In September, total cyberattacks increased by 40 percent compared to August, according to the Contrast Labs September 2019 AppSec Intelligence Report.
SQL Injection
SQL injection involves carefully crafted inputs that manipulate an application’s SQL queries to steal data or execute malicious code.
Cross-Site Scripting (XSS)
XSS attacks inject malicious scripts into otherwise legitimate and trusted websites.
Path Traversal
Path traversal attacks trick a web application into reading and exposing files located outside the application’s or web server’s root directory.
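To make the definition above concrete, the following Python example (added here; it is not code from the Contrast report) places the vulnerable pattern beside the hardened check: a naive join that canonicalizes `..` but never compares the result with the web root, and a resolver that decodes, canonicalizes and refuses anything that leaves the root. The root path and request strings are constructed for illustration; nothing on disk is opened.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example web root (hypothetical path used only for string resolution).
WEB_ROOT = "/var/www/app/public"


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: join the request path onto the root and canonicalize,
    but never check the result. '..' segments are honoured, so the returned
    path can point anywhere on the filesystem (e.g. /etc/passwd)."""
    return os.path.realpath(os.path.join(root, requested.lstrip("/")))


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so both %2e%2e and the double-encoded
    %252e%252e end up as '..' before any path logic runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened form: decode, canonicalize (realpath also follows symlinks),
    then require the result to stay inside the root. None means refuse."""
    decoded = fully_decode(requested)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based file APIs
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath rather than startswith: '/var/www/app/public2' must not pass
    # as being inside '/var/www/app/public'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["images/logo.png", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req!r:32} naive -> {naive_resolve(WEB_ROOT, req)}")
        print(f"{'':32} safe  -> {safe_resolve(WEB_ROOT, req)}")
```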
Custom Code Vulnerabilities
Applications had an average of six open, high-severity vulnerabilities in September.
Top Vulnerabilities by Programming Language
Injection vulnerabilities dominated overall. Cross-site scripting was the most prevalent serious vulnerability in Java applications and ranked among the top three vulnerabilities in both .NET and Node.js applications. SQL injection was most common in .NET applications, while command injection was most common in Node.js applications.
Custom Code Attacks
Attacks targeting custom code continued to dominate, accounting for 99 percent of all attacks. The most frequently exploited CVEs included CVE-2017-5638, CVE-2010-4467, and CVE-2017-9791. SQL injection, cross-site scripting, and path traversal attacks, the top attack types against custom code, each targeted 55 percent of applications.
Top Attack Vectors by Language
Injection attacks remained the most common overall. Java applications were targeted by the highest number of command injection attacks, while .NET applications experienced the highest number of SQL injection attacks.
In September, attacks originated from 119 countries. The highest number of attacks came from the United States, followed by India, the Netherlands, Canada, and the United Kingdom.
This report is based on data collected from attacks observed by Contrast Security over the preceding months and highlights key trends in application security.
Source: www.contrastsecurity.com