Akamai’s Q2 2015 State of the Internet Security Report is now available for download. This is the second quarter in which Akamai has reported web application attack statistics, and the landscape continues to change.
Akamai concentrated analysis on nine common web application attack vectors, chosen from a cross section of common categories. XSS and Shellshock are new additions this quarter.
SQLi: SQL injection attacks
LFI: Local file inclusion
RFI: Remote file inclusion
PHPi: PHP injection
CMDi: Command injection
JAVAi: Java injection exploiting the Object Graph Navigation Language (OGNL)
MFU: Malicious file upload
XSS: Cross-site scripting
Shellshock: A vulnerability in the Bash shell(the default shell for Linux and Mac OS X)
First disclosed in September 2014, Shellshock accounted for more than 49 percent of the web application attacks in Q2 2015, with 173 million Shellshock attacks against Akamai customers. Ninety-five percent of the Shellshock attacks targeted a single financial services firm. The attacks altered the proportion of HTTPS vs. HTTP attacks compared to Q1 2015, when only 9 percent of attacks occurred over HTTPS. Because Shellshock primarily uses HTTPS, in Q2 that number rose to 56 percent.
After Shellshock, the second most common web application attack vector in Q2 was SQLi, which accounted for 26 percent of all attacks and 55 percent of non-Shellshock attacks. SQLi attacks increased by 75 percent compared to Q1 2015.
LFI attacks were the third most common attack vector, at 18 percent of all web application attacks. LFI attacks decreased in Q2, at 63 million alerts compared to 75 million LFI alerts in Q1.
The remaining six categories combined accounted for 7 percent of all Q2 2015 web application attacks.
Web application attacks including XSS, LFI, and CMDi were among the vectors exploited against WordPress sites. The popularity of WordPress as a website and blogging platform makes it an attractive target. Despite the strict review process WordPress has maintained for third-party plugins and themes listed on WordPress.org, downloads from other sources may not be as well vetted. Updates to plugins frequently bypass stringent review as well.
To find vulnerabilities, Akamai tested 1,322 plugins and themes, uncovering 49 potential exploits. The most common were XSS, LFI, and path traversal (PT) exploits. The most surprising finding was the number of email header injection vulnerabilities in the theme. The Q2 2015 report contains a full listing of newly discovered vulnerabilities, along with recommendations for hardening WordPress installs.
For full details and analysis of this quarter’s statistics and emerging trends, download the Q2 2015 State of the Internet Security Report.