To help companies with navigating the world of web application vulnerabilities and securing their own web applications, the Open Web Application Security Project (OWASP) online community created the OWASP Top Ten. As we followed their rankings, we noticed that the way we ranked major vulnerabilities was different. Being curious, we decided to find out just how big the difference was. That’s why we set up our own rankings that reflected our take on the most widespread and critical web application vulnerabilities as viewed through a prism of eight years’ experience.
We collected the data from a sample of the application security assessment projects our team completed in 2021–2023. Most of the web applications were owned by companies based in Russia, China and the Middle East.
Almost half of the applications (44%) were written in Java, followed by NodeJS (17%) and PHP (12%). More than a third (39%) used the microservice architecture.
Distribution of programming languages used in writing web applications, 2021–2023
We analyzed data obtained through web application assessments that followed the black, gray and white box approaches. Almost every application assessed with gray box was analyzed with black box too, so we combined these two approaches in our statistics. Therefore, a vast majority (83%) of the web application projects used the black and gray box methods.
Discrepancies caused by the differing approaches to analysis
Since the black, gray and white box methods implied different levels of access to the applications, the types of vulnerabilities that were most likely to be found were different as well. We compared vulnerabilities discovered with and without access to application source code. As a result, four out of five most widespread vulnerabilities matched, but there were differences too.
| Black/Gray Box | White Box |
| --- | --- |
| 1. Sensitive Data Exposure | 1. Broken Access Control |
| 2. Broken Access Control | 2. SQL Injection |
| 3. Cross-Site Scripting | 3. Sensitive Data Exposure |
| 4. Server-Side Request Forgery | 4. Broken Authentication |
| 5. Broken Authentication | 5. Cross-Site Scripting |
The most widespread vulnerabilities found during black/gray and white box analysis
In addition, the statistics showed that the white box approach allowed finding a greater number of severe vulnerabilities, such as SQL Injection. On average, black/gray box analysis revealed 23 vulnerabilities per application and white box analysis, 30.
Share of vulnerabilities of different risk levels found per application on average using black/gray box analysis, 2021–2023
Share of vulnerabilities of different risk levels found per application on average using white box analysis, 2021–2023
Even though the white box approach allows finding a greater number of vulnerabilities per application, the black and gray box approaches can be used to look at the application from the malicious actor’s perspective and identify the vulnerabilities that must be remediated first.
We analyzed the results of web application assessment projects to identify the most widespread and severe vulnerabilities the digital world had faced during the previous three years.
The rankings are expert opinions based on the number of applications containing a specific vulnerability and the severity of the impact.
Recommendations provided in these rankings are general in nature and based on information security best practices standards and guidelines, such as OWASP and NIST.
| Kaspersky Top 10 | OWASP ranking |
| --- | --- |
| 1. Broken Access Control | A01 |
| 2. Sensitive Data Exposure | A02 |
| 3. Server-Side Request Forgery (SSRF) | A10 |
| 4. SQL Injection | A03 |
| 5. Cross-Site Scripting (XSS) | A03 |
| 6. Broken Authentication | A07 |
| 7. Security Misconfiguration | A05 |
| 8. Insufficient Protection from Brute Force Attacks | A07 |
| 9. Weak User Password | A07 |
| 10. Using Components with Known Vulnerabilities | A06 |
70% of the web applications we analyzed contained vulnerabilities associated with access control issues.
Distribution of Broken Access Control vulnerabilities by risk level, 2021–2023
Almost half of the Broken Access Control vulnerabilities carried a medium risk level, and 37%, a high risk level. High-risk vulnerabilities can cause errors in applications and affect customers’ business. In one application, inadequate validation of data being submitted let us reach internal services and potentially execute attacks leading to financial loss.
Mitigation: implement authentication and authorization controls according to the role-based access model. Unless the resource is intended to be publicly accessible, deny access by default.
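The two halves of that mitigation, a role-based check on every route and deny-by-default for anything not explicitly listed, are shown here as an added example in Python (not code from the article). Routes, roles, users and the orders table are constructed; the object-level check on orders illustrates that a role grants the route while ownership grants the record.

```python
"""Deny-by-default, role-based access control for a web application.

Added example, not from the original article. Routes, roles, users and
the ORDERS table are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


# Explicit policy: (HTTP method, route) -> roles allowed to use it.
# Any (method, route) pair absent from this table is denied.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("GET", "/profile"): frozenset({"user", "admin"}),
    ("GET", "/orders"): frozenset({"user", "admin"}),
    ("GET", "/admin/users"): frozenset({"admin"}),
    ("DELETE", "/admin/users"): frozenset({"admin"}),
}

# Resources intended to be public are listed explicitly as well, so that
# "public" is a decision someone made, not the fallback.
PUBLIC: FrozenSet[Tuple[str, str]] = frozenset({("GET", "/"), ("GET", "/login")})

# Constructed per-user data used for the object-level check below.
ORDERS = {
    "o-1": {"owner": "alice", "total": 40},
    "o-2": {"owner": "bob", "total": 15},
}


def is_allowed(user: Optional[User], method: str, route: str) -> bool:
    """Route-level check: deny unless the route is public or the policy
    explicitly grants one of the caller's roles."""
    key = (method.upper(), route)
    if key in PUBLIC:
        return True
    if user is None:
        return False                      # unauthenticated and not public
    allowed_roles = POLICY.get(key)
    if allowed_roles is None:
        return False                      # unknown route: deny by default
    return bool(user.roles & allowed_roles)


def get_order(user: Optional[User], order_id: str) -> Optional[dict]:
    """Object-level check: passing the route check is not enough for
    per-user data; the record must belong to the caller (or the caller
    must be an admin). Missing and forbidden both return None so the
    response does not reveal whether an order id exists."""
    if not is_allowed(user, "GET", "/orders"):
        return None
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if "admin" in user.roles or order["owner"] == user.user_id:
        return order
    return None
```

The point of listing public routes explicitly is that a new endpoint added without a policy entry is unreachable until someone decides who may call it, which is the opposite of the "everything is open unless guarded" default that produces most Broken Access Control findings.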
Sensitive Data Exposure is another type of vulnerability frequently found in web applications. Compared to Broken Access Control, this category contained a greater number of low-risk vulnerabilities, but high-risk ones were present as well.
Distribution of Sensitive Data Exposure vulnerabilities by risk level, 2021–2023
Among the sensitive data we identified during our analysis were plaintext one-time passwords and credentials, full paths to web application publish directories and other internal information that could be used to understand the application architecture.
Mitigation: do not store files containing sensitive data, such as passwords or backups, in web application publish directories. Avoid disclosing sensitive data when accessing application functions, unless the function itself is used to access sensitive data.
The popularity of the cloud and microservice architectures is on the rise. The microservice architecture expands the attack surface for SSRF exploitation due to more services communicating over HTTP (or other lightweight protocols) when compared to the traditional architecture. More than half (57%) of the applications we analyzed contained a vulnerability that let a malicious actor communicate with the internal services after bypassing application logic: Server-Side Request Forgery.
Distribution of SSRF vulnerabilities by risk level, 2021–2023
Specifically, a malicious actor can use SSRF in a chain with other vulnerabilities to develop an attack on the web server or read the application source code.
Mitigation: if possible, create an allowlist of resources that the application can request. Prevent requests to any resources not on that list. Do not accept requests that contain complete URLs. Set firewall filters to prevent access to unauthorized domains.
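An added Python example (not the article's code) of the allowlist approach described above: the client sends a short resource key rather than a complete URL, the server maps that key to a vetted destination, and the final URL is re-checked against the allowed hosts and against internal address literals. The resource names, hostnames and item format are constructed.

```python
"""SSRF guard: clients send a resource key, never a complete URL; the server
maps the key to a vetted destination before any outbound request is made.

Added example, not the article's code. Keys, hostnames and the item-name
format are constructed."""
import ipaddress
import re
from urllib.parse import quote, urlsplit

# Allowlist of outbound destinations the application may call (constructed).
ALLOWED_RESOURCES = {
    "weather": "https://api.weather.example/v1/today",
    "avatars": "https://cdn.example/avatars/",
}
ALLOWED_HOSTS = {urlsplit(u).hostname for u in ALLOWED_RESOURCES.values()}

# Sub-items (e.g. an avatar file name) may only look like this.
ITEM_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_private_address(host):
    """True when host is an IP literal in a loopback, private, link-local or
    reserved range (link-local covers cloud metadata endpoints in
    169.254.0.0/16). Hostnames return False; resolving and pinning DNS
    answers is a separate control not shown here."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def resolve_target(resource_key, item=""):
    """Map a client-supplied key (plus optional item name) to a URL the
    application is allowed to fetch. Returns None when the request must be
    refused. A full URL sent by the client is simply an unknown key."""
    base = ALLOWED_RESOURCES.get(resource_key)
    if base is None:
        return None                       # unknown key: deny
    if item:
        # Fixed endpoints take no sub-items; directory-style ones take a
        # single safe token, percent-encoded so "/" or ":" cannot appear.
        if not base.endswith("/") or not ITEM_RE.match(item) or item in (".", ".."):
            return None
        base += quote(item, safe="")
    parts = urlsplit(base)
    # Defense in depth: re-check the assembled URL against the allowlist.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return None
    if is_private_address(parts.hostname):
        return None
    return base
```

The host allowlist is the primary control; the private-address check only catches IP literals and is there so that a later edit to the allowlist cannot quietly admit an internal address. Blocking at the network layer, as the mitigation also recommends, backs this up when application code is bypassed.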
Most high-risk vulnerabilities in 2021–2023 were associated with SQL Injection. Still, we placed this category fourth as only 43% of the applications we analyzed were vulnerable to it.
Distribution of SQL Injection vulnerabilities by risk level, 2021–2023
Vulnerabilities of this type can lead to theft of sensitive information or remote code execution. During one of the projects, an SQL injection into an application that was open to signup by any internet user let us obtain the credentials of an internal system administrator.
Mitigation: use parameterized SQL queries in application source code instead of concatenating user-supplied values into a SQL query string. If you cannot use parameterized SQL queries, make sure that no data entered by the user and used in generating SQL queries can be used to modify the query logic.
Cross-Site Scripting vulnerabilities were discovered in 61% of the web applications we analyzed. In most cases, the vulnerability carried a medium risk level, therefore we ranked it fifth, even though it was so widespread.
Distribution of XSS vulnerabilities by risk level, 2021–2023
More than half (55%) of all XSS vulnerabilities were associated with applications used by IT companies, followed by the public sector (39%).
An XSS attack against the application’s clients can be used for obtaining user authentication information, such as cookies, phishing or spreading malware. In one attack scenario, XSS in a chain with other vulnerabilities allowed changing a user password to a known value and so obtaining access to the application with that user’s privileges.
Mitigation: to prevent cross-site request forgery attacks, use synchronizer token patterns in all HTML forms and links associated with sensitive server-side operations. Check the Referer and Origin headers, and implement challenge-response options like CAPTCHA, re-authentication or one-time tokens.
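The synchronizer token pattern in that mitigation defends against cross-site request forgery; the direct defense against XSS itself is encoding user-supplied data for the context it is written into (HTML body, URL, JavaScript). Both are shown here as an added Python example (not the article's code); the secret, session ids and rendered fragments are constructed.

```python
"""Contextual output encoding against XSS, plus a session-bound synchronizer
token for state-changing forms.

Added example, not the article's code. The secret, session ids and HTML
fragments are constructed."""
import hashlib
import hmac
import html
import json
import secrets
from urllib.parse import quote


def render_comment(author, body):
    """HTML body context: escape <, >, &, and both quote characters."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def render_profile_link(user_id):
    """URL path context: percent-encode so the value cannot add path
    segments or a query string."""
    return f'<a href="/users/{quote(user_id, safe="")}">profile</a>'


def render_js_config(settings):
    """JavaScript context: JSON-encode, then escape "<" so an embedded
    "</script>" cannot terminate the script block early."""
    data = json.dumps(settings).replace("<", "\\u003c")
    return f"<script>var CONFIG = {data};</script>"


# Per-deployment secret for token MACs (constructed here; keep it out of code
# and load it from configuration in a real application).
SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: nonce.HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

Binding the token to the session id means a token captured from one session is useless in another, and the MAC means the server does not need to store issued tokens to check them.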
Although almost half of the vulnerabilities we discovered in this category carried a medium risk level (47%), there were high-risk ones as well, allowing access to the web application on behalf of the customers’ clients.
Distribution of Broken Authentication vulnerabilities by risk level, 2021–2023
For example, a certain application had no JWT (JSON Web Token) signature check, so a malicious actor could modify their own JWT (by specifying another user’s ID) and use the resulting token to perform various actions inside the account.
Mitigation: implement proper validation of authentication data used for accessing the application. Verify token and session ID signatures when used. Secrets used for authentication (encryption keys, signatures and so on) should be unique and have a high degree of entropy. Do not store secrets in application code.
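How the signature check described above is supposed to work, as an added Python example (not the article's code): a minimal HS256 verifier that pins the algorithm server-side, compares the signature in constant time and enforces expiry. The key and claims are constructed; a production application should use a maintained JWT library configured the same way rather than this hand-rolled code.

```python
"""Minimal HS256 JWT signing and verification: the algorithm is fixed by the
server, the signature is compared in constant time and expiry is enforced.

Added example, not the article's code. Key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token, key, now=None):
    """Return the claims when the token is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
    except (ValueError, TypeError):
        return None
    # The server decides the algorithm. A header claiming "none" or any
    # other algorithm is rejected, never honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None                       # payload or signature was modified
    try:
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if exp is not None and (time.time() if now is None else now) >= exp:
        return None
    return claims


def modify_payload_without_resigning(token, **changes):
    """Test helper: rewrite claims but keep the old signature. This is the
    token a missing signature check would accept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(payload_b64))
    claims.update(changes)
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"
```

The verifier rejects the modified-subject token, a token signed under a different key, an expired token and an "alg: none" token; the application in the example above accepted the first of these because it never reached the signature comparison.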
A little less than half of the applications we analyzed contained a Security Misconfiguration vulnerability. This category covers a spectrum of vulnerabilities from enabled debug mode to disabled authentication.
Distribution of Security Misconfiguration vulnerabilities by risk level, 2021–2023
The Nginx server of one application we analyzed allowed access to files in a parent directory (relative to the directory specified in the Alias directive). This could be used for gaining access to files that contained confidential data.
Mitigation: follow security best practices when configuring systems used in your IT infrastructure. Automate the setup process to eliminate errors when setting up new systems. Use different credentials for test and production systems. Disable unused components.
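The "automate to eliminate errors" advice includes checking configuration before it ships. The following added Python example (not the article's code, and not tied to the specific customer configuration) assumes that the Nginx finding above is the well-known pairing of a prefix `location` without a trailing slash and an `alias` directory with one, which makes a request path such as `/static../` map to the parent of the alias directory. It lints a constructed configuration for that pattern and shows the corrected form.

```python
"""Lint for the nginx alias traversal pattern: a prefix `location` without a
trailing slash combined with an `alias` path that has one, which lets a
request for /static../ reach the parent of the alias directory.

Added example, not the article's code. The configuration text is constructed
and the assumption that the article's finding is this pattern is ours."""
import re

LOCATION_RE = re.compile(r"location\s+(?P<mod>[=~*^]+\s+)?(?P<path>\S+)\s*\{")
ALIAS_RE = re.compile(r"alias\s+(?P<dir>[^;]+);")


def find_alias_traversal(config_text):
    """Return (location, alias) pairs where the location prefix lacks a
    trailing slash but the alias directory has one."""
    findings = []
    for m in LOCATION_RE.finditer(config_text):
        if m.group("mod"):
            continue                      # regex/exact locations match differently; not this pattern
        loc = m.group("path")
        # Find the end of this location block by tracking brace depth
        # (sufficient for the flat blocks a static-file location uses).
        depth, i = 1, m.end()
        while depth and i < len(config_text):
            depth += {"{": 1, "}": -1}.get(config_text[i], 0)
            i += 1
        block = config_text[m.end():i]
        a = ALIAS_RE.search(block)
        if a is None:
            continue
        alias_dir = a.group("dir").strip()
        if not loc.endswith("/") and alias_dir.endswith("/"):
            findings.append((loc, alias_dir))
    return findings


def fixed_location(loc):
    """Corrected form: give the prefix its trailing slash so only paths
    under /static/ match, and /static../ no longer does."""
    return loc if loc.endswith("/") else loc + "/"


# Constructed configuration: the first location is the misconfigured one.
SAMPLE_CONFIG = """
server {
    listen 80;
    location /static {
        alias /var/www/app/static/;
    }
    location /media/ {
        alias /var/www/app/media/;
    }
}
"""
```

Running the check on the sample flags only the `/static` block; rewriting it as `location /static/` (the second block is already in that form) clears the finding. Where a directory simply mirrors the URL path, `root` instead of `alias` avoids the trailing-slash question entirely.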
Over a third of the applications we analyzed allowed brute force attacks. One-Time Passwords and authentication against various resources, such as accounts or file systems, were some of the mechanisms we found to be vulnerable.
Distribution of Insufficient Protection from Brute Force Attacks vulnerabilities by risk level, 2021–2023
Specifically, a poor OTP implementation can allow an attacker to brute-force an OTP, bypassing this authentication factor and making unauthorized access to the application easier as a result.
Mitigation: use CAPTCHA to make it harder for the attacker to brute-force credentials. You can also use prevention controls (WAF, IPS) to promptly block brute-forcing attempts both in the case of multiple failed sign-ins to the same account and multiple failed sign-ins to different accounts that originate with the same source.
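The second half of that mitigation, blocking both repeated failures against one account and repeated failures from one source across many accounts, is shown here as an added Python example (not the article's code). Thresholds, the window and the in-memory store are constructed; a deployed version would keep the counters in a shared store so every application instance sees the same failures. The same throttle applies to OTP submissions.

```python
"""Failed-login throttling keyed by target account and by source address, so
that both "many attempts on one account" and "one source trying many
accounts" are blocked.

Added example, not the article's code. Thresholds, the window and the
in-memory store are constructed."""
import time
from collections import defaultdict, deque

ACCOUNT_LIMIT = 5        # failures per account within WINDOW
SOURCE_LIMIT = 20        # failures from one source within WINDOW, any account
WINDOW = 15 * 60         # seconds


class LoginThrottle:
    def __init__(self):
        self._by_account = defaultdict(deque)   # account -> failure timestamps
        self._by_source = defaultdict(deque)    # source  -> failure timestamps

    @staticmethod
    def _prune(q, now):
        """Drop failures older than the window (sliding window)."""
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_blocked(self, account, source, now=None):
        now = time.time() if now is None else now
        self._prune(self._by_account[account], now)
        self._prune(self._by_source[source], now)
        return (len(self._by_account[account]) >= ACCOUNT_LIMIT
                or len(self._by_source[source]) >= SOURCE_LIMIT)

    def record_failure(self, account, source, now=None):
        now = time.time() if now is None else now
        self._by_account[account].append(now)
        self._by_source[source].append(now)

    def record_success(self, account):
        """A genuine login clears the account counter; the source counter is
        kept so a spraying source does not reset itself with one known account."""
        self._by_account.pop(account, None)


def attempt_login(throttle, account, source, password_ok, now=None):
    """Return 'blocked', 'ok' or 'failed'. The throttle is consulted before the
    credential is checked, so a blocked attempt never reaches the verifier and
    a correct guess during lockout is still refused."""
    if throttle.is_blocked(account, source, now):
        return "blocked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, source, now)
    return "failed"
```

Checking the throttle before the password means the per-account limit holds even when the attacker's next guess happens to be right; the per-source limit is what catches the "same source, different accounts" case the mitigation calls out.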
Weak passwords were set for 22% of the web applications we analyzed.
One explanation for the relatively low percentage of vulnerabilities in this category is the fact that security analysts often get to work with customer test benches rather than live systems.
Distribution of Weak User Password vulnerabilities by risk level, 2021–2023
Although the number of applications containing this type of vulnerabilities is small, the consequences of exploiting weak credentials can be significant. Depending on the account type, an attacker can get access to basic application features or administrative scenarios, which can impact business processes.
Mitigation: implement weak password checks, for example, by running new or changed passwords against a list of the 10,000 weakest passwords. Enforce password length, complexity and expiration requirements, along with other modern evidence-based password policies.
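The deny-list check in that mitigation is only useful if obvious variations are caught as well, so this added Python example (not the article's code) normalizes the candidate (case, trailing digits and symbols, common character substitutions) before comparing it with the list, then applies length and username rules. The list here is a tiny constructed stand-in for a real 10,000-entry list; the policy thresholds are likewise constructed.

```python
"""Weak-password check: normalize the candidate, compare it with a deny list,
then apply length and username rules.

Added example, not the article's code. WEAK_LIST is a tiny constructed
stand-in for a real list of the most common passwords; MIN_LENGTH is a
constructed policy value."""
import re
import unicodedata

WEAK_LIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12

# Common substitutions people use to dodge a plain list match.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})


def normalize(pw):
    """Lower-case, strip leading/trailing digits and symbols ("Password123!"),
    then undo substitutions ("P@ssw0rd"). Falls back to the lower-cased
    value when stripping would remove everything ("123456")."""
    s = unicodedata.normalize("NFKC", pw).lower()
    stripped = re.sub(r"[\d\W_]+$", "", s) or s
    stripped = re.sub(r"^[\d\W_]+", "", stripped) or stripped
    return stripped.translate(LEET)


def check_password(pw, username=""):
    """Return the reasons the password is rejected; an empty list means
    it passed every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    if lowered in WEAK_LIST or normalize(pw) in WEAK_LIST:
        problems.append("matches a commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    return problems
```

Returning every failed rule rather than the first lets the sign-up form explain all of them at once; the normalization step is what turns "P@ssw0rd123!" into a match for "password" instead of letting it through.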
The last category on the list, though not the least widespread, is Using Components with Known Vulnerabilities.
Distribution of vulnerabilities caused by using components with known vulnerabilities by risk level, 2021–2023
Among the vulnerable components were frameworks and various application dependencies, such as libraries and modules. Some of these allowed us to get access to servers used by the applications, and thus, penetrate the customers’ internal networks.
Mitigation: take regular inventories of software components you use, and update as required. Use only trusted components that have successfully passed security tests. Disable any unused components.
Remediating the most widespread web application vulnerabilities described in this study will help you to protect your confidential data and avoid compromise of web applications and related systems. For improved security of web applications and timely detection of attacks, we recommend you do the following:
For our part, we can offer help discovering vulnerabilities not just in web applications, but also in ATMs, IT infrastructure and ICSs. Through awareness of vulnerabilities and associated threats, you can better protect your information assets.
P.S. If this article seemed too basic to you and you want to discover vulnerabilities and help develop protection, you are welcome to interview with us.