
WEAK SECURITY IN WEB APPLICATIONS LEAVES SUBSTANTIAL OPENINGS FOR HACKERS TO EXPLOIT

Almost every public and private sector organization has its own website, and new online services are introduced regularly. Personal data of clients and employees, and business and financial information of the organization, are stored in electronic form. This presents opportunities for cybercriminals, whose attacks against web applications are usually a first step on their path to attacking networks of large organizations.

In a recent study, Positive Technologies tested the web resources of companies from various industries including banking, government, information technologies, telecom, manufacturing and mass media. The large majority of the systems tested (62%) contained high-severity vulnerabilities, and nearly all systems (95%) had medium-severity vulnerabilities.

This is significant since vulnerable web applications can enable widespread DDoS attacks. If an attacker emulates an authorized user’s actions and exploits specially crafted queries to a website, even a small amount of traffic can result in complete site unavailability.

100% of Web Applications are Vulnerable to Attack

Positive Technologies tested the security level of each web application both using automated tools and manually using a combination of black-, gray-, and white-box methods. Key findings included:

  • All web applications analyzed (100%) were found to have vulnerabilities. High-severity vulnerabilities were detected in 62% of systems, a large increase from 2012 (45%). Medium-severity vulnerabilities were detected in 95% of the systems.
  • In 2013, the most widespread weakness was Cross-Site Scripting, which affected 78% of applications. Brute Force vulnerability placed second with 69% of the analyzed systems affected. The Top 10 also included SQL Injection and XML External Entity (XXE) Injection, with critical vulnerabilities found in 43% and 20% of systems, respectively.
  • The sector most threatened by high-severity vulnerabilities was mass media, with critical vulnerabilities detected in 80% of web applications.
  • Of applications written in PHP, 76% were found to contain critical vulnerabilities. This was a higher rate than other programming languages both in terms of percentage of vulnerable systems and number of vulnerabilities per system.
  • In 2013, the most popular web server was Apache and the most vulnerable web servers were Apache Tomcat and Microsoft IIS. Critical vulnerabilities were identified in 75% of web applications for Tomcat users and 71% of web applications for MS IIS users.
  • Half of the analyzed E-banking systems had critical vulnerabilities and no E-banking system studied complied with all PCI DSS requirements.
  • White-box testing allowed specialists to reveal 10 times more high-severity vulnerabilities and approximately twice as many medium- and low-severity vulnerabilities compared to black- and gray-box testing.

This Positive Technologies study included large-scale penetration tests conducted on 61 web applications in several countries. The enterprises included in this research ranged from oil and gas producers and banks to government agencies, software manufacturers and telecommunications firms.
