A recent study by Kaspersky Security Assessment experts has identified the most dangerous and widespread vulnerabilities in corporate web applications developed in-house. Between 2021 and 2023, flaws related to access control and data protection were found in the majority of the several dozen applications examined. The largest share of high-risk vulnerabilities was found among SQL injections.
Web applications such as social networks, email and online services are essentially websites in which the user's browser interacts with a web server. In its latest study, Kaspersky researched vulnerabilities in web applications used by IT, government, insurance, telecommunications, cryptocurrency, e-commerce, and healthcare organizations to identify the types of attacks most likely to affect enterprises.[1]
The predominant types of vulnerabilities involved the potential for malicious use of access control flaws, and failures in protecting sensitive data. Between 2021 and 2023, 70% of the web applications examined in this study exhibited vulnerabilities in these categories.
A broken access control vulnerability is exploited when attackers bypass the website policies that restrict users to their authorized permissions. This can lead to unauthorized access, to the alteration or deletion of data, and more. The second common type of flaw involves the exposure of sensitive information such as passwords, credit card details, health records, personal data, and confidential business information, highlighting the need for stronger security measures.
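The two flaw types described above usually show up together in a single request handler: an endpoint that fetches a record by its identifier without checking who owns it, and then returns every column, including the sensitive ones. The following is an added illustration (not code from the Kaspersky study or from any application it examined) that puts such a handler next to a hardened version. The order table, user ids and card numbers are constructed sample data; `AccessDenied` and `AUDIT_LOG` are names chosen for this example.

```python
import sqlite3

# Records written by the hardened handler when it refuses a request, so that
# repeated denials can be picked up by monitoring (see the study's advice on
# logging). Plain list here; a real service would ship these to its SIEM.
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when the caller may not see the requested record."""


def build_db():
    """Constructed sample data: two users (100 and 200), one order each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER,"
        " item TEXT, card_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [
            (1, 100, "laptop", "4111111111111111"),  # owned by user 100
            (2, 200, "phone", "5500000000000004"),   # owned by user 200
        ],
    )
    return conn


def get_order_vulnerable(conn, session_user_id, order_id):
    """Broken access control plus sensitive data exposure.

    The query keys on order_id alone, so any logged-in user can read any
    order simply by changing the id, and the full card number is returned.
    session_user_id is accepted but never used.
    """
    row = conn.execute(
        "SELECT id, owner_id, item, card_number FROM orders WHERE id = ?",
        (order_id,),
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "owner_id": row[1], "item": row[2],
            "card_number": row[3]}


def get_order_hardened(conn, session_user_id, order_id):
    """Ownership is part of the query, and the response is minimised.

    Filtering on owner_id in SQL means the authorization check cannot be
    skipped by a later code path that forgets to call it. A missing order
    and someone else's order produce the same denial, so the endpoint does
    not reveal which ids exist. Only the last four card digits are returned.
    """
    row = conn.execute(
        "SELECT id, item, card_number FROM orders"
        " WHERE id = ? AND owner_id = ?",
        (order_id, session_user_id),
    ).fetchone()
    if row is None:
        AUDIT_LOG.append({"event": "order_access_denied",
                          "user": session_user_id, "order": order_id})
        raise AccessDenied("order not found or not owned by caller")
    return {"id": row[0], "item": row[1],
            "card_number": "****" + row[2][-4:]}


if __name__ == "__main__":
    db = build_db()
    print(get_order_vulnerable(db, 200, 1))   # user 200 reads user 100's card
    print(get_order_hardened(db, 100, 1))     # owner sees masked number
    try:
        get_order_hardened(db, 200, 1)
    except AccessDenied as exc:
        print("denied:", exc, AUDIT_LOG[-1])
```

The point of the hardened version is that the tenant or owner filter lives in the data access layer rather than in a check that each caller must remember to perform, and that the denial is recorded: a burst of `order_access_denied` events from one session against sequential order ids is exactly the pattern an id-enumeration attempt leaves behind.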
“The rating was compiled by considering the most common vulnerabilities in web applications developed in-house in various companies and their level of risk. For instance, one vulnerability could enable attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience. Our rankings reflect this consideration, drawing from our practical experience in conducting security analysis projects,” explains Oxana Andreeva, a security expert on the Kaspersky Security Assessment team.
| Type of vulnerability | Share of web applications that contain it | Share of high-risk vulnerabilities | Share of medium-risk vulnerabilities | Share of low-risk vulnerabilities |
|---|---|---|---|---|
| Broken Access Control | 70% | 37% | 49% | 14% |
| Sensitive Data Exposure | 70% | 9% | 28% | 63% |
| Server-Side Request Forgery (SSRF) | 57% | 15% | 66% | 19% |
| SQL Injection | 43% | 88% | 12% | – |
| Cross Site Scripting (XSS) | 61% | 11% | 78% | 11% |
| Broken Authentication | 52% | 21% | 47% | 32% |
| Security Misconfiguration | 43% | 15% | 41% | 44% |
| Insufficient Protection from Brute Force Attacks | 39% | 11% | 39% | 50% |
| Weak User Password | 22% | 78% | 22% | – |
| Using Components with Known Vulnerabilities | 13% | 43% | 43% | 14% |
Kaspersky experts also looked at how dangerous the vulnerabilities in the groups listed above were. The largest proportion of vulnerabilities posing a high risk were associated with SQL injections. In particular, 88% of all the analyzed SQL Injection vulnerabilities were deemed to be high-risk.
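SQL injection ranks as the most severe category in the table because the input reaches the database as part of the statement text rather than as a value. The following added example (not from the study or any application it covered) shows the defect next to its standard remediation, a parameterized query, using a constructed single-row `users` table; the stored `pw_hash` value is a placeholder string, not a real hash.

```python
import sqlite3


def build_users_db():
    """Constructed sample table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'placeholder-hash-not-real')"
    )
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL statement.

    Anything the caller types is parsed by the database engine, so an
    apostrophe in a legitimate name breaks the query and crafted input can
    change its logic.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """Bound parameter: the driver sends the value separately from the SQL.

    The engine compiles the statement with a placeholder and only then
    substitutes the value as a string literal, so the input can never be
    interpreted as SQL syntax. This is the remediation for the whole
    category, independent of what the input looks like.
    """
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def lookup_outcome(fn, conn, username):
    """Run a lookup and report its result or that it raised a SQL error.

    Helper for comparing the two implementations on the same input; a
    query error on ordinary input is itself a sign of the defect.
    """
    try:
        return ("rows", fn(conn, username))
    except sqlite3.OperationalError:
        return ("sql_error", None)


if __name__ == "__main__":
    db = build_users_db()
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(value),
              "vulnerable:", lookup_outcome(find_user_vulnerable, db, value),
              "parameterized:", lookup_outcome(find_user_parameterized, db, value))
```

Two observations follow from running it. The concatenated query fails on `O'Brien`, a perfectly ordinary username, which is why injection defects are often first noticed as functional bugs; and the tautology input returns the account row from the vulnerable lookup while the parameterized lookup simply finds no user named that. Parameterized queries (or an ORM that emits them) close the category; input filtering alone does not.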
Another significant share of high-risk vulnerabilities was found to be linked with weak user passwords. Within this category, 78% of all vulnerabilities analyzed were classified as high-risk.
It is important to note that only 22% of all the web applications Kaspersky Security Assessment team studied had weak passwords. One possible reason is that the apps included in the study sample may have been test versions rather than actual live systems.
To delve more deeply into the study, visit the Securelist website. The vulnerability categories outlined in the research align with the categories and subcategories of the OWASP Top Ten. Remediating the most widespread web application vulnerabilities described in the study will help companies protect confidential data and avoid the compromise of web applications and related systems. To improve the security of web applications and to detect possible attacks on them in a timely manner, the Kaspersky Security Assessment team recommends:
- using Secure Software Development Lifecycle (SSDLC);
- performing regular application security assessment;
- using logging and monitoring mechanisms to track application operation.
[1] The web applications analyzed in this study were developed in-house by the companies that own them.