Preventable But Often Ignored, Web App Attacks Expand Their Reach
By Teresa Meek
Web attacks that steal data or deface a website have been around for more than two decades. Although fairly easy to prevent, they still cause problems, and the problems are occurring more frequently.
The attacks, in which hackers gain entry to a site by typing code into form fields, increased 25 percent worldwide over the past year, according to second-quarter data published by Akamai Technologies in its report State of the Internet / Security. The U.S. is by far the largest target, with 218 million incidents in the second quarter alone.
Unless companies take preventive measures, they risk losing data, customers and revenue.
Types of Web App Attacks
Web app attacks submit crafted input through the interactive parts of a website, such as form fields, so that the server reveals data or executes files it should not. They come in several forms, each of which can hurt a business in its own way.
A cross-site scripting attack, or XSS, inserts code that can deface a website or redirect users to a fake site so hackers can steal their credentials. This happened to eBay a few years ago. XSS attacks accounted for 9 percent of web app attacks over the last quarter, according to the Akamai report.
Also prevalent are local file inclusion, or LFI, attacks, which comprised 33 percent of second-quarter web app attacks. In these, hackers manipulate input fields so that the application reads and includes sensitive files from the web server's own file system. In some cases, an LFI attack can execute malicious code.
The most common type of web app attack, and among the most serious, is SQL injection, or SQLi, which accounted for 51 percent of web app attacks in the second quarter. In these, a hacker enters database commands into an input field; if the application passes that input straight into its database query, the server can be made to reveal information stored in its databases.
How SQLi Can Hurt
While looking for data to steal, an SQLi attack ties up a server’s resources. This causes information being sought by others, including customers, to load more slowly. The delay may last only milliseconds, but it may be too long for some.
"If a page loads in 30 to 100 milliseconds instead of 10 to 20, that slight delay is enough to cost a business money," said John Summers, enterprise vice president and general manager at Akamai Technologies. "If you’re selling something, customers will go find it someplace else. It can mean millions of dollars lost."
A 100-millisecond delay in load time hurts sales by up to 7 percent, a recent Akamai report found. A delay of two seconds doubles the average number of people who navigate away from a site.
And there’s more to be worried about. While driving customers away, the attack is also pulling information from a database. A single attack may return only a small amount of information. But hackers often attack many times until they’ve extracted the database’s entire contents.
An attack can steal customers’ usernames and account passwords and access their browsing and purchasing history. If a company doesn’t encrypt credit card information, it can grab card data, too.
Generally, attacks can’t steal encrypted data. But if a website developer stores the encryption key improperly, a hacker could find it and use it to download credit card numbers and other private information, Summers said.
Companies can easily stop web app attacks. One way is to write their sites so that whatever a visitor types into a form field is treated as data and can never be interpreted as a command. Another is to install web application firewalls.
These firewalls can scan website traffic and alert a company if visitors come from a part of the world where it doesn’t normally do business.
"If your customer base is 99 percent European and you suddenly get traffic from Australia, you should take caution," Summers said.
Akamai’s firewall system scans for unusual traffic and also rates individual IP addresses, giving a high-risk score to those that have been involved in other attacks. Once alerted to suspicious traffic, a business can apply additional fraud controls before approving interactions.
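The geographic and IP-reputation checks just described, as an added illustration rather than Akamai's own logic: ten constructed request log lines (IP, country, path) are compared against a constructed historical country baseline and a constructed IP risk feed, and each request that should get additional fraud controls is returned with its reasons. The baseline shares, risk scores and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample log: one request per line as "ip country path".
LOG_LINES = """\
203.0.113.5 DE /checkout
203.0.113.6 FR /cart
203.0.113.7 DE /login
203.0.113.8 NL /product/42
203.0.113.9 DE /login
198.51.100.1 AU /login
198.51.100.1 AU /login
198.51.100.2 AU /checkout
203.0.113.10 FR /product/7
203.0.113.11 ES /cart""".splitlines()

# Constructed baseline: historical share of requests by country (mostly Europe).
BASELINE = {"DE": 0.55, "FR": 0.30, "NL": 0.10, "ES": 0.05}

# Constructed reputation feed: 0-100, higher means seen in other attacks.
IP_RISK = {"198.51.100.1": 85, "198.51.100.2": 40}

def parse(line):
    ip, country, path = line.split()
    return {"ip": ip, "country": country, "path": path}

def geo_anomalies(reqs, baseline, min_share=0.10):
    """Countries now carrying at least min_share of traffic while their
    baseline share is less than half of that: {country: current_share}."""
    counts = Counter(r["country"] for r in reqs)
    total = len(reqs)
    return {c: n / total for c, n in counts.items()
            if n / total >= min_share and n / total > 2 * baseline.get(c, 0.0)}

def flag_requests(reqs, baseline, ip_risk, risk_threshold=70):
    """Requests that should pass additional fraud controls before approval."""
    suspicious = geo_anomalies(reqs, baseline)
    flagged = []
    for r in reqs:
        reasons = []
        if r["country"] in suspicious:
            reasons.append("geo_anomaly")
        if ip_risk.get(r["ip"], 0) >= risk_threshold:
            reasons.append("high_risk_ip")
        if reasons:
            flagged.append((r["ip"], r["country"], r["path"], reasons))
    return flagged

def run():
    reqs = [parse(line) for line in LOG_LINES]
    return geo_anomalies(reqs, BASELINE), flag_requests(reqs, BASELINE, IP_RISK)

if __name__ == "__main__":
    print(run())
```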
Taking preventive measures against web app attacks isn’t difficult, but many businesses don’t invest enough resources to make them effective. Others fail to re-evaluate their sites to keep up with the changing landscape of threats.
"It takes time, energy, money and will, and it has not been a priority," Summers said.
In the meantime, hackers are trawling the web looking for websites vulnerable to application attacks. They even have a tool that automates the process of finding pages ripe for an SQLi attack. YouTube videos explain how to use the tool.
In this environment, businesses need to adjust their priorities to prepare for web app attacks, and not just highly publicized attacks, such as those involving distributed denial of service, Summers said.
"Web application attacks can tie up resources, cause delays, cost money, take away customer data and put you in the news," Summers warned. "They don’t shut down your system like a DDoS attack, but in the long term, they have just as much of an effect on your business."
Teresa Meek lives and works in Seattle. With over 15 years of experience in communications, she has also written for the Miami Herald and Newsday.