IoT devices were also hijacked to launch distributed denial-of-service attacks against web applications.
A cybersecurity services firm has flagged 2023 as a year in which its user base saw more attackers exploiting ‘web application vulnerabilities and misconfigurations’ to extract valuable data.
Adding to observations made by the Open Worldwide Application Security Project, the firm has taken a deep dive into the trends.
Web applications are computer programs accessed via web browsers. They include productivity tools such as Microsoft 365, Google Docs and Gmail, whose rich automation and productivity features make them a prime target for cyberattackers. When vulnerabilities or misconfigurations are not addressed, these web applications become a minefield of cyber risk.
More about the 2023 cyber trends
Based on user base metrics, the following data reveal the above trend:
- Most attacks on web applications in the user base targeted security misconfigurations such as coding and implementation errors (30%) or used code injection (21%), in which an attacker supplies a malicious block of code that the web app then interprets or executes. Related injection attacks such as SQL injection and LDAP injection are also common.
- The software supply chain for critical apps (including web apps) can itself carry vulnerabilities, as the Log4Shell vulnerability in the widely used Apache Log4j logging library demonstrated.
- Bot attacks on web apps were also commonly detected in the 2023 user base, with 53% of them used for volumetric Distributed Denial-of-Service attacks. These attacks used hijacked IoT devices and relied on brute force: flooding the target with data packets to exhaust bandwidth and resources. Such attacks were also used as cover for a more serious, targeted attack against the network.
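To show concretely what the code injection and SQL injection figures above refer to, here is an added example that is not part of this article or the Barracuda report. It stands in for a web app's user lookup with a constructed in-memory SQLite table (the `users` table, its rows and the two payloads are all assumptions for illustration), and puts the vulnerable string-concatenation query beside the parameterized form that closes the hole.

```python
import sqlite3


def make_db():
    """Build a constructed stand-in for a web app's user store.

    Assumption for this example: a single `users` table with a username and a role.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: untrusted input is spliced into the SQL text.

    The database parses whatever the attacker typed as part of the statement,
    so a quote character ends the string literal and the rest becomes SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the statement shape is fixed and the value is bound separately.

    Quotes, comment markers and keywords inside `username` can only ever be
    data, never syntax, so the same payloads return nothing.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs (not from the article):
# 1. a tautology that makes the WHERE clause match every row
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
# 2. a payload that rewrites the filter to pick the admin account and
#    comments out the trailing quote the application appends
ADMIN_PAYLOAD = "' OR role='admin' --"


def demo():
    """Run both lookups against both payloads and return the row counts seen."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "vulnerable_admin": lookup_vulnerable(conn, ADMIN_PAYLOAD),
        "parameterized_tautology": len(lookup_parameterized(conn, TAUTOLOGY_PAYLOAD)),
        "parameterized_admin": lookup_parameterized(conn, ADMIN_PAYLOAD),
        "parameterized_legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable lookup hands the attacker the whole table for the first payload and the admin row for the second; the parameterized lookup returns an empty result for both while still finding a legitimate user. The same principle (keep the statement fixed, bind data separately) is what LDAP and other interpreter-facing APIs offer through escaping or structured query builders.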
According to Tushar Richabadas, Principal Product Manager (Application Security) at Barracuda, the firm sharing its 2023 user base findings: “Web applications and application programming interfaces are lucrative attack vectors for cybercriminals”, and they are coming under increasing attack in the firm's user base.
Richabadas noted that attackers will often target old vulnerabilities that security teams have forgotten about, and try to breach an overlooked, unpatched application in order to then spread into the network.