Positive Technologies experts analyzed the vulnerabilities and threats of web applications [1] and found that attacks on users were possible in the vast majority of applications, while unauthorized access and leaks of important data were possible in 84% and 91% of applications respectively. The experts named flaws in the authorization and user authentication mechanisms as the most dangerous vulnerabilities. The study was presented on May 19, 2022 at Positive Hack Days, the annual forum on practical cybersecurity.
According to Positive Technologies, in 98% of the studied web applications attackers were able to carry out attacks on users. Such attacks can lead to the spread of malware, redirection to malicious resources, or data theft through social engineering.
In 84% of the studied applications, threats of unauthorized access to users' personal accounts, including administrator accounts, were identified. In 72% of web applications an attacker could gain access to functionality or content that should not be available to them, for example viewing other users' personal accounts or changing the duration of a subscription trial period.
"Leaks of important data are the second most pressing threat to the security of the studied web applications," notes Fedor Chunizhekov, analyst at the Positive Technologies research group. "91% of the studied applications were affected by it. The results of the security analysis showed that personal data can be disclosed in 60% of applications, and user credentials in 47%, which is 13 and 16 percentage points more than in 2019. Personal data and credentials are the desired targets of intruders, which is confirmed by the data of the final analysis of current cyber threats in 2021."
The study included dozens of applications belonging to industrial and financial organizations, government agencies, IT companies, and online retail sites. High-risk vulnerabilities were identified in all test applications of the industrial sector. Among production applications, 46% had a low or extremely low level of security. Overall, the experts note a positive trend in the security status of web applications of industrial companies: the share of applications with an extremely low level of security has fallen by more than a factor of three compared to 2019. The security status of web applications in the IT industry showed a negative trend compared to 2019: about half of the studied production applications had a low or extremely low level of security.
The study notes an increase in the level of security of online retail sites, among which there was not a single application with a low level of security. According to Positive Technologies experts, this is the result of a more responsible attitude of developers towards the protection of their web applications and the growing popularity of online shopping. The most characteristic threats to online retail applications were attacks on customers caused by configuration errors and incorrect implementation of the OAuth protocol, and leaks of confidential data. In every application it was possible to gain access to user IDs, and in 44% of applications to personal data.
According to the results of the study, 67% of production applications of government institutions were rated by specialists as having a low level of security, which is almost unchanged from the indicators of previous years. The most common vulnerabilities here were those related to access control deficiencies: they were identified in all applications of government institutions. In 70% of applications, such vulnerabilities could lead to unauthorized access to the application as well as leaks of important information, and most often the possibility of personal data leakage was detected.
The share of web applications containing high-risk vulnerabilities was 66% in 2020 and 62% in 2021, which is significantly more than in 2019. Among the high-risk vulnerabilities, first and second place are occupied by incorrect user authorization and authorization bypass through a user-controlled key. Incorrect authentication rounds out the top three most common high-risk vulnerabilities.
The examination showed that many site vulnerabilities stem from errors in their code: over the past two years, 72% of the vulnerabilities detected were related to vulnerable web application code, for example SQL injection, XSS, and incorrect condition checks and exception handling. The remaining vulnerabilities were related to improper administration and can be fixed through application configuration. To avoid code-related vulnerabilities, the experts recommend that organizations implement a secure development process in the lifecycle of web applications and take an integrated approach to building effective protection of web applications.
"According to all the laws of classical cybersecurity, the installation of specialized tools that will block attempts by an attacker to exploit vulnerabilities will help protect against hacking, and we, as a vendor, have solutions in our product portfolio that allow us to cope with such a task," says Alexey Zhukov, Head of Product Development for DevSecOps at Positive Technologies. "PT Application Firewall blocks hacking attempts by the attacker without interfering with the legitimate user's interaction with the application. But we can't stop there. Reasoning in the paradigm of real cybersecurity, it is not enough just to block a hacking attempt: it is necessary to find and eliminate the vulnerability itself in the application code. And this should be done at the development stage. Here PT Application Inspector comes to the rescue, which is designed to analyze the code in automatic mode and find vulnerabilities, highlight flaws in the code to developers and information security specialists, and give a hint where and what kind of gap needs to be patched in order to permanently close the attacker's path to the system."
The full version of the study can be found on the Positive Technologies website.
[1] The sample includes the results of security analyses of web applications conducted in 2020-2021 whose owners gave their consent to the use of the data for research purposes.