An analysis of web applications shows that 94% of applications tested had at least one high-severity vulnerability.
According to Positive Technologies’ Web Application Vulnerabilities in 2017 report, compiled from the security firm’s automated source code analysis with PT Application Inspector, most detected vulnerabilities (65%) overall were of medium severity, with much of the remainder (27%) consisting of high-severity vulnerabilities.
“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at PT. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”
The most common vulnerability across the board was cross-site scripting (affecting 82% of tested web applications), which allows attackers to perform phishing attacks against web application users or infect their computers with malware.
Other critical vulnerabilities also find their way into government web applications. For example, security assessment of a web application for a Russian local government revealed SQL Injection, a critical vulnerability that could allow attackers to obtain sensitive information from a database.
Financial services are at greatest risk. The analysis found that 46% of all tested web applications in this sector were rated at the highest risk level, and high-severity vulnerabilities were found in 100% of tested banking and finance web applications.
PT also assessed the potential impact of every detected web application vulnerability and compiled a list of the most common security threats. The No. 1 threat is attacks that target web application users. Alarmingly, 87% of banking web applications and all government web applications tested were susceptible to these kinds of attacks. Users of government web applications in particular tend not to be security savvy, which makes them easy victims for attackers.
The firm also concluded that denial of service is especially threatening for e-commerce web applications, because any downtime means missed business and lost customers. High-profile e-commerce web applications receive large amounts of daily visits, increasing the motivation for attackers to find vulnerabilities to turn against users.