November 18, 2015

Web-application vulnerabilities: no light at the end of the tunnel


There has been significant growth in web applications, from official sites and ERP systems, to e-commerce and e-banking platforms, and portals providing government services. These applications have increasingly become a target for hackers attacking enterprise information systems. Positive Technologies conducted a study in 2014 to assess the state of web application security. The key findings are discussed below.


Cases and Methodology

During the 2014 calendar year, our specialists reviewed around 300 web applications. From this pool, the experts chose 40 systems for in-depth study using the most thorough testing methods. These 40 systems belong to companies from different industries – e-commerce (30%), banking (22%), manufacturing sector (17%), IT (15%), and telecoms (13%). The study also includes one government-owned institution.

The study contains data on external web applications available on the Internet. The vulnerability assessment was conducted via black-, grey- and white-box testing with the aid of automated tools. Detected vulnerabilities were categorized according to the WASC TCv2 system, and the severity of vulnerabilities was estimated in accordance with CVSSv2. The findings only include vulnerabilities caused by code errors and configuration flaws.

Most of the web applications examined were written in PHP (58%) and ASP.NET (25%). The most common server used in 2014 was Nginx (37%), followed by Apache (26%) and IIS (24%). The majority of the web applications, 85%, are production systems, but some test platforms still in development or acceptance were also tested.

Summary

All 40 of the web applications studied suffered from some type of security flaw. The total number of vulnerabilities found across the 40 systems is 1,194. 68% of the systems are plagued by high severity level vulnerabilities, 6% more than in 2013. In addition, in 2013, there were 15.6 vulnerabilities per application on average; in 2014, this number almost doubled to 29.9. Most of these vulnerabilities are caused by code errors (89%) and the rest are due to malformed configuration (11%).


Percentage of websites by vulnerability severity level

In 2014, the most common and least dangerous vulnerability was Fingerprinting, present in 73% of the systems, followed by Cross-Site Scripting, which had been the most common flaw in 2013. If either of these flaws is exploited, an attacker could gain access to someone's personal details.

More than half of the web sites have Credential/Session Prediction vulnerabilities, and the incidence of the critical SQL Injection flaw also increased: it was found in 48% of the web applications. Exploiting these flaws allows unauthorized access to sensitive information stored in application databases and can also lead to an attacker gaining full control of the target server.

Vulnerabilities by Language

The results in 2014 are similar to those of 2013: 81% of PHP systems suffer from dangerous vulnerabilities, compared to 76% in 2013, making PHP the most vulnerable language. ASP.NET applications, by contrast, became less vulnerable, dropping from 55% in 2013 to 44% in 2014. An average PHP application contains 11 critical vulnerabilities, while an ASP.NET application contains 8.4. These statistics are heavily skewed by one outlier, an ASP.NET system that had 60 high severity level flaws. If this outlier is excluded, the average number of critical vulnerabilities drops to only 2 per application.

It is also worth noting that the share of PHP resources exposed to XSS is drastically higher (95%) than the corresponding figure for ASP.NET (44%). This may be due to the basic defense mechanism against such attacks that is built into ASP.NET (Request Validation).


Vulnerabilities by Server

86% of web applications run on Nginx servers contain high severity level vulnerabilities. Web applications run on Microsoft IIS-based resources had such vulnerabilities in 44% of cases, a decrease from 2013, when they occurred in 71% of cases. By contrast, the share of vulnerable Apache sites increased dramatically from 2013 to 2014, from 10% to 70%.

The most common administrative error is Fingerprinting, which was present in 8 out of 10 Apache-based resources. The cause of this vulnerability is that the standard configuration of the examined servers discloses the server version through error messages (for example, when a nonexistent resource is requested).
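To show what this Fingerprinting finding looks like in practice, here is an added audit helper (not code from the report or from Positive Technologies) that checks a captured 404 response for version disclosure in headers and in the default error page body. The two responses are constructed samples: a stock Apache/PHP install, and the same request after `ServerTokens Prod`, `ServerSignature Off` and `expose_php = Off` (nginx's equivalent is `server_tokens off;`).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a stock Apache 404 page (assumption: a typical default
# install; not a capture from the report).
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /nope was not found on this server.</p><hr>"
    "<address>Apache/2.4.7 (Ubuntu) Server at example.test Port 80</address>"
    "</body></html>"
)

# Constructed: the same request after ServerTokens Prod, ServerSignature Off
# and expose_php = Off have been applied.
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /nope was not found on this server.</p></body></html>"
)

# Product/version token in page text, such as Apache/2.4.7 or nginx/1.4.6.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    # Split a raw HTTP response into status line, lower-cased headers and body.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_fingerprinting(raw: str) -> List[str]:
    """Return one finding per place a software version is disclosed."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):  # any dotted version number
            findings.append(f"header {name}: {value}")
    # Default error pages often repeat the version in a signature line.
    findings.extend(f"body: {m.group(0)}" for m in VERSION_RE.finditer(body))
    return findings
```

Run against responses captured from your own server to verify the configuration change actually removed every disclosure point, not only the Server header.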

Vulnerabilities by Industry

In the banking industry, 89% of the systems tested contained high severity level vulnerabilities. This may be caused in part by the testing pool used: the majority of the resources tested were not e-banking services or other systems that handle money transactions, so they may not feature the highest levels of data security. The telecoms industry followed with high severity vulnerabilities in 80% of systems, then the manufacturing sector (71%), IT (67%) and e-commerce (42%).

Judging by the average number of vulnerabilities per system, the least protected sites are in the manufacturing industry, with 18 critical flaws per application. It is worth noting that the aforementioned application with 60 vulnerabilities was from the manufacturing sector. If that outlier is removed, the average drops to 13.1, which matches the rate in banking.

In 2014, SQL Injection, XML Injection and Directory Traversal were the most common vulnerabilities. As in the previous year, the SQL Injection flaw was present in web applications from every industry.


Percentage of vulnerable websites by industry

Vulnerabilities in Production and Test Sites

71% of the production web resources and 50% of the test sites surveyed contained critical vulnerabilities. The average number of high severity vulnerabilities detected in the test systems, 12.8, is almost twice as high as in the production ones, 7; however, the latter contain a larger number of medium severity vulnerabilities (20.6 vs 14.3).

Comparison of Testing Methods

Positive Technologies experts compared the results of white-box testing (using internal system data, including source code) with the results of black- and grey-box testing (using privileges identical to those a potential attacker might have). The number of sites containing high and medium severity level vulnerabilities was similar across all three testing methodologies. Even if an attacker does not have access to source code, web applications are not necessarily secure.

By contrast, source code analysis allows a higher quality vulnerability assessment of each application than black- and grey-box testing. In particular, white-box testing discovers 3.5 times more medium severity flaws on average than black- and grey-box testing methods. For example, black- and grey-box testing uncovered 4 XSS vulnerabilities per site, compared to 29 when white-box testing was employed.


Number of vulnerabilities per system by their type and testing method


The 2014 results demonstrate a decrease in the protection level of web applications compared to 2013. Only one site tested had a web application firewall, so this class of product is not yet commonly used to protect web applications.

Read the full report here: www.ptsecurity.com/library/whitepapers/
