Web Application Vulnerabilities: Situation Is Not Improving



    In recent years, large organizations are increasingly using a variety of web applications - official websites of companies and enterprise resource management systems (ERP), electronic trading platforms, remote banking systems, and government services portals. Enterprise applications based on specialized client software are increasingly being replaced by web versions and cloud services. Therefore, it is not surprising that the vulnerabilities of web applications are becoming one of the main vectors of attacks on corporate information systems. This article presents statistics on the most common vulnerabilities collected by Positive Technologies experts in the process of analyzing the security of web applications in 2014.

    Sources and methodology


    In total, over the year our experts analyzed about 300 web applications. Of these, 40 systems were identified for which an in-depth analysis was carried out with the most comprehensive coverage of inspections. The statistics included only data on external web applications available from the global Internet. Security assessment was carried out by the methods of black, gray and white box using auxiliary automated tools. The detected vulnerabilities were classified according to the corresponding threats according to the WASC TC v system. 2, the degree of vulnerability risk was assessed by CVSS v. 2. The statistics included only vulnerabilities associated with errors in the code and configuration of web applications.

    The studied web applications belonged to companies representing various industries: electronic commerce (30%), finance and banks (22%), industry (17%), information technology (15%) and telecommunications (13%); the study also involved one government agency.

    Most of the sampled web applications are based on PHP (58%) and ASP.NET (25%). The most common web server in this year's study was Nginx (37% of web applications), followed by Apache (26%) and Microsoft IIS (24%). Most of the resources were productive systems (85%), however, test sites that were in the process of development or acceptance into operation were also investigated.

    General Results


    All 40 investigated web applications contain certain vulnerabilities, with a total of 1,194. At the same time, 68% of systems contain high-risk vulnerabilities. This indicator is higher than last year (62%). In addition, in 2013, on average, there were 15.6 vulnerabilities per web application, and in 2014 this number almost doubled to 29.9. Most of the identified vulnerabilities (89%) are caused by errors in the program code, and only 11% of the shortcomings are associated with incorrect configuration of web applications.



    Shares of vulnerable sites depending on the degree of risk of vulnerabilities

    In 2014, the most widespread (73% of systems) was the low-risk vulnerability “Software Identification” (Fingerprinting). The second place (70%) is occupied by the Cross-Site Scripting (XSS) vulnerability, the most widespread in 2013. As a result of exploiting this error in the code, an attacker can organize an attack on users of a web application, for example, in order to gain access to your personal account.

    More than half of websites contain vulnerabilities related to the use of predicted values ​​for user identifiers and sessions (Credential / Session Prediction). The critical vulnerability SQL Injection (SQL Injection) has risen from 6th to 4th place; now it is detected in almost half of web applications (48%). Exploitation of this vulnerability could lead to unauthorized access to important information stored in application databases; in addition, it is often possible to develop an attack up to gaining full control of the server.

    Development Vulnerabilities


    Like last year, PHP applications turned out to be the most vulnerable: 81% of systems written in this language contain critically dangerous vulnerabilities (last year there were 76%). But for ASP.NET-based resources, this figure decreased from 55 to 44%. Each PHP web application contains on average 11 critical vulnerabilities. For ASP.NET, this indicator was 8.4, but in this case the statistics were strongly influenced by one system containing 60 high-risk vulnerabilities: in other ASP.NET-based applications, the average number of vulnerabilities was only 2.

    It can also be noted that the proportion of resources in PHP that are vulnerable to the "Cross-Site Scripting" vulnerability is significantly higher (95%) than the corresponding proportion of resources in ASP.NET (44%). This may be due to the fact that ASP.NET has built-in basic protection mechanisms against this type of attack (Request Validation).



    The most common vulnerabilities (by development tools)

    Server Vulnerabilities


    86% of the investigated Nginx server-based web applications contain high-risk vulnerabilities. The proportion of vulnerable resources based on Microsoft IIS has significantly decreased compared to 2013 and amounted to 44% instead of 71%. The number of vulnerable sites under Apache increased by 10% and amounted to 70%.

    The most common web server administration error is “fingerprinting”. In particular, this vulnerability is found in 8 out of 10 web resources running Apache. This is due to the fact that the standard configuration of the studied servers involves the disclosure of information about the version of the web server in error messages (for example, when accessing a nonexistent resource).

    Industry Vulnerabilities


    The banking sector turned out to be the leader in the number of systems with high-risk vulnerabilities (89%). This may be due to the fact that most of the resources studied were not RB systems or other systems where financial transaction data is processed, so banks paid less attention to ensuring the protection of application data. Also, a high percentage of web applications exposed to critical vulnerabilities is noted for the telecommunications industry (80%). This is followed by industry (71%) and information technology (67%). In e-commerce, the share of systems with high-risk vulnerabilities is also quite high - 42%.

    By the average number of vulnerabilities per system, the sites of industrial enterprises were the least protected, where 18 critical vulnerabilities per application. It is worth noting that the previously mentioned application, in which 60 critical vulnerabilities were identified, was related to the industrial sector. Without it, the corresponding indicator for this sector of the economy is 13.1 vulnerabilities of a high degree of risk to the system, which coincides with the indicator for the banking industry.

    In 2014, the high-risk vulnerabilities “Embedding SQL Statements”, “Embedding XML Entities”, and “Out of the Designated Directory” were more common than other flaws. As in 2013, the critical vulnerability “Injection of SQL statements” was discovered in web applications of all the studied sectors of the economy.



    Shares of vulnerable sites from various industries

    Vulnerabilities on Productive and Test Sites


    Critical vulnerabilities were detected in 71% of productive web resources, for test sites this indicator is 50%. The average number of high-risk vulnerabilities detected in test systems (12.8) is almost two times higher than productive, where an average of 7 critically dangerous vulnerabilities were identified. However, at the same time, on average, more vulnerabilities of an average risk level were revealed in productive systems (20.6 versus 14.3 for test ones).

    A similar situation with the security of systems already in operation clearly demonstrates the need to implement security processes at all stages of the application life cycle (SSDLC).

    Comparison of Testing Methods


    In the course of security studies, Positive Technologies specialists compared the results of testing using the white box method (using internal system data, including source code analysis) with the results of testing using black and gray box methods (when analysis is performed with privileges identical to those of a potential attacker). The proportion of sites containing high and medium risk vulnerabilities turned out to be approximately the same for these testing methods. It can be concluded that the attacker's lack of access to the source code does not make web applications secure.

    On the other hand, source code analysis in addition to black and gray box analysis allows you to identify more vulnerabilities for each application. In particular, white-box testing on average finds 3.5 times more medium-risk vulnerabilities compared to black-and-gray-box methods. Another vivid example: in each resource examined by the black and gray box methods, on average, 4 vulnerabilities of the “Cross-Site Scripting” type were discovered, while the white box method allowed us to identify an average of 29 vulnerabilities of this type.



    The average number of identified vulnerabilities of a certain type per system (by test method)

    In general, today the level of security for web applications remains extremely low - and even worse than last year. Despite this, web application firewalls are almost never used: such a mechanism was used to protect only one of all sites examined in this study.

    The full version of this study, as well as the Positive Research '2015 compilation with all last year's vulnerability research (SCADA, RBS, telecoms, etc.), can be found at www.ptsecurity.ru/lab/analytics

    And if you are interested in modern methods of researching the security of web applications, we invite you to listen to a free webinar by Vladimir Kochetkov, head of the development department of source code analyzers Positive Technologies.

    The webinar will be held on November 12 at 14:00, pre-registration here: www.ptsecurity.ru/lab/webinars/#42235

    Also popular now: