the five most prevalent web threats today five... · 2018-05-20 · the five most prevalent web...

The Five Most Prevalent Web Threats Today

And What You Can Do About Them

© Imperva, Inc. 2017 All Rights Reserved

Upload: volien

Post on 15-Jun-2018


CONTENTS

Introduction

Threat Number One—Bots and Web Scraping

Threat Number Two—DDoS

Threat Number Three—Cross-Site Scripting

Threat Number Four—SQL Injection

Threat Number Five—Malware


INTRODUCTION

Threats to web applications continue to grow. As shown by reports such as Krebs’s Immutable Truths About Data Breaches, as well as those from SC Magazine and others we regularly monitor, criminals attack websites to steal data or extort payment. Our 2016 Global DDoS Threat Landscape Report indicates that DDoS attacks — a particularly nasty type of web threat — have doubled in the last year alone.

This guide looks at the five most prevalent web threats you need to prepare for.

• Bots and web scraping

• DDoS attacks

• Cross-site scripting (XSS)

• SQL injection

• Malware

It’s essential that organizations put systems and processes in place to defend against these attacks. Our research indicates that none of these attack types are going to abate anytime soon.

This e-book will provide you with a snapshot of the web threat landscape, serving as a primer on the state of web security. Once you understand the threats, you’ll be better prepared to assess solutions and select appropriate tools to mitigate each type.


THREAT NUMBER ONE—BOTS AND WEB SCRAPING

Internet bots are software agents programmed to perform automated tasks. Beneficial bots include search engine bots, such as the Googlebot.

Not all bots are beneficial, though. A prominent subset of bots is used for malicious purposes. In fact, Imperva research indicates that up to one-third of internet traffic is generated by these bad bots. Bad bots can perform a variety of tasks that compromise website security or site performance. These include:

• Site scraping

• Vulnerability probing

• Launching DDoS attacks

• Distributing spam

When it comes to site scraping bots, certain types of web scraping are legitimate (e.g., market researchers using forum and social media data), but many are not. Site scraping bots can extract large quantities of data from sites and slow the performance of sites that remain unprotected. So-called headless browser bots can even masquerade as humans as they fly under the radar of many security solutions.

For example, competitors can scrape your data to undersell or steal copyrighted content. In more blatant acts, scrapers have been known to replicate entire website content elsewhere. Targeted businesses that depend on competitive pricing or contracts can suffer significant financial damage.

Figure: How web scrapers harvest pricing information from your site. Source: https://www.incapsula.com/web-application-security/web-scraping-attack.html

Malicious bots are often combined by the thousands into what is known as a “botnet”. Botnets give perpetrators the ability to launch large attacks by controlling and directing the botnet to attack on demand.

Recently, with the proliferation of internet-connected devices, cybercriminals are creating botnets from large numbers of connected devices like home routers, closed circuit TVs and DVRs to launch DDoS attacks. The compromised devices are known as “zombies,” their owners being unaware that their infected systems are playing a role in a perpetrator’s scheme.

These schemes include vulnerability scans, where high-powered zombie computing resources surreptitiously scour the internet for millions of potential targets left unpatched.

Lastly, bots can be used to distribute spam. So-called spambots collect email addresses from various sources on the Internet and send junk or spam emails automatically in large quantities. Spambots may be used by perpetrators to carry out attacks on a website or servers. Spambots create fake accounts and send unsolicited messages for advertising, hacking or even fraudulent businesses. Many websites and hosts use anti-spam programs to protect their websites from spam.

Anti-bot solutions can be used to detect and block bad bots while allowing beneficial bots to continue to do their job. These solutions can also offer web site managers the ability to limit specific bots that may interfere with site performance.

Figure: Impersonator bots lead malicious activity, accounting for almost a quarter of bad bot activity. Source: https://www.incapsula.com/blog/bot-traffic-report-2016.html
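The idea of blocking bad bots while letting beneficial ones through can be sketched as a sliding-window rate check over access-log entries. This is an added example, not part of the original e-book or any Imperva product; the log entries are constructed, and the function names, thresholds and the `verified_good_bots` allowlist are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed sample entries: (timestamp, client IP, path, user agent)."""
    t0 = datetime(2017, 1, 1, 12, 0, 0)
    log = []
    # A scraper walking product pages at 10 requests per second.
    for i in range(60):
        log.append((t0 + timedelta(milliseconds=100 * i), "203.0.113.7",
                    f"/product/{i}", "Mozilla/5.0"))
    # A human visitor: a few pages, several seconds apart.
    for i in range(5):
        log.append((t0 + timedelta(seconds=7 * i), "198.51.100.20",
                    f"/product/{i}", "Mozilla/5.0"))
    # A search engine crawler at 5 requests per second.
    for i in range(40):
        log.append((t0 + timedelta(milliseconds=200 * i), "192.0.2.50",
                    f"/product/{i}", "Googlebot/2.1"))
    return sorted(log, key=lambda entry: entry[0])

def find_scrapers(log, window=timedelta(seconds=5), max_requests=20,
                  verified_good_bots=frozenset()):
    """Return client IPs that exceed max_requests inside any sliding window.

    verified_good_bots holds IPs already confirmed out of band as beneficial
    crawlers. The user agent string is never trusted on its own, because
    impersonator bots copy it.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = set()
    for ts, ip, _path, _user_agent in log:
        if ip in verified_good_bots:
            continue
        timestamps = recent[ip]
        timestamps.append(ts)
        # Drop requests that have aged out of the window.
        while ts - timestamps[0] > window:
            timestamps.popleft()
        if len(timestamps) > max_requests:
            flagged.add(ip)
    return flagged
```

Without the allowlist the crawler is flagged together with the scraper, which is why verification has to come from something other than the claimed user agent.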


THREAT NUMBER TWO—DDOS

Distributed denial of service (DDoS) attacks can occur when zombie systems—the precursors to botnets often numbering in the hundreds of thousands of devices—are simultaneously leveraged to flood a single target. Because the attack traffic originates from so many points, blocking a single IP address has no effect. It can be almost impossible to discriminate between legitimate users and DDoS attack traffic. In attacks involving the IoT, millions of compromised devices can be recruited to create a powerful attack botnet.

There are three types of DDoS attacks:

Volumetric attacks include UDP floods, ICMP floods, and other spoofed-packet floods. They saturate network bandwidth, and their magnitude is measured in billions of bits per second (Gbps).

Protocol attacks include SYN floods, fragmented packet attacks, ping of death, Smurf DDoS and others. This attack type consumes server resources such as network firewalls and load balancers, or communication equipment. These DDoS attacks are measured in millions of packets per second (Mpps).

Application layer attacks include low-and-slow barrages such as GET/POST floods, as well as application-saturating attacks that target Apache, Windows or OpenBSD vulnerabilities and are measured in requests per second (rps). They’re seemingly legitimate requests, but their goal is to crash your web server.

Figure: A huge and unexpected spike in traffic is detected as a DDoS attack and blocked by Incapsula. Source: https://www.incapsula.com/ddos/ddos-attacks/

Many other DDoS attack types exist including Slowloris, NTP amplification, HTTP flood and zero-day DDoS attacks.

Perpetrators may warn their victims with a ransom note before they launch a DDoS attack. They often demand payment in the form of Bitcoins to call off the attack.

Figure: A ransom note from Armada Collective announcing an impending DDoS attack. Source: https://www.incapsula.com/blog/how-to-respond-to-ddos-ransom.html

DDoS attacks can be mitigated with on-premises or cloud solutions that can identify and separate attack traffic from legitimate visitors. The growth in the size and frequency of DDoS attacks makes cloud solutions particularly relevant.


THREAT NUMBER THREE—CROSS-SITE SCRIPTING (XSS)

Cross-site scripting (XSS) attacks inject harmful scripts or code into a web application, and XSS is one of the most common high-risk vulnerabilities. Frequent targets include sites that let users share content—including blogs, social networks, video sharing platforms and message boards. For example, versions of WordPress that have not been updated are known to be vulnerable.

Subsequent visitors to a compromised site accept the malicious script as having originated from a reliable source. Not being able to detect that a script is malicious, the visitor’s browser executes it.

Figure: Cross-site scripting attacks introduce malicious script that steals each visitor’s session cookies. Source: https://www.incapsula.com/web-application-security/cross-site-scripting-xss-attacks.html

The impact of an exploited XSS vulnerability is significant. Attackers can deface a compromised website, introduce misleading content or even redirect visitors to other sites that expose them to online fraud. An XSS assault can activate trojan horse programs and modify page content, misleading users into willingly surrendering their private data. In this scenario, session cookies could be revealed, enabling a perpetrator to impersonate valid users and abuse their private accounts.

To solve the XSS threat, a web application firewall (WAF) is commonly used to mitigate the injection of malicious scripts onto web servers.

Figure: A reflected XSS attack uses a malicious script reflected off a web application to attack a victim’s browser. Source: https://www.incapsula.com/web-application-security/reflected-xss-attacks.html
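A WAF filters requests in front of the application; inside the application, the usual complementary controls are output encoding and cookie flags. The following is an added example, not part of the original e-book: it renders a user comment without and with HTML encoding and builds a session cookie that page script cannot read. The function names and the sample comment are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed, harmless test input standing in for a user-submitted comment.
SAMPLE_COMMENT = '<script>alert("constructed test input")</script>'

def render_comment_unsafe(author, body):
    """Vulnerable form: user input is concatenated into the markup unchanged,
    so a later visitor's browser treats it as part of the page."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def render_comment_safe(author, body):
    """Hardened form: input is encoded for the HTML context, so the browser
    displays it as text instead of executing it."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')

def session_cookie_header(session_id):
    """Build a Set-Cookie value with flags that limit session theft.

    HttpOnly hides the cookie from page script, Secure restricts it to
    HTTPS, and SameSite limits cross-site sending.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie["session"].OutputString()
```

`html.escape` covers HTML body and quoted-attribute contexts only; values placed inside script blocks or URLs need encoding for that context instead.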


THREAT NUMBER FOUR—SQL INJECTION

By circumventing a web application’s validation systems, a structured query language (SQL) injection uses malicious code to query and in some cases hijack a database. Often with full control of the database, the attacker has access to data never intended to be available to them. It might include sensitive company data, user lists, intellectual property or personally identifiable information (PII).

SQL queries are used to execute data retrieval, perform data updates and record removal commands. Previously, perpetrators had to manually type a SQL query during an attack. But automated hacker tools are now widely available, and as a result SQL injection has become an even greater threat.

When determining the potential cost of a SQL injection attack, you should also consider the loss of customer trust that will occur when phone numbers, addresses and credit card details are stolen. The good news is that there are effective ways to prevent SQL injection attacks from taking place, as well as to protect against them once they occur.

Similar to solving the cross-site scripting threat, a web application firewall (WAF) can be used to filter out malicious SQL queries in addition to other malicious traffic.

Figure: Malicious traffic including SQL injection attacks is filtered out with a web application firewall. Source: https://www.incapsula.com/web-application-security/application-security.html
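In application code, the standard way to prevent SQL injection is to pass user input as a bound parameter so it can never become part of the SQL text. This is an added example, not part of the original e-book: it uses an in-memory SQLite database with constructed rows, and the table, function names and sample input are assumptions.

```python
import sqlite3

# Constructed input showing how concatenated text changes the query's logic.
CRAFTED_INPUT = "nobody' OR '1'='1"

def make_db():
    """Create an in-memory database with two constructed user rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def lookup_unsafe(db, name):
    """Vulnerable form: the input is pasted into the SQL string, so quote
    characters in it are parsed as SQL syntax rather than as data."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    """Hardened form: the input is bound to a placeholder and is compared
    only as a value, whatever characters it contains."""
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()
```

With the crafted input, `lookup_unsafe` returns every row in the table while `lookup_safe` returns none, because no user has that literal name.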


THREAT NUMBER FIVE—MALWARE

Malware is any software that has malicious intent, often targeting entire networks by way of authentic software such as a web application or a browser. Malware can take advantage of any system vulnerability and is classified depending on attack intent. Common malware types include ransomware, worms, trojans, rootkits, adware and spyware.

Malware is most often introduced into a web site without the knowledge of the site owner. Many systems are susceptible to malware attacks due to unpatched operating systems. But far more frequently, it arrives as an email attachment or is unwittingly downloaded from a malicious website.

Source: https://www.incapsula.com/web-application-security/social-engineering-attack.html

Ransomware as a service (RaaS) is increasing as a popular hacker business model. In this case, hackers license existing malware to run a RaaS attack. If it’s successful, the malware author gets a percentage of the ransom.

Worms were originally designed to infect a computer, clone themselves, and then infect additional computers via other platforms such as email.

Trojans appear legitimate, but they are typically packaged with additional malware—including backdoors, rootkits, ransomware and spyware.

Often distributed through social engineering like phishing, an installed rootkit can grant itself access to sensitive parts of an application, enabling file execution and system configuration changes. Anti-malware solutions are thwarted. A rootkit can easily gain network access through user credential theft, giving the perpetrator free rein to install additional malware.

Forced advertising or adware can infect your system when you visit a compromised website where its malware-laden adware, using a browser vulnerability, installs itself.

Spyware is used to steal sensitive information which is sent to a third party without the user’s knowledge or consent.

Like other threats, the likelihood that malware will make its way onto your server can be mitigated with a WAF. In addition, web security solutions can detect the presence of malware already installed on servers by intercepting malware communication attempts.

Figure: An example of a phishing email. Source: https://www.incapsula.com/web-application-security/phishing-attack-scam.html


CONCLUSION

Protecting your site against common threats is essential. In addition to incurring financial losses, if your website is breached your visitors and customers may lose personal information. On top of everything else, your reputation is at stake. Especially in the e-commerce business, even a short outage or performance slowdown may drive users to a competitor’s site. Providing a safe and satisfying user experience helps ensure that visitors trust your site and return to it.

By auditing your site’s security posture against these five most-prevalent web threats you’ll be able to create or augment your security plan. The Center for Internet Security is one impartial source that provides many resources to get you started. Tools that offer early detection and real-time visibility help ensure that every threat is deterred.

Figure: Imperva Incapsula offers cloud-based web application and network security solutions. Source: https://www.incapsula.com/web-application-security/application-security.html


Start Your Trial Today

Questions about web application security? Contact us

Find out how you can protect your website against the threats mentioned in this report with a free 14-day trial.

• It’s easy

• No software to download or equipment to install

• Implementation requires only a simple DNS change