[2024.11] Web Attack Trend Report | Cloud-Based Platform AIONCLOUD


Weekly web attack trends

Weekly web attack trends allow you to see when web attacks are most prevalent. This can help you plan ahead to prevent and respond to web attacks during peak periods.

The graph below shows the web attacks detected by AIWAF as of November 2024.

In November 2024, we detected over 240,000 attacks per day on average, with the highest number of attacks occurring on a single day.

SQL Injection, the vulnerability with the most attempted attacks in 21 days, has the largest number of detection conditions in our AIWAF. Even so, we monitor SQL Injection attacks continuously, because new attack types and evasion methods keep appearing.

 


 

Web attack trends by attack type

Web attack trends by attack type, based on detection logs, allow you to see which attacks were most prevalent during the month. Based on this, you can establish basic web attack response guidelines to prevent and respond to these types of attacks.

The graph below shows the web attacks detected by AIWAF as of November 2024.

Web Attack Trends by Rule

SQL Injection (38.8%) was the most common attack type, followed by App weak (20.15%), Default page (19.92%), and Directory Traversal (8.62%).

SQL Injection is the most diverse and dangerous attack, as it is ranked #1 by OWASP. It forces malicious SQL into statements that an application generates dynamically from user requests, which can cause a vulnerable application to authenticate the attacker or return abnormal SQL results. If you encounter the following syntax in your query values, you should suspect an attack.

App weak indicates a vulnerability within an app that an attacker can exploit to gain unauthorized access or perform malicious actions. These vulnerabilities can be the result of poor coding practices, misconfiguration, or insufficient security measures. As a general rule of thumb, when using application programs, be suspicious of unauthorized files as well as authorized ones.

 


 

Summary of web attack trend graphs for the last 3 months

August

September

October

 

Top 30 Attacker IPs

 

Vulnerability analysis reports

Joomla! CMS Security Bypass (CVE-2023-23752)

 

1. Overview

CVE-2023-23752 is a vulnerability in Joomla! versions from 4.0.0 through 4.2.7. The vulnerability allows unauthorized access to a web service endpoint due to an incorrect access check. This creates a risk that a malicious user could access data or manipulate the system without authentication.

Source: https://www.idappcom.co.uk/post/joomla-cms-security-bypass-cve-2023-23752

 

2. Attack types

In Joomla's default routing entries, the APIs under api/index.php, which are REST APIs for developers, are inaccessible by default.

However, certain APIs can be accessed by including public=true in the request parameters, which allows access to internal information.

Source: https://xz.aliyun.com/t/12175?time__1311=GqGxRDuDgA0%3D%3DGN4eeTq18e40KD%3DDcnQWoD

 

Accessible APIs

The above APIs are used to get the most important configuration information for your website, including database accounts and passwords.

 

3. What to do

Here are some universal responses to the CVE-2023-23752 vulnerability:

1) If you are using Joomla! 4.0.0 through 4.2.7, apply the latest security patches.

2) Tighten access controls at the server level and block data with a WAF.
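
The following Python example is added here and is not from the original report or from AIWAF: it scans web server access logs for the request pattern described in section 2, that is, any path under api/index.php that carries a public parameter. The Combined Log Format, the sample lines, the v1/example route and the status-based triage are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Combined Log Format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding for a request under api/index.php that carries a
    `public` query parameter, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode percent-escapes and collapse repeated slashes before matching,
    # so /api//index.php or /%61pi/index.php look like the plain path.
    path = re.sub(r"/+", "/", unquote(parts.path)).lower()
    if "/api/index.php" not in path:
        return None
    # parse_qsl decodes parameter names too (%70ublic -> public).
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "public" not in params:
        return None
    status = int(m["status"])
    # Triage assumption: a 2xx reply means the API answered the request,
    # so configuration data may have been returned; anything else is a probe.
    verdict = "possible-disclosure" if 200 <= status < 300 else "probe"
    return {"ip": m["ip"], "ts": m["ts"], "path": path,
            "status": status, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines: documentation-range IPs, and "v1/example" is a
# placeholder route, not a real Joomla endpoint.
SAMPLE = [
    '203.0.113.7 - - [21/Nov/2024:10:01:02 +0000] "GET /api/index.php/v1/example?public=true HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [21/Nov/2024:10:01:03 +0000] "GET /api//index.php/v1/example?%70ublic=true HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.9 - - [21/Nov/2024:10:02:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2024:10:02:05 +0000] "GET /api/index.php/v1/example HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "possible-disclosure" finding on a host running an affected version is a reason to rotate the database credentials as well as to patch.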

 

4. Conclusion

CVE-2023-23752 is a vulnerability in Joomla! versions from 4.0.0 through 4.2.7 that allows unauthorized access to a web service endpoint due to incorrect access checking. This creates a risk that a malicious user could gain access to the system without authentication or manipulate data.

Among Joomla's default routing entries, the REST API, api/index.php, is blocked from access by default, but including a specific parameter (public=true) allows access to internal information. This API can expose sensitive configuration information such as database accounts and passwords.

In response, you should apply the latest security patches for affected versions, tighten access controls at the server level, and block data through a web application firewall (WAF).

 


 


 

Latest vulnerability CVE status

 

1. High-risk vulnerability status (2024.11)

2. High-risk vulnerability descriptions
