According to the Web Application Vulnerability and Threats report: Statistics for 2019, recently released by Positive Technologies, a company specialized in providing enterprise solutions for security and compliance, 9 out of 10 hackers are able to
Positive Technologies experts also pointed out that 16 percent of applications contain vulnerabilities that allow attackers to take full control of the system and that, on 8% of systems, full control of the web application server allowed attackers to move on to the local network.
With full access to the web server, hackers can also place their own content on the attacked site (defacement) or even attack site visitors, for example by infecting their computers with malware.
Positive Technologies experts analysed 38 fully functional web applications belonging to financial organisations (26% of the total number of apps analysed), state institutions (8%), IT companies (29%), telecommunications companies (21%) and industry (16%).
The level of security of web applications was measured by Positive Technologies with tests and evaluations, and assigned based on the potential impact on the particular system in question, in the context of the type of information processed.
The financial institutions’ web applications, according to the report, registered the best security in 2019: no system in this sector received a “poor” or “extremely poor” security rating. The web applications of state institutions were the least secure: they all contained high-risk vulnerabilities and their security was classified as “poor” or “below average.”
The percentage of web applications containing high-risk vulnerabilities, again according to the Positive Technologies report, decreased significantly in 2019, by 17 percentage points compared to the previous year. The average number of serious vulnerabilities per web application also decreased by almost 1.5 times. However, the overall level of security of web applications remains low.
According to the experts of Positive Technologies, half of the websites in production contained high-risk vulnerabilities. In addition, 82% of vulnerabilities were in the application code. The high percentage of errors in the source code suggests that the code is not checked for vulnerabilities during development. According to Positive Technologies, this indicates that developers give security only cursory attention, focusing instead on the functionality of the app.
Broken authentication was detected in 45% of web applications, and many vulnerabilities in this category are classified as critical.
Positive Technologies points out that password-only authentication is a factor contributing to most attacks. The lack of two-factor authentication makes attacks very easy and users tend to use weak passwords, which makes things worse. Bypassing access restrictions usually leads to unauthorised disclosure, modification or destruction of data.
Perhaps the most worrying fact is that, according to the experts of Positive Technologies, 90% of web applications are vulnerable to attacks on clients. Cross-Site Scripting (XSS) remains a significant vulnerability, as in previous years.
Attacks against users include infecting computers with malware (the percentage of this type of attack on people rose to 62% in the third quarter of 2019, compared to 50% in the second quarter), phishing attacks aimed at obtaining credentials or other important data,
The full Web Application Vulnerability and Threats: Statistics for 2019 report can be found on the Positive Technologies website.