Basic Web Application Attacks

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.


    4,751 incidents, 1,273 with confirmed data disclosure

    Threat actors  

    External (100%) (breaches)

    Actor motives  

    Financial (65%), Espionage (31%), Grudge (2%), Ideology (1%) (breaches)

    What is the same?  

    This pattern continues to largely be dominated by the Use of stolen credentials to access an organization's internet-facing infrastructure, like web servers and email servers.


    Attacks within this pattern are split between two areas.  The means of accessing the server, such as using stolen credentials, exploiting vulnerabilities and brute forcing passwords constitutes the first. The second represents the specific payload, such as backdoors, which are used to maintain persistence or monetize access.


    Does this make my infrastructure look big?

    In Basic Web Application Attacks (BWAA), we are largely focusing on attacks that directly target an organization's most exposed infrastructure, such as Web servers. These incidents leverage one or the other of two entry points, the Use of stolen credentials or Exploiting a vulnerability. 

    Hopefully, Figure 54 demonstrates the importance of proper password protection since over 80% of the breaches in this pattern can be attributed to stolen credentials. Figure 55 reveals the larger trends in terms of using stolen credentials vs exploiting vulnerabilities. There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years. 

    Figure 55 clearly displays how the vast majority of incidents involving Web applications are using stolen credentials. There is a sprinkling of other vectors in Figure 56, such as Backdoors (useful after you have a foothold), Remote injection (how malware gets on the system after an exploited vulnerability) and, of course, Desktop sharing software.

  • Mail servers under attack

    With regard to what is being targeted, Figure 59 captures the high prevalence of Web applications (which seems obvious based on the title of the section) but also of Mail servers, which represented less than 20% of the total breaches in this pattern. Of those Mail servers, 80% were compromised with stolen credentials and 30% were compromised using some form of exploit. While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches.

  • Basic != not useful

    One might be forgiven for assuming that these types of attacks would largely be the work of enterprising criminals spraying the internet looking for weak credentials. However, it seems that Nation-state actors have also been leveraging this low-cost, high-pay-off strategy with over 20% of our BWAA breaches being attributed to Espionage. If the front door has a weak lock there is no reason to develop a complicated polymorphic backdoor with a fast flux network of C2 servers.

  • Looking back

    Santayana tells us that “those who do not learn from history are doomed to repeat it.” That seems to be the case, as we have continued to see poor password practices as one of the leading causes of data breaches dating back to 2009.

    “From the chart, it is evident that many intrusions exploit the basic (mis)management of identity. Unauthorized access via default, shared, or stolen credentials constituted more than a third of the entire Hacking category and over half of all compromised records. It is particularly disconcerting that so many large breaches stem from the use of default and/or shared credentials, given the relative ease with which these attacks could be prevented.” 2009 DBIR page 17.

Miscellaneous Errors


    715 incidents, 708 with confirmed data disclosure

    Threat actors  

    Internal (100%) (breaches)

    Data compromised  

    Personal (81%), Other (23%), Medical (18%), Bank (8%) (breaches)

    What is the same?  

    People are still fallible, and that fallibility can cause data breaches.


    While this pattern is by definition made up of either Internal or Partner actors, this year’s data shows it is all about your employees. Misdelivery and Misconfiguration are the top two varieties. Misconfiguration is frequently paired with the Discovery Method of “Security Researcher.”


    Misconfiguring the situation

    While most patterns have changed over the years, one constant has been people making mistakes. In 2015, most mistakes were the Misdelivery of Media assets (Documents) while Misconfiguration accounted for less than 10% of breaches.  This year, however, Misconfiguration and Misdelivery have converged. 

    The rise of the Misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls. Many security researchers made a name for themselves by finding these exposed databases on the internet. Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), these errors persist.

    These days Misdelivery data breaches are frequently electronic in nature and consist of email going to the wrong recipients, although physical Documents do remain a problem to some degree. 

    The data types involved in these breaches are still overwhelmingly of the Personal variety. Medical and Banking information are occasionally involved, but they are not the norm. The data tends to be from customers, and it is also the customers who are notifying the breached organizations in a high number of cases. However, Security researchers are still the stars of this Discovery show (although their percentage is down from last year). 

Denial of Service


    8,456 incidents, 4 with confirmed data disclosure

    Threat actors  

    External (100%) (incidents)

    What is the same?  

    Denial of Service continues to be one of the most common types of cybersecurity incidents.


    While these attacks are a nuisance impacting a large range of organizations, some organizations face these attacks on a regular basis which may potentially impact their business function.


    Heavy traffic ahead

    Welcome to the Denial of Service pattern—one that is perhaps all too familiar to many of you, as it continues to be the top type of incident in our dataset. This pattern consists of those annoying attacks where botnets or compromised servers are leveraged in order to send junk data to target computers with the hopes of denying that service by creating a “traffic jam in the pipes.” 

    These types of irksome incidents aren’t isolated to any one industry. As Figure 63 demonstrates there are a wide range of companies from Information Services, Professional Services, Manufacturing and Government (which happens to cover many of the industries we write about). 

    However, while they may be ubiquitous within industries, it does not mean that organizations in these industries are perpetually bombarded with DoS attacks. We found that the median Denial of Service attack lasted less than four hours (Figure 65) and that the vast majority of organizations that are monitored for these attacks experience less than 10 attacks a year. If, on the other hand, you’re one of those unlucky 1% of companies that experience over 1,000 DDoS attacks a year, you’re already aware of this and most likely have a service to help you manage the traffic. 

  • My, how big your DDoS have gotten

    We first became acquainted with DDoS in the 2013 DBIR and it has since become a regular topic of discussion. It is interesting to look back and see how things have changed over the years. For 2013 era DDoS, the median attack was clocking in around 422 Mbps, with a very small number hitting the 100Gbps mark. By 2016, the median value was 1.1 Gbps (doubling from three years prior) and today the median is around 1.3 Gbps.

    We can also see how DDoS has become narrowly centered. From 2013, through 2016, and on to 2021, DDoS has become tightly clustered around the median. We speculate21 that back in 2013, DDoS attacks were ad hoc, whereas today’s DDoS infrastructure is far more formalized and repeatable.

Lost and Stolen Assets


    885 incidents, 81 with confirmed data disclosure

    Threat actors  

    Internal (94%), External (6%) (all incidents)

    Actor motives  

    Financial (98%), Ideology (2%) (incidents)

    Actor motives  

    Personal (77%), Medical (43%), Other (15%), Bank (9%) (incidents)

    What is the same?  

    The type of data affected by these incidents is the same (almost exactly) as last year. External actors typically perpetrate the thefts, while employees are responsible for losing track of their assets.


    Most of the cases in this pattern are classified as “incidents” rather than “breaches, because the nature of the devices stolen makes it difficult to confirm data access. The prevalence of theft in this pattern is driven by the Financial motive—we believe many of the perpetrators of theft are committing the crime with the intention of an immediate payoff by selling the stolen asset.


    Losing it

    In last year’s report, we mentioned that for security incidents (not confirmed breaches), assets were far more likely to be lost by employees than stolen by someone who does not work for the organization. However, when looking at breaches, we see the opposite is true. 

    Stolen assets are more likely to be the causes of cases where we can confirm that data compromise occurred. Still, this is a pattern where most (approximately 90%) of the cases are classified as “security incidents” rather than “breaches,” because confirming that the data was compromised is difficult based on the assets stolen. 

    We found it interesting that, despite the pandemic and the resulting lessening of travel, the Lost and Stolen Assets remained a common pattern in our dataset. It shows that if you entrust portable devices to employees, a certain percentage of them will either misplace their devices or leave them somewhere that they are vulnerable to theft. Leaving items in personal vehicles is a recurring theme in the data. People may just do it closer to home than before.

    Figure 69 shows the devices most often lost or stolen. User devices (including desktops, laptops and mobile phones) are most frequently the type of item that is either lost or stolen. However, Documents still account for a good percentage of these breaches. This occurs most often in the Public Administration and Healthcare industries, which goes some way towards explaining the prevalence of Medical data compromised in these incidents. The government (of almost any country) administers large programs that manage health related data, as of course, do the members of the Healthcare industry. Industries that handle Protected Health Information (PHI) tend to have higher regulatory requirements for reporting breaches, and therefore we have better visibility into these events as well.

  • Organic free range data

    Mobile data is something that appears only sparingly in our data, which seems ironic considering who we are. Unfortunately (or fortunately), mobile phones hover around 1% or less in our breach dataset with the associated causes being somewhat random. This is likely due to bias in the data; when a phone is used to phish creds, it’s likely the email server that gets reported, not the device used to access it. When we see breaches involving malware on mobile phones, it is not uncommon for the malware to be there to collect data. And if that’s your goal, it helps to be quiet and not get caught, especially considering the difficulty it takes to get on the devices in the first place. 

    However, when we look at sensor data, we get a clearer view of the role mobile plays in the security ecosystem. Figure 70 gives an idea of the threats that mobile phones see. 

    Only 42% of devices avoided blocking access to any URL while 84% of devices avoided an unwanted app. However that means the other 58% of devices had at least one malicious URL clicked and 16% of devices had at least one malware or riskware app installed. While that may not sound like a lot, a quick look at your Mobile Device Management console (or a company headcount) will tell you those numbers can add up rapidly.

    And it’s not just texts tempting the telephonic users. Phone honeypot data reveals that 5% of honeypots get at least one call a day, and we’re about 90% sure the honeypots don’t need to refinance their student loans or even own a car with an extended warranty (they prefer leasing). Figure 71 gives an idea about the content of those calls. About a third of them have little to no audio or are silent which sounds to us like vishing (voice phishing) for live numbers. 

    Another 29% are known scams (with 7% of the 29% known to be targeting businesses specifically) and the rest being other stuff or simply unknown.

    Thankfully it’s not as if the targeting of mobile devices is a big surprise to the security community. Sandboxed OSs and high prices for vulnerabilities suggests mobile security inherited a lot of hard-fought lessons learned from personal computers (PC ) and so security has been incorporated into mobile devices from the get-go.

    We point out in the Social Engineering pattern that 82% of breaches involve the human element; something the silicon isn’t going to be mitigating. Eighteen percent of clicked phishing emails come from a mobile device. Admittedly, we can’t say if more or less folks click on mobile vs PC since no-one’s phone is narc’ing on them. Still, since almost a fifth of phishing successes came from mobile devices, that should be good enough confirmation that it needs to be within your security estate.

  • Part of the problem is trying to get users to improve their security behavior. One such approach is providing access to key security information and knowledge quizzes within reach of their thumbs in the form of a mobile app. For one such security dashboard app, 66% of users who accepted the terms and conditions, never interacted with the dashboard. Of those that did, 99% interacted more than once, but as you can see in Figure 72, the median interaction time was 15 seconds. Still, about half of folks came back after minutes, hours, or even months.

    Making information available to the user about their specific security risks is the first step in the journey to changing behavior. The next is helping the user envision the impact of those risks on themselves. Finally, you need to give users the means to improve, which is where training comes in.24 It may feel like throwing spaghetti at the wall to see what sticks, but sometimes that’s what is required to make it better.

Privilege Misuse


    275 incidents, 216 with confirmed data disclosure

    Threat actors  

    Internal (100%), External (4%), Multiple (4%) (breaches)

    Actor motives  

    Financial (78%), Grudge (9%), Espionage (8%), Convenience (6%) (breaches)

    What is the same?  

    Most of the incidents in this pattern result in successful data breaches. These actors are still motivated by greed (financial gain), and are stealing Personal data because it is easy to monetize.


    This pattern is almost entirely insiders using their access maliciously to cause breaches. While Financial is still the leading motive, Espionage, Convenience and just plain Grudges are still represented. Personal data remains the most common data type for these breaches, but Medical data continues to be sought.

  • The Best Laid Plans of Mice and Men

    We get it. You’ve honed your hiring processes to a fine edge. You’re well prepared to ensure that you onboard only the most qualified people to join your organization. And yet, things somehow go wrong despite your best efforts. Privilege Misuse is the pattern where people use the legitimate access granted to them as employees to steal data. They use the legitimate access granted to them as employees to steal data. Often, they act alone, but they sometimes act in concert with others. Either way, you have a data breach and must deal with the fallout.

  • It's Not That Easy

    Far and away the most common Action in this pattern is Privilege abuse. However, Data mishandling also shows up, albeit to a much lesser degree, and is typically associated with the motive of Convenience. Sometimes people do unsafe things to get around a security control designed to protect the data from exposure. While some controls may make it harder for people to get their jobs done, it is important to pair these controls with education to at least let people know the “why” behind the process. Regardless, offering a less laborious process that remains secure would be something to consider if your organization repeatedly suffers this kind of event. 

    In this pattern the threat actor already has access to perform their day-to-day duties, therefore, we do not see Credentials as the data type affected. Instead, Personal data (whether of customers, employees, or even partners) is of the highest interest to those looking to capitalize on their access. 

    Medical data is still taken in 22% of breaches in this pattern. When you realize that the most common industry represented in this pattern is Healthcare, that makes sense. In fact, Healthcare has had an ongoing problem with internal actors accessing their data without a valid reason for a long time. And while it is no longer in the top tier of the patterns in Healthcare, it should not be discounted as a solved problem.

  • 21 Read “guess”

    22 Well, not sounds sounds. Well… You get the picture.

    23 Yes, we spelled out ‘PC’. Look, we both know what a PC is, but the kids these days, with their mobile phones and metaverses. Who knows?! 

    24 And if you’re wondering about how, check out the “Changing Behavior” Appendix!

Let's get started.