REPORT

State of Application Security 2024

Table of Contents

3 Executive Summary
4 Key app security findings
5 Scope and report methodology
6 Trends in mitigated traffic
7 Data snapshot: Mitigated traffic over time
8 Business considerations and recommendations
9 Zero-day trends
10 Business considerations and recommendations
11 DDoS attack trends
12 Data snapshot: Largest HTTP DDoS attacks
13 Business considerations and recommendations
15 Bot traffic trends
   Data snapshot: Industries with high bot traffic
16 Business considerations and recommendations
17 Client-side risks
   Data snapshot: Third-party scripts and cookie usage
18 Business considerations and recommendations
19 Shadow API risks
20 Business considerations and recommendations
21 Conclusion
22 How Cloudflare can help
23 Learn More
24 Appendices
   Glossary of key Cloudflare terms
25 Endnotes

Cloudflare | State of Application Security 2024 2


Executive Summary

Web applications are central to modern life. For governments, they are an important channel to communicate information to the public and provide essential services. For businesses, they serve as a source of revenue, efficiency, and customer insights.

However, the apps and application programming interfaces (APIs) that move critical data, processes, and infrastructure also represent an expanding attack surface. Exploited, unprotected apps can lead to business disruptions, financial losses, and critical infrastructure collapses.

The demand for developers to quickly deliver new features — such as capabilities driven by large language models (LLMs) and generative AI — magnifies this problem.

Powered by one of the world’s largest networks, Cloudflare on average serves over 57 million HTTP requests per second, and blocks 209 billion cyber threats each day as of Q1 2024. The volume, velocity, and variety of this traffic informs the insights explored in this State of Application Security 2024 report.

For instance, the increasing speed and volume of DDoS attacks indicates that botnets are becoming more common and more efficient at launching DDoS attacks — the No. 1 attack type against web apps. Is your team equipped to detect and stop traffic from malicious botnets comprising hundreds of thousands — or even millions of machines?

Additionally, certain industries face a bigger share of bot traffic. Other industries find themselves targeted by a high volume of DDoS attacks. How quickly can you respond to those threats to avoid financial losses and reputation damage?

Cloudflare also found that enterprise organizations use an average of 47.1 third-party scripts, as of May 2024. Is your organization inadvertently exposing your end users to supply chain risks?

As new app risks exceed the resources of dedicated app security teams, more organizations recognize the need for a different approach. Gartner® predicts that, “By 2027, 30% of cybersecurity functions will redesign application security to be consumed directly by non-cyber experts and owned by application owners.”

However your organization approaches app security, we hope this report can guide where to prioritize future app security controls — without stifling digital innovation.


Key app security findings

Data collection period: Unless otherwise stated in the endnotes, the time frame evaluated in this report is the 12-month period from April 1, 2023 through March 31, 2024 inclusive.

#1 attack type: Distributed denial-of-service (DDoS) attacks remain one of the most common attack types against web applications, comprising 37.1% of all app-layer traffic mitigated by Cloudflare. [1]

Rapid CVE weaponization: Cloudflare observed an attempted exploitation of a new zero-day vulnerability just 22 minutes after its proof-of-concept (PoC) was published. [2]

Trust in third-party code: Enterprise organizations use on average 47.1 third-party scripts — and their web applications make an average of 49.6 outbound connections to third-party resources. [3]

93% of bots are potentially malicious: One-third (31.2%) of all traffic stems from bots — the majority (93%) of which are unverified and potentially malicious. [4]

Outdated approaches to API security: Traditional web application firewall (WAF) rules are most often used to protect API traffic [5]; however, traditional WAF negative security model approaches are not sufficient to protect against modern API threats.

Cookie consent risks: Enterprise websites use an average of 11.5 HTTP cookies and a median of 5 cookies. [6] These HTTP cookies may expose end-users to privacy risks that application owners are responsible for monitoring and minimizing.


Scope and report methodology

At a broad level, Cloudflare mitigated 6.8% of all web application traffic during the data collection period. [7] “Mitigated” traffic is defined as any traffic that is blocked or is served a challenge by Cloudflare (see the Glossary for the full technical definition). The specific threat type and relevant mitigation technique depends on many factors, such as the application’s potential security gaps, the nature of the victim’s business, and the attacker’s goals.

Some examples of attacks on web applications and APIs in 2023-2024 included:
• The Anonymous Sudan group launched politically motivated DDoS attacks against banks, universities, hospitals, airports, social media platforms, government agencies, and others worldwide.
• Cloudflare observed a record-breaking DDoS attack exploiting a vulnerability in the HTTP/2 protocol, launched by a botnet of only 20,000 machines that rotated IPs to avoid mitigation.
• T-Mobile disclosed in early 2023 that it experienced a data breach of 37 million customer accounts via an exploited API.

In other words: the varied nature of such attacks makes web application security a broad discipline that nonetheless requires specialized tools to stop specialized attacks.

To cover such a wide scope, this report is based on aggregated traffic patterns (observed from April 1, 2023 - March 31, 2024) across the Cloudflare global network, including services that:
• Filter HTTP traffic between a web application and the Internet to stop a wide range of real-time attacks using a variety of security measures (Web Application Firewall)
• Mitigate DDoS attacks targeting Domain Name System (DNS) servers (Advanced DDoS Protection)
• Act as an intermediary to accept, transform, route, and manage all API calls (API Gateway)
• Monitor third-party dependencies in a web application that loads in the client browser and exposes the end user to risk (Page Shield)
• Identify bot activity, bot reputation, bot origin, and other bot behaviors (Bot Management)
• Block users, bots, or applications from over-using or abusing a web property (Rate Limiting)

This data and threat intelligence from Cloudflare’s network has been complemented by third-party sources, which readers can access using the inline links.


Trends in mitigated traffic

Compared to the prior 12-month period, Cloudflare mitigated a higher percentage of application layer traffic and layer 7 (L7) DDoS attacks (6.8% vs. 6%) between Q2 2023 and Q1 2024. [8]

WAF product mitigations also took over as the No. 1 mitigation technique — a spot that DDoS protections previously held.

This change in mitigation rankings may be due to more enterprises using WAF rules to block brute-force attacks or credential stuffing and prevent sensitive data from being exfiltrated from apps, or using Cloudflare’s machine learning to block zero-day vulnerability exploit attempts before disclosure.

WAF rules also include custom rules, which help enforce organizational policy and perform other custom mitigations.

Some common use cases for custom rules include:
• Allowing traffic from search engine bots
• Allowing traffic from specific countries only
• Challenging bad bots
• Configuring token authentication
• Requiring a specific cookie

Definitions of these mitigation types can be found in the glossary section.

Figure 1: Mitigated traffic by Cloudflare product group [9]
• WAF and Bot mitigations (includes identification of volumetric attacks, credential stuffing, uploaded malware, sensitive data exfiltration, and more): 53.9%
• HTTP DDoS rules: 37.1%
• IP Reputation: 7.2%
• Access rules: 1.7%
• Other: 0.1%


Trends in mitigated traffic: Data snapshot: Mitigated traffic over time

Cloudflare observed an overall increase in mitigated traffic (and by extension, attacks) in the 12-month period leading up to March 31, 2024. We also saw a spike in attack traffic in January 2024, and a lower spike during the winter holidays than expected.

Figure 2: Percent of mitigated HTTP traffic on Cloudflare’s global network between Q2 2023 - Q1 2024 [10] (line chart; y-axis: Percentage, roughly 9% to 11%; x-axis: Time, May 2023 to Mar 2024)


Mitigation methods: Business considerations and recommendations

App traffic shows no signs of decelerating as businesses continue to modernize legacy apps or release new apps:
• To improve application performance for globally distributed data and users
• To migrate legacy apps to the cloud, hybrid, or multi-cloud environments
• To augment the user experience with AI-driven insights, recommendations, and information
• To modernize back-office processes and functions
• To build development pipelines from a variety of different tools so that developers can focus on coding

Business-driven app development cannot slow down; therefore, the need to block, challenge, and throttle (i.e., mitigate) malicious or unwanted web app traffic will likely grow.

Recommendations

To help reduce costs associated with scaling infrastructure to serve application growth, organizations should consider serving application content and mitigating attacks at the edge. (A group of Cloudflare customers self-reported that they saved an average of about 30% on infrastructure costs by serving and mitigating traffic at the edge). [11]


Zero-day trends

Zero-day exploits (also called zero-day threats) are increasing, as is the speed of weaponization of disclosed CVEs.
• 97 zero-days were exploited in the wild in 2023
• The number of disclosed CVEs between 2022 and 2023 increased by 15%
• More than 5,000 critical vulnerabilities were disclosed in 2023, yet the mean time to release a patch for a critical severity web application vulnerability is 35 days

Looking at CVE exploitation attempts against customers, Cloudflare mostly observed scanning activity, followed by command injections, and some exploitation attempts of vulnerabilities that had PoCs available online (e.g., Apache, Coldfusion, MobileIron). [12]

This trend in CVE exploitation attempt activity indicates that attackers are going for the easiest targets first, and likely having success in some instances given the continued activity around old vulnerabilities.

The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks.

For instance, when Cloudflare observed exploitation attempts of CVE-2024-27198 at 19:45 UTC on March 4, it had taken attackers just 22 minutes after proof-of-concept code was published.

CVE-2024-27198 Vulnerability Timeline | March 4th
• 14:00 UTC: JetBrains releases the TeamCity 2023.11.4 update
• 14:59 UTC: JetBrains publicly discloses CVE-2024-27198
• 19:23 UTC: Rapid7 shares a blog, including proof-of-concept exploitation
• 19:45 UTC: Cloudflare observes attempted exploitation


Zero-day vulnerabilities: Business considerations and recommendations

By definition a zero-day is a vulnerability for which there is not a patch in place. A race occurs after disclosure between security professionals trying to defend applications and attackers trying to exploit applications.

The faster novel attack vectors can be detected and mitigated before they cause an issue, the more time internal teams have to patch and remediate the underlying vulnerability. However, sometimes CVE patches are not available for hours (or days or months).

WAF machine learning (ML) models make it easier to block some zero-day exploits before they are made public and vulnerabilities disclosed.

For example, certain Sitecore CVEs initially disclosed in June 2023 were not initially identified by Cloudflare Managed Rules — but they were correctly detected and classified in ‘zero time’ by our machine learning-based classifiers. Cloudflare also blocked the Ivanti Connect Secure vulnerability before the vulnerability had even been publicly disclosed.

Recommendations

Resource-strapped organizations should prioritize high-risk and actively-exploited vulnerabilities first, while also using a WAF deployment that provides automatic rule updates to cover applications that cannot be patched quickly enough.


DDoS attack trends

Figure 3: Volume of application DDoS attacks over time [13] (Worldwide; data ranges from 2023-04-01 to 2024-03-31; y-axis: Daily Requests, 50B to 250B; x-axis: Time, May 2023 to Mar 2024)

DDoS attacks remain the most common attack type against web applications, with DDoS comprising 37.1% of all mitigated application traffic (see Figure 1). [9] We saw a large increase in volumetric attacks in February and March of 2024. [13] In this first quarter of 2024 alone, Cloudflare’s automated defenses mitigated 4.5 million DDoS attacks — an amount equivalent to 32% of all the DDoS attacks Cloudflare mitigated in 2023.

Specifically, application layer HTTP DDoS attacks increased by 93% YoY and 51% quarter-over-quarter (QoQ). [14] As an example, Cloudflare observed a 466% increase in DDoS attacks on Sweden after its acceptance to the NATO alliance on March 7, 2024. This mirrored the DDoS pattern observed during Finland’s NATO acceptance in 2023. [15] The size of DDoS attacks themselves are also increasing, as illustrated on the next page.


DDoS attacks: Data snapshot: Largest HTTP DDoS attacks

In 2023, Cloudflare mitigated a hyper-volumetric DDoS attack that peaked at 201 million requests per second (rps) – three times larger than any previously-observed attack. [16]

In the “HTTP/2 Rapid Reset” attack, threat actors exploited a zero-day vulnerability in the HTTP/2 protocol, which is critical to how the Internet and all websites work.

The vulnerability exploit’s potential to incapacitate nearly any server or application supporting HTTP/2 underscored how menacing DDoS vulnerabilities are for unprotected organizations.

Figure 4: Largest HTTP DDoS attacks as seen by Cloudflare, by year (million requests per second)

Year   Peak
2019   3M rps
2020   8M rps
2021   17M rps
2022   26M rps
2023   201M rps

Source: Cloudflare’s DDoS threat report for 2023 Q4 [17]


DDoS attacks: Business considerations and recommendations

HTTP/2 Rapid Reset and other large DDoS attacks illustrate that DDoS attacks are being launched more efficiently by botnets.

For example, cyber crime groups on the dark web offer DDoS-as-a-service for inexpensive prices, even offering “subscribe and save” bundles and support tiers.

Many sites offering DDoS-as-a-service charge as little as $10 USD for a DDoS attack that lasts an hour as of 2023, or $35-170 USD for a full day use of their botnets.

Given how simple it has become for attackers to launch DDoS campaigns, businesses in the following industries should be particularly vigilant about maintaining advanced DDoS protections.

Figure 5: Top industries experiencing L7 DDoS attacks as a share of all Internet traffic [18]
1 Gaming and gambling
2 IT and Internet
3 Cryptocurrency
4 Computer Software
5 Marketing and Advertising
6 Telecommunications
7 Retail
8 Adult Entertainment
9 Banking, Financial Services, and Insurance
10 Manufacturing


DDoS attacks: Business considerations and recommendations (continued)

For DDoS protection provided by a public cloud, a cloud provider typically sits in front of an organization’s applications and infrastructure and diverts all traffic to a scrubbing center to be “cleaned.” Only legitimate traffic is sent back to the customer.

This motion can be activated either ‘on-demand’ or ‘always-on.’ However, there are usually limitations:
• On-demand cloud scrubbing relies on human intervention, adding time to the mitigation response. Providers may also charge per byte of attack traffic, which is costlier over time.
• Many always-on DDoS vendors rely on distant scrubbing centers that can introduce latency and noticeable delays.

Recommendations

To realize the full benefits of cloud-based DDoS defense, look for a scalable, “always-on” service with these capabilities:
• Automatic absorbing of malicious traffic as close as possible to the attack origin, to reduce end-user latency and business downtime
• Unmetered, unlimited DDoS attack mitigations, without charging penalties for spikes in attack traffic
• Centralized autonomous protections against all DDoS attack types


Bot traffic trends

On average, bots comprise one-third (31.2%) of all application traffic processed by Cloudflare. [19] This percentage has stayed relatively consistent (hovering at about 30%) over the past three years.

The term bot traffic may carry a negative connotation, but in reality bot traffic is not necessarily good or bad; it all depends on the purpose of the bots. Some are “good” and perform a needed service — such as customer service chatbots and authorized search engine crawlers. But some bots misuse an online product or service and need to be blocked.

Different application owners may have different criteria for what they deem a “bad” bot. For example, some organizations may want to block a content scraping bot that is being deployed by a competitor to undercut on prices, whereas an organization that does not sell products or services may not be as concerned with content scraping. Known, good bots are classified by Cloudflare as “verified bots.”

However, the vast majority (93%) of bots we identified were unverified bots, and potentially malicious. [20]

Unverified bots are often created for disruptive and harmful purposes, such as hoarding inventory, launching DDoS attacks, or attempting to take over an account via brute force or credential stuffing. (Verified bots are those that are known to be safe, such as search engine crawlers).

Bad bots — if left unchecked — can cause massive problems:
• Performance impact: Too much bot traffic can put a heavy load on web servers, slowing or denying service to legitimate users.
• Business disruption: Bots can scrape or download content from a website, rapidly spread spam content, or hoard your online inventory
• Data theft and account takeover: Bots can steal credit card data, login credentials, and take over accounts

Data snapshot: Industries with high bot traffic

Attackers leveraging bots focus most on industries that could bring them high financial gains.

Figure 6: Industries with the highest median daily share of bot traffic [21] (median daily share of bot traffic to websites)
Manufacturing/Consumer Goods 68.5%
Cryptocurrency 64.8%
Security and Investigations 52.2%
Computer and Network Security 48.2%
US Federal Government 45.9%
Pharmaceuticals 43.4%
Research 41.2%
Music 39.1%
Oil and Energy 36.9%
Leisure, Travel and Tourism 35.7%


Bot traffic: Business considerations and recommendations

As shown in the prior graph, when we analyzed which industries have the biggest bot problem, we found manufacturing and consumer goods deal with a staggering 68.5% of all traffic to their websites originating from bots. [21]

Our findings reinforce what has also been observed by retailers in the consumer goods industry (for example, inventory hoarding bots buying up shoes or gaming consoles before humans get a chance to put the items in their carts), damaging brand trust. On the other hand, industries that sell fewer physical goods online, such as insurance or hospitality, deal with a bot percentage closer to the Internet average of 31.2%. [21]

Recommendations

If your industry tends to experience more bot traffic, consider boosting investments in bot management to preemptively stop credential stuffing, content scraping, content spam, inventory hoarding, and other threats from bad bots.

Look for a bot management service that:
• Accurately identifies bots at scale by applying behavioral analysis, machine learning, and fingerprinting to a diverse and vast volume of data
• Integrates easily with your other web application security and performance services (e.g., WAF, CDN, DDoS)
• Allows good bots, such as those belonging to search engines, to keep reaching your site while preventing malicious traffic


Client-side risks

Most organizations’ web apps rely on separate programs or pieces of code from third-party providers (usually in JavaScript). The use of third-party scripts accelerates modern web app development and allows organizations to ship features to market faster, without having to build all new app features in-house.

Data snapshot: Third-party scripts and cookie usage

In fact, Cloudflare’s typical enterprise customer uses an average of 47.1 third-party scripts, and a median of 20.0 third-party scripts. [22] The average is much higher than the median due to SaaS providers, who often have thousands of subdomains. Here are some of the top third-party scripts Cloudflare customers commonly use: [23]
• Google (Tag Manager, Analytics, Ads, Translate, reCAPTCHA, YouTube)
• Meta (Facebook Pixel, Instagram)
• Microsoft (Clarity, Bing, LinkedIn)
• Hotjar
• Cloudflare (Web Analytics)
• jsDelivr
• New Relic
• Appcues
• TikTok
• jQuery
• WordPress
• Pinterest
• UNPKG

While useful, third-party software dependencies are often loaded directly by the end-user’s browser (i.e. they are loaded client-side) — placing organizations and their customers at risk given that organizations have no direct control over their security measures. For example, in the retail sector, 18% of all data breaches originate from Magecart style attacks, according to Verizon’s 2024 Data Breach Investigations Report.

On average, each website has 49.6 connections to JavaScript functions and their destinations, and a median of 15.0. [24] Each of those connections also poses a potential client-side security risk.

Here are some of the top third-party connections Cloudflare customers commonly use: [25]
• Google (Analytics, Ads)
• Microsoft (Clarity, Bing, LinkedIn)
• Meta (Facebook Pixel)
• Hotjar
• Kaspersky
• Sentry
• Criteo
• tawk.to
• OneTrust
• New Relic
• PayPal

On average, our customers’ websites used 11.5 cookies and a median of five cookies. One organization alone used 131 cookies. [26] Similar to third-party scripts and connections loaded in the browser, cookies also come with both client-side risks and compliance risks. Specifically, cookies can expose website visitors to security risks such as cookie tampering, in which an attacker modifies client-side cookies to perform attacks such as session hijacking in pursuit of account takeover or fraud.

While third-party scripts and cookies are here to stay, web application owners are increasingly responsible for the risk these scripts can expose their end users to — not to mention the compliance and liability implications.
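The client-side monitoring this section describes, as an added example that is not Cloudflare's code: it inventories the third-party script hosts and other outbound load destinations a page pulls in, then diffs that inventory against a saved baseline so that a new or swapped dependency stands out. The sample HTML, the baseline, and the first-party host shop.example are constructed.

```python
"""Inventory third-party scripts and connections on a page and diff them
against a known baseline (added example; constructed inputs)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY = "shop.example"  # constructed first-party host

# Constructed sample page, as fetched on a later run.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<link rel="stylesheet" href="https://unpkg.com/normalize.css@8/normalize.css">
</head><body>
<img src="https://www.facebook.com/tr?id=1&ev=PageView">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>
"""

# Constructed baseline: what an earlier inventory run of the same page recorded.
BASELINE = {
    "scripts": {"www.googletagmanager.com", "cdn.jsdelivr.net"},
    "connections": {"www.facebook.com", "www.youtube.com"},
}


class ScriptInventory(HTMLParser):
    """Collect hosts of <script src>, and of <link>/<img>/<iframe> loads."""

    def __init__(self):
        super().__init__()
        self.scripts = set()       # third-party hosts serving script code
        self.connections = set()   # other third-party destinations
        self.inline_scripts = 0    # inline code is first-party but still worth counting

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self._record(self.scripts, a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "link" and a.get("href"):
            self._record(self.connections, a["href"])
        elif tag in ("img", "iframe") and a.get("src"):
            self._record(self.connections, a["src"])

    def _record(self, bucket, url):
        host = urlsplit(url).hostname
        # Relative URLs and first-party hosts are under the site owner's control.
        if host and host != FIRST_PARTY:
            bucket.add(host)


def inventory(html):
    """Return the third-party script hosts, connection hosts and inline count."""
    p = ScriptInventory()
    p.feed(html)
    return {"scripts": p.scripts, "connections": p.connections,
            "inline_scripts": p.inline_scripts}


def diff_against_baseline(current, baseline):
    """Report newly seen and disappeared third-party hosts per category.
    A new script host is the change a compromised or swapped dependency
    produces, so that is the line an alert should fire on."""
    report = {}
    for key in ("scripts", "connections"):
        report[key] = {
            "new": sorted(current[key] - baseline[key]),
            "removed": sorted(baseline[key] - current[key]),
        }
    return report


if __name__ == "__main__":
    inv = inventory(SAMPLE_HTML)
    for category, changes in diff_against_baseline(inv, BASELINE).items():
        print(category, changes)
```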


Client-side risks: Business considerations and recommendations

Attackers can gain access to modify the code of JavaScript components used in websites in a variety of ways, such as using stolen account credentials or exploiting zero-day or unpatched vulnerabilities. Then, they use this privileged access to launch a downstream attack on every website using that JavaScript code.

According to new mandates from PCI DSS 4.0, which will take effect in March 2025, organizations with a payment page are required to monitor third-party script attacks and protect their end-users from browser supply chain attacks.

Cookies also come with client-side and compliance risks (such as cookie tampering, as noted earlier) – if an organization fails to meet user privacy expectations.

The GDPR’s ePrivacy Directive, for example, mandates that website owners clearly specify what cookies are being used and for what purposes (and, in some cases, to obtain a user’s consent before storing those cookies in the user’s browser).

Recommendations

As with client-side scripts, website administrators, developers, or compliance team members do not always know what cookies are being used by their website.

Therefore, look for a service that automatically neutralizes third-party script risks, and provides a full, single dashboard view of all the first-party cookies being used by your websites.


Shadow API risks

Consumers and end users expect dynamic web and mobile experiences — powered by APIs. For businesses, APIs fuel competitive advantages — greater business intelligence, swifter cloud deployments, integration of new AI capabilities, and more.

However, APIs — which now comprise more than half (58%) of the dynamic Internet traffic [27] processed by Cloudflare — introduce new risks by allowing outside parties to access an application.

Yet, for many, API security has fallen behind the fast pace of API deployment: bot operators can directly attack the APIs behind workflows such as account creation, form fills, and payments to steal credentials and more; and AI models’ APIs are vulnerable to attacks.

But you cannot protect what you cannot see. And, many organizations lack accurate API inventories, even when they believe they can correctly identify API traffic.

Using our proprietary machine learning model that scans not just known API calls, but all HTTP requests (identifying API traffic that may be going unaccounted for), we found that organizations had 33% more public-facing API endpoints than they knew about. (This number was the median, and it was calculated by comparing the number of API endpoints detected through machine learning-based discovery vs. customer-provided session identifiers.) [28]

This suggests that nearly a third of APIs are “shadow APIs” — and may not be properly inventoried and secured.
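Shadow API discovery in code, as an added example that is not Cloudflare's machine-learning model: API-like requests are picked out of an access log with simple content-type and path-prefix heuristics, identifiers are collapsed into path templates, and the observed endpoint set is compared with what the organization declared. The log excerpt and the declared endpoint set are constructed.

```python
"""Compare endpoints observed in traffic with the declared API inventory
(added example; heuristic stand-in for ML discovery; constructed inputs)."""
import re
from collections import Counter

# Constructed access log excerpt: method, path, request Content-Type, Accept
# ("-" where the request carried no Content-Type).
SAMPLE_LOG = """\
GET /api/v1/users/1041 - application/json
GET /api/v1/users/2209 - application/json
POST /api/v1/orders application/json application/json
GET /api/v1/orders/7f3b2a1e-9c44-4e8b-a4c1-0d3f5e6a7b8c - application/json
GET /api/v1/users/1041/sessions - application/json
GET /api/v1/products - application/json
GET /internal/export/users.csv - text/csv
POST /legacy/v0/login application/x-www-form-urlencoded application/json
GET /products/shoes - text/html
GET /static/app.js - */*
"""

# Constructed inventory the owner believes is complete (e.g., from an OpenAPI document).
DECLARED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/users/{id}/sessions"),
    ("GET", "/api/v1/products"),
    ("DELETE", "/api/v1/orders/{id}"),
}

_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
API_TYPES = ("application/json", "application/x-www-form-urlencoded", "text/csv")


def normalize_path(path):
    """Collapse identifiers so /users/1041 and /users/2209 become one endpoint."""
    parts = []
    for seg in path.split("/"):
        parts.append("{id}" if seg.isdigit() or _UUID.match(seg) else seg)
    return "/".join(parts)


def looks_like_api(path, content_type, accept):
    """Heuristic stand-in for ML classification: machine-readable formats
    or a conventional API prefix. Real traffic needs a richer model."""
    if path.startswith("/api/"):
        return True
    return content_type in API_TYPES or accept in API_TYPES


def observed_endpoints(log_text):
    """Count requests per (method, path template) for API-like traffic."""
    seen = Counter()
    for line in log_text.splitlines():
        method, path, ctype, accept = line.split()
        if looks_like_api(path, ctype, accept):
            seen[(method, normalize_path(path))] += 1
    return seen


def shadow_report(log_text, declared):
    """Endpoints carrying traffic that the inventory does not list are shadow
    APIs; declared endpoints with no traffic are candidates for retirement."""
    seen = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in seen.items() if ep not in declared}
    unused = declared - set(seen)
    excess = len(shadow) / len(declared) if declared else 0.0
    return {"observed": len(seen), "shadow": shadow,
            "unused_declared": sorted(unused),
            "excess_over_declared": round(excess, 3)}


if __name__ == "__main__":
    rep = shadow_report(SAMPLE_LOG, DECLARED)
    print(f"{rep['observed']} endpoints observed, "
          f"{len(rep['shadow'])} undeclared ({rep['excess_over_declared']:.0%} over inventory)")
    for ep, n in sorted(rep["shadow"].items()):
        print("  shadow:", *ep, f"({n} requests)")
```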


API risks: Business considerations and recommendations

Web applications and APIs often work together (for example, an ecommerce website using an API to process payments). However, APIs’ unique attributes present a unique attack surface:

Web apps
• Who interacts with it: Human to system
• Data formats: Flexible (e.g., JavaScript, HTML, CSS)
• Request and response structure: Flexible, and returns views
• Typical threats: DDoS, malicious bots, OWASP Top 10 Web App Risks

Modern APIs
• Who interacts with it: System to system
• Data formats: Structured and machine-readable (e.g., JSON)
• Request and response structure: Defined by API schema, and returns only data
• Typical threats: Abuse, data exfiltration, malicious bots, OWASP Top 10 API risks

Despite the fact that APIs present different security challenges compared to web apps, we found that 66.6% of API traffic defended by some form of layer 7 security is primarily protected with traditional negative security WAF rules rather than with specialized API rules employing a positive security model. [29]

Traditional WAF negative security model approaches may be unable to detect all attack traffic directed at APIs, especially API-specific attacks like endpoint enumeration or authentication hijacking. Any WAF used to protect API endpoints should have modern API-specific capabilities that can enforce a positive security model.

Recommendations

As businesses expose more services via APIs, they should augment web app security tools (like WAFs and DDoS), with purpose-built API security and management. Advanced API security, using unsupervised machine learning, helps organizations:
• Discover shadow APIs: Constantly scan for every public API in your landscape, even those that are unmanaged or unsecured
• Prevent data exfiltration: Stop data leaks by continuously scanning response payloads for sensitive data
• Create a positive security model: Protect APIs by only accepting traffic that conforms to your OpenAPI schemas — while blocking malformed requests and HTTP anomalies
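A positive security model in code, as an added example that is not Cloudflare's implementation: a request is accepted only when its path, method, query parameters and JSON body match a declared OpenAPI-style schema, and anything not described is rejected, which is what a negative-model WAF signature set cannot do for an undeclared field or an unknown endpoint. The schema is a hand-written reduced subset of OpenAPI checked by a small validator rather than an OpenAPI library, and the requests are constructed.

```python
"""Accept only requests that conform to a declared API schema
(added example; reduced OpenAPI-like schema; constructed inputs)."""
import json
import re

# Constructed schema for a small orders API (deliberately minimal).
SCHEMA = {
    "/api/v1/orders": {
        "GET": {"query": {"status": {"type": "string", "enum": ["open", "shipped"]},
                          "limit": {"type": "integer"}}},
        "POST": {"body": {"required": ["sku", "quantity"],
                          "properties": {"sku": "string", "quantity": "integer"}}},
    },
    "/api/v1/orders/{orderId}": {
        "GET": {"path": {"orderId": r"^[0-9a-f]{32}$"}},
    },
}


def match_path(path):
    """Return (template, path_params) for the first schema template the path fits."""
    for template in SCHEMA:
        segs, tsegs = path.split("/"), template.split("/")
        if len(segs) != len(tsegs):
            continue
        params = {}
        for s, t in zip(segs, tsegs):
            if t.startswith("{") and t.endswith("}"):
                params[t[1:-1]] = s
            elif s != t:
                break
        else:
            return template, params
    return None, {}


def _check_type(value, expected):
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "string":
        return isinstance(value, str)
    return False


def validate(method, path, query=None, body=None):
    """Return (allowed, reason). Everything not explicitly described is rejected."""
    query = query or {}
    template, path_params = match_path(path)
    if template is None:
        return False, "unknown endpoint"
    op = SCHEMA[template].get(method)
    if op is None:
        return False, "method not allowed on endpoint"
    for name, pattern in op.get("path", {}).items():
        if not re.match(pattern, path_params.get(name, "")):
            return False, f"path parameter {name} malformed"
    declared_q = op.get("query", {})
    for name, raw in query.items():
        spec = declared_q.get(name)
        if spec is None:
            return False, f"undeclared query parameter {name}"
        if spec["type"] == "integer" and not raw.isdigit():
            return False, f"query parameter {name} must be an integer"
        if "enum" in spec and raw not in spec["enum"]:
            return False, f"query parameter {name} not in enum"
    body_spec = op.get("body")
    if body_spec is None:
        return (False, "body not allowed") if body else (True, "ok")
    try:
        obj = json.loads(body or "")
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(obj, dict):
        return False, "body must be a JSON object"
    for req in body_spec["required"]:
        if req not in obj:
            return False, f"missing required field {req}"
    for key, value in obj.items():
        expected = body_spec["properties"].get(key)
        if expected is None:
            return False, f"undeclared field {key}"  # blocks mass-assignment style extras
        if not _check_type(value, expected):
            return False, f"field {key} must be {expected}"
    return True, "ok"


if __name__ == "__main__":
    print(validate("POST", "/api/v1/orders", body='{"sku": "X1", "quantity": 2}'))
    print(validate("POST", "/api/v1/orders", body='{"sku": "X1", "quantity": 2, "is_admin": true}'))
    print(validate("GET", "/api/v1/orders/123"))
```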


Conclusion

The data is clear: the complexity of securing an organization’s applications and APIs from new risks continues to grow:
• Application layer HTTP DDoS attacks are increasing by volume and size — and are launched more efficiently by botnets
• The majority of bots are untrusted or unverified, which can negatively impact the security and performance of web apps
• Attackers are weaponizing disclosed CVEs faster; in one example, within just 22 minutes of PoC publication
• Organizations with a higher reliance on third-party scripts and cookies may be at higher risk for software supply chain attacks or privacy and compliance violations

Enterprises often have a disjointed patchwork of legacy and point products for security that make it hard to connect and protect their SaaS apps, web apps, and other IT infrastructure. The IT sprawl makes it easier for attackers to find and exploit vulnerabilities.

The broad nature of web application and API threats requires specialized approaches to stop specialized attacks. However, a consolidated, best of breed approach helps ensure better security, latency-free connectivity, and business growth.


How Cloudflare can help

Cloudflare’s connectivity cloud scales to protect people, apps, and networks everywhere

To reduce complexity while protecting more of the growing attack surface, Cloudflare unifies protections across users, apps, APIs, and networks with a connectivity cloud.

A connectivity cloud places one unified security network in front of web apps and APIs. This:

• Stops a wide range of attacks in real-time using powerful rulesets, exposed credential checks, and other security measures
• Prevents attackers from discovering then exploiting IP addresses, configurations, and IT assets
• Shifts web browsing to the edge (rather than endpoints), insulating users and devices from web-based threats
• Detects browser-based attacks, including client-side attacks that target vulnerable JavaScript dependencies and other third-party scripts

~20% of the web protected by Cloudflare
320+ cities in 120+ countries
209B+ threats blocked daily

Learn more

Built on the backbone of a massive network, our integrated application security portfolio helps organizations take full control of their security posture.

Key services include:

Cloudflare Web Application Firewall (WAF) provides full security visibility, delivers layered protections against OWASP attacks and emerging exploits, detects evasions and new attacks with machine learning, blocks account takeover, detects data loss, and more.

Cloudflare DDoS Web Protection automates intelligent DDoS mitigation from the edge of our global network — mitigating most attacks in three seconds. All plans offer unlimited mitigation of DDoS attacks, with no cost penalty for attack-related traffic spikes.

Cloudflare Bot Management uses machine learning, behavioral analysis, and fingerprinting to accurately classify bots. Block credential stuffing, content scraping, inventory hoarding, DDoS, and other malicious bot activity.

Cloudflare API Gateway automatically discovers, validates, and protects your API endpoints. Stop common API attacks, including zero-day exploits, authentication abuse, data loss, DDoS, and other business logic attacks.

Learn more about Cloudflare’s application security and performance solutions.

APPENDICES
Glossary of key Cloudflare terms

Note: the data in this report is calculated based only on traffic tracked across the Cloudflare network and does not necessarily represent overall HTTP traffic patterns across the Internet.

Custom rules: Allow you to control incoming traffic by filtering requests to a zone. You can perform actions like Block or Managed Challenge on incoming requests according to rules you define.

HTTP DDoS attack rules: A set of pre-configured rules used to match known DDoS attack vectors at layer 7 (application layer) on the Cloudflare global network. The rules match known attack patterns and tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin/cache, and additional attack vectors at the application layer.

Access rules: Use IP Access rules to allowlist, block, and challenge traffic based on the visitor’s IP address, country, or Autonomous System Number (ASN). IP Access rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access rules is to allow services that regularly access your site, such as APIs, crawlers, and payment providers.

IP reputation: This threat score measures IP reputation across Cloudflare services. This score is calculated based on Project Honey Pot, external public IP information, as well as internal threat intelligence from our WAF managed rules and DDoS.

Managed rules: Allow you to deploy pre-configured managed rulesets that provide immediate protection against common attacks.

Mitigated traffic: Refers to any eyeball HTTP or HTTPS request that had a “terminating” action applied to it by the Cloudflare platform. This includes the following actions: BLOCK, CHALLENGE, JS_CHALLENGE, and MANAGED_CHALLENGE.

• This does not include requests that had the following actions applied: LOG, SKIP, ALLOW. Starting in 2023, requests that had CONNECTION_CLOSE and FORCE_CONNECTION_CLOSE actions applied by the Cloudflare DDoS mitigation system were also excluded, as these only slow down connection initiation. They accounted for a relatively small percentage of requests.
• Cloudflare improved the calculation regarding the CHALLENGE type actions to ensure that only unsolved challenges are counted as mitigated. A detailed description of actions can be found in the Cloudflare developer documentation.

Rate limiting rules: Allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.

Uploaded content scanning: When enabled in the Cloudflare WAF, content scanning attempts to detect content objects, such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF custom rules, allowing you to implement fine-grained mitigation rules.
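The "mitigated traffic" definition above has three rules that are easy to get wrong when reproducing the report's percentages: only the four terminating actions count, LOG/SKIP/ALLOW and the two DDoS connection-close actions are excluded from the numerator but stay in the denominator, and a challenge counts only when it was not solved. The following is an added example, not Cloudflare's code or the report's own tooling; the Request record, its challenge_solved field and the sample traffic are assumptions constructed for the illustration.

```python
"""Count mitigated traffic the way the report's glossary defines it.

Added example, not Cloudflare code. The record layout, the assumed
`challenge_solved` field and the SAMPLE data are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Actions the glossary lists as "terminating" (counted as mitigated).
TERMINATING_ACTIONS = frozenset(
    {"BLOCK", "CHALLENGE", "JS_CHALLENGE", "MANAGED_CHALLENGE"}
)
# Actions the glossary explicitly lists as not mitigating.
NON_TERMINATING_ACTIONS = frozenset({"LOG", "SKIP", "ALLOW"})
# DDoS mitigation actions excluded since 2023: they only slow connection setup.
EXCLUDED_DDOS_ACTIONS = frozenset({"CONNECTION_CLOSE", "FORCE_CONNECTION_CLOSE"})
# Challenge-type actions: mitigated only when the visitor did not solve them.
CHALLENGE_ACTIONS = frozenset({"CHALLENGE", "JS_CHALLENGE", "MANAGED_CHALLENGE"})


@dataclass(frozen=True)
class Request:
    """One eyeball request. action is None when no security rule matched.

    challenge_solved is an assumed field for this example; it is only
    meaningful when action is one of CHALLENGE_ACTIONS.
    """
    action: Optional[str]
    challenge_solved: bool = False


def is_mitigated(req: Request) -> bool:
    """Return True when the request counts as mitigated traffic.

    An action outside the glossary's vocabulary raises ValueError so that an
    unexpected value cannot silently skew the percentage in either direction.
    """
    if req.action is None or req.action in NON_TERMINATING_ACTIONS:
        return False
    if req.action in EXCLUDED_DDOS_ACTIONS:
        return False
    if req.action in CHALLENGE_ACTIONS:
        # A solved challenge let the request through, so it is not terminating.
        return not req.challenge_solved
    if req.action in TERMINATING_ACTIONS:
        return True
    raise ValueError(f"unknown action: {req.action!r}")


def mitigated_share(requests: Iterable[Request]) -> Tuple[int, int, float]:
    """Return (mitigated_count, total_count, percent_mitigated).

    Every request stays in the denominator, including excluded ones.
    """
    total = 0
    mitigated = 0
    for req in requests:
        total += 1
        if is_mitigated(req):
            mitigated += 1
    percent = 100.0 * mitigated / total if total else 0.0
    return mitigated, total, percent


def action_breakdown(requests: Iterable[Request]) -> Counter:
    """Count mitigated requests per action, the raw material for a
    per-ruleset or per-product view like the one the report's endnotes describe."""
    counts: Counter = Counter()
    for req in requests:
        if is_mitigated(req):
            counts[req.action] += 1
    return counts


# Constructed sample of 20 requests; not real Cloudflare data.
SAMPLE = (
    [Request(None)] * 12                                        # no rule matched
    + [Request("BLOCK")] * 3                                    # mitigated
    + [Request("MANAGED_CHALLENGE", challenge_solved=True)]     # solved: not mitigated
    + [Request("MANAGED_CHALLENGE", challenge_solved=False)]    # unsolved: mitigated
    + [Request("LOG")]                                          # observed only
    + [Request("CONNECTION_CLOSE")]                             # excluded since 2023
    + [Request("JS_CHALLENGE", challenge_solved=False)]         # unsolved: mitigated
)

if __name__ == "__main__":
    count, total, pct = mitigated_share(SAMPLE)
    print(f"{count}/{total} requests mitigated ({pct:.1f}%)")  # 5/20 (25.0%)
    print(dict(action_breakdown(SAMPLE)))
```

On the constructed sample the solved challenge and the CONNECTION_CLOSE request both drop out of the numerator while remaining in the denominator, which is exactly the adjustment the glossary's two bullet points describe; changing either rule shifts the percentage, so any attempt to compare figures across reports needs the same definition on both sides.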

Endnotes

1. Looking at mitigated application traffic between April 1, 2023 - March 31, 2024, we analyzed which application security rules were being used to mitigate traffic. WAF was associated with the most mitigated traffic, but WAF rules block many different types of attacks including volumetric attacks, credential stuffing attacks, malicious content uploads, and more (detected by hundreds of different rules). The second most common ruleset triggered for web applications was the DDoS ruleset, which only identifies DDoS attacks.

2. Jetbrains disclosed CVE-2024-27198 on March 4th, 2024 at 14:59. Rapid7 published a proof-of-concept analysis of CVE-2024-2178 several hours later at 19:23 UTC. At 19:45 UTC, Cloudflare observed an attempted exploitation of the vulnerability.

3. We looked at aggregated customer website data pulled from the Page Shield product as of May 2024 with hosts that contained the resource_type = ‘script’ and resource_type = ‘connection’ to determine the average number of third-party scripts and connections on each of our customers’ hostnames. We eliminated outliers to this dataset, so the number of connections and scripts was found by looking at 99.5% of the dataset.

4. We looked at HTTP traffic to all websites behind the Cloudflare reverse proxy for the report collection period of April 1, 2023 - March 31, 2024 and sorted it by human and automated traffic to get the breakdown of bot vs human traffic. To get the breakdown of verified vs unverified bot traffic, we compared the bot traffic against the list that Cloudflare maintains of known “good” bots, also called “verified” bots.

5. To find this data, we looked at application security rules that were triggered for public-facing API endpoints protected by Cloudflare during the collection period of April 1, 2023 - March 31, 2024. We then grouped those triggered rules into broader groups corresponding with their products. This helps us get a sense of what tactics attackers are trying most frequently.

6. For the collection period of April 1, 2023 - March 31, 2024, we analyzed data from the URL Scanner project, looking at the top 5,000 which received the highest traffic volumes during the data collection period. We chose to analyze the cookies for the top 5,000 domains rather than all URLs behind Cloudflare to show data that is most reflective of the enterprise audience of this report.

7. We analyzed all HTTP requests to applications behind the Cloudflare proxy from April 1, 2023 - March 31, 2024 and categorized based on mitigated or non-mitigated (see “Glossary” for definitions of mitigated traffic).

8. We compared the percent of mitigated application traffic from April 1, 2023 - March 31, 2024 with data from our report The State of Application Security in 2023.

9. This chart looks at data aggregated during the April 1, 2023 - March 31, 2024 period from all applications for which Cloudflare serves as a reverse-proxy and deploys at least one application security rule to identify which security rules are being triggered most frequently. We then grouped those triggered rules into broader groups corresponding with their products. This helps us get a sense of what tactics attackers are trying most frequently.

10. This chart looks at data aggregated during the April 1, 2023 - March 31, 2024 period from all applications for which Cloudflare serves as a reverse-proxy and deploys at least one application security rule to identify which security rules are being triggered most frequently. This helps us get a sense of what tactics attackers are trying most frequently.

11. This data is derived from customer feedback during case study interviews, specifically public case studies from DTLR/Villa and Open Access College, as well as 23 survey responses from a customer return on investment survey run by Cloudflare through the TechValidate software.

12. We looked at attack attempt activity that resulted in a triggered WAF Managed Rule (which is used to stop exploits against common and emerging vulnerabilities) within 30 days of each rule’s publication, in order to not overweight Managed Rules released earlier in the year. We examined WAF Managed Rules released between April 1, 2023 - March 31, 2024 and their associated exploit attempt activity.

13. This chart looks at mitigated HTTP traffic over the collection period April 1, 2023 - March 31, 2024, zooming in on the volume of mitigations associated with DDoS rules plotted over the year.

14. Source: Cloudflare’s Q1 2024 DDoS Threat Report.

15. Source: Cloudflare’s Q1 2024 DDoS Threat Report.

16. This data is drawn from Cloudflare’s discovery and analysis of the HTTP/2 vulnerability known as “Rapid Reset” and the subsequent wave of hyper volumetric attacks that resulted.

17. Source: Cloudflare’s Q3 2023 DDoS Threat Report.

18. This chart is derived by categorizing HTTP DDoS attacks by industries and then ranking them by which have the biggest share of all DDoS traffic on the Internet during the period April 1, 2023 - March 31, 2024.

19. We looked at HTTP traffic to all websites behind the Cloudflare reverse proxy for the report collection period of April 1, 2023 - March 31, 2024 and sorted it by human and automated traffic to get the breakdown of bot vs human traffic.

20. To get the breakdown of verified vs unverified bot traffic, we compared bot traffic during the period April 1, 2023 - March 31, 2024 against the list that Cloudflare maintains of known “good” bots, also called “verified” bots.

21. We looked at bot traffic for the period April 1, 2023 - March 31, 2024 and categorized it by industry, then compared the share of bot traffic to human traffic for each industry to determine which industries had the highest percentage share of bot traffic.

22. We looked at aggregated customer website data pulled from the Page Shield product as of May 2024 with hosts that contained the resource_type = ‘script’ and resource_type = ‘connection’ to determine the average number of third-party scripts and connections on each of our customers’ hostnames. We eliminated outliers to this dataset, so the number of connections and scripts was found by looking at 99.5% of the dataset.

23. Using the Radar Year in Review Report (January 1, 2023 - December 31, 2023) and data from the Cloudflare Page Shield product gathered during the reporting period (April 1, 2023 - March 31, 2024), we collected a list of commonly used third-party scripts that our customers are implementing into their web applications.

24. We looked at aggregated customer website data pulled from the Page Shield product as of May 2024 with hosts that contained the resource_type = ‘script’ and resource_type = ‘connection’ to determine the average number of third-party scripts and connections on each of our customers’ hostnames. We eliminated outliers to this dataset, so the number of connections and scripts was found by looking at 99.5% of the dataset.

25. Using data from the Cloudflare Page Shield product gathered during May 2024, we collected a list of commonly used third-party connections that our customers are implementing into their web applications.

26. Based on the top 5,000 domains from Cloudflare’s Radar Ranking at the end of 2023. We chose to analyze the cookies for the top 5,000 domains rather than all URLs behind Cloudflare to show data that is most reflective of the enterprise audience of this report. The dataset of Radar’s Domain Rankings aims to identify the top most popular domains based on how people use the Internet globally, without tracking individuals’ Internet use.

27. Between April 1, 2023 - March 31, 2024, API traffic with successful responses (200 status code) represented a median 58% of Cloudflare’s dynamic HTTP traffic. Dynamic content is content that changes based on factors specific to the user, such as time of visit, location, and device.

28. For REST API endpoints, Cloudflare’s API discovery tool from the API Gateway product found on median 33% more endpoints through machine learning than we discovered via customer-provided session identifiers across all customers’ domains/zones, per account.

29. We examined mitigated traffic to public-facing APIs between April 1, 2023 - March 31, 2024 and checked which products and rulesets were being implemented and triggered most frequently.

© 2024 Cloudflare Inc. All rights reserved.

The Cloudflare logo is a trademark of Cloudflare. All other company and product names may be trademarks of the respective companies with which they are associated.

Call: 1 888 99 FLARE
Email: enterprise@cloudflare.com
Visit: cloudflare.com

REV:BDES-5907.2024JUL01