Each year the Acunetix Team compiles a vulnerability testing report based on data from Acunetix Online. This third Vulnerability Testing Report contains data and analysis of vulnerabilities detected by Acunetix throughout the period of March 2016 to March 2017, illustrating the state of security of web applications and network perimeters.
With Cross-site Scripting (XSS) vulnerabilities found on 50% of sampled targets, this year’s findings continue to reaffirm the widely held understanding that the web application vector is a major, viable and low-barrier-to-entry vector for attackers.
For the purpose of this analysis, a random sample of 11,600 subscribers who have successfully scanned one or more Scan Targets were randomly selected out of a possible 43,200 subscribers.
This dataset focuses predominantly on high and medium-severity vulnerabilities found in web applications as well as perimeter network vulnerability data.
Vulnerabilities at a Glance
Web Vulnerabilities by Type
|Code Execution||6%||4%||▼ 2%|
|SQL Injection (SQLi)||23%||20%||▼ 3%|
|File Inclusion + Directory Traversal||5%||3%||▼ 2%|
|Cross-site Scripting (XSS)||33%||50%||▲ 17%|
|Directory Listing||15%||13%||▼ 2%|
|TLS/SSL vulnerabilities||23%||33%||▲ 10%|
Vulnerabilities by Paradigm and Severity
|Web Application (High-severity)||55%||42%||▼ 13%|
|Network Perimeter (High-severity)||8%||9%||▲ 1%|
|Web Application (Medium-severity)||84%||79%||▼ 5%|
|Network Perimeter (Medium-severity)||16%||14%||▼ 2%|
Vulnerability Testing Results
Code Execution – High Severity
Code Execution, Code Injection, or Remote Code Execution (RCE) refers to an attack which allows an attacker to execute malicious code through an injection attack.
Code Execution often provides an attacker with the possibility to escalate an attack from Code Injection to execute arbitrary shell commands, making it among the most severe web application vulnerabilities since it potentially allows an attacker to take over the system entirely. Once an attacker has an initial foothold they can likely achieve lateral movement, enumerating resources on the internal network and escalating their attack through privilege escalation.
|Code Execution||6% (324 targets)||4% (445 targets)|
SQL Injection – High Severity
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server.
By leveraging SQL injection, an attacker could bypass authentication and authorization mechanisms and retrieve and even modify the contents of the database. An attacker can also potentially deploy a web shell onto the server and subsequently take over the server, and even pivot into other systems as a result of SQLi.
SQL injection can also be ‘blind’, meaning that the results of an injection attack are not visible to the attacker. Since a Blind SQLi attack does not display data within the response from the server, an attacker needs to use a side-channel attack to retrieve data either by analyzing the results of a logical statement injected into the SQL query.
|SQLi (Error, UNION, Blind)||23% (1325 targets)||20% (2,295 targets)|
|SQLi (Error, UNION)||13% (718 targets)||10% (1,118 targets)|
|SQLi (Blind)||11% (607 targets)||10% (1,177 targets)|
File Inclusion and Directory Traversal – Severity High
File inclusion and directory traversal vulnerabilities could allow an attacker to access restricted files and directories outside of a web server’s root directory. Things go even further with file inclusion, where an attacker can potentially not only read the contents of files, but also execute its contents causing code execution vulnerabilities.
|File Inclusion (Local)||2% (121 targets)||1% (146 targets)|
|Directory Traversal||3% (151 targets)||2% (228 targets)|
Cross-site Scripting – High Severity
|Cross-site Scripting||33% (1,868 targets)||50% (5,829 targets)|
Network Perimeter Vulnerabilities – Severity High
Network perimeter vulnerabilities residing in network perimeter resources, are typically results of configuration issues or vulnerabilities in devices such as routers, firewalls and other network appliances, or even services like web servers, mail servers and VPN gateways to name a few. Misconfigured network devices or services, and the presence of vulnerabilities in services on a network infrastructure can cause havoc.
An attacker can often escalate an attack and move laterally through a network after an initial compromise. This is especially the case if the network is not properly segmented and lacks controls to detect intruders.
|Network Perimeter High-severity Vulnerabilities||8% (447 targets)||9% (994 targets)|
Directory Listing – Medium Severity
Directory listing refers to a web server misconfiguration that could divulge sensitive information to an attacker. Directory Listing is a ‘feature’ that is enabled in some web servers by default which allows a user to view a list of files and directories hosted on the web server in an organized hierarchical view. An attacker can abuse this vulnerability by simply listing directories to find sensitive files.
|Directory Listing||15% (882 targets)||13% (1,545 targets)|
TLS/SSL related vulnerabilities – Medium Severity
Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL) are widely used protocols designed to secure the transfer of data between the client and the server through authentication, encryption and integrity. TLS security is essential for websites and other services that rely on the essential cryptographic protocols to allow communications without third-parties being able to read or alter traffic.
|TLS/SSL related vulnerabilities||23% (1,287 targets)||33% (3,862 targets)|
|POODLE||7% (394 targets)||7% (761 of 11,666)|
|BREACH||3% (165 targets)||4% (411 of 11,666)|
The results in this report clearly outline that web applications are a major, and growing attack vector that organizations of all shapes and sizes, the world over, are facing—whether they know it or not.
Unfortunately, with most web application vulnerabilities such as SQL injection (SQLi), Cross-site Scripting (XSS) and Code execution (RCE), the typical mitigation approach of installing a patch is often not valid. This is largely because web application vulnerabilities generally arise from poor design choices or oversights made during the development or deployment process.
The most worrying of these results is the rise in Cross-site Scripting (XSS) vulnerabilities. While the bar is rising for attackers to exploit reflected XSS, partly due to the protections browsers are building in, skilled and determined attackers do bypass XSS filters. What’s more, stored XSS and DOM-based XSS still remain major attack vectors for attackers with very little to no browser defences in their way.
However, all is not bleak—the times they are a changin’ for SQL injection. The venerable vulnerability that has plagued web application security for so long has seen a year-after-year decline, dropping 3% this year alone. This tells us that things are things are slowly moving in the right direction, however, we’re pretty confident that SQL injection will still be dominating the headlines for the foreseeable future.
The ever growing shift to web technologies, while positive and exciting, is the perfect target for malicious attacks. Unfortunately, Development Teams are frequently up against tight deadlines, caught-up in complex engineering problems, and many are poorly equipped to assess the implications of insecure code within their applications, especially at the speed at which new code is being pushed to production.
Development and DevOps Teams however, are very good at leveraging automation to make their work more efficient; and there is no reason web vulnerability testing cannot be an automated process—especially when it forms part of Continuous Integration (CI) or Continuous Delivery (CD) pipelines. Naturally, automated vulnerability testing, like any other security testing methodology, should not be viewed as a ‘silver-bullet’ solution, but rather, it should be seen as a highly cost-effective approach to establishing a baseline security posture.
By leveraging automated vulnerability testing to uncover entire classes of grievous security bugs automatically, manual security testing (be that through a traditional penetration test, or through crowdsourced security testing platforms) is immediately more cost effective because penetration testers’ focus is on finding bugs that require human logic, hunches and intuition to discover.
Automated security testing provides a highly-scalable, cost-effective, ongoing security baseline all the way from the initial stages of the Software Development Lifecycle (SDLC) to Staging and Production environments.
With web application vulnerabilities increasingly posing serious threats to organizations’ overall security posture, if you’re not prioritizing web security, now is the time to start.