Web applications and APIs are popular targets for hackers, as they make use of flaws and misconfigurations to extract valuable data.
Verizon's Data Breach Investigation Report (DBIR) found that web apps were used in 80% of security incidents and 60% of breaches in 2023, and now a report from Barracuda claims to have dealt with 18 billion attacks on web apps last year, with over a billion in December alone.
It claims that many carry vulnerabilities or configuration errors, and since they often contain confidential information to businesses, such as personal and financial data, they make for prime attack targets.
Popular targets
Barracuda also found that 40% of IT professionals believe attacks on web apps to be one of the most lucrative for cybercriminals, while 55% thought the same of attacks on APIs.
Web applications include popular productivity tools such as Google Workspace and Microsoft 365, which allow users to work and collaborate on documents from anywhere via their web browser alone.
Barracuda found that most attacks on web applications targeted security misconfigurations (30%). The second most popular attack type was code injections (21%). These include not just SQL injections, but also Log4Shell and LDAP injections. The latter is used in privilege management, such as supporting Single Sign-On (SSO) for applications.
Bot attacks on web apps were also popular last year, with most (53%) being used for volumetric Distributed Denial of Service (DDoS) attacks. These are attacks that make use of IoT devices, and "flood the target with data packets to use up bandwidth and resources." Barracuda points out that "such attacks can be used as a cover for a more serious and targeted attack against the network."
As for vulnerabilities in web apps, Barracuda believes that the ProxyShell flaws originating from 2021 are still being exploited frequently, leading to high-value breaches and even ransomware.
Barracuda claims that "attackers will often target old vulnerabilities that security teams have forgotten about," and that "multiple layers" of security are needed to secure web apps and APIs.
