PT Research analytic center and the experience of the Positive Technologies company in penetration testing and information security auditing show that errors in web application protection still are among the most common information security shortcomings. Moreover, web application vulnerabilities represent one of the most widespread ways for attackers to penetrate into enterprise information systems; there is a great number of factors that make web services an attractive target for attacks.
When designing applications, developers usually aim their best efforts at functionality implementation; the problems of information security and code quality are given short shrift. As a result, the overwhelming majority of web applications contain vulnerability of various risk levels.
The HTTP simplicity allows one to develop effective methods of automatic web application analysis and vulnerability detection. It considerably simplifies the job of malicious users; they can discover a great number of vulnerable web sites and then choose the most promising ones among them to attack.
Furthermore, not only can some vulnerability types be automatically detected, but they can also be automatically exploited. It is the way the malicious code is injected into a multitude of web resources; this malicious code is then used to create botnets of working stations of ordinary Internet users. The fact that web applications can be used as a platform for conducting attacks against users’ workstations makes these applications an attractive target for intruders.
Thus, when malicious users are planning an attack against the information infrastructure of a company, they investigate its web applications in the first place. Underestimation of the risk presented by vulnerabilities contained in web applications that are available from the Internet results in low security level of these applications.
Analysis of web application vulnerabilities detected in 2009 showed that almost half the reviewed systems contained errors. The statistics is based on the data about 5560 web applications gathered in the course of 6239 automatic scans and detailed analysis of 77 web applications. 13434 errors of various risk levels were detected in all reviewed applications and 1412 examples of malicious code were found on the pages of vulnerable systems. 1.7% of compromised sites were spreading malicious software; each of these sites contained vulnerabilities that allow attackers to execute arbitrary commands directly on server, which proves that such vulnerabilities can be exploited to compromise the system.
Distribution of critical vulnerabilities in web sites
The main result of investigation is deplorable. The probability to detect a critical error in a web application is about 35% by automatic scanning and 80% by comprehensive expert analysis. This fact shows that modern web applications are vulnerable not only for experienced attackers, but also for ordinary attackers who have utilities for automatic cracking.
The probability to detect vulnerabilities of various risk levels
As before [1, 2, and 3 in Russian], the most widespread errors made by application developers are Cross-Site Scripting and SQL Injection (19% and 17% of all detected vulnerabilities, respectively).
The most widespread vulnerabilities caused by web application development errors (aggregate data)
Analysis of vulnerabilities that had been detected in 2008 and then were eliminated in 2009 showed that the aggregate percentage of debugged vulnerabilities accounts for about 20%. On the whole, regular analysis of web application security and organized process of vulnerability elimination make it possible to reduce the number of vulnerable sites three times during one year.
Percentage of web sites containing vulnerabilities of various risk levels
In terms of compliance management, the situation has improved to a very little degree. Almost 84% of web applications are not compliant with PCI DSS (Payment Card Industry Data Security Standard) requirements and 81% of web applications are not compliant with criteria of ASV scanning defined in the standard.
The level of compliance of reviewed web applications with PCI DSS (QSA) requirements
The full pdf-version of this report can be downloaded from the Positive Technologies official site http://www.ptsecurity.com/download/PT-WebAppSecStat-2009.pdf