The exploitation of web application vulnerabilities continues to be one of the leading causes of enterprise data loss, and even in the wake of numerous high profile and well publicized breaches, many organizations have failed to address the most common application flaws, leaving them prime candidates for the next data loss event. iViZ Security, a cloud-based penetration testing service that specializes in web application security, has released the findings of a study which reveals that cross-site scripting vulnerabilities remain the most prevalent web application weakness.
The company's Web Application Vulnerability Statistics of 2012 report looked at testing data from more than 5000 applications at over 300 organizations spanning North America, Asia and Europe, and found that 61% of the web applications tested had cross-site scripting vulnerabilities, the most common threat detected.
"With years of experience and valuable insights from our cloud based application security testing, we thought of conducting a study to discover the prevailing website vulnerability trends. The study is based on our original research," said iViZ Security's Bikash Barai.
The industry vertical with the highest average level of web application security was the Banking sector, while the industry vertical with the highest average number of web application vulnerabilities was the Retail sector, a finding that is consistent with most studies of this nature.
Business logic flaws were deemed to be the most neglected vulnerabilities according to the report, including:
- Weak password recovery
- Abusing discount logic or coupons
- Denial of service using business logic
- Price manipulation
- OTP (one-time password) bypass
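Two of the flaw classes listed above, price manipulation and discount or coupon abuse, share one root cause: the server trusts pricing inputs the client controls. The following is an added example, not code from the report or from iViZ Security, that contrasts a checkout handler which trusts the client-supplied total and applies coupons unchecked with one that recomputes the total from a server-side catalogue and enforces coupon rules. The catalogue, coupon table, `Order` structure and sample orders are constructed assumptions for illustration.

```python
"""Price manipulation / coupon abuse: vulnerable vs. hardened checkout.

Added example with constructed data; not from the iViZ report.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed server-side catalogue and coupon table (assumed data).
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("120.00")}
COUPONS = {
    "SAVE10": {"percent": 10, "min_total": Decimal("50.00"), "single_use": True},
}


@dataclass
class Order:
    items: dict            # sku -> quantity, as submitted by the client
    coupons: list          # coupon codes the client claims to hold
    client_total: Decimal  # total as computed by the client (untrusted)


@dataclass
class CouponLedger:
    """Server-side record of single-use coupons already redeemed."""
    used: set = field(default_factory=set)


def vulnerable_checkout(order):
    """Flawed handler: trusts the client's total and applies every coupon
    code it is handed, including the same code repeated."""
    total = order.client_total
    for code in order.coupons:
        if code in COUPONS:
            total -= total * COUPONS[code]["percent"] / 100
    return total


def hardened_checkout(order, ledger):
    """Recomputes the total from the catalogue and enforces coupon rules.

    Returns (True, total) on success or (False, reason) on rejection; nothing
    is recorded in the ledger unless every check passes.
    """
    total = Decimal("0")
    for sku, qty in order.items.items():
        # Unknown SKUs and non-positive or non-integer quantities are rejected;
        # negative quantities are a classic way to drive a total below zero.
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            return False, f"rejected line item {sku!r} x {qty!r}"
        total += CATALOG[sku] * qty

    applied = set()
    for code in order.coupons:
        rule = COUPONS.get(code)
        if rule is None or code in applied:
            return False, f"rejected coupon {code!r}"
        if rule["single_use"] and code in ledger.used:
            return False, f"coupon {code!r} already redeemed"
        if total < rule["min_total"]:
            return False, f"coupon {code!r} requires a minimum order total"
        total -= total * rule["percent"] / 100
        applied.add(code)

    # Commit coupon redemption only after all checks have passed.
    ledger.used.update(c for c in applied if COUPONS[c]["single_use"])
    return True, total.quantize(Decimal("0.01"))


def client_total_tampered(order, computed_total):
    """Detection hook: the client total is never used for pricing, but a
    mismatch against the server-computed total is worth logging."""
    return order.client_total != computed_total
```

In the vulnerable path an order whose client-reported total is one unit with the same coupon listed twice is priced at 0.81, whereas the hardened path rejects the repeated coupon, and a second legitimate use of a single-use coupon is refused because the ledger is only updated after a successful checkout. The mismatch helper gives a cheap signal for detection: a client total that disagrees with the server's figure indicates a tampered request even when the order is otherwise valid.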
"We observed the business logic vulnerabilities as the most overlooked and with the highest business impact. Most of the organizations do not have the expertise/process to discover and eliminate business logic flaws," Barai said.
Other key findings in the report include:
- 99% of the applications tested had at least one vulnerability
- 82% of the web applications had at least one high/critical vulnerability
- 90% of hacking incidents were not publicly reported
- 30% of the hacked organizations knew beforehand of the vulnerability that led to the breach
- A very low correlation between security and compliance (correlation coefficient: 0.2), which demonstrates that compliance and security are not synonymous
The study also found that the average number of vulnerabilities per website was 35, a figure that is "significantly lower than other industry reports," according to Barai. He speculates that the lower number may be due to the elimination of false positives from the data, or possibly the way in which they reported the number of times a single vulnerability is detected.
"Another possible reason is that we report vulnerability based on Root cause analysis and do not count the number of resulting manifestations due to single vulnerability. Hence the reported number is much lower compared to other reports," Barai said.
The report provides further evidence that secure coding and robust testing of applications before and after deployment are essential to reducing exposure for all organizations.