A new report on 5,500 companies, comprising 15,000 website and network scans performed on over 1.9 million files, found that nearly half of the web applications scanned contained a ‘high security’ vulnerability such as XSS or SQL Injection, while over 4 out of 5 web applications were affected by a medium security vulnerability. Many scans also found that the main superbugs of 2014 have not been patched, especially POODLE.
Overall, the findings confirmed that web application vulnerabilities are increasingly posing serious threats to organisations’ overall security posture, such as data loss or alteration, system down-time, loss of reputation and severe fines from the regulator, amongst others.
“Website security should be a priority in any organisation, but remains the most overlooked aspect of securing the enterprise. Hackers continue to concentrate their efforts on web-based applications since they often have direct access to back-end data such as customer databases,” security vendor Acunetix said in its report.
According to the report, both web applications and perimeter servers are vulnerable to high and medium security vulnerabilities.
Nearly 10 percent of the servers scanned were found to be vulnerable to high security risks, and 50 percent had a medium security vulnerability. “Keeping in mind most of these servers are perimeter servers, having a network vulnerability on these internet-facing servers could spell disaster, as this could easily lead to server compromise and possibly be escalated further.”
Cross-site Scripting (XSS) and Denial of Service (DoS) vulnerabilities topped the list, with a significant 38 percent of websites being vulnerable to each of these attacks. Following closely at 28 percent are SSL-related vulnerabilities such as Heartbleed and POODLE, and SQL Injection (SQLi) at 27 percent of the sites scanned by Acunetix OVS.
The report findings show a whopping 95 percent of XSS vulnerabilities involved Reflected Cross-site scripting, with only 5 percent being made up of DOM-based and Stored XSS. SQL Injection accounted for over 25 percent of vulnerabilities detected.
Of the 1455 SQL Injection vulnerabilities detected, 829 scanned websites were found to be vulnerable to Blind SQL Injection. “SQL Injection is still possible when the results of the injection are not visible to the attacker. This is referred to as Blind SQL Injection,” the report stated.
2014 and, so far, 2015 have been bad years for TLS/SSL. The run started with Heartbleed in April 2014, continued with the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability in September 2014, and was followed by the Factoring RSA Export Keys (FREAK) vulnerability discovered in March 2015. 37 percent of websites vulnerable to SSL vulnerabilities were found to be using what are considered weak ciphers. POODLE accounts for a staggering 23 percent of TLS/SSL-related vulnerabilities.
Security ‘Superbugs’ were a prominent topic throughout 2014 and so far throughout 2015, the report said. In 2014, Heartbleed (CVE-2014-0160), Shellshock and Padding Oracle On Downgraded Legacy Encryption (POODLE) (CVE-2014-3566) garnered discussion in online forums, while in 2015 the GHOST vulnerability (CVE-2015-0235), the Factoring attack on RSA-EXPORT Keys (FREAK) vulnerability (CVE-2015-0204) and MS15-034 (CVE-2015-034) have already achieved a great deal of publicity.
“Such widespread bugs will continue to be exploited in the years to come, and this is clearly shown in our scan results, which are still detecting bugs (like BREACH) that had been discovered nearly 2 years ago.”
According to the Acunetix report, 961 instances of Directory Listing were identified, on 17.36 percent of all the servers scanned. Directory Listing refers to a server misconfiguration that could divulge sensitive information to an attacker.
Nearly 765 web applications scanned, or 13.82 percent of all the servers scanned, were vulnerable to Host Header Attacks — cases where an attacker can influence functionality within web applications that implicitly trust the HTTP Host header value, for example when the application uses it to build absolute URLs.
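The mitigation for the Host header problem described above is to never let a client-supplied Host reach application logic unchecked. The following is an added example, not code from the Acunetix report: the hostnames in ALLOWED_HOSTS and CANONICAL_HOST are constructed configuration values, and the two reset-link builders are hypothetical helpers that show the weak pattern beside the hardened one.

```python
# Added example (not from the Acunetix report): validate the HTTP Host header
# against an explicit allowlist, and build outgoing absolute URLs (password
# reset links, redirects, cache keys) from configuration rather than from the
# client-controlled header.
from urllib.parse import urlsplit

# Constructed configuration: the hostnames this deployment actually serves.
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
CANONICAL_HOST = "shop.example.com"


def normalize_host(raw):
    """Return the lower-cased hostname from a Host header value, or None if the
    value is empty, unparsable, or smuggles extra URL components (userinfo,
    path, query) that would let an attacker confuse naive string checks."""
    if not raw:
        return None
    try:
        parts = urlsplit("//" + raw.strip())
        parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return None
    if parts.username or parts.path or parts.query or parts.fragment:
        return None
    return parts.hostname  # already lower-cased, port stripped, IPv6 brackets removed


def is_trusted_host(raw):
    """True only when the Host header names a host this application serves."""
    host = normalize_host(raw)
    return host is not None and host in ALLOWED_HOSTS


def reset_link_unsafe(headers, token):
    """Weak pattern (hypothetical): the link is built from whatever Host the
    client sent, so a forged header lands the token on an attacker's host."""
    return f"https://{headers.get('Host')}/reset?token={token}"


def reset_link_safe(headers, token):
    """Hardened pattern (hypothetical): reject unknown hosts up front and build
    the link from the configured canonical host, never from the request."""
    if not is_trusted_host(headers.get("Host")):
        raise ValueError("untrusted Host header")
    return f"https://{CANONICAL_HOST}/reset?token={token}"
```

In a real deployment the same allowlist check belongs in a middleware that runs before any handler, and the web server or load balancer in front should also refuse requests for unknown hostnames.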
Vulnerable JS Libraries were identified on 664 web applications, which accounted for 11.99 percent of all servers scanned.
There are two major areas that affect WordPress security – vulnerabilities that affect the WordPress core and others that affect specific plugins or themes. The top two WordPress vulnerabilities detected were 144 instances of WordPress Username Enumeration and 85 instances of XML-RPC Authentication Bruteforce.
In addition, 38 percent of the servers scanned contained vulnerabilities that leave the site open to a Denial of Service (DoS), which can be crippling to modern e-commerce and online operations. The most common of these vulnerabilities is the Slow HTTP DoS Attack, often referred to simply as Slowloris.
“The next most common DoS vulnerability is specific to Apache and is caused by the way multiple overlapping ranges are handled by the Apache server.”
Acunetix also analysed the vulnerabilities which are specific to the three most popular web servers – Apache, IIS and nginx. The study found 18,266 vulnerabilities on 2,716 Apache web servers, 5,029 vulnerabilities on 1,111 IIS servers, and 1,391 vulnerabilities on 303 nginx servers.
When it comes to network vulnerabilities, SSH-related vulnerabilities top the list, the most common being CVE-2012-0814. The security company also discovered server-specific vulnerabilities, most of which were discovered over a year ago, such as CVE-2011-3208.
Nick Galea, CEO at Acunetix, said, “These are worrying stats, showing businesses are failing in some basic web security areas… it’s just like leaving your wallet or unlocked phone lying around in a public place. It’s more a question of how long it takes, rather than if at all, before you are compromised.”