Web applications have become a common attack target. A new report reveals that one in every five web application security incidents observed in the last five years was attributed to state-affiliated attackers, with losses amounting to $4.3 billion.

Threats loom over web applications

  • According to a report from F5 Labs, web application exploits were used in 57% of the most significant cybersecurity incidents that occurred in the last five years.
  • Cross-site scripting (XSS) and SQL injection were the most frequently exploited web vulnerabilities. SQL injection vulnerabilities were exploited in 15% to 76% of attacks, while XSS attacks varied between 4% and 54%.
  • The other exploited vulnerabilities include issues related to insecure deserialization, XML External Entities (XXE), and remote code execution.

A blow to the video game industry

Web application attacks against the video game industry witnessed a significant surge as more people turned to online gaming during the pandemic lockdown.
  • A report from Akamai revealed that the industry suffered more than 240 million web application attacks in 2020, which is a 340% increase over 2019.
  • Most of these attacks were carried out by exploiting SQL injection flaws that targeted player login credentials and personal information.
  • This was followed by local file inclusion attacks at 24%, which targeted sensitive details within applications and services. Exposure of these details could further compromise game servers and accounts.
  • Other attacks included cross-site scripting (8%) and remote file inclusion (7%).

Unpatched flaws add more trouble

  • Leaving publicly disclosed vulnerabilities unpatched has always created a gold mine of opportunities for threat actors. Verizon’s 2021 Data Breach incident report highlighted that around 54% of data breaches in EMEA were caused by web application attacks.
  • Interestingly, in an independent study of 146 web applications, researchers found that dozens of web applications were still vulnerable to Kaminsky and IP fragmentation attacks that could lead to account hijacking. Both attacks leverage the way websites handle DNS name resolution.

Can web apps ever be truly secure?

Web application security continues to be a challenge for organizations. With the growing number of online users and the accelerating digital transformation, attacks on web applications can become the single greatest cybersecurity threat. Therefore, organizations must focus on reinforcing the security of web-facing applications against malware and injection-style attacks. This boils down to fixing the code, patching the systems, implementing additional security layers, and keeping a watch on backdoors.

Cyware Publisher