Unlike network firewalls, which operate at layer 3 and layer 4 of the network stack, web application firewalls sit in front of the apps and operate at the app layer (L7). Their job is to monitor HTTP/S traffic to identify requests and responses that break protocol rules or app-specific policies, then filter or block that traffic and secure the app.

Recent research by the Citrix Cyberthreat Research Initiative (CTRI) team used attack metadata from NetScaler ADCs deployed in enterprise networks to generate insights into the application risks that customers were exposed to. The team’s findings were consistent across most industry verticals and aligned with the threats highlighted in the OWASP Top 10.

In this blog post, we’ll share findings that highlight how pervasive these threats are across a range of industry verticals, from DDoS attacks against critical resources due to buffer overruns to the possibility of installing malware because of inconsistent cookie checks in apps.

The Most Prevalent App Attacks

Citrix used Web App Firewall analytics to identify the Top 5 attack types seen in customer environments, collected from a global customer base across a range of industry verticals during a one-year period (April 2021 to April 2022). The collected data was de-identified to conduct the research. The five most common app attack types detected by Web App Firewalls in customers' environments during this period were:

1. Direct request (forced browsing)
2. Cross-site scripting
3. SQL injection
4. Buffer overflow
5. Cookie consistency

Figure 1. Percentage of customers that experienced each attack type

Let’s look at the basics of each attack type. In many scenarios, a web app firewall with the right policy sets configured and deployed in front of the app can help organizations detect and mitigate these attacks.

Direct request (forced browsing) – CWE-425: With direct request attacks, it’s possible to bypass app authentication and authorization and breach or change corporate resources. If not mitigated, this can have implications on the confidentiality and integrity of an organization’s data.

Cross-site scripting – CWE-79: Unauthorized scripts injected into a response and executed on a user’s browser can have consequences including:

• Transfer of private information from the victim to the attacker such as cookie session information
• Enable the attacker to send malicious content to an app
• The takeover of the victim’s device

These pose significant security risks for a business, and web app firewalls should be enabled to protect against this attack type by default.

SQL injection – CWE-89: Exploiting SQL injection flaws allows attackers to change the parameters of SQL commands and gain unauthorized access to data. The growth of database-driven web apps makes this a popular attack type because the vulnerability is easy to detect and exploit and the rewards can be high. Because SQL injection attacks make a direct assault on the valuable data held behind an app, the implications of an attack can be serious. Businesses should use a web app firewall that checks SQL grammar to mitigate the attack and reduce false positive ratios.

Buffer overflow – CWE-119: This attack type takes advantage of errors in software that enable attackers to execute code that alters the intended flow of an app. Businesses must mitigate this type of attack because it causes unpredictability and instability in performance and is often used to orchestrate a DDoS attack against resources — or even expose sensitive information.

Cookie consistency – CWE-565: When apps don’t carry out validation and integrity checks for cookies, attackers can easily bypass authentication and launch unauthorized actions against the app. This can lead to input data being modified or can serve as a springboard for other attacks like cross-site scripting and SQL injection, seriously damaging a business’s data integrity and creating data breaches. It is also a popular way to install ransomware. Ensuring cookie consistency is a basic protection of a web app firewall and should always be enabled.

Attack Prevalence Consistent Across Industry Verticals

We also analyzed customers by industry vertical to identify any statistically significant patterns around attack type.

Figure 2

Figure 2 shows a breakdown of the customer base by industry vertical. Please note, this analysis does not reflect the total volume of attacks, but rather the percentage of customer environments in which each attack was seen.

Our analysis found remarkable consistency in the prevalence of the different attacks across verticals, with only minor variations. Here is the percentage of organizations in each vertical that experienced these attack types.

Finance

Direct Request: 69 percent

Cross-site scripting: 68 percent

SQL injection: 65 percent

Buffer overflow: 58 percent

Cookie consistency: 48 percent

Technology

Direct request: 65 percent

SQL injection: 59 percent

Cross-site scripting: 56 percent

Buffer overflow: 47 percent

Field consistency: 43 percent

Business Services

Direct request: 65 percent

Cross-site scripting: 64 percent

SQL injection: 61 percent

Buffer overflow: 42 percent

Cookie consistency: 42 percent

Health Care

Direct request: 62 percent

Cross-site scripting: 56 percent

SQL injection: 52 percent

Buffer overflow: 52 percent

Cross-site request forgery: 31 percent

Public Sector

Direct request: 69 percent

Cross-site scripting: 68 percent

SQL injection: 68 percent

Buffer overflow: 60 percent

Cookie consistency: 52 percent

While there is some variance in the prevalence of the attacks, we did not observe a statistically significant variation in the types of attacks across verticals. From these data, we can conclude that:

• The five most common attacks are not targeted efforts against a particular industry vertical but are likely opportunistic and typify the environment in which organizations operate today.
• Application architecture complexity and legacy technology at the back-end (e.g. C/C++ based apps, which are more prone to buffer overflow attacks) may be a better indicator of an attack surface than an industry vertical.
• Industry sectors that tend to put additional checks (e.g. identity) in place tend to experience a slightly lower than the average number of attacks (e.g. healthcare).
• Sectors that have a range of public-facing apps tend to have a slightly higher risk of attack (e.g. public sector, finance).

Organizations must take these threats seriously and implement technologies to repel bad actors. The potential impact of one of these attacks can be severe, from loss of revenue and proprietary data to fines and hits to corporate reputation. The prevalence of these attack attempts across industries highlights the importance of having a web app firewall as one of the tools to help mitigate against them.

Web App Firewall has a single code base across physical, virtual, bare-metal, and containers that brings consistency to your deployment model. Learn more about the capabilities of Web App Firewall in our product documentation.