The State of Web Application Vulnerabilities in 2018

(Jan. 12 update:  Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions.)

As a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability’s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did last year, we took a look back at 2018 to understand the changes and trends in web application security over the past year.

The bad news is that in 2018, like 2017, we continued to see a trend of increasing number of web application vulnerabilities, particularly vulnerabilities related to injection such as SQL injection, command injection, object injection, etc. On the content management system (CMS) front, WordPress vulnerabilities continue to grow, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerabilities numbers, Drupal vulnerabilities had a larger effect and were used in mass attacks that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry — the number of Internet of Things (IoT) vulnerabilities declined, as well as the number of vulnerabilities related to weak authentication. In the server side technologies category, the number of PHP vulnerabilities continued to decline. In addition, the growth in API vulnerabilities also slightly declined.

(Did you know that one-third of businesses have suffered 6+ breaches in the past year? Download the CyberThreat Defense Report 2019 for other startling results from a survey of 1,200+ IT and security leaders.)

2018 Web Application Vulnerabilities Statistics

The first phase in our yearly analysis was to check the amount of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch.

Vulnerabilities by Category

In Figure 2, you can find 2018 vulnerabilities split into OWASP TOP 10 2017 categories.

Most Common Vulnerability: Injections

The dominant category this year was by far injections, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 267% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.

Figure 2: Vulnerabilities into categories 2014-2018

No. 2 Vulnerability — Cross-Site Scripting

The number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.

IoT Vulnerabilities Decreased

It appears that the number of IoT vulnerabilities has decreased tremendously. Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area. Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or that hackers and researchers found another area to focus on in 2018.

API Vulnerabilities: Growing, but Slowing

API (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).

Although API vulnerabilities continue to grow year-over-year, it appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.

Vulnerabilities in Content Management Systems: Attackers Focused on WordPress

The most popular content management system is WordPress, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by Joomla and Drupal. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).

According to the WordPress official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.

Despite the slowed growth in new plugins, the number of WordPress vulnerabilities increased. The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivate more attackers to develop dedicated attack tools and try their luck searching for holes in the code.

Unsurprisingly, 98% of WordPress vulnerabilities are related to plugins  (see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.

In Figure 8 below, you can find the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins as the report refers to the amount of vulnerabilities seen throughout the year – and is based upon the continual aggregation of vulnerabilities from different sources. Our annual report is solely based on statistics from this system, and we listed all vulnerabilities that were published during 2018 in general, in WordPress and WordPress plugins. This indicator solely looks at the most vulnerabilities. There are other measures that are not included in the report – such as ‘top attacked’ or ‘riskiest’ – which do not necessarily correlate with this measurement.

Server Technologies: PHP Vulnerabilities Fell

Since the most popular server-side programming language for websites continues to be PHP, we expect it to have more vulnerabilities than equivalent languages. And that was true. However, as Figure 9 below shows, new vulnerabilities in PHP fell in 2018 versus 2017, just as they did in the prior year. The lack of PHP updates – only one minor update was released, PHP 7.3, in December – could explain why.

The Year of Drupal

Although Drupal is the third-most popular CMS, two of its vulnerabilities, CVE-2018-7600 (’23-mar’ bar in Figure 10 below), and CVE-2018-7602 (’25-apr’ bar below, also known as Drupalgeddon2 and Drupalgeddon3), were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations. These vulnerabilities allow attackers to connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.

The simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting blogs we wrote this year. There was another risky vulnerability, part of the Drupal security patch sa-core-2018-006, that published in October. However, since it was not easy to exploit, the number of attacks was small.

Figure 10: CVSS Score of Drupal vulnerabilities in 2018

Predictions for 2019

As a security vendor, we’re often asked about our predictions. Here are our vulnerability predictions for 2019:

• PHP announced that versions 5.5, 5.6 and 7.0 reached their end of life. That means that these versions will no longer receive security updates. Major CMS like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP. However, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions since they will not be fixed and impact every application built with these outdated versions. For example, according to Shodan there are currently 34K servers with these unsupported PHP versions
• Injection vulnerabilities will continue to grow mainly because of the economic implications to attackers (make fast money)
• More vulnerabilities in APIs will be discovered as DevOps become a crucial factor in IT and their usage and demand for APIs is growing

How to Protect Your Apps and Data

One of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or a combination of both depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it’s important to think through your security requirements. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates to a WAF in order to properly defend your assets.