Modern web technologies allow businesses to solve organizational issues cost-effectively and efficiently and to present their services and products to a wide audience through the Internet. However, attackers may exploit websites as an easy access point to company infrastructure. This can cause financial and reputational damage, yet despite well-documented security incidents, developers and administrators still pay little attention to the security of web applications.
Positive Technologies experts examine around 300 web applications each year using techniques ranging from automated (instrumental) scanning to source-code analysis. This report summarizes the statistics and findings gathered during penetration testing of web applications in 2015. It also compares the 2015 results with those of 2013 and 2014 and tracks how the security of web applications has changed over that period.
Cases and Methodology
From the total number of applications examined in 2015, we chose 30 and conducted an in-depth analysis of each of them. The study covers the vulnerabilities found on these testbeds. The vulnerability assessment was conducted via black-, gray- and white-box testing, either manually (with the aid of automated tools) or using an automated code analyzer. The black-box technique is defined as website security testing from the perspective of an external attacker with no "inside" knowledge of the system. Gray-box testing is similar to black-box testing, except that the attacker is defined as a user who has some privileges in the system. White-box scanning presupposes the use of all relevant information about the application, including its source code.
Our statistics only include code and configuration vulnerabilities. Vulnerabilities were categorized according to WASC TC v. 2, with the exception of Improper Input Handling and Improper Output Handling, since these threats are implemented by exploiting a number of other vulnerabilities. The severity of vulnerabilities was estimated in accordance with CVSS v. 2.
These applications belong to companies from different industries — telecoms (23%), manufacturing (20%), mass media (17%), IT (17%), finance (13%), and governmental organizations (10%).
Most of the examined web applications were written in Java (43%), followed by PHP (30%). Applications based on other languages and technologies, such as ASP.NET, Perl, ABAP, and 1C, were also present. The most common web server was Nginx (34%), followed by Microsoft IIS (19%), Apache Tomcat (14%), WebLogic (14%), Apache, and SAP NetWeaver Application Server. Almost half of the resources studied were production systems available on the Internet, but some were test platforms still in development or acceptance testing at the time of the assessment.
All Sites are Vulnerable
All applications contained at least medium-severity vulnerabilities. 70% of the systems studied had a critical vulnerability, and the percentage of systems with this type of vulnerability has grown consistently over the last three years.
The second most common flaw was Information Leakage: about 50% of applications were affected. 47% of the websites were exposed to brute-force attacks, and XML External Entities (XXE) was among the most common high-severity vulnerabilities discovered in 2015. This weakness allows an attacker to read the content of files on the server or to make requests into the local network of the attacked server.
Most common vulnerabilities (%)
Development Tools: Java Better than PHP?
Previous studies showed that PHP systems were more vulnerable than applications written in ASP.NET and Java. By contrast, in 2015, 69% of Java applications were vulnerable, while PHP systems were less vulnerable: 56% in 2015 compared to 76% in 2013.
Systems with vulnerabilities of various severity levels (by development tools)
An average PHP application contains 9.1 critical vulnerabilities, a Java application contains 10.5, while applications based on other languages and development tools have only 2 vulnerabilities per application on average.
Cross-Site Scripting (XSS) was the most common vulnerability for every programming language. The percentage of PHP applications with SQL Injection decreased from 67% to 22% in 2015.
Most common vulnerabilities (by development tools)
Vulnerable Servers on Microsoft IIS
The percentage of applications run on Microsoft IIS with high-severity vulnerabilities increased in 2015. By contrast, vulnerabilities in Nginx and Apache Tomcat sites decreased from 86% to 57% and from 60% to 33% respectively.
Web applications with high-severity vulnerabilities (by web servers)
The most common administrative error was Information Leakage, and this weakness was detected in all applications based on Microsoft IIS. The second most common flaw was insufficient brute force protection.
Banks and IT: Industry Concerns
All banking and IT websites contained critical vulnerabilities, a result similar to 2014. Improvement was seen only in manufacturing and telecom applications.
Sites with high-severity vulnerabilities by industries
Almost Equally Vulnerable Production and Test Sites
The percentage of vulnerable applications already put into production is extremely high: more than half (63%) contained critical vulnerabilities. These vulnerabilities allow an attacker to obtain full control of the system (in the case of arbitrary file upload or command execution) or to obtain sensitive information (as a result of SQL Injection, XXE, etc.). An intruder can also conduct a DoS attack.
Vulnerabilities detected for test and production systems
Source Code Analysis Detects More Vulnerabilities
Source code analysis uncovers more high-severity vulnerabilities than the black-box technique; however, even black- and gray-box testing discovered a high percentage of critical flaws (59%). A web application is therefore not necessarily secure just because an intruder has no access to its source code.
Systems with vulnerabilities of various severity levels (by testing methods)
The average number of different severity vulnerabilities detected by the white-box testing is higher than the results that came from black- and gray-box testing.
Average number of vulnerabilities per system
The study also compares manual and automated (scanner-based) white-box testing. The code analyzer discovered on average 15 critical vulnerabilities per system, while manual testing detected only 4.
Average number of specified severity vulnerabilities per system
Thus, white-box testing is more effective than methods that do not involve source code analysis. Automated code analysis is particularly effective for large code bases and applications with numerous libraries.
The 2015 results demonstrate how important it is to analyze web application security regularly. Security should be analyzed at all development stages and at regular intervals (e.g. twice a year) during operational use: more than half (63%) of applications put into production contain critical vulnerabilities. This can lead to sensitive data disclosure, system compromise or failure. It is also important to use web application firewalls to protect against attacks on web applications.
You can find the full version of the report at www.ptsecurity.com/library/whitepapers/