Abstract

In this modern age of the Internet, technology and websites have become more popular and more complex at the same time. These sites provide many benefits, but they also bring risk to business, brand and data. The main aim of this paper is to analyze web attacks in past years that have compromised web sites, their data or their users. This paper includes an analysis of web attacks drawn from the Web Hacking Incident Database (WHID) and other information security and news websites. The top web attacks have been identified, and the top categories of attacked web applications are analyzed. But with technological evolution comes the progress of cybercrime, which develops new attack types, tools and techniques that allow attackers to penetrate more complex or well-controlled environments, produce increased damage and even remain untraceable.

Introduction

Over the past few years it has been a trend in information security that web applications are under attack. Every day there are new reports of cyberattacks on leading web sites. Because of the many vulnerabilities existing in web applications, they have become a very soft target for attackers, so the best method to stop these activities is secure web development and writing secure code. However, this is not easy. Moreover, in this modern age 100% security is not possible, but we can protect our websites as much as we can. It also takes a lot of time and requires highly skilled people, which is not always possible for a small-sized organization. In other words, security is required for each web application, but the level of security may vary from organization to organization. To provide security, first we need to know what should be secured and why. The objective of the paper is to find the trend of attacks on web applications and the targets of attackers, in order to know which weaknesses are common in web applications and, using that, to try to find the best solution. This paper analyses the top web attacks on different web categories.

Research methodology

To analyze the web attacks we collected data mainly from the WHID (Web Hacking Incident Database) and also from other hacking news websites such as hacknews.com and abcnews.go.com. WHID is a consortium project which maintains a list of security incidents; its goal is to raise awareness of web attacks and to give new ways of providing security to websites. It also gives a statistical analysis of web attacks.

Discussion

In this paper our focus will be on these four questions:

1. What are the major attacks occurring on the web in recent years?
2. What type of web sites attracts the most attackers?
3. What types of attacks are common on the major categories of web applications like finance, education, government etc.?
4. Do all web categories observe the same types of attacks and need the same security level?

Literature review

Nowadays a social network is the mapping and measuring of relationships and flows between individuals, groups, organizations, computers, websites, and other information/knowledge processing entities. Cyber-attacks have become more common against both companies of all sizes and single individuals, yet little is universally known about cyber-crime.

One website security statistics report by WhiteHat depicts that 86% of the websites they tested had at least one serious vulnerability, and the average per website was 16.7.

So if we need secure web development we should follow the steps of the software development life cycle, whose many phases include analysis, design, coding, implementation and testing. When a web site passes through all of these phases it becomes very secure, but implementing security this way takes much more time and is also very costly, so not all clients can afford it. Some organizations may develop their websites this way, and those sites will become very secure with a very low chance of attack. As already stated, 100% security is not possible in this Internet world; security is required for each web application, but the level of security may vary from organization to organization and with the type of web application.

Web attacks analysis

We collected data from 2012 to 2015 on the basis of web attacks, i.e. how many times each attack occurred in each year.

Attacks                  2012   2013   2014   2015
SQLI                      352    185    112     71
DDOS                      151    178     85     30
XSS                        68     34     60      2
A/C Hijacking              30    106     88     34
Defacement                 74    120    135     57
Unauthorized access        10     14    112      1
Directory traversal         0     13      2      1
Phishing                    9      2     74      0
POS/Malware                11     29      4     31
BRUTEFORCE                  0      4      5      0
Code injection              0      1     15      0
DNS Hijacking               6     29      2      5
Server vulnerabilities      1      0    129      0
Others                     97    132    183     35
Unknown                   265    208    188     68
Total                    1074   1045    853    335

SQLI

SQL injection is basically a code injection technique that attacks the database behind the web application; it happens because of vulnerabilities that exist in the database layer.

DDOS

A DDoS attack overloads the system: basically it pushes the number of visitors on the website at one time past its limit, and through this the attackers bring down the server.

XSS

This is cross site scripting: malicious code is injected into trusted websites, so that when the user opens them the code executes. It will attack the server.

Account hijacking

In this, the user's account is hijacked by the attacker for unauthorized activities. This is carried out by phishing: fake emails are sent to users, and when the users click on them their accounts are hacked.

Defacement

It changes the visual appearance of a website, including its full interface: the attackers break into the server and replace the original website with a fake one, which compromises the system.

Unauthorized access

This is when someone gains access to other people's websites, programs or accounts by an illegitimate method.

Directory traversal

It allows attackers to access restricted files; by this they can find a valid email address by brute force.

Phishing

It allows attackers to steal all the personal data of the user, such as username, passwords and credit card details, by sending malicious code to the user.

Malware

It is malicious software which is used by cybercriminals to attack the point of sale (POS). It is basically disguised as antivirus software: when the user installs the fake one it steals all the information in the computer and attacks the server as well.

DNS Hijacking

In this the attacker redirects the domain name server (DNS). When an attacker controls the DNS, they can direct other users to a copy of the same web page that carries extra content, like advertisements.

Server vulnerabilities

This includes all the web attacks like SQLI, XSS and information leakage: basically all the causes that are responsible for vulnerabilities in the server and through which the server is hacked.

Web application categories

This list includes the web application attacks on the basis of web categories.

Web application categories   2012   2013   2014   2015   Total
Finance                        47     98     33     22     200
Government                    248    197    197     67     827
News                           38     23     23     20     150
Education                      78     56     56     22     229
Software/video games           40     47     47     23     169
Health                          9     31     31     18      57
Ecommerce                      31     28     28     15      94
Social networking              69     44     44      5     195
Tourism                         4      8      8      7      23
On-line entertainment          31      9      9     10      67

So we can clearly see that government sites lead in every type of attack.
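As an added example that is not part of the original paper, the following Python script transcribes the two tables above (attack counts per year, and counts per web category), recomputes their totals and reports the years and categories whose printed totals do not match the row or column sums, then ranks attack types and web categories by their four-year counts. It assumes nothing beyond the numbers as printed above.

```python
YEARS = (2012, 2013, 2014, 2015)

# Attack type -> counts for 2012..2015, transcribed from the first table above.
ATTACKS = {
    "SQLI": (352, 185, 112, 71), "DDOS": (151, 178, 85, 30),
    "XSS": (68, 34, 60, 2), "A/C Hijacking": (30, 106, 88, 34),
    "Defacement": (74, 120, 135, 57), "Unauthorized access": (10, 14, 112, 1),
    "Directory traversal": (0, 13, 2, 1), "Phishing": (9, 2, 74, 0),
    "POS/Malware": (11, 29, 4, 31), "BRUTEFORCE": (0, 4, 5, 0),
    "Code injection": (0, 1, 15, 0), "DNS Hijacking": (6, 29, 2, 5),
    "Server vulnerabilities": (1, 0, 129, 0), "Others": (97, 132, 183, 35),
    "Unknown": (265, 208, 188, 68),
}
ATTACK_TOTALS = (1074, 1045, 853, 335)  # the printed "Total" row

# Web category -> counts for 2012..2015 plus the printed "Total" column.
CATEGORIES = {
    "Finance": (47, 98, 33, 22, 200), "Government": (248, 197, 197, 67, 827),
    "News": (38, 23, 23, 20, 150), "Education": (78, 56, 56, 22, 229),
    "Software/video games": (40, 47, 47, 23, 169), "Health": (9, 31, 31, 18, 57),
    "Ecommerce": (31, 28, 28, 15, 94), "Social networking": (69, 44, 44, 5, 195),
    "Tourism": (4, 8, 8, 7, 23), "On-line entertainment": (31, 9, 9, 10, 67),
}

def column_sums(table):
    """Sum each year column over all rows, ignoring any per-row total column."""
    return tuple(sum(row[i] for row in table.values()) for i in range(len(YEARS)))

def mismatched_years():
    """Years whose recomputed attack total differs from the printed Total row."""
    return tuple(y for y, got, printed in zip(YEARS, column_sums(ATTACKS), ATTACK_TOTALS)
                 if got != printed)

def mismatched_category_totals():
    """Categories whose printed Total differs from the sum of their four years."""
    return tuple(k for k, v in CATEGORIES.items() if sum(v[:4]) != v[4])

def ranked(table, skip=("Others", "Unknown")):
    """Row names ordered by four-year sum, most frequent first, catch-all rows excluded."""
    sums = {k: sum(v[:4]) for k, v in table.items() if k not in skip}
    return sorted(sums, key=sums.get, reverse=True)

if __name__ == "__main__":
    print("recomputed attack totals:", column_sums(ATTACKS), "printed:", ATTACK_TOTALS)
    print("years whose Total row does not add up:", mismatched_years())
    print("categories whose Total column does not add up:", mismatched_category_totals())
    print("top attack types:", ranked(ATTACKS)[:3], "top categories:", ranked(CATEGORIES)[:3])
```

Where a printed total disagrees with the values it is supposed to sum, the row values and the total cannot both be right, so the check is worth running before quoting either.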

Conclusion

So the basic purpose of this paper is to present an empirical analysis of web attacks. In this modern age of technology we cannot secure a website 100%, but this analysis may help web developers to notice which categories of web sites are usually under attack, give attention to those, and build websites through the proper phases of the software development life cycle (SDLC), which also minimizes the risk of a web hack.

References

· Web Services Attacks and Security - A Systematic Literature Review
· Web-Hacking-Incident-Database
· Cyber-Attacks – Trends, Patterns and Security Countermeasures
· Wikipedia The Free Encyclopedia
· http://shodh.inflibnet.ac.in/bitstream/123456789/336/3/03_literature%20review.pdf
· Application Vulnerability Trends Report