Customer-configured rules are now the biggest contributor to mitigated traffic as organizations adopt web application firewalls (WAFs) and improve at configuring/locking down their applications. That’s according to Cloudflare’s Application Security Report: Q2 2023, based on HTTP traffic observed by the firm between April and June. The research also found that CVEs dating back almost a decade are still being widely exploited to compromise machines that may be unpatched and running vulnerable software, while HTTP anomalies are the most common attack vector on API endpoints.

Application owners relying on geolocation blocks

Over the course of the last two quarters, Cloudflare has observed WAF-mitigated traffic surpassing DDoS mitigation, with the former now accounting for approximately 57% of all mitigations. Most of this increase has been driven by WAF custom rule blocks rather than WAF managed rules, indicating that these mitigations are generated by customer-configured rules for business logic or related purposes, according to the firm. Organizations are also adopting positive security models by allowing known good traffic as opposed to blocking only known bad traffic, according to Cloudflare.

Upon reviewing rule field usage across WAF custom rules, Cloudflare found that application owners are increasingly relying on geolocation blocks. In fact, 40% of all deployed WAF custom rules use geolocation-related fields to make decisions on how to treat traffic. While geolocation controls are unlikely to stop a sophisticated attacker, they are efficient at reducing the attack surface, Cloudflare noted. Another notable observation is the usage of bot management-related fields in 11% of WAF custom rules, a trend steadily increasing over time as more customers adopt machine learning-based classification strategies to protect their applications, the firm said.

Old CVEs still widely exploited, API traffic continues to grow

HTTP anomaly is the most common attack category blocked by WAF managed rules, contributing 32% of WAF managed rules mitigated traffic overall, according to the research. SQLi moved up to second position (13%), surpassing directory traversal (10%). Furthermore, old CVEs are still being exploited en masse, with Log4J and Atlassian Confluence code injection responsible for the vast majority of attack traffic seen, Cloudflare said.

Filtering on denial of service (DoS) blocking, the firm found that most mitigated traffic is attributable to one rule: 100031/ce02fd. This rule has a description of Microsoft IIS – DoS, Anomaly:Header:Range – CVE:CVE-2015-1635 and pertains to a CVE dating back to 2015 that affected a number of Microsoft Windows components, resulting in remote code execution.

Cloudflare observed a continued growth in API traffic, with 58% of total dynamic traffic classified as API related, a 3% increase compared to Q1. What’s more, 65% of global API traffic is generated by browsers, the report said. Meanwhile, HTTP anomalies remain the most common attack vector on API endpoints (64%), followed by SQLi attacks (11%) and XSS attacks (9%).

According to a May 2023 report by API security company FireTail, more than half a billion records have already been exposed via vulnerable APIs, and 2023 is on track to be a record-high year for API breaches.