Updated: Websites are being hit by up to 25,000 attacks per hour from automated botnets
A little-known type of attack called directory traversal is currently the most frequently used method of assaulting web applications, according to a study by IT security firm Imperva.
The study found that web applications were attacked about 27 times an hour, or once every two minutes on average, with peaks of 25,000 attacks per hour or seven per minute.
The Web Application Attack Report (WAAR) was based on a study of the top 30 web applications and on more than 10 million individual attacks from December 2010 to May 2011.
“The sheer volume of attacks that can be carried out in such a short period of time is almost unimaginable to most businesses,” said Amichai Shulman, lead researcher and CTO of Imperva, in a statement. “The way hackers have leveraged automation is one of the most significant innovations in criminal history.
“You can’t automate car theft, or purse stealing. But you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact.”
The company said it is key for security professionals to understand which types of attacks are most likely to be employed.
“It’s impossible to have effective risk management without understanding which vulnerabilities are most likely to be exploited,” Shulman stated.
At the top of the list was directory traversal, used in 37 percent of attacks, followed by cross-site scripting at 36 percent, SQL injection at 23 percent and remote file inclusion at 4 percent. The attacks were often used in combination, Shulman said.
US originates attacks
Directory traversal, also known as path traversal, involves exploiting weaknesses in security validation safeguards to surreptitiously access files that aren’t meant to be accessible.
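To make the "validation safeguards" concrete, here is an added example (not code from the article or from Imperva's report): a naive file-path resolver beside a hardened one that decodes, canonicalises and then checks that the requested path still lies under the document root, plus a small detector that applies the same check to access-log lines. The DOCROOT value, the function names and the log lines are all constructed for this illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; nothing is read from disk.
DOCROOT = "/var/www/app/public"

def resolve_naive(docroot: str, requested: str) -> str:
    """Vulnerable pattern: decode the client path and join it onto the root
    without checking where the normalised result ends up."""
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))

def resolve_safe(docroot: str, requested: str):
    """Hardened version: decode (twice, to catch double-encoding), normalise,
    then insist the result is still under the root.  Returns None on escape."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:            # embedded NUL can truncate C-level paths
        return None
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator too
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Constructed access-log lines in common log format (not from the article).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2011:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2011:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Mar/2011:10:00:03 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/Mar/2011:10:00:04 +0000] "GET /docs/./readme.txt HTTP/1.1" 200 300',
]

def traversal_hits(log_lines):
    """Detection view: return (client IP, path) for requests whose path would
    escape DOCROOT once decoded and normalised."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split()[1]
        except IndexError:
            continue   # malformed line; skip rather than crash the scan
        if resolve_safe(DOCROOT, path) is None:
            hits.append((line.split()[0], path))
    return hits

if __name__ == "__main__":
    for ip, path in traversal_hits(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The `startswith(root + "/")` form matters: checking `startswith(root)` alone would accept a sibling directory such as `/var/www/app/public2`.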
The study also found that most attacks originated from the US, with more than 61 percent of the attacks originating from US-based bots. China was second, with nearly 10 percent of attacks originating there, followed by Sweden and France. The location of those controlling the bots, however, was less clear, the company said.
Last winter Imperva said cyber-warfare and smartphone attacks would be top security trends for this year.
The security firm highlighted that government-sponsored cyber attacks will become more sophisticated, building on techniques learnt from the commercial hacker industry, such as automation and viral distribution. Attacks such as the infamous Stuxnet worm are likely to become more common, with hackers aiming to gain control of critical infrastructure.
The company has also warned of the danger from cyber-criminals seeking to exploit public excitement around big events such as the royal wedding in April.
Update: an earlier version of this article erroneously said that sites were suffering peak attack volumes of 25,000 per minute. This has been corrected to 25,000 per hour.