Web-based Attacks & Best Practices

Learn about web-based attacks and best protection practices.

According to Accenture’s Annual Cost of Cybercrime Study, web-based attacks are among the top reasons businesses lose revenue. Not only is it essential to recognize that cybercrime is increasing and becoming more sophisticated each year, but it’s also vital to understand the risks of cyber threats within your organization’s environments.

Web-based attacks are one of the top threats facing SMBs. We’re sharing more details on these types of cyberattacks and recommendations to protect against them.




We are all familiar with web application programs – email, social media platforms, and any e-commerce websites in today’s digital age. We utilize these types of applications daily without needing to install them locally on your computer. Any website that includes requests for data – such as login credentials – is a web application; it extracts your data input and reflects them onto the user interface.


Web-based attacks focus on using an internet browser and a business’s website as an attack launchpad to start criminal acts, such as stealing customer data and financial records by injecting malicious code or compromising the website to infect visitors. A few examples of web-based attacks include:

  • Cross-scripting (XSS): A threat actor uploads a piece of malicious script code onto a company’s website to swipe data or perform other unauthorized activities. While this strategy is relatively unsophisticated, it remains quite common. Such an attack can damage a brand.
  • Drive-by downloads: A cyber attacker looks for unsecured websites and inserts malicious coding into HTTP or PHP code on one webpage. The malicious script might install malware on a web visitor or direct them to an external website controlled by the hacker. Unlike other cyberattacks, drive-by attacks don’t require digital action by a user, such as clicking on a download button. These types of attacks are a result of unsuccessful application updates or lack of updates.
  • SQL-injection (SQLi): Another relatively simple attack in which a hacker submits destructive code into a field or fields on a web submission form. Suppose a business’s systems fail to sanitize this information. In that case, the exploit can review sensitive database data, modify the data, execute administration operations (such as shutdown), recover data files, and, in some cases, issue commands to the operating system.


In February 2018, personal details (usernames, emails, and hashed passwords) of nearly 150 million Under Armour’s MyFitnessPal app users became compromised in one of the biggest hacks in history. While the stolen customer details may not seem of high-value, email address databases are incredibly beneficial to cybercriminals. As a result, email addresses can be sold on the dark web and used by mass spammers.

Under Armour discovered the breach on March 25, and the apps’ users were informed four days later. Following the disclosure of the breach, Under Armour’s shares dropped almost 4% in after-hours trade. Not only did Under Armour take a stock hit, but they also endured the cost of the stolen data. The average price for each lost or stolen record containing confidential information averages $148.

Additionally, many businesses and individuals host their websites on WordPress. This year, hundreds of thousands of WordPress websites were targets in a large-scale cyberattack by exploiting known cross-site scripting (XSS) vulnerabilities. These vulnerabilities were within WordPress plugins and themes installed on users’ sites. The hackers’ goal was to gain access to login credentials and completely take over the sites.

Web-based attacks can happen to anyone at any time. These cyberattacks target businesses that host their websites on a platform such as WordPress, and even organizations with health application offerings like MyFitnessPal.


It’s critical to understand that web-based attacks start within a website’s code. Counteracting such code from rendering is a general security measure that businesses should be adopting. A good starting point for mitigating web-attacks within your network is inviting a security profession to audit your website’s code for possible gaps that hackers can exploit. Also, they can provide recommendations for the next steps.

The inevitable fate of web-based attacks can wreak havoc on an organization’s network in no time. The security protection solution includes investing in and engaging with the right trained professionals to assess your network and provide necessary recommendations. Check out our cybersecurity services to get started today.

Follow along in this series, where we’ll dive deeper into distributed denial of services (DDoS) attacks, real-world examples, and how to protect your organization best.