Most common attacks on web applications

2013-03-06 00:00:00 +0000

This page contains most currently known quantitative data sets on web application attack methods, collected as result (and as an addendum) to a discussion on new OWASP Top 10 in early 2013. Note that these data sets are sometimes of very different nature and often cannot be directly compared. Nonetheless, I strongly believe in most cases they give a pretty good picture on how are applications attacked in real life.

Web Hacking Incident Database (WHID)

Based on ~1300 hacking or data breach reports published in the news since 2000, updated manually. Some reports cover multiple compromised servers (up to 90'000 at once), but each such campaign is counted as one incident here.
Attack methodPercentage
Denial of Service25%
SQL Injection24%
Cross Site Scripting (XSS)8.9%
Brute Force4.8%
Predictable Resource Location 3.8%
Stolen Credentials 3.7%
Unintentional Information Disclosure 3%
Banking Trojan 2.8%
Credential/Session Prediction 2.1%
Cross Site Request Forgery (CSRF) 1.9%
Full data (CSV): WHID attack methods count, WHID attack methods percents. Tables at Google: Web-Hacking-Incident-Database. Project page:


TrustWave 2013 Global Security Report. Based on 450 data breach investigations, below data taken from table "Method of entry", page 13.
Attack methodPercentage
Remote access47%
SQL injection26%
Client-side attack2%
Remote file inclusion2%
Remote code execution3%
Authorization flaw1%
Physical theft1%
Full data (CSV): TrustWave attack methods count, TrustWave attack methods percents

Attack methodPercentage
E107 CMS arbitrary code execution0.92%
OSCommerce arbitrary file inclusion1.4%
SQL injection (SQLi)1.77%
Remote File Inclusion (RFI)2.58%
PHP-CGI attack7.99%
Local File Inclusion (LFI)25.93%
Timthumb WordPress plugin PHP code injection59.41% </table> Source: The Life Cycle of Web Server Botnet Recruitment, 2013 </section>


Data on attempted attacks on websites detected by Imperva.
Attack methodPercentage
Cross-Site Scripting37.1%
Remote access47%
Directory Traversal21.8%
SQL injection14%
Local File Inclusion10.3%
Remote File Inclusion6%
Comment Spam5.8%
Email Extraction5.1%
Source: Web Application Attack Report Edition #2.


Based on defacement reports published by Zone-H. Covers over 90'000 incidents over three months from Dec 2012 till Feb 2013. The ranking is based on unpublished data which I received courtesy of Zone-H.
Attack methodPercentage
File Inclusion53.5%
SQL Injection10.1%
known vulnerability (i.e. unpatched system)6.8%
Other Web Application bug4.9%
undisclosed (new) vulnerability3.9%
Other Server intrusion3.7%
configuration / admin. mistake2.3%
URL Poisoning2.2%
Web Server intrusion2.1% </table> Source: zoneh.meth.perc.csv, zoneh.meth.rank.csv. </section>