Basic Web Application Attacks

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.


While representing approximately one-fourth of our dataset, these breaches and incidents tend to be largely driven by attacks against credentials, with the attackers then leveraging those stolen credentials to access a variety of different resources.

What is the same?

Poorly picked and protected passwords continue to be one of the major sources of breaches within this pattern.



1,404 incidents, 1,315 with confirmed data disclosure

Threat actors


External (100%), Internal (1%), Multiple (1%) (breaches)

Actor motives


Financial (95%), Espionage (4%), Fun (1%) (breaches)

Data compromised


Credentials (86%), Personal (72%), Internal (41%), Other (19%) (breaches)

Who dunnit?

While it may liven up our humdrum existence to imagine the threat actors behind breaches as characters from a game of Clue (the cyber version),37 it is more likely to have been an average Jane Doe using stolen credentials or some well-known vulnerability.

This pattern, which accounts for 25% of our breaches, consists largely of leveraging stolen credentials and vulnerabilities to get access to an organizations’ assets. With this beachhead, the attackers can then do a variety of things, such as stealing key information hiding in emails or taking code from repositories. While these attacks aren’t complicated, they certainly are effective and have remained a relatively stable part of our dataset, which prompts us to discuss once again (drum roll, please), the importance of multifactor authentication (MFA) and patch management!38

Relevant ATT&CK techniques

Brute Force: T1110
      – Credential Stuffing: T1110.004
      – Password Cracking: T1110.002
      – Password Guessing: T1110.001
      – Password Spraying: T1110.003

Compromise Accounts: T1586
      – Email Accounts: T1586.002

Exploit Public-Facing Application: T1190

External Remote Services: T1133

Valid Accounts: T1078
      – Default Accounts: T1078.001
      – Domain Accounts: T1078.002

Use Alternate Authentication Material: T1550
      – Application Access Token: T1550.001

Active Scanning: T1595
      – Vulnerability Scanning: T1595.002

2023 Data Breach Investigations Report

Initial access

86% of the breaches, as you can see in Figure 39, involve the Use of stolen credentials. And where better to use those credentials than against the various web servers that contain our sensitive information? The other major part of the puzzle within this pattern is the use of exploits. This is where attackers have an exploit and the victims just happen to have a vulnerability (handy for the criminal). This typically occurs in only about 10% of the dataset, and while that may sound like an insignificant number of breaches, unpatched vulnerabilities are still the bread and butter for many attackers, with 50% of organizations experiencing over 39 Web application attacks this year.39

Breach escalation

Even though we refer to these attacks as “basic,” they’re not simply “one and done” incidents where credentials are leveraged against a web application and the attacker then goes on their merry way. There is often some sort of middle step (Figure 40). For instance, malware is frequently one of the primary means of maintaining persistence (look at us, using them fancy ATT&CK terms), with Backdoor or C2 in about 2% of the incidents. In other cases, the attackers will leverage their current access to conduct additional attacks.

2023 Data Breach Investigations Report


With regard to impact, we commonly see that after Web applications, Mail servers are one of the preferred targets for attackers. This makes sense, because hidden away in our inboxes among the hundreds of unread emails40 there are often key internal documents (41% of breaches involve mail servers) or, sadly, credentials to some other system. The findings for this pattern show that attackers can access Internal data (41%), Medical data (6%) and even Banking data (6%) using simple inbox mining tactics (again, reminding us of the importance of good email and server hygiene).

You can’t eat just one.

One thing you probably don’t hear often is someone saying, “If I only had more usernames and passwords to remember.” Credentials are as ubiquitous as sand in the desert and almost as hard to hold onto. Threat actors seem to have a plentiful supply as well. However, what is missing in our data, and we try to be explicit when it comes to biases and limitations, is that we don’t necessarily know where all these credentials are coming from. But we here on the DBIR team love a good mystery. Did the butler do it? Are aliens real? What about the Yeti? Ghosts? People with strong work ethics? Alas, we will probably never know. We may also never know where the criminals obtained the credentials in the first place. We might have a good idea in terms of the different ways that one would be capable of getting credentials, such as buying them from password stealers who are nabbing them through social engineering or even spraying them in a brute force attack. What we don’t have is the exact breakdown of how many of our breaches and incidents are caused by each. As the old adage goes “What we know is a drop; what we don’t know is an ocean.”

It’s not all bad news, however. Even though there are many ways to steal credentials, we have many ways to protect them as well. One of the best ways (stop me if you have heard this one before) is the use of MFA. Before you recline in your chair and “Well, ACKtually …” us, we do realize there are limitations to some MFA implementations. As you’re undoubtably aware, some very high profile breaches this year demonstrated some of those shortcomings. In some cases, criminals used social engineering to convince users to accept the authentication attempts. In other instances, they stole the session cookie and used it to masquerade as the user. Of course, some MFA bypasses weren’t really bypassing MFA because some of the services weren’t properly configured to ONLY use MFA. As mentioned above, what we can’t really tell you at this time is how much there were of each, as we need to both update our standard VERIS and collect the data. While this would be an awesome opportunity for us to finally settle the score and discuss which MFA is better and which bypasses are leveraged the most, we will have to keep this placeholder for another year.

As the Nation’s Cyber Defense Agency, the Cybersecurity and Infrastructure Security Agency (CISA) sees how our nation’s adversaries operate and what tools they use. While some of these adversaries use advanced tools and techniques, most take advantage of unpatched vulnerabilities, poor cyber hygiene or the failure of organizations to implement critical technologies like MFA. Sadly, too few organizations learn how valuable MFA is until they experience a breach.

Since joining CISA, I’ve made it a priority to raise MFA awareness across all sectors to better protect our nation’s critical infrastructure. Importantly, we need more and better data to understand the scope of, and solutions to, the threats we face in cyber, and we’ve called on our industry partners to provide radical transparency to allow our defenders to better see, understand and ultimately protect our citizens, customers and companies. In particular, it’s critical that “high-value targets” like system administrators and Software as a Service (SaaS) staff use phishing-resistant MFA.

But more and better information is just the beginning.

Working collaboratively, I look forward to seeing what we can do to together to make our nation more resilient, more secure, and to show measurable progress … including in next year’s Verizon Data Breach Investigations Report.

CIS Controls for consideration

Mitigating against stolen credentials by protecting accounts

Account Management [5]
      – Establish and Maintain an Inventory of Accounts [5.1]
      – Disable Dormant Accounts [5.3]

Access Control Management [6]
      – Establish an Access Granting Process [6.1]
      – Establish an Access Revoking Process [6.2]
      – Require MFA for Externally- Exposed Applications [6.3]
      – Require MFA for Remote Network Access [6.4]

Mitigating against vulnerability exploitation

Continuous Vulnerability Management [7]
      – Establish and Maintain a Vulnerability Management Process [7.1]
      – Establish and Maintain a Remediation Process [7.2]
      – Perform Automated Operating System Patch Management [7.3]
      – Perform Automated Application Patch Management [7.4]

If you happen to be interested in how we updated VERIS to capture attacks that bypass MFA, look no further than the list below:

  1. Added a new Action to indicate the take-over of a secondary authentication mechanism (hijack)
  2. Added a new data variety— Multifactor credential—to indicate whether the other factors, aside from credentials, were captured
  3. Added the social variety of Prompt Bombing41 for those attacks that target sending annoying levels of authentication requests to users

Hopefully, the combination of our existing enumerations, along with these new ones, will capture the majority of the cases we encounter. If not, we will re-examine our enumerations with the next version of VERIS.

37 Was the breach caused by the mysterious Spiderlady via a complicated zero day on an internet-facing server? Or was it perpetrated by the Sophisticated Panda using drones inside a Kubernetes cluster?

38 Yes, it is the “Groundhog Day” of InfoSec topics. I bet you can find it in our past reports!

39 One of the advantages to running these types of attacks is that the server never tires, never sleeps, it just throws exploits at everyone continually, night and day—unlike your humble cybersecurity analyst who needs at least four coffees a day and nine hours of sleep.

40 Sorry, Grandma.

41 This sounds like what you would call someone who photobombs people in a timely manner, doesn’t it?

Let's get started.