—including backdoors, rootkits,
ransomware and spyware.
THREAT NUMBER FIVE—MALWARE
Often distributed through social engineering like phishing,
an installed rootkit can grant itself access to sensitive
parts of an application, enabling file execution and system configuration changes. Anti-malware solutions are thwarted. A rootkit can easily gain network access through user
credential theft, giving the perpetrator free reign to install
Forced advertising or adware can infect your system when
you visit a compromised website where its malware-laden
adware, using a browser vulnerability, installs itself.
Spyware is used to steal sensitive information which is sent
to a third party without the user’s knowledge or consent.
Like other threats, the likelihood that malware will make
its way onto your server can be mitigated with a WAF. In
addition, web security solutions can detect the presence
of malware already installed on servers by intercepting
malware communication attempts.
An example of a phishing email. Source:https://www.incapsula.com/
CONCLUSIONProtecting your site against common threats is essential.
In addition to incurring financial losses, if your website is breached your visitors and customers may lose personal
information. On top of everything else, your reputation
is at stake. Especially in the e-commerce business, even a
short outage or performance slowdown may drive users
to a competitor’s site. Providing a safe and satisfying user
experience helps ensure that visitors trust your site and
return to it.
By auditing your site’s security posture against these five most-prevalent web threats you’ll be able to create or
augment your security plan. The Center for Internet Security
is one non-partial source that provides many resources to
get you started. Tools that offer early detection and real-time
visibility help ensure that every threat is deterred.
Imperva Incapsula offers cloud-based web application and network
security solutions. Source: https://www.incapsula.com/web-application-
Start Your Trial Today
Questions about web application security? Contact us
Find out how you can protect your website against the threats
mentioned in this report with a free 14-day trial.
• It’s easy
• No software to download or equipment to install
• Implementation requires only a simple DNS change