A Positive Technologies study finds 82% of web application vulnerabilities lie in the source code.
A recent report from Positive Technologies studied web application vulnerabilities and found that more than half of all sites have high-risk vulnerabilities.
The company’s “Web Application Vulnerabilities and Threats: Statistics for 2019” report found signs that companies are beginning to prioritize security but are still failing to do everything necessary when protecting web applications and users.
Nine times out of 10, hackers are able to easily attack website visitors, and 82% of web application vulnerabilities lie in the source code.
Many of the attacks highlighted in the report include stealing credentials in phishing attacks, infecting computers with malware or redirecting users to hacker-controlled sites.
Companies were also failing to adequately protect their web applications with multi-factor authentication, still relying on password-only authentication that could be easily bypassed.
“Password-only authentication is a contributing factor in most authentication attacks. Lack of two-factor authentication makes attacks very easy,” said Evgeny Gnedin, head of information security analytics at Positive Technologies.
“Users tend to use weak passwords, which makes matters even worse. Bypassing access restrictions usually leads to unauthorized disclosure, modification, or destruction of data,” Gnedin said.
Positive Technologies assessed 38 fully functional web applications in 2019 and said that while there had been a steady decrease in the percentage of web applications with severe vulnerabilities, the security of most web applications is still poor.
The company’s research found that the average number of vulnerabilities per application has fallen by a third compared to 2018, and that companies are taking security more seriously not just in public-facing web applications but in their internal ones, too.
Financial institutions had the highest web application security ratings in the study while state institutions had the lowest scores.
The report said 16% of applications contain vulnerabilities that allow attackers to take full control of the system and half of web sites in production had high-risk vulnerabilities. On average, each system contained 22 vulnerabilities, four of which were of high severity. One out of five vulnerabilities has high severity, according to the Positive Technologies report.
“The percentage of production systems with high-risk vulnerabilities declined: 45% in 2019 compared to 71% in 2018. But this is still higher than in 2017, when the equivalent figure was 25%. The last five years show a reduction in the percentage of sites containing severe vulnerabilities. This is an encouraging sign consistent with an overall improvement in security,” the report said.
“Unauthorized access to applications is possible on 39% of sites. In 2019, full control of the system could be obtained on 16% of web applications. On 8% of systems, full control of the web application server allowed attacking the local network.”
Almost 70% of web applications were vulnerable to breaches of sensitive data, with most of the data containing personal information or credentials.
In terms of commonly found vulnerabilities and attacks, the Positive Technologies report said security misconfigurations, cross-site scripting and broken authentication were the main concerns for most web applications.
One out of every five applications that Positive Technologies researchers tested had vulnerabilities that allowed cybercriminals to attack a user session.
The most common high-risk vulnerability was broken authentication, which was found in 45% of web applications.
According to the company’s research, almost a third of such vulnerabilities consist of a failure to properly restrict the number of authentication attempts, which an attacker could exploit to brute-force credentials or access the web application.
In one particular instance, the report notes that one of the applications could be accessed with administrator rights after only 100 attempts.
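The missing control described above, restricting the number of authentication attempts, can be sketched as follows. This is an added example, not code from the report or the assessed applications; `AttemptLimiter`, `login`, the thresholds and the sample credentials are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window cap on failed logins, per account and per source address."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                       # injectable so tests can move time
        self._failures = defaultdict(deque)      # key -> timestamps of recent failures

    def _recent(self, key):
        q = self._failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:              # forget failures outside the window
            q.popleft()
        return len(q)

    def allowed(self, account, source):
        return (self._recent(("acct", account)) < self.max_failures
                and self._recent(("src", source)) < self.max_failures)

    def record_failure(self, account, source):
        now = self.clock()
        self._failures[("acct", account)].append(now)
        self._failures[("src", source)].append(now)

    def record_success(self, account):
        # Only the account counter resets; the source counter keeps its failures.
        self._failures.pop(("acct", account), None)

def login(limiter, verify, account, password, source):
    """Return 'ok', 'denied' or 'throttled'; `verify` is the app's own credential check."""
    if not limiter.allowed(account, source):
        return "throttled"                       # no guess is evaluated once over the cap
    if verify(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, source)
    return "denied"

if __name__ == "__main__":
    # Constructed sample: one source submitting repeated wrong passwords for one account.
    lim = AttemptLimiter()
    check = lambda a, p: (a, p) == ("admin", "correct-horse")
    print([login(lim, check, "admin", f"guess{i}", "198.51.100.7") for i in range(7)])
```

Tracking by account as well as by source means that spreading guesses across many addresses does not reset the cap; the trade-off is that a legitimate user can be throttled by someone else's failed attempts, which is why the lockout here expires with the window rather than requiring manual unlock.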
“As a general recommendation, web applications should sanitize all user input that is subsequently displayed in a browser, including HTTP request header fields such as User-Agent and Referer. Potentially unsafe characters that can be used in HTML page formatting must be replaced with their non-formatting equivalents. We also recommend using modern web application firewalls, since they are able to block cross-site scripting,” the Positive Technologies report noted.
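The report's recommendation, applied to a page that displays `User-Agent` and `Referer` values, looks like this. This is an added example, not code from the report; `render_request_row` and the sample header values are constructed for illustration, and the scheme check on the link goes one step beyond the quoted text to cover the case where the value is placed in an `href`.

```python
import html
from urllib.parse import urlsplit

def _is_web_url(value):
    """True only for http(s) URLs; malformed input is treated as not linkable."""
    try:
        return urlsplit(value).scheme.lower() in ("http", "https")
    except ValueError:
        return False

def render_request_row(headers):
    """Render one row of a request-log page from client-supplied header values.

    Each value is HTML-encoded at output time, so <, >, &, " and ' become
    entities. The Referer is turned into a link only when it is an http(s)
    URL; anything else is shown as inert text.
    """
    ua = html.escape(headers.get("User-Agent", ""), quote=True)
    ref_raw = headers.get("Referer", "")
    ref = html.escape(ref_raw, quote=True)
    if _is_web_url(ref_raw):
        ref_cell = f'<a href="{ref}" rel="noreferrer">{ref}</a>'
    else:
        ref_cell = ref
    return f"<tr><td>{ua}</td><td>{ref_cell}</td></tr>"

if __name__ == "__main__":
    # Constructed header values containing markup characters.
    sample = {
        "User-Agent": "Mozilla/5.0 <script>alert(1)</script>",
        "Referer": 'https://example.com/?q="x"',
    }
    print(render_request_row(sample))
```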
“In a targeted attack against a company, web application vulnerabilities can help with gathering data about the company’s internal network, such as the structure of the network segments, ports, and services. In many cases, hackers can even access internal network resources and the confidential data stored there,” the report added.
The study suggests that companies train developers in a variety of secure development methods and, as preventative measures, give them tools for automated source code analysis and web application firewalls.