A new report from Positive Technologies provides statistics on vulnerabilities discovered during web application security testing for clients in 2018. On average, each web application contained 33 vulnerabilities, of which 6 were high severity.
Two thirds (67%) of web applications contained critical security weaknesses. The number of critical vulnerabilities per web application tripled compared to 2017. The most common high-severity vulnerabilities included Insufficient Authorization, Arbitrary File Upload, Path Traversal, and SQL Injection. Cross-Site Scripting (XSS) vulnerabilities are present in many web applications as well. Configuration errors are the rule, not the exception, affecting four out of five web applications.
Positive Technologies found that secure storage of sensitive data in web applications is often problematic. Credentials are at stake in 46 percent of leaks. Almost all tested web applications (91%) store and process personal data and an attacker could obtain this personal data in 18 percent of cases.
In 19 percent of tested web applications, vulnerabilities allow an attacker to gain full control not only over all of the application's functionality and data, but also over the server OS. If the server is on the network perimeter, the attacker can penetrate the internal corporate network.
Leigh Anne Galloway, Cyber Security Resilience Lead for Positive Technologies commented: “Small businesses, banks, and major industrial concerns all depend on web applications, and as websites are the public face of an organization, any issues with them can damage their reputation. Businesses should, therefore, be highly motivated to address these vulnerabilities.”
Galloway continued: “Security assessments are an essential part of securing any web application. White-box testing, with access to source code, enables clients to identify and fix vulnerabilities before cyberattackers strike. Fixes for 83 percent of the vulnerabilities we found, including the majority of critical vulnerabilities, required making changes to code. To reduce the risk of disruption to business processes during remediation as new code is being prepared, we urge companies to implement a web application firewall (WAF).”
You can find the full report, Web Application Vulnerabilities: Statistics for 2018, here.