70% of websites have critically dangerous vulnerabilities that allow attackers access the site and cause serious trouble not only to its owner but also to many users. According to the results of 2015, Java applications turned out to be the leakiest ones, the proportion of highly vulnerable Microsoft IIS servers increased. The usage of automated source code analyzer proved to detect 3 times more dangerous vulnerabilities than manual checks.
These are the findings set forth in the study by the company Positive Technologies. This data was collected through Web applications vulnerability analysis performed in 2015. Comparison with the studies held in previous years allows assessing information vulnerability in modern Web apps. This article provides insight into the main findings of the study.
Sources and Methods
Each year experts from Positive Technologies examine more than 250 Web applications during all kinds of research ranging from instrumental scanning to analysis of source code. Following the research findings of 2015, 30 applications were chosen for carrying out an in-depth analysis with the most comprehensive checks coverage. At the same time, only the vulnerabilities that had been confirmed by carrying out checks on the test stand were taken into account.
The vulnerability was assessed by black-box, gray-box and white-box testing. It was performed both manually (using supplemental automation tools) and using automated code analyzer. Black box testing stands for site research on behalf of an outsider without access to additional information about the system on the part of the site owner. Gray-box testing is quite similar, but in this case, the offender is a user with certain privileges in the system. White-box testing uses all the necessary data about the system, including applications source code.
This statistics chart only exhibits vulnerabilities related to the errors in the code and web applications configuration. Vulnerabilities are classified according to the threats by WASC TC v. 2, except for Improper Input Handling and Improper Output Handling categories, as they are carried out in a variety of other attacks. Vulnerability risk score was assessed according to CVSS v. 2.
The applications under study belonged to the companies representing telecommunications (23%), industry (20%), mass media (17%), IT (17%), finance (13%) and government organizations (10%).
Most web applications under study are written in Java (43%) and PHP (30%). The study also included apps developed in ASP.NET, Perl, ABAP, 1C and other technologies. Applications were handled by Nginx (34%), Microsoft IIS (19%), Apache Tomcat (14%) and WebLogic (14%) servers, as well as by Apache and SAP NetWeaver Application Server. Approximately half of the investigated resources (53%) were the productive systems which are already available to users via the Internet. The second half of the tested sites were in the process of development or acceptance into operation.
Most common vulnerabilities
Vulnerabilities of at least average risk level were detected in all apps under study. At the same time, 70% of the examined systems demonstrated critical severity vulnerabilities. In the past three years, the share of such systems has grown from 61% in 2013 to 68% in 2014.
Second most common vulnerability detected in every second web application is Information Leakage. 47% of websites also demonstrate vulnerabilities coming from the lack of protection against capturing user credentials (Brute Force). The most common high-risk vulnerability in 2015 turned out to be an XML External Entity injection. This vulnerability allows an attacker to obtain the contents of the files located on the server under attack, or to make queries to the local network on behalf of the attacked server.
Development tools: Java is not better than PHP
Studies held in previous years proved that PHP applications tended to be more vulnerable than the systems developed using ASP.NET and Java. However, today the situation has changed: 69% of Java applications are subject to high severity vulnerabilities, and for PHP systems this figure is 56%, which is 20% lower than in 2013.
In average, each PHP web application contains 9.1 critical severity vulnerabilities, Java apps – 10.5. As for average data for all other programming languages and development tools, each system accounts for only 2 critical vulnerabilities.
Cross-Site Scripting is the most found vulnerability typical of all programming languages. The share of applications vulnerable to SQL injections has decreased as compared to 2014: then it was identified in 67% of Web resources developed on PHP, and now it is found only in 22% of those.
Leaky Servers on Microsoft IIS
The share of Microsoft IIS based resources with high-risk vulnerabilities has increased significantly compared to previous years and reached a maximum value. At the same time, the share of vulnerable sites based on Nginx has decreased (from 86% to 57%), as well as those based on Apache Tomcat (from 60 to 33%).
Web apps with high severity vulnerabilities (sorted by server type)
The majority of servers demonstrated high vulnerability to Information Leakage. This flaw was detected in all investigated apps hosted on Microsoft IIS based servers. Second most found vulnerability is the lack of protection against Brute Force.
Sites of Banks and IT-companies at Risk
Shares of applications with high severity vulnerabilities by industry
Production systems are protected barely better than test systems
The share of vulnerable applications already in use is very high: most of them (63%) are subject to critical vulnerabilities. Such deficiencies allow an attacker to gain complete control over the system (for example, download random files or execute commands) and receive sensitive information (e.g., as a result of SQL or XML External Entity injections). Also, an intruder may carry out such attacks as “service denial”.
Critical vulnerabilities for test and production systems (the share of vulnerable systems)
Source code check is more effective in identifying dangerous vulnerabilities
The share of highly vulnerable systems detected by black-box testing is significantly lower than that of the sites where the source code was analyzed. However, even black-box and gray-box checks detected a considerable amount of highly vulnerable resources (59%). Thus, absence of access to the source code does not make Web apps invulnerable for attackers.
Share of systems with vulnerabilities of different risk levels by type of testing
At the same time, an average amount of different risk level vulnerabilities per each system identified by white-box checks significantly exceeds that detected via black-box and gray-box testings.
The study also compared the findings of manual white-box checks and analysis provided by an automated scanner. At the average, code analyzers discovered 15 high severity vulnerabilities per system (only confirmed vulnerabilities were taken into account), while manual testing detected just 4 vulnerabilities.
Average number of vulnerabilities of different severity levels per system by different methods of testing
Thus, white box testing turned out to be significantly more effective than methods which do not include source code testing. Yet automated code analysis proved its efficiency, especially considering high volume of code in modern applications which utilize multiple libraries.
In general, the study confirms necessity of regular Web apps security checks. Vulnerability analysis is vital at all stages of development, as well as regular screening (e.g. twice per year) during the system operation. Besides that, working applications require effective protection against attacks: the majority of them (63%) demonstrated high severity vulnerabilities. Aforementioned deficiencies can lead not only to disclosure of sensitive data, but also to a full system compromise or its failure. To protect resources against such attacks it is recommended to use application-level firewalls.