Nadav Avital, Threat Analytics Manager at Imperva,reviews the state of web application vulnerabilities in 2018 and tells us what to look out for in 2019.
Web application vulnerabilities have been around for years and are often caused by application design flaws and misconfigured web servers. These vulnerabilities can be easy targets for hackers looking to capitalise on security flaws.
With more and more web application security solutions available on the market, organisations are increasingly placing more importance on ensuring the safety of their applications. Despite growing concerns over web application security, however, our research has revealed that in 2018 the overall number of new vulnerabilities elevated by 23% compared to 2017.
To really understand why the state of web application vulnerabilities took a turn for the worse in 2018, we examine the most common vulnerabilities and what businesses should be doing to stay safe from attacks.
With a staggering 267% increase from 2017, the most dominant vulnerability this year has without a doubt been injections. Injections such as SQL injections, code injections and object injections have proven to be the most common among web vulnerabilities.
Cross-site scripting bugs also continued to grow throughout the year, becoming the second most common vulnerability.
WordPress, the most popular content management system, is used by over 28% of all websites. However, despite its slow growth in new plugins, its vulnerabilities increased by 30% since 2017. Its popularity in the CMS category has motivated more attackers to develop dedicated attack tools and try their luck searching for holes in the code.
While it may come as no surprise, almost all of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it as WordPress is open source. There is no enforcement or any proper process that mandates minimum security standards.
The top ten WordPress plugins with the most vulnerabilities discovered in 2018 include Ultimate Member, Event Calendar, Coming Soon Page and GD Rating System.
Let’s not forget about Drupal. It can be said that 2018 was the year of Drupal. Despite being the third-most popular CMS, two of its vulnerabilities, Drupalgeddon2 and Drupalgeddon3, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations.
The simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers.
The announcement by PHP that versions 5.5, 5.6 and 7.0 have ended will definitely impact the industry. These versions will no longer receive security updates. Major CMS like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP. However, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions since they will not be fixed and impact every application built with these outdated versions.
As well as this, injection vulnerabilities are set to grow due to the economic implications to attackers. Injections prove popular as a result of how quickly it is to make money from the vulnerability. This is only fueling attackers’ desires.
Lastly, DevOps has become very popular in the world of IT. Their usage and demand for APIs have grown exponentially. Therefore, it is predicted that there will be an increase in the discoveries of vulnerabilities in APIs in 2019.
However, there is a silver lining amongst these vulnerabilities. The number of Internet of Things vulnerabilities declined, as well as the number of vulnerabilities related to weak authentication. Despite more people using electronic devices on a daily basis and the fear of them being easily compromised, it appears that something has definitely changed in this arena. This may be due to IoT vendors finally starting to implement better security in IoT devices. At the same time, the growth of API vulnerabilities declined slightly as well as the number of PHP vulnerabilities.
In essence, what has been shown by this research is that more protection and security is needed to protect web applications. The best way to do this is to deploy web application firewall, which can either be on-premises, in the cloud or a combination of both.
As technology continues evolving, it is important to do more to secure your website and organisation. Preventions put in place to deter the exploitation available to hackers can help dissuade future hackers from leveraging the security vulnerabilities and inevitably using it against you.
How to best tackle Vulnerability Management (VM)? Here is the first in a series from Lamar Bailey, senior director of security research at Tripwire, for organisations wanting to tackle Vulnerability Management …