Dima Bekerman and Sarit Yerushalmi, Security Research Managers at Imperva, reflect on the changes and trends in web application and database security that occurred in 2019.
Web application vulnerabilities are often caused by application design flaws and misconfigured web servers. They can be particularly easy targets for hackers who look to take advantage of system security flaws.
With more web application security solutions now readily available on the market, organisations are placing more importance on ensuring their safety. However, despite growing concerns over web application security, recent research has shown that in 2019 the overall number of vulnerabilities increased by 17.6% in 2019 compared to 2018.
Shockingly, according to Imperva’s data, almost half of vulnerabilities (47%) have a public exploit available to hackers. In addition, more than a third (40.2%) of vulnerabilities don’t have an available solution, such as a software upgrade, workaround, or software patch.
To truly understand why the state of web applications has continued to deteriorate in 2019, we delve into the most common vulnerabilities and how organisations can stay safe from future attacks.
The Most Common Vulnerability: Injections
With a 21% increase on last year, the most dominant category was, by far, Injection – an attack where the attacker supplies untrusted input to a program. with 28.1% of the total vulnerabilities seen in 2019.
When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down into the data, however, remote command execution (RCE) emerged as the bigger issue, with 3,869 vulnerabilities (19%), compared to 1,610 vulnerabilities (8%) for SQLi. This was alongside 75 vulnerabilities related to local or remote file inclusion, and 607 vulnerabilities to unsanitized file upload.
A key focus for attackers: WordPress
There was an increase in vulnerabilities in third-party components compared to 2018, with most of the vulnerabilities related to WordPress plugins. WordPress was not only the most popular platform but also dominated the number of new vulnerabilities in 2019.
The most popular content management system is WordPress which, according to market share statistics cited by BuiltWith, is used by over 33% of all websites, and by 68% of all websites using a known content management system.
Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (1,574) last year and also saw a major increase of 143% from 2018. The second major increase in the number of vulnerabilities (77%) was in Magento, from 126 in 2018 to 223 in 2019.
According to the WordPress official site, the current number of plugins is 55,173, a slight decrease from 55,271 in 2018. Despite this slower growth in new plugins, the number of WordPress vulnerabilities increased. This could be as a result of the code quality of the plugins, or the fact that WordPress is such a popular CMS, motivating more attackers to develop dedicated attack tools and try their luck searching for holes in the code.
It's not all bad: A decrease in IoT vulnerabilities
Despite the increase in the number of IoT (Internet of Things) devices and vendors, there has been a decrease of 9% in vulnerabilities, compared to 2018.
Delving deeper into IoT vulnerabilities, it was found that DoS was the most common vulnerability for IoT in 2019 with 418 vulnerabilities. The runner up was Remote Code/Command Execution with 398 vulnerabilities, and Broken Authentication (default credentials) was in third place with 157 new vulnerabilities in 2019.
Ultimately, a lesson has been learned. Manufacturers have learnt from their old mistakes and paid more attention to IoT security, giving way to a more protected environment.
What to look out for in 2020?
Despite the heightened awareness of old faithful Injection and Cross-Site-Scripting vulnerabilities and the number of tools that check code for their presence, they will still remain at the top of the chart and will not decrease throughout the year. The reason for this is the direct impact of the exploitation of these vulnerabilities, as well as – in most cases – the lack of preconditions required to exploit them.
As well as this, the number of vulnerabilities in third-parties will no doubt continue to grow. Major platforms and frameworks rely on third-party plugins. WordPress has over 55K plugins, the NPM registry has almost 450K packages for NodeJS, and PyPI has over 210K packages for Python.
As the community continues to grow, and without code standards or restrictions to publish a plugin or a package, they remain the weakest point in the application, making them the sweet spot for attackers.
However, security awareness among IoT vendors is still growing, so they will invest more in securing their devices. This will be reflected in the number of new vulnerabilities in IoT devices.
Protecting your apps and data
What has been shown by this year’s research is that more protection and security is needed to safeguard web applications. One of the best solutions for doing this is to deploy a Web Application Firewall (WAF) and Data Monitoring & Protection. The solutions may be either on-premise, in the cloud, or a combination of both depending on your needs, infrastructure, and more.
As data usage continues to expand, it’s vital to think through your security requirements. A solution supported by a dedicated security team is one to add to your selection criteria, as security teams can push timely security updates to properly defend assets.