High-Tech Bridge Research: Web Application Security Trends in 2013
January 31, 2014
High-Tech Bridge Security Research Lab has released its annual review of trends in web application security in 2013. During 2013 we released 62 security advisories describing 126 vulnerabilities in various, but mainly well-known, web applications affecting several million live websites.
These advisories highlight a few trends in web application security:
Vendor responsiveness and security awareness increased, patches are released faster
In 2013, web application vendors were more responsive and released security patches much faster than in 2012. Many vendors reacted to a vulnerability notification within hours and released a security patch within a couple of days. The vast majority of vendors alerted their end-users about vulnerabilities in a fair and timely manner; the practices of silent patching and understating risk are becoming rare among medium-sized and well-established web application vendors. The only vendor that put its end-users at risk through ignorance and negligence was Mijosoft, which demonstrated how vendors should not behave in our HTB23186 security advisory (see the “Solution” section of that page for details).
General awareness among vendors of the importance of application security is also growing, and vendors have finally started taking security seriously. In the past we saw even well-known vendors postpone security fixes in favour of releasing new versions of their software with new functionality and unpatched vulnerabilities; in 2013 no big vendor adopted this dangerous approach of prioritizing functionality at the expense of security. Only three security advisories released in 2013 remained unpatched; for all the others either the vendor released a patch or High-Tech Bridge provided a security solution.
The table below compares the average time to patch in 2012 and 2013:

| Risk Level | Average Time to Patch 2012 | Average Time to Patch 2013 | Year-on-year improvement |
|---|---|---|---|
| Critical Risk Vulnerabilities | 17 days | 11 days | 35% |
| High Risk Vulnerabilities | 13 days | 12 days | 8% |
| Medium Risk Vulnerabilities | 29 days | 13 days | 55% |
| Low Risk Vulnerabilities | 48 days | 35 days | 27% |
| Overall average | 27 days | 18 days | 33% |

Nevertheless, we believe that vendors can do even better to protect their customers and end-users, as 11 days to patch a critical vulnerability is still a fairly long delay.
Serious vulnerabilities are becoming more complex to detect and exploit
Critical and high risk vulnerabilities are becoming more sophisticated both to detect and to exploit. Gone are the days when many PHP applications passed user-supplied input straight to functions such as “exec()” or “passthru()”, leading to remote code execution. Serious vulnerabilities are now exploited via chained attacks, where successful exploitation of one [non-critical] vulnerability is required to exploit the critical one. Good examples of this are the Remote Code Execution in Microweber and the OS Command Injection in CosCms.
We had several cases in 2013 where a critical or high risk vulnerability was caused not by poor programming technique but by a vendor’s failure to treat application security as an end-to-end process. For example, otherwise secure web applications that follow secure coding practices had critical vulnerabilities in their installation scripts, which the vendor had forgotten to delete automatically after installation, enabling cyber criminals to compromise the entire web application. This highlights the importance of independent security testing and auditing of web applications, as even professional developers may simply miss or forget to control vital security points.
SQL injection vulnerabilities are becoming more complex to exploit, as the Sexy Polling Joomla Extension security advisory shows. A relatively complex but efficient DNS exfiltration technique is now commonly used to extract data from the database in cases that were previously considered almost unexploitable: when the SQL injection can be exploited only via a CSRF vector, or when the SQL injection is in a query that returns no result (INSERT, UPDATE or DELETE). A good example is the SQL injection in Dolphin.
It is also important to mention that many vulnerabilities usually deemed high or critical risk were downgraded to medium risk in our 2013 advisories, because their exploitation required the attacker to be authenticated or logged in. This confirms that web developers should also pay attention to the security of parts of the application accessible only to “trusted” parties, who may in fact be quite hostile.
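The leftover-installer problem described above is easy to check for in a deployment pipeline or a post-install audit. The following is an added example written for this review, not code from High-Tech Bridge or from any of the products named here; the list of installer file names and the sample document root are constructed for illustration, since the real names vary from product to product.

```python
import os
import tempfile

# Constructed list of common installer/upgrade script names. Real products
# use their own names, so treat this as a starting point, not a complete list.
INSTALLER_NAMES = {"install.php", "install", "setup.php", "upgrade.php", "installer"}


def find_leftover_installers(webroot, names=INSTALLER_NAMES):
    """Walk the document root and return the paths (relative to webroot)
    of every file or directory whose basename is a known installer name.
    Anything returned should be removed or made unreachable after install."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for entry in dirnames + filenames:
            if entry.lower() in names:
                hits.append(os.path.relpath(os.path.join(dirpath, entry), webroot))
    return sorted(hits)


def build_sample_webroot():
    """Create a constructed document root resembling a freshly deployed CMS
    that still ships its installer next to the application files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.php",
                "install.php",
                os.path.join("admin", "upgrade.php"),
                os.path.join("themes", "default.css")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder, not real application code\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for hit in find_leftover_installers(root):
        print("leftover installer:", hit)
```

Run against a real document root the check is only a first pass: a product may name its installer differently, or protect it with a lock file rather than deleting it, so a finding should be confirmed by requesting the path over HTTP to see whether it is actually reachable.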
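The point that an injection into an INSERT, UPDATE or DELETE is still exploitable even though the statement returns no rows can be demonstrated without any exfiltration channel: the injected input simply changes what is written. The following is an added example, not code from High-Tech Bridge or from any of the products named above; the poll schema, the toy vote functions and the payload are all constructed for illustration. It shows the string-concatenated INSERT beside its parameterized form, and uses Python's sqlite3 module so it runs stand-alone.

```python
import sqlite3

# Constructed schema for a toy poll application (not any real product's schema).
SCHEMA = "CREATE TABLE votes (id INTEGER PRIMARY KEY, poll_id INTEGER, choice TEXT);"

# Constructed input that closes the string literal and appends extra VALUES
# tuples, so a single vote becomes three rows when concatenated into the SQL.
PAYLOAD = "A'), (1, 'B'), (1, 'B"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vote_vulnerable(conn, poll_id, choice):
    # Vulnerable pattern: user input is pasted into the statement text. The
    # INSERT returns nothing, yet the injected tuples still change the data.
    sql = "INSERT INTO votes (poll_id, choice) VALUES (%d, '%s')" % (int(poll_id), choice)
    conn.execute(sql)
    conn.commit()


def vote_safe(conn, poll_id, choice):
    # Hardened pattern: bound parameters; the choice is stored verbatim and
    # the statement structure cannot be altered by the value.
    conn.execute("INSERT INTO votes (poll_id, choice) VALUES (?, ?)", (int(poll_id), choice))
    conn.commit()


def tally(conn, poll_id):
    """Return {choice: vote_count} for one poll; this is what an auditor sees."""
    rows = conn.execute(
        "SELECT choice, COUNT(*) FROM votes WHERE poll_id = ? GROUP BY choice",
        (poll_id,))
    return dict(rows)


def demo():
    """Cast the same vote through both code paths and return both tallies."""
    vuln = fresh_db()
    vote_vulnerable(vuln, 1, PAYLOAD)
    safe = fresh_db()
    vote_safe(safe, 1, PAYLOAD)
    return {"vulnerable": tally(vuln, 1), "safe": tally(safe, 1)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable path records two votes for "B" that nobody cast, while the parameterized path records exactly one vote whose choice is the literal payload string. The fix is the same regardless of whether the query returns rows: bind every user-supplied value, and the absence of a visible result is no reason to rate an injection in a write query as unexploitable.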
XSS and SQL injections are still the most common vulnerabilities in web applications
55% of the vulnerabilities discovered by High-Tech Bridge Research in 2013 were Cross-Site Scripting vulnerabilities; SQL injections are in second place with 20%. These vulnerabilities are common in relatively young products, while mature products are more prone to vulnerabilities such as Cross-Site Request Forgery or User Identity Spoofing.
Combining our security research with statistics from ImmuniWeb® web application security testing SaaS and web application penetration testing that we perform every day, we can rank the most vulnerable web applications in the following order:
It is also important to note that about 90% of large and medium-size commercial and open-source CMSs prone to XSS and SQL injection attacks are vulnerable because they are not up to date or are incorrectly configured.
Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments: “We made great progress in terms of the positive impact our research brings to the industry. Tens of thousands of popular websites were not compromised thanks to our efforts and collaboration with software vendors.”
“Our security advisory format, developed together with OSVDB, is now being used by other security researchers as a standard. As we can see, vulnerabilities are becoming harder to detect and exploit. Common approaches to security testing such as automated vulnerability scanning or automated source code review are no longer sufficient. At High-Tech Bridge we see the future of web application security in hybrid testing, where automated testing is combined with manual security testing by a human. We implemented a hybrid approach in our SaaS called ImmuniWeb® that can detect such complex vulnerabilities missed by automated solutions.”
About High-Tech Bridge Security Research Lab
HTB Security Research Lab is a non-profit unit of our R&D department dedicated to vulnerability research that is made publicly available in the form of Security Advisories. HTB Security Advisories have successfully passed MITRE’s formal CVE and CWE certification processes and are CVE-Compatible and CWE-Compatible. At the time of publication, 277 software vendors have fixed 894 vulnerabilities in their products thanks to High-Tech Bridge Security Research Lab.
ImmuniWeb® is a next-generation on-demand web application security assessment solution with an online Software-as-a-Service delivery model. It is a unique hybrid of a cutting-edge web security scanner and an accurate manual web application penetration test.