A Review of Cyber-Attacks on Web Applications and Their Countermeasures

Salaheddin Beskri
Kok Why Ng

Abstract

Leaders have always asked where and how Information Technology (IT) can add value to their organizations. However, the pace of technology development and the cutting-edge features that new technologies offer can push decision-makers to rush into technology upgrades without taking the associated risks into account. Those risks can threaten an organization's survival when an adversary exploits this underestimation and launches a cyberattack against the organization's IT assets. New vulnerabilities in IT assets, and in information systems in particular, are inevitable. This study analyses recent cyberattacks and their criticality, reviews the countermeasures that withstand them, and examines the key factors that lead development teams to neglect vulnerabilities in web applications. Drawing on industry reports and case studies, it provides researchers and organizations with a review of recent real-world cyberattack incidents. The results give practitioners and researchers a blueprint of current cybercrime and of how critical cybersecurity is, especially in the field of software engineering, regardless of the size of the development team.

Article Details

How to Cite
Beskri, S., & Ng, K. W. (2026). A Review of Cyber-Attacks on Web Applications and Their Countermeasures. Journal of Informatics and Web Engineering, 5(2), 290–316. https://doi.org/10.33093/jiwe.2026.5.2.18
Section
Regular issue
