Positive Technologies has analyzed vulnerabilities and threats to web applications[1] and found that the vast majority of applications are vulnerable to sensitive data leaks, unauthorized access, and attacks on users. According to our experts, the most dangerous vulnerabilities are flaws in user authorization and authentication mechanisms. The research was presented on May 19, 2022, as part of the eighth annual Positive Hack Days forum on applied cybersecurity.
According to Positive Technologies, cybercriminals were able to carry out attacks on users in 98 percent of studied web applications. Such attacks can result in the spread of malware, redirection to a malicious site, or data theft through social engineering.
In 84% of applications under study, threats related to unauthorized access to users’ personal accounts, including those of administrators, were identified. In 72% of web applications, an attacker can gain access to features or content that should not be available to them, such as viewing other users’ personal accounts or changing the length of a subscription trial period.
"Leaks of sensitive information are the second most acute security threat to the web applications under study," notes Positive Technologies Information Security Analyst Fedor Chunizhekov. "91 percent of studied web applications are vulnerable to this threat. The results of the security analysis showed that more than three-quarters of web applications were vulnerable to disclosure of user identifiers. Personal data was disclosed in 60 percent of applications, and user credentials in 47 percent, up 13 and 16 percentage points compared to 2019, respectively. Personal data and credentials are desirable targets for attackers, as confirmed by the Cybersecurity threatscape: year 2021 in review report."
The study included dozens of applications belonging to industrial and financial organizations, government agencies, IT companies, and e-commerce sites. High-severity vulnerabilities were identified in all test applications of the industrial sector. Among the production applications, 46% had a low or extremely low security level. On the whole, the state of web application security in industrial companies shows a positive trend: the share of applications with an extremely low security level decreased by more than three times compared to 2019. The state of web application security in the IT sector, however, showed a negative trend compared to 2019: about half of the production applications under study had a low or extremely low security level.
The researchers note the increased level of security of e-commerce sites: not a single application was found to have a low security level. According to Positive Technologies, this is due to a greater awareness of web application security on the part of developers, and the growing popularity of online commerce. The most typical threats to e-commerce applications are attacks on clients caused by security misconfigurations, including OAuth implementation failures and sensitive data leaks. It was possible to access user identifiers in all applications, and personal data in 44 percent of them.
67 percent of production applications of government agencies were deemed to have a low security level, which is not much different from previous years. The most common vulnerabilities identified in all applications of government agencies were related to broken access control. In 70 percent of applications, such vulnerabilities could lead to unauthorized access to the application and leakage of sensitive information, with personal data spillage cited most frequently.
The share of web applications containing high-severity vulnerabilities was 66% in 2020 and 62% in 2021, significantly more than in 2019. Among high-severity vulnerabilities, the top two places are taken by improper user authorization and authorization bypass with a user key; improper authentication rounds out the top three.
Expert appraisal shows that many website vulnerabilities are due to code flaws: in the past two years, 72 percent of vulnerabilities discovered were related to vulnerable code in web applications, such as SQL injection, XSS, and incorrect condition checking or exception handling. The other vulnerabilities were caused by improper administration and are fixable in the application settings. To rule out code-related vulnerabilities, we strongly recommend that organizations implement a secure development process in the web application lifecycle and take a comprehensive approach when building an effective web application protection system.
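The two flaw classes the report ranks highest, authorization bypass through a user-controlled key and vulnerable query code such as SQL injection, often sit in the same few lines of an application. The following is an added example, not code from Positive Technologies or from any application in the study: a constructed SQLite "accounts" table with two hypothetical users, a lookup written the way the report describes the defect (request key used as-is, query built by string formatting, no ownership check) beside a hardened version (parameterized query, object-level ownership filter, server-side bound on the trial length). All names, data and function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the example; not from the report.
_SCHEMA = """
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY,
    owner TEXT NOT NULL,
    email TEXT NOT NULL,
    trial_days INTEGER NOT NULL
);
"""
_ROWS = [
    (1, "alice", "alice@example.test", 14),
    (2, "bob", "bob@example.test", 14),
]


def make_db():
    """Create an in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", _ROWS)
    conn.commit()
    return conn


def get_account_vulnerable(conn, current_user, account_id):
    """Lookup with the two defects the report names.

    The key comes straight from the request and is never compared with the
    authenticated user (authorization bypass through a user-controlled key),
    and the SQL text is assembled with string formatting (SQL injection).
    current_user is accepted but ignored, which is the bug.
    """
    return conn.execute(
        f"SELECT id, owner, email, trial_days FROM accounts WHERE id = {account_id}"
    ).fetchone()


def get_account_hardened(conn, current_user, account_id):
    """Parameterized query plus an object-level ownership check.

    A row is returned only when it belongs to current_user; a malformed or
    tampered key yields None instead of another user's record.
    """
    try:
        account_id = int(account_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, email, trial_days FROM accounts WHERE id = ? AND owner = ?",
        (account_id, current_user),
    ).fetchone()


def set_trial_days_hardened(conn, current_user, account_id, days):
    """Change a trial period with server-side bounds and the same ownership filter.

    The ownership condition lives inside the UPDATE itself, so a request that
    names someone else's account modifies zero rows; the caller can treat a
    rowcount of 0 as "not found" without leaking whether the id exists.
    """
    if not isinstance(days, int) or not (0 <= days <= 30):
        return 0
    cur = conn.execute(
        "UPDATE accounts SET trial_days = ? WHERE id = ? AND owner = ?",
        (days, account_id, current_user),
    )
    conn.commit()
    return cur.rowcount
```

The hardened functions take the authenticated principal as an explicit argument and put it into the WHERE clause, so the authorization decision is made by the same statement that fetches or modifies the data; a separate "fetch then compare owner" step is easy to forget on one of several code paths, which is how the report's "viewing other users' personal accounts" and "changing the length of a subscription trial period" findings typically arise.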
"The classical law of cybersecurity has not changed: install specialized tools to block attempts to exploit vulnerabilities. As a vendor, we have the solutions in our product portfolio to meet this challenge," says Alexey Zhukov, Head of DevSecOps Development, Positive Technologies. "PT Application Firewall blocks hacking attempts by an intruder without interfering with the normal use of the application by legitimate users. But this is not the end of the story. When it comes to real cybersecurity, it is not enough to simply block a hacking attempt: one must find and fix the vulnerability in the application code. This must be done at the development stage. This is when PT Application Inspector comes to the rescue. The product is designed to automatically analyze code and find vulnerabilities, highlight flaws in the code for developers and infosec specialists, and give a clue as to where and which flaw needs to be fixed to prevent once and for all an attacker from penetrating the system."
The full version of this study is available on the Positive Technologies site.
[1] The research included the results of the web application security assessment conducted in 2020–2021; the owners of the studied web applications consented to the use of their data for research purposes.