Web application assessments performed by Positive Technologies revealed that attackers would be able to obtain personal data from 44 percent of the applications that handle such data, including the websites of banks, ecommerce stores, and telecoms companies. Seventy percent of applications were vulnerable to leaks of critical information.
Attacks on web application users were possible in 96 percent of applications, while roughly one in two (48 percent) were also vulnerable to unauthorized access. Furthermore, about a sixth (17 percent) were found to contain vulnerabilities that would allow an attacker to take full control of the application.
Every tested web application contained vulnerabilities. However, analysts noted an encouraging trend: the percentage of web applications with critical vulnerabilities has declined for the second year in a row. In 2017, 52 percent of applications had high-severity vulnerabilities, compared to 58 percent in 2016. At the same time, the share of applications harboring low-severity vulnerabilities rose to 74 percent, compared to 67 percent in 2016.
Out of the ten most common vulnerabilities in 2017, four were classed as critical. Cross-Site Scripting, which remains the most common vulnerability, was detected in 74 percent of applications. Other common vulnerabilities that enable attacks on users include Cross-Site Request Forgery (39 percent) and URL Redirector Abuse (17 percent).
In a quarter of applications, experts were able to exploit SQL Injection, which in a real attack would allow sensitive database information, including user credentials, to be obtained. Dangerous vulnerabilities such as OS Commanding, XML External Entities, and Path Traversal were present in nine percent of applications.
Most of the detected vulnerabilities (65 percent) were caused by errors in application development (coding errors), while incorrect configuration of web servers accounted for another third of the total.
Positive Technologies analyst Leigh-Anne Galloway commented: “Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process. Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.
It’s also important to remember that having access to source code makes security assessment much more effective. Through manual code audits, we were able to find critical vulnerabilities in 100 percent of tested applications, which may otherwise have been missed.”