EBOOK

15 Ways Your Website

is Under Attack
 Web applications are under constant attack.
Web applications are the home of your business on the internet.
The functionality within your website, the structure of your
technology stack, and the code used to build it are under constant
attack from bad actors attempting to compromise your business.
Understanding these types of attacks will help you prevent fraud,
data theft, and online automated abuse while providing a roadmap
on how to protect your business.
Remember that any comprehensive Web application and API
(WAAP) security platform should protect from many or all of
these attacks rather than focus on only one or two categories.

2 15 Ways Your Website is Under Attack imperva.com

QUICK GUIDE – HOW YOUR WEB APPLICATIONS ARE UNDER ATTACK

SECURITY
ATTACK CLASSIFICATION WHY? WHO? SOLUTION IMPERVA
REQUIRED

1 OWASP Top Web Attacks Exploit business through web Criminals Web App
app code vulnerabilities. Firewall

2 OWASP Top 10 API Attacks Exploit business through Criminals API Protection
API vulnerabilities.

3-6 DDoS Attacks (Includes Bring down the IP address, Criminals and DDoS
Ransom DDoS) web application, network or competitors Protection
3. DDoS Of IP address DNS to prevent access.

4. DDoS Of Website
5. DDoS Of Network
6. DDoS Of DNS

7-10 Automated Bot Attacks Exploit functionality and Criminals, Bot Protection
7. Credential stuffing attacks proprietary data published competitors
on websites to abuse the and business
8. Scraping attacks
business and customers in anti- partners
9. Scalping attacks
competitive and criminal ways.
10. 18 Other unique bot attacks

11 Client Side Attacks Continuous real-time single Criminals Client-Side

record data theft. Protection

12-13 Supply Chain Attacks Exploit business through Criminals Client-Side

12. Software supply chain compromised third party Protection
services or code within & Runtime
13. Javascript services
consumer-off-the-shelf Protection
software or open source (RASP)
libraries including formjacking,
magecart and Solarwinds.

14 Legacy Application Zero Exploit vulnerable code in legacy Criminals Runtime

Day Attacks applications in proprietary code, Protection
and any unprotected internal (RASP)
apps from insider threats.

15 Serverless Workloads Attacks Exploit vulnerable code Criminals Serverless

within serverless workloads Protection
in public clouds.

3 15 Ways Your Website is Under Attack imperva.com

1. OWASP Top 10 attacks that target OWASP TOP 10
code vulnerabilities WEB APPLICATION
SECURITY RISKS

Attack explanation 1. Injection

2. Broken authentication
The widely acknowledged OWASP Top 10 lists the risks that are most prevalent on web 3. Sensitive data exposure
applications. Attackers target any security vulnerabilities incorporated during software 4. XML external entities (XXE)
development. The focus is on any code level weaknesses and taking advantage of them 5. Broken access control
to compromise the organization. 6. Security misconfiguration
7. Cross-site scripting (XSS)
Attackers goals 8. Insecure deserialization
9. Using components with
Criminals attack websites looking to perform data theft, compromise the network, known vulnerabilities
deface content, redirect traffic, and deploy malware. 10. Insufficient logging &
monitoring

Protecting from OWASP top 10 risks Source: OWASP TOP 10 Web Application
Security Risk

While fixing vulnerabilities within the code is ideal, this reality is almost impossible to
achieve. Web Application Firewalls (WAF) were created to solve this code vulnerability
problem while also helping organizations meet compliance requirements. For example:
PCI compliance for businesses processing payment and credit cards.

Imperva’s Web Application Firewall is included in Imperva’s Cloud Application

Security Platform and protects from known and unknown attacks, is simple to
deploy, always on, and blocks out of the box. Deployed by thousands of companies
globally, Imperva’s WAF is a perennial leader in Gartner’s Magic Quadrant.

4 15 Ways Your Website is Under Attack imperva.com

2. OWASP API security Top 10 attacks OWASP API SECURITY
TOP 10
Attack explanation API1: Broken object level
authorization
APIs are foundational components of modern mobile, SaaS, and web applications.
API2: Broken user authentication
Their adoption fueled web application innovation. By design they expose application
API3: Excessive data exposure
logic and personally identifiable information (PII). Because of these attributes, and
API4: Lack of resources & rate
because they are largely unprotected, attackers increasingly target APIs.
limiting
API5: Broken function level
Attackers goals authorization
API6: Mass assignment
Criminals attack APIs to achieve a multitude of nefarious goals including data theft,
API7: Security misconfiguration
compromising the network, defacing content, redirecting traffic, deploying malware,
API8: Injection
and denial of service.
API9: Improper assets
management
Protecting from OWASP top 10 API risks API10: Insufficient logging
& monitoring
API security is a challenge for any organization. Protecting APIs with a positive security
Source: OWASP API Security Top 10
model is an advantage for any business.

Imperva’s API Security is included in Imperva’s Cloud Application Security

Platform and protects your APIs with an automated positive security model,
detecting vulnerabilities in your applications, and shielding them from exploitation.

5 15 Ways Your Website is Under Attack imperva.com

3 thru 6. DDoS attacks LAYER 3/4 ATTACKS

• UDP floods
Attack explanation
• NTP amplification
DDoS attacks equate to loss of business. There are four distinct targets that are typically • DNS amplification
under DDoS attack–DDoS of individual IP addresses, DDoS of Website, DDoS of the • Tsunami SYN flood
Network, and DDoS of Domain Name Servers (DNS). • CharGEN amplification
• Memcache amplification

Attackers goals • SSDP amplification

• SNMP amplification
The primary goal of DDoS attacks is business disruption. With hundreds of thousands of • GRE-IP UDP floods
dollars lost per hour of downtime, DDoS attacks have a significant economic impact. Any
• CLDAP attacks
successful attack will bring down the businesses service. Beyond the typical criminal
• ARMS (ARD)
groups who launch diversionary DDoS attacks while attacking a different vulnerability,
• Jenkins
DDoS attacks are also unfortunately used by nefarious competitors to bring rival
• DNS Water Torture
websites down, steal business, and gain market share.
• SYN floods
• TCP RST floods SSL
Protecting from DDoS attacks • negotiation floods
• TCP connect() floods
DDoS solutions must ensure business continuity, with guaranteed uptime, and no
• Fragmented attacks
performance impact. DDoS Protection must stop layer 3, 4, and 7 attacks and protect a
businesses IP addresses, websites, network, and DNS. • TCP ACK floods
• CoAP
• WS-DD
• NetBIOS

LAYER 7 ATTACKS
Imperva’s DDoS Protection is included in Imperva’s Cloud Application Security
• NS Query floods
Platform and is the right defense against any DDoS attack. With an industry leading
• SlowLoris attack
3-second SLA to stop any attack of any size, Imperva ensures 99.999% uptime
• HTTP(S) GET request floods
against any of today’s modern DDoS attacks.
• HTTP(S) POST request floods
• SMTP request flood

6 15 Ways Your Website is Under Attack imperva.com

7 thru 10. Automated bot attacks AUTOMATED THREATS

• OAT-020 Account Aggregation

Attack explanation
• OAT-019 Account Creation
Sometimes known as bad bot attacks, OWASP classifies 21 unique automated threats • OAT-003 Ad Fraud
that are considered the most consistently damaging to businesses. A quarter of all • OAT-009 CAPTCHA Defeat
internet traffic is bad bots. Three of these automated threats are most prevalent— • OAT-010 Card Cracking
credential stuffing, scraping, and scalping attacks. • OAT-001 Carding
• OAT-012 Cashing Out
Attackers goals • OAT-007 Credential Cracking
• OAT-008 Credential Stuffing
Bot attacks are considered some of the hardest to defend against because they are
• OAT-021 Denial of Inventory
sophisticated and their behavior is created to appear human.
• OAT-015 Denial of Service
• CREDENTIAL STUFFING - Every website with a login page is a victim of these • OAT-006 Expediting
attacks by criminals seeking to perform account takeover of user accounts. • OAT-004 Fingerprinting
• SCRAPING - From stealing proprietary content like product descriptions and prices, • OAT-018 Footprinting
competitors scrape content for every product continuously to win in the marketplace. • OAT-005 Scalping
• SCALPING - From concert tickets to sneakers to gaming consoles, scalping bots • OAT-011 Scraping
(aka. Grinchbots and Sneakerbots) hoard items to resell on secondary markets. • OAT-016 Skewing
Launched by arbitrage experts, these bots negatively impact the human customer
• OAT-013 Sniping
experience and force customers to pay exorbitant mark-ups to purchase limited
• OAT-017 Spamming
edition or high demand items.
• OAT-002 Token Cracking
• 18 OTHER BAD BOT THREATS - include gift card abuse, carding, and spamming
• OAT-014 Vulnerability Scanning
malware links into product review forms.
Source: OWASP Automated Threats
Handbook

Protecting from automated bot attacks

Detecting bots is difficult because the sophisticated ones try to appear human and
evade detection. Your bot management solution must protect from every OWASP
automated threat and be accurate in detecting the difference between human and bot
traffic on your website, mobile apps, and APIs.

Imperva’s Advanced Bot Protection is included in Imperva’s Cloud Application

Security Platform and is acknowledged by Forrester as a two time industry leader
in Bot Management and detects all of the OWASP automated threats. It helps
reduce fraud and minimizes the business impact of price scraping and account
takeover bots. Today it is used by companies to mitigate the world’s most difficult
bot problems on websites, mobile apps and APIs.

7 15 Ways Your Website is Under Attack imperva.com

11. Client side attacks CLIENT SIDE ATTACKS

• Formjacking
Attack explanation
• Credit card skimming
This supply chain attack exploits the growth of JavaScript services used in modern • Card skimming
web applications. From chatbots to payment processors, attackers compromise the • Skimmers
source code of these services and steal data from any website where the compromised • Magecart
code is used. • JavaScript supply chain attacks

Attackers goals
Performing a continuous single record data breach wherever the compromised code is
deployed allows for stealthy data theft of credit cards and PII on multiple websites.

Protecting from client side attacks

Many businesses are blind to data being transferred by third party JavaScript services
because they are added by developers or marketing. Any solution should identify any
new services added and prevent unauthorised communications.

Imperva’s Client-side Protection is included in Imperva’s Cloud Application

Security Platform and protects from formjacking, card skimming and magecart
attacks. Discovers any new services added and blocks unauthorised services from
being able to transfer data.

8 15 Ways Your Website is Under Attack imperva.com

12 thru 13. Supply chain attacks SUPPLY CHAIN
ATTACKS
Attack Explanation Software Supply Chain

Supply chain attacks exploit any vulnerabilities in third party services used in modern • Backdoors
web applications. Examples include: • Zero days
• Target server
• SOFTWARE SUPPLY CHAIN ATTACKS (EG. SOLARWINDS) - Zero days or backdoors
• Target client
installed in consumer-off-the-shelf software or open source libraries used within any
• Malware distribution
applications.
• Data theft
• CLIENT-SIDE SUPPLY CHAIN ATTACKS - Compromise of JavaScript services used on
websites globally.
JavaScript Supply Chain

Attackers goals • Formjacking

• Credit card skimming
Software supply chain attacks like Solarwinds can deploy malware, allow espionage,
• Card skimming
and wreak havoc. Client-side supply chain attacks create continuous single record data
• Skimmers
breaches if payment processors are compromised.
• Magecart
• Data theft
Protecting from supply chain attacks
For software supply chain attacks, businesses should consider embedding security
within the application using a Runtime protection (RASP) solution. This provides zero-
day protection for any 3rd party code. Client-side supply chain attacks must identify any
data being transferred by third party JavaScript services. Any solution should identify
any new services added and prevent unauthorised communication.

Imperva’s Client-side Protection is included in Imperva’s Cloud Application

Security Platform and protects from supply chain attacks like formjacking, card
skimming and magecart. Imperva’s Runtime Application Self-Protection (RASP)
helps businesses protect legacy applications from within. RASP is capable of
detecting and preventing zero-day attacks in real-time.

9 15 Ways Your Website is Under Attack imperva.com

14. Legacy application zero day attacks LEGACY APPLICATION
ZERO DAY ATTACKS
Attack explanation • Insider threats

Many legacy applications have zero day vulnerabilities that cannot be fixed. Protecting • Unknown new attacks

them from attacks is difficult because a signature of the attack is unavailable. Insiders • Internal facing app attacks

using the application bypass other security tools and can successfully compromise
Techniques
legacy internal facing applications.
• Clickjacking

Attackers goals • HTTP Response Splitting

• HTTP Method Tampering
Similar to goals of OWASP Top 10 attacks, stealing intellectual property, personally • Large Requests
identifiable information, financial data, and compromising the business. • Malformed Content Types
• Path Traversal
Protecting from legacy application attacks • Unvalidated Redirects
• Software Supply Chain Attacks
Self protecting code or Runtime protection is the security solution to protect legacy
applications, software supply chain attacks, and prevent insider threats attacking Injections
internal facing apps. Runtime Protection must detect zero day attacks and secure
• Command Injection
applications from within no matter where or how they are deployed, on-prem, in the
• Cross-Site Scripting
cloud or via containers.
• Cross-Site Request Forgery
• CSS & HTML Injection
• Database Access Violation
• JSON & XML Injection
• OGNL Injection
• SQL Injection
Imperva’s Runtime Application Self-Protection (RASP) helps businesses protect
legacy applications from within. RASP is capable of detecting and preventing zero- Weaknesses
day attacks in real-time.
• Insecure Cookies & Transport
• Logging Sensitive Information
• Unauthorized Network Activity
• Uncaught Exceptions
• Vulnerable Dependencies
• Weak Authentication
• Weak Browser Caching
• Weak Cryptography

10 15 Ways Your Website is Under Attack imperva.com

15. Serverless workload attacks CLOUD SECURITY
ALLIANCE’S 12 MOST
CRITICAL RISKS
Attack explanation FOR SERVERLESS
APPLICATIONS
The migration to the cloud has seen more companies adopt Function-as-a-service
(FaaS). The problem is that many incorrectly assume the cloud provider provides
• SAS-1: Function Event Data
security while attackers see the opportunity to attack unprotected code within complex Injection
serverless workloads. • SAS-2: Broken Authentication
• SAS-3: Insecure Serverless
Deployment Configuration
Attackers goals
• SAS-4: Over-Privileged
The Cloud Security Alliance’s 12 most critical risks for serverless applications outlines Function Permissions & Roles
what vulnerabilities are targeted and stealing data and exploiting the business remain • SAS-5: Inadequate Function
Monitoring and Logging
the constant goals of bad actors.
• SAS-6: Insecure Third-Party
Dependencies
Protecting from serverless workload attacks • SAS-7: Insecure Application
Secrets Storage
Serverless Protection must provide run-time security in the cloud, handle ephemeral
• SAS-8: Denial of Service &
workloads on functions that are rapidly created and decommissioned, and protect Financial Resource Exhaustion
against widely used libraries from creating software supply chain risks. • SAS-9: Serverless Business
Logic Manipulation
• SAS-10: Improper Exception
Handling and Verbose Error
Messages
• SAS-11: Obsolete Functions,
Cloud Resources and Event
Triggers
Imperva’s Serverless Protection is an innovative security solution for applications
deployed in Amazon Web Services (AWS). It wraps around the function code and • SAS-12: Cross-Execution
Data Persistency
protects against zero day exploits.
• Weak Authentication
• Weak Browser Caching
• Weak Cryptography

11 15 Ways Your Website is Under Attack imperva.com

How Imperva helps stop these attacks
Imperva is an
Imperva Application Security provides multi-layered protection to make applications analyst-recognized,
and websites always available, always user-friendly and always secure. The company’s cybersecurity leader
flagship Web Application & API Protection (WAAP) solution stops advanced cybersecurity championing the
threats from a unified platform with multiple market-leading products: Web Application
fight to secure data
Firewall (WAF), DDoS protection, Runtime Application Self-Protection (RASP), API
security, Advanced Bot Protection, Client-Side Protection, Serverless Protection,
and applications
Content Delivery Network and Attack Analytics. wherever they reside.

Protect your business. Easily.

For a free 30 day trial of Imperva’s Cloud Application Security platform,
go to www.imperva.com.

About Imperva
Imperva is the cybersecurity leader whose mission is to protect data and all paths to it.
Imperva protects the data of over 6,200 customers from cyber attacks through all stages
of their digital journey. Imperva Research Labs and our global intelligence community
enable Imperva to stay ahead of the threat landscape and seamlessly integrate the
latest security, privacy and compliance expertise into our solutions.

15 Ways Your Website is Under Attack imperva.com

Copyright © 2021 Imperva. All rights reserved +1.866.926.4678