Experts at Positive Technologies analyzed the security state of web applications and found that in 9 out of 10 cases an attacker can attack the site's visitors. In addition, 16% of applications contain vulnerabilities that allow an attacker to gain full control over the system, and 8% allow attacks on the company's internal network. Having gained full access to the web server, attackers can post their own content on the compromised site (deface it) or attack its visitors, for example by infecting their computers with malware.
According to the study, in 2019 the proportion of web applications containing high-risk vulnerabilities decreased significantly (by 17 percentage points compared to 2018). The average number of vulnerabilities per application fell by a factor of almost one and a half compared with the previous year. Despite this, the overall level of web application security is still rated as low.
82% of all identified vulnerabilities were caused by errors in the code. According to the experts, even among production systems, high-risk vulnerabilities were found in every second one.
The high percentage of errors in the source code indicates that the code is not checked for vulnerabilities at intermediate stages of development, and that developers still pay too little attention to security, focusing on application functionality instead.
In 45% of the web applications studied, the experts found Broken Authentication vulnerabilities; many vulnerabilities in this category are critical.
“Most authentication attacks are caused by users setting only a password,” said Olga Zinenko, analyst at Positive Technologies. “The absence of a second factor makes authentication attacks easy to implement. This problem is compounded by the fact that users try to come up with easier passwords. Bypassing access restrictions usually results in unauthorized disclosure, alteration or destruction of data.”
According to the experts, 90% of web applications are at risk of attacks on their clients. As in previous years, XSS plays a significant role in this. Examples of attacks on users include infecting their computers with malware (the share of this method in attacks on individuals rose to 62% in the third quarter of the year from 50% in the second), phishing for credentials or other sensitive data, and performing actions on the user's behalf via clickjacking, in particular to inflate likes and views.
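The two client-side attack classes named above, XSS and clickjacking, are both addressed on the server. The following is an added example written for this article, not code from the Positive Technologies report: it contrasts a vulnerable comment renderer with an escaped one, and shows the response headers (`Content-Security-Policy` with `frame-ancestors`, `X-Frame-Options`) that stop a page from being framed by a clickjacking site. The sample comment and the `check_headers` helper are constructed for illustration.

```python
"""Added example: XSS and clickjacking mitigations for a web application.
Not from the report; the comment text and helper names are constructed."""
import html
from typing import Dict, List

# Constructed sample: visitor-supplied text that carries markup.
USER_COMMENT = "<script>alert(1)</script>Nice article!"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user text is concatenated straight into the HTML body,
    so any tags it contains become live markup executed in other visitors'
    browsers (stored XSS)."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: escape for an HTML text context. quote=True also neutralises
    quotes, so the same routine is safe inside a quoted attribute value."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def contains_active_markup(rendered: str) -> bool:
    """Illustrative check: a response built from user data must not contain
    an unescaped script tag."""
    return "<script" in rendered.lower()


def security_headers() -> Dict[str, str]:
    """Response headers a defender sets: frame-ancestors 'none' forbids framing
    (clickjacking); a CSP without 'unsafe-inline' limits what injected script
    can do; X-Frame-Options covers browsers that predate CSP level 2."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; frame-ancestors 'none'"
        ),
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    }


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return the anti-clickjacking protections missing from a response,
    as a scanner or a deployment test would report them."""
    missing = []
    if "frame-ancestors" not in headers.get("Content-Security-Policy", ""):
        missing.append("Content-Security-Policy frame-ancestors")
    if headers.get("X-Frame-Options", "").upper() not in ("DENY", "SAMEORIGIN"):
        missing.append("X-Frame-Options")
    return missing


if __name__ == "__main__":
    print(render_comment_unsafe(USER_COMMENT))
    print(render_comment_safe(USER_COMMENT))
    print("missing on bare response:", check_headers({}))
    print("missing on hardened response:", check_headers(security_headers()))
```

Escaping must match the output context: `html.escape` is right for text nodes and quoted attributes, but data placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, and a template engine with auto-escaping enabled is the more robust way to get this by default.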