It seems quite easy today to find statistics around which vulnerabilities exist on websites. Some companies performing automated scans make that kind of information available online, from data they collected from their scans.

The first thing one should notice about these statistics is that they describe vulnerabilities, not actually exploited threats: a flaw being present does not mean it is being exploited.
It is also important to note that automated scans have a reduced scope compared to manual tests: some types of flaws cannot be detected by automated tools. The statistics coming from these sources are therefore limited in scope and do not reflect the actual threat landscape.

Finding statistics around attacks (that is, actually exploited vulnerabilities) is a bit more complex. Some companies have however conducted studies and polls, or collected data that other companies were willing to share. Here are some of them.

The “Web Application Attack Report – WAAR”, 4th edition, produced by Imperva (1), gives us some interesting information. It was produced by observing 70 websites over a 6-month timeframe.

Findings:
– The retail industry suffers twice as many SQL injection attacks as other industries.
– While some websites receive 4 or more attack campaigns a month, some are constantly under attack (one of the observed websites was under attack for 176 days out of 180, i.e. 98% of the time).
– One of the websites observed during the analysis received 94 057 SQL injection attacks in a single day (26 attacks per minute).
– The United States retains its rank as the number one source of web attacks (the report does not tell us where the targets were located). China is the 2nd source, but once again, other reports say the opposite, placing China at #1.

The first finding can be compared with statistics provided by WhiteHat Security (2) the same year, showing the retail industry as having more security vulnerabilities than other industries.
Considering the volume of data handled by these retail web applications, as well as its sensitivity, the retail industry clearly appears to be a prime target for cyber attacks.

Other interesting findings from that report:
– The average number of days a website is under attack is 12 (over a 180-day observation period).
– Average attack duration: 5 min.

Second interesting report: “State of Software Security”, volume 5, by Veracode (3).
That report is more focused on vulnerability detection and does not tell us much about exploited vulnerabilities, but it makes an interesting link with the OWASP Top 10: only 13% of the websites are compliant with the OWASP Top 10.
It is important to note that the Top 10 lists the vulnerabilities that should be fixed as a priority, taking average potential business and technical impacts into consideration.

32% of the web applications tested are vulnerable to SQL injection attacks.
“So… what?” What does SQL injection mean in practice? The most frequent outcome of an SQL injection attack is data theft. For example, let’s take a quick look at the biggest known SQL injection attacks:

Gamigo, in July 2012:
11 million hashed passwords + 8.2 million email addresses stolen

LinkedIn, in June 2012:
6.6 million passwords stolen
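To make concrete what the “SQL injection” in the figures above refers to, here is an added example (not code from this post or from any of the reports it cites). It uses Python's built-in sqlite3 module and a constructed `users` table. The vulnerable lookup splices the caller-supplied value into the SQL text, so a value containing quote characters rewrites the WHERE clause and every row comes back; the hardened lookup binds the same value as a parameter, so the database treats it as data and nothing matches. The table, names and e-mail addresses are all constructed for the example.

```python
import sqlite3

# Constructed sample data (not taken from any of the cited reports).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable form: the untrusted value is spliced into the SQL text,
    so quote characters in it change the structure of the query."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: the value is passed as a bound parameter, so the
    database engine treats it as data only, never as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # a textbook tautology; the unsafe form parses it as SQL
    print("unsafe / benign :", lookup_user_unsafe(conn, benign))
    print("unsafe / hostile:", lookup_user_unsafe(conn, hostile))  # every row leaks
    print("safe   / benign :", lookup_user_safe(conn, benign))
    print("safe   / hostile:", lookup_user_safe(conn, hostile))    # no match at all
```

The fix is not input filtering but parameter binding: the query shape is fixed before any user data is seen, which is exactly why the hardened version returns an empty result for the hostile value instead of the whole table.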

Really interesting data is also made available by the WASC (Web Application Security Consortium) (4). Their WHID (Web Hacking Incident Database) gives the following statistics:

Top 10 web application attack outcomes:
1. Information Leakage
2. Downtime
3. Defacement
4. Planting of malware
5. Monetary loss
6. Disinformation
7. Disclosure only
8. Account takeover
9. Phishing
10. Worm

Top 10 attacked industry sectors:
1. Government
2. Web 2.0
3. Retail
4. Finance
5. Media
6. Entertainment
7. Technology
8. Education
9. Politics
10. Internet

Many other statistics can be extracted from the WHID; you’re invited to explore its real-time statistics tool.

Sources:
1. http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed4.pdf
2. https://www.whitehatsec.com/resource/stats.html
3. http://www.veracode.com/resources/state-of-software-security
4. http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database