In the month of September, there was a 40-percent increase in total cyberattacks compared to August, returning to July levels, according to a Contrast Labs September 2019 AppSec Intelligence Report.

The most prevalent serious vulnerabilities across the applications observed were Cross-Site Scripting, XML External Entity Injection and Cross-Site Request Forgery. One percent of these attacks were connected to a vulnerability within an application, representing a .7 percent decrease from last month. The other 99 percent were probes and did not connect with a corresponding vulnerability within the target application, says the report.

Key findings in the report include:

  • The most common attack types were SQL Injection, Cross-Site Scripting (XSS) and Path Traversal for the second month in a row. 
  • Custom Code Vulnerabilities: Applications had an average of six open, serious vulnerabilities in September. 
  • Top Vulnerabilities by Language: Injection vulnerabilities dominated in September. Cross-Site Scripting is the most prevalent serious vulnerability for Java applications and in the top three for .NET and Node applications. SQL Injection and Command Injection vulnerabilities are the most common for .NET and Node applications, respectively.
  • Custom Code Attacks: We saw the continued dominance of attacks on custom code, making up 99 percent of attacks. The top attacks on CVEs were CVE-2017-5638, CVE-2010-4467, and CVE-2017-9791. SQL Injection, Cross-Site Scripting, and Path Traversal attacks, the top attacks on custom code, each targeted 55 percent of applications. 
  • Top Attack Vectors by Language: Injection attacks continued to dominate, with Java applications targeted the highest number of Command Injection attacks and .NET applications targeted by the highest number of SQL injection attacks.
  • Geo Location: Attacks originated across the globe in September, with the most attacks originating from North America, specifically the United States. India and the Netherlands were the next most common origin countries.

The three most common attack types in September:

  • SQL Injection
    • Carefully crafted inputs that alter the SQL queries an application uses in order to steal data or execute code.
    • Represented 42 percent of all attacks in September, down from 55 percent of attacks in August.
    • Targeted 55 percent of applications.
  • Cross-site Scripting (XSS)
    • XSS attacks inject malicious scripts into benign and trusted websites.
    • Represented four percent of attacks in September, returning back to the levels we saw earlier this summer
    • Targeted 55 percent of applications.
  • Path Traversal
    • Attacks fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server.
    • Represented three percent of all attacks in September, down from 17 percent of attacks in August.
    • Targeted 55 percent of applications.

Eighty-seven percent of applications were targeted by one of these three types during the month. The majority of attacks (50 percent) targeted Command Injection vulnerabilities, though these attacks only targeted 32 percent of applications.