May 20, 2014

Through the Eyes of Community Defense: Web Vulnerabilities Never Seem to Die

Recently, we analyzed the top 10 Web vulnerabilities for April 2014, which many attack campaigns have used to break into Web applications around the world. We gathered that data via our Community Defense, a system in which customers share (anonymous) attack data, allowing us to help them prevent new attack techniques as they appear.

While crunching the numbers, one of the most interesting bits of information that we discovered was about aging.

Vulnerabilities never seem to die. There are always a few unpatched systems, either deprecated or simply owned by unaware organizations. This plays into hackers' hands. Instead of chasing 0days, hackers can use existing and recently discovered attack vectors over and over, simply because they know that many organizations don't patch their vulnerabilities in time and do not have compensating Web application security controls in place. In the April 2014 sample, we discovered vulnerabilities dating back to 2010 and 2009, and it probably does not come as a surprise that they are still seen in attack campaigns conducted by private and by industrialized hackers.

April 2014 Top 10 Web Vulnerability Exploitation Attempts:

[Image: table screenshot, Imperva Defense Center Panorama]

This table, which represents the top 10 vulnerabilities exploited against Web applications protected by Community Defense in April 2014, shows that hackers treat old vulnerabilities as low-hanging fruit: there is no need to buy or develop expensive 0day exploits when old, widely available ones work just as well.

You can learn more about Imperva’s Community Defense:

  • Our Hacker Intelligence Report validating crowd sourced threat intelligence in the web application space, here.
  • The Community Defense product page, here.
