Skip to main content

Access control and data exposure flaws prevalent in corporate web applications, Kaspersky study finds

March 12, 2024

Woburn, MA – March 12, 2023 A recent study by Kaspersky Security Assessment experts has identified the most dangerous and widespread vulnerabilities in corporate web applications developed in-house. Between 2021 and 2023, flaws related to access control and data protection were found in the majority of the examined applications, totaling several dozen. The highest number of high-risk level vulnerabilities referred to SQL injections.

Web applications like social networks, email, and online services are sites where users engage with a web server via a browser. In our latest study, Kaspersky researched vulnerabilities in web applications used by IT, government, insurance, telecommunications, cryptocurrency, e-commerce, and healthcare organizations to identify the most prevalent types of attacks that are likely to occur to enterprises.[1]

The predominant types of vulnerabilities involved the potential for malicious use of access control flaws, and failures in protecting sensitive data. Between 2021 and 2023, 70 percent of the web applications examined in this study exhibited vulnerabilities in these categories.

A broken access control vulnerability can be used when attackers try to bypass website policies that limit users to their authorized permissions. This can lead to unauthorized access, the alteration, or deletion of data, and beyond. The second common type of flaw involves the exposure of sensitive information like passwords, credit card details, health records, personal data, and confidential business information, highlighting the need for increased security measures.

“This rating was compiled by considering the most common vulnerabilities in web applications developed in-house in various companies and their level of risk,” explains Oxana Andreeva, a security expert on Kaspersky’s Security Assessment team. “For instance, one vulnerability could enable attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience. Our rankings reflect this consideration, drawing from our practical experience in conducting security analysis projects.”

Type of vulnerability The share of web applications that contain it Share of high-risk vulnerabilities Share of medium-risk vulnerabilities Share of low-risk vulnerabilities
Broken Access Control 70% 37% 49% 14%
Sensitive Data Exposure 70% 9% 28% 63%
Server-Side Request Forgery (SSRF) 57% 15% 66% 19%
SQL Injection 43% 88% 12% -
Cross Site Scripting (XSS) 61% 11% 78% 11%
Broken Authentication 52% 21% 47% 32%
Security Misconfiguration 43% 15% 41% 44%
Insufficient Protection from Brute Force Attacks 39% 11% 39% 50%
Weak User Password 22% 78% 22% -
Using Components with Known Vulnerabilities 13% 43% 43% 14%

Kaspersky experts also looked at how dangerous the vulnerabilities in the groups listed above were. The largest proportion of vulnerabilities posing a high risk were associated with SQL injections. In particular, 88 percent of all the analyzed SQL Injection vulnerabilities were deemed to be high-risk.

Another significant share of high-risk vulnerabilities was found to be linked with weak user passwords. Within this category, 78 percent of all vulnerabilities analyzed were classified as high-risk.

It is important to note that only 22 percent of all the web applications Kaspersky Security Assessment team studied had weak passwords. One possible reason is that the apps included in the study sample may have been test versions rather than actual live systems.

The vulnerability categories outlined in the research align with the categories and subcategories of the OWASP Top Ten rating. Remediation of most widespread web application vulnerabilities described in the study will help companies to protect confidential data and avoid compromising web applications and related systems. To improve the security of web applications and to detect possible attacks on them in a timely manner, Kaspersky Security Assessment team recommends:

  • Using Secure Software Development Lifecycle (SSDLC);
  • Performing regular application security assessment;
  • Using logging and monitoring mechanisms to track applications operation

For more information, please visit Securelist.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:

Cassandra Faro

Cassandra.Faro@Kaspersky.com

781-503-1812



[1] The web applications analyzed in this study were developed by companies-owners of these apps

Access control and data exposure flaws prevalent in corporate web applications, Kaspersky study finds

Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases