WhiteHat Security released new threat research titled Top 10 Application Security Vulnerabilities of 2018. The report details the most common web exploits used by malicious attackers during 2018.
Examples of Top Application Vulnerabilities for 2018:
1. jQuery File Upload RCE - CVE-2018-9206
jQuery File Upload is a popular open source package that allows users to upload files to a website. The flaw lets an attacker upload a web shell through that same mechanism and then run commands on the server. The vulnerability can be traced back to 2015, and all versions prior to 9.22.1 are vulnerable.
2. Magecart
Magecart is a card-skimming attack that cannot be overlooked, even though it has no Common Vulnerabilities and Exposures (CVE) identifier. This attack originated from a black hat group in 2018, and companies like Ticketmaster, British Airways, Feedify, ABS-CBN and Newegg were among its victims. Magecart breaches a site and replaces the JavaScript that handles payments with malicious code that sends payment details to the attackers, without the end user noticing anything.
3. WordPress DoS - CVE-2018-6989
In WordPress, unauthenticated users can perform a Denial of Service (DoS) attack by abusing the load-scripts.php file, which lets a single request ask for a large number of JavaScript files at once. Each such request consumes a disproportionate amount of server resources, so a stream of them quickly exhausts the server and leads to a DoS.
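The WordPress item above describes requests that bundle many script handles into one load-scripts.php call. The following detection script is an added example written for this page, not code from WhiteHat or WordPress; it scans constructed access-log lines and flags requests whose `load[]` (or `load`) parameter lists an unusually large number of handles. The log format, the 50-handle threshold and the sample handle names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format), for illustration only.
# The second request carries 120 script handles in a single load[] parameter.
_MANY_HANDLES = ",".join(f"handle{i}" for i in range(120))
SAMPLE_LOG = (
    '203.0.113.10 - - [12/Mar/2018:10:00:01 +0000] '
    '"GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9 HTTP/1.1" 200 51234\n'
    '203.0.113.10 - - [12/Mar/2018:10:00:02 +0000] '
    f'"GET /wp-admin/load-scripts.php?c=1&load%5B%5D={_MANY_HANDLES} HTTP/1.1" 200 912345\n'
    '198.51.100.7 - - [12/Mar/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4321\n'
)

# Minimal Common Log Format parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def count_load_handles(target: str) -> int:
    """Number of script handles requested via load-scripts.php (0 for other URLs).

    Assumes the comma-separated load[] / load query parameter format that script accepts.
    parse_qs percent-decodes the key, so 'load%5B%5D' is looked up as 'load[]'.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/load-scripts.php"):
        return 0
    handles = []
    for key in ("load[]", "load"):
        for value in parse_qs(parts.query).get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return len(handles)


def find_suspicious(log_text: str, threshold: int = 50) -> list[tuple[str, int]]:
    """Return (client_ip, handle_count) for every request at or above the threshold.

    The threshold is an assumed tuning value; baseline it against normal admin traffic.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not parse rather than failing the whole scan
        n = count_load_handles(m["target"])
        if n >= threshold:
            hits.append((m["ip"], n))
    return hits


if __name__ == "__main__":
    for ip, n in find_suspicious(SAMPLE_LOG):
        print(f"{ip}: {n} handles in one load-scripts.php request")
```

Alerting on the per-IP count of such requests over a short window, rather than on a single hit, reduces false positives from large legitimate admin pages.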
In the past months, WhiteHat has analyzed and validated several million attack vectors across multiple market sectors. The WhiteHat Security platform is powered by a combination of automation, artificial intelligence and human intelligence to ensure that only actionable security threats are reported to its customers.
The Top 10 Application Security Vulnerabilities of 2018 reflect a combination of observed trends from the WhiteHat Security vulnerability data lake and active customer feedback on the threats across its enterprise application portfolio.