Wednesday, November 18, 2015

Web-application vulnerabilities: no light at the end of the tunnel


Web applications have spread to every kind of organization, from official sites and ERP systems to e-commerce and e-banking platforms and government service portals, and they have become a favorite entry point for attackers targeting enterprise information systems. Positive Technologies conducted a study of web application security for 2014; the key findings are summarized below.


Cases and Methodology

During the 2014 calendar year, our specialists reviewed around 300 web applications. From this pool, the experts chose 40 systems for in-depth study using the most thorough testing methods. These 40 systems belong to companies from different industries – e-commerce (30%), banking (22%), manufacturing sector (17%), IT (15%), and telecoms (13%). The study also includes one government-owned institution.

The study contains data on external web applications available on the Internet. The vulnerability assessment was conducted via black-, grey- and white-box testing with the aid of automated tools. Detected vulnerabilities were categorized according to the WASC TCv2 system, and the severity of vulnerabilities was estimated in accordance with CVSSv2. The findings only include vulnerabilities caused by code errors and configuration flaws.

Most of the web applications examined were written in PHP (58%) or ASP.NET (25%). The most common web server in 2014 was Nginx (37%), followed by Apache (26%) and Microsoft IIS (24%). The majority of the applications (85%) were production systems; the rest were test platforms still in development or acceptance testing.

Summary

All 40 of the web applications studied suffered from at least one security flaw; 1,194 vulnerabilities were found in total. 68% of the systems contained high severity vulnerabilities, 6 percentage points more than in 2013 (62%). The average number of vulnerabilities per application almost doubled, from 15.6 in 2013 to 29.9 in 2014. Most of these vulnerabilities are caused by code errors (89%); the rest are due to configuration flaws (11%).


Percentage of websites by vulnerability severity level

In 2014 the most common vulnerability, and the least dangerous, was Fingerprinting, present in 73% of the systems, followed by Cross-site Scripting (XSS), which had been the most common flaw in 2013. Fingerprinting discloses details of the software stack that help an attacker plan further attacks; exploiting XSS can give an attacker access to a user's personal details.

More than half of the sites have Credential/Session Prediction vulnerabilities, and critical SQL Injection flaws became more frequent, appearing in 48% of the applications. These flaws give an attacker unauthorized access to sensitive information stored in the application's database and can lead to full control of the target server.
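The following is an added example, not code from the report or from any of the applications tested: a minimal login check written twice, once with the string concatenation that produces the SQL Injection flaw described above and once with bound parameters. The user table and the payloads are constructed for the demo, and plaintext passwords are used only to keep it short.

```python
import sqlite3

# Constructed sample data (not from the study). Plaintext passwords are used
# only to keep the demo short; a real application stores salted hashes.
USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: the classic SQL injection.

    Input such as  ' OR '1'='1  or  alice'--  becomes part of the SQL syntax.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: user input is only ever data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# The payloads a tester sends to both handlers.  Each entry is
# (username, password, should_authenticate_in_a_correct_app).
PAYLOADS = [
    ("alice", "correct horse battery staple", True),   # legitimate login
    ("alice", "wrong", False),                         # wrong password
    ("anyone", "' OR '1'='1", False),                  # tautology injection
    ("alice'--", "", False),                           # comment out the password check
]


def run_payloads(login) -> list:
    """Return the outcome of each payload against the given login function."""
    conn = make_db()
    return [login(conn, user, pw) for user, pw, _ in PAYLOADS]


if __name__ == "__main__":
    print("vulnerable:", run_payloads(login_vulnerable))
    print("hardened:  ", run_payloads(login_hardened))
```

The vulnerable handler accepts the tautology and the comment payload as valid logins; the parameterized one rejects both and only accepts the real credentials. The same pattern applies to every database driver: the fix is not escaping quotes but keeping user input out of the query text altogether.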

Vulnerabilities by Language

The 2014 results resemble those of 2013: 81% of PHP systems suffer from high severity vulnerabilities (76% in 2013), which makes PHP the most vulnerable language in the sample. ASP.NET applications, by contrast, improved, dropping from 55% in 2013 to 44% in 2014. An average PHP application contains 11 critical vulnerabilities and an average ASP.NET application 8.4. The ASP.NET figure is heavily skewed by one outlier, an ASP.NET system with 60 high severity flaws; with that system excluded, the average for ASP.NET drops to only 2 critical vulnerabilities per application.

It is also worth noting that the share of PHP resources exposed to XSS (95%) is drastically higher than for ASP.NET (44%). This is probably due in part to the basic built-in defense ASP.NET provides against such attacks (Request Validation), which rejects requests containing HTML-like markup before the application code sees them; PHP has no equivalent, so protection depends entirely on the developer encoding output correctly.
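To show what that built-in defense does and does not buy, here is an added example (not from the report and not ASP.NET's own code). The `request_validation_rejects` filter is an assumption modelled on the documented Request Validation rule (a value is "potentially dangerous" if it contains `<` followed by a letter, `!`, `/` or `?`, or the entity prefix `&#`); the two templates stand in for a PHP page that echoes input raw and the same page with output encoding.

```python
import html
import re

# Rough model of ASP.NET Request Validation (an assumption for this demo,
# based on the documented rule that a value is "potentially dangerous" if it
# contains '<' followed by a letter, '!', '/' or '?', or the entity prefix '&#').
# It is not the framework's own implementation.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def request_validation_rejects(value: str) -> bool:
    """True when the framework-style input filter would refuse the request."""
    return _DANGEROUS.search(value) is not None


def render_unencoded(name: str) -> str:
    """PHP-style template that echoes input raw into two HTML contexts,
    like `<p>Hello <?php echo $_GET['name']; ?></p>`."""
    return f'<p>Hello {name}</p>\n<input name="q" value="{name}">'


def render_encoded(name: str) -> str:
    """Same template with output encoding; quote=True also covers the attribute."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p>\n<input name="q" value="{safe}">'


def handle(name: str, *, validate: bool, encode: bool) -> str:
    """Simulated request handler.  Returns an HTTP-style error when the
    input filter fires, otherwise the rendered page."""
    if validate and request_validation_rejects(name):
        return "400 A potentially dangerous value was detected"
    return render_encoded(name) if encode else render_unencoded(name)


def page_is_exploited(page: str) -> bool:
    """Crude oracle: a script element or an injected event-handler attribute
    survived into the markup."""
    return "<script" in page.lower() or re.search(r'"\s+on\w+\s*=', page) is not None


SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)'   # no '<', so input filtering never sees it


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTRIBUTE_PAYLOAD):
        for validate, encode in ((False, False), (True, False), (False, True)):
            page = handle(payload, validate=validate, encode=encode)
            print(f"validate={validate} encode={encode} exploited={page_is_exploited(page)}")
```

The input filter stops the obvious `<script>` payload, which is enough to explain a lower XSS rate, but the attribute-breakout payload contains no `<` and passes straight through; only contextual output encoding neutralizes both. Request Validation is a safety net for applications that forgot to encode, not a substitute for it.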


Vulnerabilities by Server

86% of the web applications served by Nginx contain high severity vulnerabilities. Applications on Microsoft IIS-based resources had high severity vulnerabilities in 44% of cases, down from 71% in 2013. By contrast, the share of vulnerable Apache sites rose dramatically between 2013 and 2014, from 10% to 70%.

The most common administrative error is Fingerprinting, present in 8 out of 10 Apache-based resources. The cause is that the default configuration of the examined servers discloses the server version in error messages (for example, in the response to a request for a nonexistent resource).
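An added example of the check a tester runs for this (not from the report or from Positive Technologies' tooling): it requests a nonexistent resource, then pulls every product/version string out of the `Server` header and the `<address>` footer that Apache appends to its default error pages. Both responses below are constructed for the demo and are not captures from any real host; the second shows the same server after hardening.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed responses to GET /does-not-exist (not captured from any real
# host).  The first is what a default Apache install returns; the second is
# the same server with `ServerTokens Prod` and `ServerSignature Off`.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 18 Nov 2015 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.4\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL /does-not-exist was not found on this server.</p>\n"
    "<hr>\n"
    "<address>Apache/2.2.22 (Ubuntu) Server at example.test Port 80</address>\n"
    "</body></html>\n"
)

HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 18 Nov 2015 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL /does-not-exist was not found on this server.</p>\n"
    "</body></html>\n"
)

# product/version pairs such as Apache/2.2.22 or PHP/5.3.10-1ubuntu3.4
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[\w.-]*)")


@dataclass
class Fingerprint:
    server_header: Optional[str]
    signature: Optional[str]          # the <address> footer Apache appends
    versions: List[str] = field(default_factory=list)

    @property
    def leaks_version(self) -> bool:
        return bool(self.versions)


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(raw: str) -> Fingerprint:
    """Collect every product/version string the response gives away."""
    headers, body = split_response(raw)
    server = headers.get("server")
    m = re.search(r"<address>(.*?)</address>", body, re.S)
    signature = m.group(1).strip() if m else None
    found = set()
    for source in (server, signature):
        if source:
            found.update(f"{name}/{ver}" for name, ver in VERSION_RE.findall(source))
    return Fingerprint(server, signature, sorted(found))


if __name__ == "__main__":
    for label, raw in (("default", LEAKY_404), ("hardened", HARDENED_404)):
        fp = fingerprint(raw)
        print(f"{label}: leaks={fp.leaks_version} versions={fp.versions}")
```

The default response hands over both the Apache and the PHP version, which is exactly what an attacker needs to look up known exploits. The fix on the server side is configuration, not code: `ServerTokens Prod` and `ServerSignature Off` in the Apache configuration, `expose_php = Off` in php.ini, and a custom error page so the stock footer is never sent.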

Vulnerabilities by Industry

In banking, 89% of the tested applications contained high severity vulnerabilities. This may be partly an artifact of the testing pool: most of the banking resources tested were not e-banking services or other systems handling money transactions, so they may not be protected to the highest standard. Telecoms followed with high severity vulnerabilities in 80% of applications, then manufacturing (71%), IT (67%) and e-commerce (42%).

Judging by the average number of vulnerabilities per system, the least protected sites are in manufacturing, with 18 critical flaws per application. The application with 60 high severity vulnerabilities mentioned above belongs to this sector; with that outlier removed, the average drops to 13.1, close to the figure for banking.

In 2014, SQL Injection, XML Injection and Directory Traversal were the most common of the critical vulnerabilities. As in the previous year, SQL Injection was found in web applications from every industry.


Percentage of vulnerable websites by industry

Vulnerabilities in Production and Test Sites

71% of the production web resources and 50% of the test sites contained critical vulnerabilities. The average number of high severity vulnerabilities in the test systems (12.8) is almost twice that of the production systems (7); production systems, however, contain more medium severity vulnerabilities (20.6 vs 14.3).

Comparison of Testing Methods

Positive Technologies experts compared the results of white-box testing (using internal system data, including source code) with those of black- and grey-box testing (using only the privileges a potential attacker would have). The share of sites containing high and medium severity vulnerabilities was similar across all three methodologies: withholding the source code from an attacker does not make a web application secure.

Source code analysis does, however, give a more thorough assessment of each application than black- and grey-box testing. In particular, white-box testing discovered 3.5 times more medium severity flaws on average. For example, black- and grey-box testing uncovered 4 XSS vulnerabilities per site on average, compared to 29 with white-box testing.


Number of vulnerabilities per system by their type and testing method


The 2014 results show a decline in the protection level of web applications compared with 2013. Only one of the tested sites was protected by a web application firewall, so WAFs are still the exception rather than the rule.

Read the full report here: www.ptsecurity.com/library/whitepapers/
