Recently, we analyzed the top 10 Web vulnerabilities throughout April 2014, which have been used by many attack campaigns in order to break into Web applications around the world. We gathered that data via our Community Defense – a system where customers share (anonymous) attack data, allowing us to help them prevent new attack techniques as they appear.
While crunching the numbers, one of the most interesting findings concerned the age of the vulnerabilities being exploited.
Vulnerabilities never seem to die. There are always a few systems that remain unpatched, deprecated, or simply already compromised, run by organizations that are unaware of the problem. This plays well into hackers' hands: instead of chasing 0days, they can reuse existing and recently discovered attack vectors over and over, simply because they know that many organizations do not patch their vulnerabilities in time and do not have Web application security compensating controls in place. In the April 2014 sample, we discovered vulnerabilities as old as 2010 and 2009, and it probably does not come as a surprise that they are still seen in attack campaigns conducted by both private and industrialized hackers.
April 2014 Top 10 Web Vulnerability Exploitation Attempts:
This table, which lists the top 10 vulnerabilities exploited against Community Defense protected Web applications in April 2014, shows how hackers treat old vulnerabilities as low-hanging fruit: there is no need to buy or develop expensive 0day exploits when old, widely available ones work just as well.
You can learn more about Imperva’s Community Defense: