Woburn, MA – March 12, 2023 — A recent study by Kaspersky Security Assessment experts has identified the most dangerous and widespread vulnerabilities in corporate web applications developed in-house. Between 2021 and 2023, flaws related to access control and data protection were found in the majority of the examined applications, which numbered several dozen in total. The category with the highest share of high-risk vulnerabilities was SQL injection.
Web applications, such as social networks, email, and online services, are sites where users interact with a web server through a browser. In this study, Kaspersky researched vulnerabilities in web applications used by IT, government, insurance, telecommunications, cryptocurrency, e-commerce, and healthcare organizations to identify the most prevalent types of attacks enterprises are likely to face.[1]
The predominant types of vulnerabilities were access control flaws open to malicious use and failures to protect sensitive data. Between 2021 and 2023, 70 percent of the web applications examined in this study exhibited vulnerabilities in these categories.
A broken access control vulnerability is exploited when attackers bypass the policies that restrict users to their authorized permissions. This can lead to unauthorized access to data, its alteration or deletion, and more. The second common type of flaw is the exposure of sensitive information such as passwords, credit card details, health records, personal data, and confidential business information, which highlights the need for stronger security measures.
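The following is an added illustration, not code from the Kaspersky study: a minimal record-lookup handler written twice, once with the broken access control and data exposure flaws described above, and once with server-side object-level authorization and field filtering. The data, the Record class and the function names are hypothetical.

```python
# Added example, not part of the original release. Sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    ssn: str     # sensitive field: must never leave the server unfiltered
    notes: str


# Constructed stand-in for a database table (hypothetical values).
RECORDS = {
    1: Record(1, "alice", "123-45-6789", "annual review"),
    2: Record(2, "bob", "987-65-4321", "claim pending"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def fetch_record_vulnerable(current_user: str, record_id: int) -> dict:
    """Broken access control: the caller is authenticated, but the handler
    trusts the client-supplied id and never checks ownership. It also returns
    the whole row, so the sensitive field leaks along with it."""
    rec = RECORDS[record_id]
    return {"id": rec.record_id, "owner": rec.owner, "ssn": rec.ssn, "notes": rec.notes}


def is_authorized(current_user: str, record_id: int) -> bool:
    """Deny by default: only the record's owner may read it."""
    rec = RECORDS.get(record_id)
    return rec is not None and rec.owner == current_user


def fetch_record_checked(current_user: str, record_id: int) -> dict:
    """Hardened version: enforce object-level authorization on the server
    and return only the fields the caller needs."""
    # One response for "missing" and "not yours", so ids cannot be enumerated.
    if not is_authorized(current_user, record_id):
        raise Forbidden(f"user {current_user!r} may not read record {record_id}")
    rec = RECORDS[record_id]
    return {"id": rec.record_id, "notes": rec.notes}
```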
“This rating was compiled by considering the most common vulnerabilities in web applications developed in-house in various companies and their level of risk,” explains Oxana Andreeva, a security expert on Kaspersky’s Security Assessment team. “For instance, one vulnerability could enable attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience. Our rankings reflect this consideration, drawing from our practical experience in conducting security analysis projects.”
| Type of vulnerability | Share of web applications that contain it | Share of high-risk vulnerabilities | Share of medium-risk vulnerabilities | Share of low-risk vulnerabilities |
| --- | --- | --- | --- | --- |
| Broken Access Control | 70% | 37% | 49% | 14% |
| Sensitive Data Exposure | 70% | 9% | 28% | 63% |
| Server-Side Request Forgery (SSRF) | 57% | 15% | 66% | 19% |
| SQL Injection | 43% | 88% | 12% | - |
| Cross Site Scripting (XSS) | 61% | 11% | 78% | 11% |
| Broken Authentication | 52% | 21% | 47% | 32% |
| Security Misconfiguration | 43% | 15% | 41% | 44% |
| Insufficient Protection from Brute Force Attacks | 39% | 11% | 39% | 50% |
| Weak User Password | 22% | 78% | 22% | - |
| Using Components with Known Vulnerabilities | 13% | 43% | 43% | 14% |
Kaspersky experts also looked at how dangerous the vulnerabilities in the groups listed above were. The largest proportion of high-risk vulnerabilities was associated with SQL injection: 88 percent of all the analyzed SQL Injection vulnerabilities were deemed high-risk.
Another significant share of high-risk vulnerabilities was found to be linked with weak user passwords. Within this category, 78 percent of all vulnerabilities analyzed were classified as high-risk.
It is important to note that only 22 percent of all the web applications the Kaspersky Security Assessment team studied had weak passwords. One possible reason is that the apps included in the study sample may have been test versions rather than actual live systems.
The vulnerability categories outlined in the research align with the categories and subcategories of the OWASP Top Ten rating. Remediating the most widespread web application vulnerabilities described in the study will help companies protect confidential data and avoid the compromise of web applications and related systems. To improve the security of web applications and to detect possible attacks on them in a timely manner, the Kaspersky Security Assessment team recommends:
- Using a Secure Software Development Lifecycle (SSDLC);
- Performing regular application security assessments;
- Using logging and monitoring mechanisms to track how applications operate.
For more information, please visit Securelist.
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Media Contact:
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812