Acunetix Vulnerability Testing Report 2017
Note: this is a reprint of the June 6, 2017, Acunetix report. The original report can be found here.
Each year the Acunetix Team compiles a report based on data from Acunetix Online. This third Vulnerability Testing Report contains data and analysis of vulnerabilities detected by Acunetix throughout the period of March 2016 to March 2017, illustrating the state of security of web applications and network perimeters.
With Cross-site Scripting (XSS) vulnerabilities found on 50% of sampled targets, this year's findings continue to reaffirm the widely held understanding that the web application vector is a major, viable and low-barrier-to-entry vector for attackers.
For the purpose of this analysis, a random sample of 11,600 subscribers who had successfully scanned one or more Scan Targets was drawn from a possible 43,200 subscribers.
This dataset focuses predominantly on high and medium-severity vulnerabilities found in web applications as well as perimeter network vulnerability data.
Vulnerabilities at a Glance
Web Vulnerabilities by Type
Vulnerabilities by Paradigm and Severity
Vulnerability Testing Results
SQL Injection – High Severity
File Inclusion and Directory Traversal – High Severity
File inclusion and directory traversal vulnerabilities could allow an attacker to access restricted files and directories outside of a web server's root directory. File inclusion goes a step further: an attacker can potentially not only read the contents of files but also have their contents executed, turning the flaw into a code execution vulnerability.
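As an added example (not code from the Acunetix report), the two defensive checks that close off the traversal and inclusion cases described above, in Python: a lexical path guard for a static file server and an allowlist lookup for include targets. The document root, the template paths and the request strings are constructed for the demo.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this example (not a path from the report)
DOC_ROOT = "/var/www/static"

# File inclusion: map the user-supplied name to a fixed set of files rather
# than building a path from the request. Names and paths are assumptions.
ALLOWED_INCLUDES = {
    "header": "/var/www/app/templates/header.html",
    "footer": "/var/www/app/templates/footer.html",
}


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Resolve user_path under root for a static file server.

    Returns the normalised absolute path, or None when the request would
    escape root. The check is lexical (posixpath) so it behaves the same on
    every platform; on a real server, follow it with os.path.realpath() to
    also catch symlinks planted inside root.
    """
    # Decode percent-encoding first: "%2e%2e/" becomes "../" once the web
    # framework has decoded it, so the guard must see the decoded form.
    decoded = unquote(user_path)
    # Refuse empty names, NUL bytes (string-truncation tricks in C-based
    # file APIs) and absolute paths before joining anything.
    if not decoded or "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    root_norm = posixpath.normpath(root)
    # normpath collapses "." and ".." segments, so the comparison below sees
    # where the request really lands.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Compare against root + "/" so that "/var/www/static2/x" is not accepted
    # as a child of "/var/www/static" by a plain prefix match.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def resolve_include(name: str) -> Optional[str]:
    """Pick an include target from the allowlist; anything else is refused."""
    return ALLOWED_INCLUDES.get(name)


if __name__ == "__main__":
    for requested in ["css/site.css", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{requested!r:34} -> {safe_join(DOC_ROOT, requested)}")
    print(resolve_include("header"), resolve_include("../../../etc/passwd"))
```

Decoding happens once, deliberately: if the framework has already decoded the request, running unquote() a second time would itself open a double-encoding gap, so the guard should sit at the point where the path is in its final form.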
Network Perimeter Vulnerabilities – High Severity
Network perimeter vulnerabilities reside in perimeter resources and are typically the result of configuration issues or vulnerabilities in devices such as routers, firewalls and other network appliances, or in services such as web servers, mail servers and VPN gateways, to name a few. Misconfigured network devices or services, and vulnerabilities in services exposed by the network infrastructure, can cause havoc.
An attacker can often escalate an attack and move laterally through a network after an initial compromise. This is especially the case if the network is not properly segmented and lacks controls to detect intruders.
Directory Listing – Medium Severity
TLS/SSL related vulnerabilities – Medium Severity
The results in this report clearly show that web applications are a major and growing attack vector that organizations of all shapes and sizes, the world over, are facing—whether they know it or not.
Unfortunately, for most web application vulnerabilities such as SQL injection (SQLi), Cross-site Scripting (XSS) and Code execution (RCE), the typical mitigation approach of installing a patch often does not apply. This is largely because web application vulnerabilities generally arise from poor design choices or oversights made during the development or deployment process.
The most worrying of these results is the rise in Cross-site Scripting (XSS) vulnerabilities. While the bar for exploiting reflected XSS is rising, partly due to the protections browsers are building in, skilled and determined attackers do bypass XSS filters. What's more, stored XSS and DOM-based XSS remain major attack vectors, with very little to no browser defences in their way.
However, all is not bleak—the times they are a-changin' for SQL injection. The venerable vulnerability that has plagued web application security for so long has seen a year-on-year decline, dropping 3% this year alone. This tells us that things are slowly moving in the right direction; however, we're pretty confident that SQL injection will still be dominating the headlines for the foreseeable future.
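The point that SQLi and XSS have to be fixed in the application's own code rather than by installing a patch is easiest to see side by side. The following is an added example, not code from the report: a query that splices user input into SQL text beside its parameterised replacement, and a result page that echoes values unencoded beside one that HTML-encodes both the search term (the reflected case) and the rows read back from the database (the stored case). The table, rows and search strings are constructed; DOM-based XSS lives in client-side script and is not shown here.

```python
import html
import sqlite3
from typing import List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not report data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Vulnerable: the user-controlled value becomes part of the SQL grammar,
    so a quote in the input changes the WHERE clause the database evaluates."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Fixed: the value travels as a bound parameter and is only ever data.
    The SQL text is constant, whatever the input contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_unsafe(term: str, rows: List[Tuple]) -> str:
    """Vulnerable: the search term is reflected into the page unencoded, and
    stored row values are emitted as-is (stored XSS if a row holds markup)."""
    items = "".join(f"<li>{n} ({e})</li>" for n, e in rows)
    return f"<p>Results for {term}</p><ul>{items}</ul>"


def render_safe(term: str, rows: List[Tuple]) -> str:
    """Fixed: every untrusted value is encoded for the HTML text context at
    the point of output, regardless of where it came from."""
    items = "".join(f"<li>{html.escape(n)} ({html.escape(e)})</li>" for n, e in rows)
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_demo_db()
    probe = "' OR '1'='1"
    print("unsafe query rows:", len(find_user_unsafe(db, probe)))
    print("safe query rows:  ", len(find_user_safe(db, probe)))
    print(render_safe("<script>x</script>", find_user_safe(db, "alice")))
```

Note that html.escape() is only right for the HTML text and attribute contexts; a value placed inside a script block, a URL or a CSS value needs the encoder for that context, which is why output encoding belongs in the templating layer rather than being bolted on per page.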
The ever-growing shift to web technologies, while positive and exciting, also makes web applications the perfect target for malicious attacks. Unfortunately, development teams are frequently up against tight deadlines, caught up in complex engineering problems, and many are poorly equipped to assess the implications of insecure code within their applications, especially at the speed at which new code is being pushed to production.
Development and DevOps teams, however, are very good at leveraging automation to make their work more efficient, and there is no reason web vulnerability testing cannot be an automated process—especially when it forms part of Continuous Integration (CI) or Continuous Delivery (CD) pipelines. Naturally, automated vulnerability testing, like any other security testing methodology, should not be viewed as a 'silver-bullet' solution; rather, it should be seen as a highly cost-effective approach to establishing a baseline security posture.
By leveraging automated vulnerability testing to uncover entire classes of grievous security bugs, manual security testing (whether through a traditional penetration test or through a crowdsourced security testing platform) immediately becomes more cost effective, because penetration testers can focus on finding the bugs that require human logic, hunches and intuition to discover.
Automated security testing provides a highly-scalable, cost-effective, ongoing security baseline all the way from the initial stages of the Software Development Lifecycle (SDLC) to Staging and Production environments.
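As an added example of the pipeline automation the preceding paragraphs describe (not Acunetix code, and not its export format), a small CI gate in Python: it reads the current scan's findings and a reviewed baseline, keys each finding by type and location, and fails the build only on findings that are new relative to the baseline and at or above a chosen severity. The JSON shape, the findings and the severity names are constructed for the demo.

```python
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Severity ordering used for the threshold; the names are an assumption.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed scan export in a generic shape assumed for this example;
# it is not any scanner's real output format.
CURRENT_SCAN = json.loads("""[
  {"type": "SQL Injection",         "severity": "High",   "location": "/login.php:username"},
  {"type": "Cross-site Scripting",  "severity": "High",   "location": "/search.php:q"},
  {"type": "Directory Listing",     "severity": "Medium", "location": "/uploads/"},
  {"type": "TLS weak cipher suite", "severity": "Medium", "location": "443/tcp"},
  {"type": "Version disclosure",    "severity": "Low",    "location": "Server header"}
]""")

# Findings already known and tracked from an earlier, reviewed run (constructed).
BASELINE = json.loads("""[
  {"type": "SQL Injection",      "severity": "High", "location": "/login.php:username"},
  {"type": "Version disclosure", "severity": "Low",  "location": "Server header"}
]""")


def finding_key(finding: Dict) -> Tuple[str, str]:
    """Identity of a finding across runs: the same class at the same place."""
    return (finding["type"], finding["location"])


def new_findings(current: Iterable[Dict], baseline: Iterable[Dict]) -> List[Dict]:
    """Findings in the current run that the baseline does not already contain."""
    known = {finding_key(f) for f in baseline}
    return [f for f in current if finding_key(f) not in known]


def severity_counts(findings: Iterable[Dict]) -> Dict[str, int]:
    """Per-severity totals, e.g. for a summary line in the build log."""
    return dict(Counter(f["severity"] for f in findings))


def gate(current: Iterable[Dict], baseline: Iterable[Dict],
         min_severity: str = "Medium") -> Tuple[bool, List[Dict]]:
    """Return (passed, blocking). The build fails when any finding that is
    new relative to the baseline is at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = [
        f for f in new_findings(current, baseline)
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
    ]
    return (not blocking, blocking)


def main() -> int:
    print("current run:", severity_counts(CURRENT_SCAN))
    passed, blocking = gate(CURRENT_SCAN, BASELINE)
    for f in blocking:
        print(f"NEW {f['severity']:<6} {f['type']} at {f['location']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())  # non-zero exit code is what makes the CI stage fail
```

The baseline is what turns the scanner into a security baseline rather than a source of noise: it stops the pipeline from re-failing on known, tracked findings while still blocking regressions. The flip side is visible in the constructed data, where the High SQL injection in the baseline is grandfathered, so a baseline entry should always carry an owner and a fix deadline rather than standing in for a fix.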
With web application vulnerabilities increasingly posing serious threats to organizations' overall security posture, if you're not prioritizing web security, now is the time to start.
In The News is brought to you by WinMill Software, the premier resource for systems development and integration, expert consulting, quality assurance, technology infrastructure, and software resale. For more information, contact a WinMill Account Manager at firstname.lastname@example.org or 1-888-711-MILL (6455).