The State of Web Application Vulnerabilities in 2017
As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability’s priority. Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.
As we did last year, before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.
This year we registered a record high number of web application vulnerabilities including well-known categories like cross-site scripting, but also new categories such as insecure deserialization. In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to “dominate” in terms of vulnerabilities published in the content management system and server side technologies respectively. Apache Struts vulnerabilities, although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.
2017 Web Application Vulnerabilities Statistics
One of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.
Figure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (36%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch.
As usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.
Figure 1: Number of web application vulnerabilities in 2016-2017
OWASP Top 10 View
This year OWASP released their long awaited “Top 10” list, which included two new risks:
Serialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.
Applications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.
Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017
The amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they “earned” their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.
Insufficient Logging and Monitoring
Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. It will be interesting to monitor it and see if that will change next year.
The Rise of the (IoT) Machines
Nowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere—in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even “backdoor” them on purpose in order to gain hidden access.
Figure 3: IoT vulnerabilities 2014-2017
2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.
One of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known Mirai malware used this kind of vulnerability (default credentials) to spread itself through the network. Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of huge a DDoS attack.
Content Management Systems
When analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for 60% of the market share—WordPress, Joomla, Drupal and Magento.
Figure 4: Number of vulnerabilities by CMS platform 2016-2017
As suspected, WordPress vulnerabilities continue to be the lion’s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).
Further analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).
Figure 5: WordPress third party vendor vulnerabilities in 2017
The rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because third party plug-in code is notoriously known for its bad security.
|Year||Number of WordPress Plug-ins|
Figure 6: WordPress plug-in’s trend
PHP is still the most prevalent server-side language, therefore it’s expected be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7) which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.
Figure 7: Top server-side technology vulnerabilities 2014-2017
The Year of Apache Struts
Although 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated remote code execution (RCE) which basically means that anyone can hack and take over the server, access private information and more.
Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017
Predictions Toward 2018
As a security vendor, we’re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:
- More authentication-related vulnerabilities from the family of “default/guessable credentials” will be discovered (especially in IoT devices) and exploited in order to herd new botnets. These botnets can be used to mount any kind of large scale attacks—DDoS, brute force and more.
How to Protect Your Apps and Data
One of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or a combination of both depending on your needs and infrastructure.
As organizations are moving more of their apps and data to the cloud, it’s important to think through your security requirements. A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.