A recent study by Kaspersky Security Assessment experts has identified the most dangerous and widespread vulnerabilities in corporate web applications developed in-house. Between 2021 and 2023, flaws related to access control and data protection were found in the majority of the examined applications, totaling several dozen. The largest number of high-risk vulnerabilities were SQL injections.
Web applications such as social networks, email, and online services are sites where users interact with a web server through a browser. In our latest study, Kaspersky examined vulnerabilities in web applications used by IT, government, insurance, telecommunications, cryptocurrency, e-commerce, and healthcare organizations to identify the types of attacks enterprises are most likely to face.
The predominant vulnerability types involved the potential for malicious exploitation of access control flaws and failures to protect sensitive data. Between 2021 and 2023, 70 percent of the web applications examined in this study exhibited vulnerabilities in these categories.
A broken access control vulnerability is exploited when attackers bypass the website policies that limit users to their authorized permissions. This can lead to unauthorized access, alteration or deletion of data, and more. The second common type of flaw involves the exposure of sensitive information such as passwords, credit card details, health records, personal data, and confidential business information, highlighting the need for stronger security measures.
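As an added illustration (not code from the Kaspersky study), the following Python snippet shows the most common shape of a broken access control flaw, an object lookup that authenticates the caller but never checks ownership, next to a hardened version that makes the ownership condition part of the query and records denied requests for monitoring. The invoice table, user ids and amounts are constructed sample data.

```python
import sqlite3


def make_invoice_db():
    """Constructed sample data: two users (ids 100 and 200), each owning one invoice."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)", [(1, 100, 250), (2, 200, 999)]
    )
    return conn


def get_invoice_broken(conn, current_user_id, invoice_id):
    """Vulnerable handler: the caller is authenticated, but the requested object
    is looked up by id alone, so any logged-in user can read any invoice by
    changing the id in the request."""
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_fixed(conn, current_user_id, invoice_id, denied_log=None):
    """Hardened handler: the ownership condition is part of the query, so a
    record is returned only if the caller owns it. A denied request is
    appended to denied_log so monitoring can spot id enumeration across accounts."""
    row = conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    if row is None and denied_log is not None:
        denied_log.append(
            {"user": current_user_id, "invoice": invoice_id, "result": "denied"}
        )
    return row


if __name__ == "__main__":
    db = make_invoice_db()
    print(get_invoice_broken(db, 100, 2))      # user 100 reads user 200's invoice
    log = []
    print(get_invoice_fixed(db, 100, 2, log))  # None: the request is refused
    print(log)                                 # and the denial is recorded
```

The fix is to authorize per object, not per endpoint: a session that proves who the caller is says nothing about which records they may see, so the ownership (or role) check belongs next to every data access, and the denials it produces are a useful detection signal.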
"This rating was compiled by considering the most common vulnerabilities in web applications developed in-house in various companies and their level of risk," explains Oxana Andreeva, a security expert on Kaspersky's Security Assessment team. "For instance, one vulnerability could enable attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience. Our rankings reflect this consideration, drawing from our practical experience in conducting security analysis projects."
Kaspersky experts also examined how dangerous the vulnerabilities in the groups listed above were. The largest proportion of high-risk vulnerabilities was associated with SQL injections: 88 percent of all the analyzed SQL injection vulnerabilities were deemed high-risk.
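As an added example (not from the Kaspersky study), the Python snippet below contrasts the defect behind an SQL injection, untrusted input pasted into the SQL text, with a parameterized query, and also shows that the same fix handles legitimate input containing quotes, which the vulnerable version cannot. The user table and names are constructed sample data.

```python
import sqlite3


def make_user_db():
    """Constructed sample data; the third name contains a legitimate apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the untrusted value is pasted into the SQL text, so a quote
    character in the input changes the structure of the statement instead of
    being compared as data."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Hardened: a placeholder plus a parameter tuple. The driver hands the
    value to the engine separately from the SQL text, so it can only ever be
    matched as a literal string, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_user_db()
    print(find_user_parameterized(db, "bob"))
    print(find_user_parameterized(db, "O'Brien"))       # apostrophe handled correctly
    print(find_user_parameterized(db, "x' OR '1'='1"))  # []: treated as a literal name
    try:
        find_user_vulnerable(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable query fails on a legitimate name:", exc)
```

Parameterization is the remediation that removes the whole class rather than filtering individual characters: the database never parses user input as SQL, so the high-risk outcome (reading or modifying data outside the intended query) is not reachable, and the application stops breaking on ordinary names with apostrophes at the same time.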
Another significant share of high-risk vulnerabilities was found to be linked with weak user passwords. Within this category, 78 percent of all vulnerabilities analyzed were classified as high-risk.
It is important to note that only 22 percent of all the web applications studied by the Kaspersky Security Assessment team had weak passwords. One possible reason is that the applications in the study sample may have been test versions rather than live production systems.
The vulnerability categories outlined in the research align with the categories and subcategories of the OWASP Top Ten. Remediating the most widespread web application vulnerabilities described in the study will help companies protect confidential data and avoid compromise of web applications and related systems. To improve the security of web applications and to detect possible attacks on them in a timely manner, the Kaspersky Security Assessment team recommends:
- Using a Secure Software Development Lifecycle (SSDLC);
- Performing regular application security assessments;
- Using logging and monitoring mechanisms to track application operation.
For more information, please visit Securelist.