Web application vulnerabilities decline, but attacks double, says HP

Disclosure of new vulnerabilities in commercial web applications has slowly declined since 2006, dropping nearly 20% in 2011 from the previous year. However, data from the HP report demonstrate that this decline does not signify decreased risk.

“What we found based on the research in other areas is that this is not a good indication of a decrease in risk”, commented Jennifer Lake, security product marketing manager at HP’s DVLabs.

Nearly 24% of new vulnerabilities disclosed in commercial applications in 2011 had a severity rating of 8 to 10. These vulnerabilities can result in a remote code execution, the most dangerous type of attack. Roughly 36% of all vulnerabilities are in commercial web applications.

“It is harder to find these severe vulnerabilities. It takes more time, and someone with more expertise and knowledge of the application to uncover these severe vulnerabilities”, Lake told Infosecurity.

Approximately 86% of web applications are vulnerable to an injection attack, in which an attacker reaches the internal database through the website's own input handling, because unvalidated input is passed into the queries the application runs.

Due to a high success rate, web exploit toolkits continued to be popular in 2011. These “packaged” attack frameworks are traded or sold online, enabling hackers to access enterprise IT systems and steal sensitive data. For example, the Blackhole Exploit Kit is used by most cybercriminals, and reached an unusually high infection rate of more than 80% in late November 2011, the report found.

Of the six most common vulnerability categories reported, four of the six – SQL injection, cross-site scripting, cross-site request forgery, and remote file include – were exclusively exploitable via the web, according to Mark Painter, product marketing manager with HP Fortify. The other vulnerabilities – buffer overflow and denial of service – are also exploitable via the web.

“You can almost think of applications like the skin on the body. If you crack that skin, you can get to the meat or, in this case, the data. Application security needs to be pervasive because applications are everywhere now”, Painter told Infosecurity.

Close to 94% of web applications subjected to static testing were vulnerable to information leakage and improper error handling, Painter noted. “That’s important because the leak might be the exact piece of information that allows an attacker to escalate his methodology and conduct a far more devastating attack. … Developers are just making simple mistakes that can have devastating consequences”, he added.
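The two findings above, injection through unvalidated input and error handling that leaks internals, are the kind of "simple mistakes" the report describes. The following Python is an added illustration written for this page; it is not code from the HP report or from either vendor quoted. It builds an in-memory SQLite table with constructed sample rows, places a string-concatenated query (`lookup_vulnerable`) beside its parameterized form (`lookup_safe`), and wraps the lookup in a simulated endpoint (`handle_request`) that either returns the raw database error to the caller or logs it server-side and returns a generic message. All function names and data are assumptions made for the example.

```python
import logging
import sqlite3

log = logging.getLogger("app")

# Constructed sample data for the demonstration; not taken from the report.
SAMPLE_USERS = ["alice", "bob", "carol"]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in SAMPLE_USERS])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates user input into the SQL text.

    The input becomes part of the query grammar, so a value such as
    x' OR '1'='1 changes the WHERE clause instead of being compared as data,
    and a stray quote turns into a syntax error that surfaces as an exception.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Binds user input as a parameter.

    The query structure is fixed before the value is supplied, so the same
    input is compared literally against the column and matches nothing.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def handle_request(conn, name, lookup=lookup_safe, leak_errors=False):
    """Simulated HTTP handler returning (status, body).

    leak_errors=True models the improper error handling the report counts:
    the database's own message is sent back to the client. The default path
    logs the full exception server-side and returns a generic response.
    """
    try:
        return 200, lookup(conn, name)
    except sqlite3.Error as exc:
        log.exception("lookup failed for input %r", name)
        if leak_errors:
            return 500, str(exc)          # detail reaches the client
        return 500, "internal error"      # detail stays in the server log


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row
    print("safe:      ", lookup_safe(db, probe))         # no rows
    print("leaky 500: ", handle_request(db, "'", lookup=lookup_vulnerable, leak_errors=True))
    print("quiet 500: ", handle_request(db, "'", lookup=lookup_vulnerable))
```

The same input is passed to both lookups; only the parameterized one treats it as data. The handler shows why the two findings compound: the concatenated query fails loudly on malformed input, and a handler that echoes the exception tells the caller exactly how the query is built.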

Jason Jones, an engineer with HP DVLabs, said that SQL injection attacks went up almost every month for most of 2011. SQL injections tended to be the attack technique of choice for Anonymous and other hacktivist groups. He noted that hacktivists increased their ability to coordinate attacks, making them much more effective last year than in previous years.
