Customer-configured rules emerge as primary factor in mitigating traffic

Cloudflare’s Application Security Report for Q2 2023 has revealed that customer-configured rules now play a significant role in mitigating traffic as organizations adopt web application firewalls (WAFs) and improve their application configurations. The report is based on the analysis of HTTP traffic observed between April and June. Additionally, the study discovered that vulnerabilities that date back nearly a decade are still widely exploited to compromise machines running outdated and vulnerable software. Furthermore, the report found that HTTP anomalies are the most common attack vector on API endpoints.

Cloudflare noticed a notable shift in traffic mitigation, with WAF-mitigated traffic surpassing DDoS mitigation over the past two quarters. Approximately 57% of all mitigations were attributed to WAFs, and most of this increase was due to WAF custom rule blocks rather than WAF managed rules. The findings suggest that these mitigations originate from customer-configured rules designed for business logic or related purposes. Cloudflare also noted that organizations are adopting positive security models by allowing known good traffic instead of just blocking known bad traffic.

Within the realm of WAF custom rules, Cloudflare observed a growing reliance on geolocation blocks by application owners. In fact, 40% of all deployed WAF custom rules utilize geolocation-related fields to make decisions about how to handle traffic. While geolocation controls might not impede sophisticated attackers, they are effective at reducing the attack surface. Another interesting trend identified in the report is the increased usage of bot management-related fields in 11% of WAF custom rules. This suggests that more customers are implementing machine learning-based classification strategies to protect their applications.
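To make the distinction between the two rule styles the report describes concrete, here is an added example (not Cloudflare's rule engine or rule language): a toy evaluator for WAF custom rules in which a negative model blocks known-bad traffic by a geolocation field and a bot-management score, while a positive model blocks everything under an API prefix that no allow rule explicitly matched. The field names `country`, `bot_score` and `client_cert`, the placeholder country code `XX`, and the sample requests are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]

@dataclass
class Rule:
    name: str
    action: str                       # "block" or "allow"
    match: Callable[[Request], bool]  # predicate over request fields

def evaluate(rules: List[Rule], req: Request, positive_paths: Tuple[str, ...] = ()) -> str:
    """Return 'action:rule' for one request; the first matching rule wins.
    Paths under a positive security model are blocked unless an allow rule
    matched, which is what separates 'allow known good' from a blocklist."""
    for rule in rules:
        if rule.match(req):
            return f"{rule.action}:{rule.name}"
    path = str(req.get("path", ""))
    if any(path.startswith(p) for p in positive_paths):
        return "block:default-deny"
    return "allow:default"

# Constructed rules. 'country' and 'bot_score' stand in for the geolocation
# and bot-management fields a WAF populates per request; "XX" is a
# placeholder country code, not a real one.
RULES = [
    Rule("geo-block", "block", lambda r: r.get("country") == "XX"),
    Rule("likely-bot", "block", lambda r: str(r.get("path", "")).startswith("/api/")
         and int(r.get("bot_score", 100)) < 30),
    Rule("partner-api", "allow", lambda r: r.get("path") == "/api/v1/orders"
         and r.get("method") == "POST" and r.get("client_cert") is True),
]
POSITIVE = ("/api/v1/",)  # everything under here must match an allow rule

def classify(requests: List[Request]):
    """Evaluate a batch; return per-request outcomes and the mitigated share."""
    outcomes = {i: evaluate(RULES, r, POSITIVE) for i, r in enumerate(requests)}
    blocked = sum(o.startswith("block") for o in outcomes.values())
    return outcomes, blocked / len(requests)

SAMPLE: List[Request] = [  # constructed request metadata
    {"path": "/", "method": "GET", "country": "DE", "bot_score": 90},
    {"path": "/api/v1/orders", "method": "POST", "country": "US", "bot_score": 95,
     "client_cert": True},
    {"path": "/api/v1/orders", "method": "DELETE", "country": "US", "bot_score": 95},
    {"path": "/api/v1/users", "method": "GET", "country": "US", "bot_score": 10},
    {"path": "/login", "method": "POST", "country": "XX", "bot_score": 80},
]
```

Note that the DELETE to `/api/v1/orders` is blocked by default deny rather than by any written rule; that is the positive model doing work a blocklist could not.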

The report also shed light on the types of attacks being blocked by WAF managed rules. The most common attack category was HTTP anomaly, which accounted for 32% of all traffic mitigated by WAF managed rules. SQLi (SQL injection) surpassed directory traversal to claim the second position at 13%. Additionally, Cloudflare found that old Common Vulnerabilities and Exposures (CVEs) are still being exploited on a large scale. Specifically, the Log4J vulnerability and the Atlassian Confluence code injection vulnerability were responsible for the majority of attack traffic observed.

When examining denial of service (DoS) blocking, Cloudflare discovered that a single rule, 100031/ce02fd, accounted for the majority of mitigated traffic. This rule is associated with Microsoft IIS (Internet Information Services) and relates to a CVE dating back to 2015 (CVE-2015-1635). The vulnerability affected multiple Windows components and allowed for remote code execution.

The report also highlighted the continued growth of API (Application Programming Interface) traffic, with 58% of total dynamic traffic classified as API related, a 3% increase compared to the previous quarter. Additionally, the study revealed that 65% of global API traffic is generated by browsers. Despite this growth, HTTP anomalies remain the most common attack vector on API endpoints, accounting for 64% of attacks. SQL injection (SQLi) attacks and XSS (cross-site scripting) attacks followed at 11% and 9%, respectively.
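"HTTP anomaly" covers requests that break the protocol itself rather than carrying a recognisable payload, which is why it is caught before SQLi or XSS inspection. As an added example (not Cloudflare's managed-rule logic), the checker below applies a constructed, conservative subset of such conformance checks to a raw HTTP/1.x request: request-line shape, method and version, header-name tokens, control characters in header values, a missing `Host`, and malformed or conflicting body-framing headers. The sample requests are constructed.

```python
import re

ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 field-name token
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")     # anything but TAB is illegal

def http_anomalies(raw: bytes) -> list:
    """Return anomaly labels for one raw HTTP/1.x request (empty list = clean)."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["missing-header-terminator"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, target, version = parts
    if method.decode("ascii", "replace") not in ALLOWED_METHODS:
        findings.append("unknown-method")
    if not target.startswith(b"/") and target != b"*":
        findings.append("bad-request-target")
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        findings.append("bad-http-version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name.decode("ascii", "replace")):
            findings.append("malformed-header")
            continue
        if CONTROL.search(value):
            findings.append("control-chars-in-header")
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == b"HTTP/1.1" and b"host" not in headers:
        findings.append("missing-host")
    cl = headers.get(b"content-length", [])
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        findings.append("bad-content-length")
    elif cl and int(cl[0]) != len(body):
        findings.append("content-length-mismatch")
    if cl and b"transfer-encoding" in headers:
        findings.append("conflicting-framing-headers")
    return findings

# Constructed samples: a well-formed JSON API call and an anomalous request.
CLEAN = (b"POST /api/v1/orders HTTP/1.1\r\nHost: api.example.com\r\n"
         b"Content-Type: application/json\r\nContent-Length: 16\r\n\r\n"
         b'{"qty":2,"id":1}')
ANOMALOUS = (b"FOO /api/v1/orders HTTP/1.1\r\nX-Trace: a\x01b\r\n"
             b"Content-Length: abc\r\n\r\n{}")
```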

In conclusion, the Cloudflare Application Security Report for Q2 2023 underscores the increasing importance of customer-configured rules in mitigating traffic and securing web applications. It also highlights the persistent exploitation of old vulnerabilities and the prevalence of HTTP anomalies as a means of attacking API endpoints. The report provides valuable insights for organizations seeking to enhance their application security strategies and defend against evolving threats.
