In-House Apps and Cross-site Scripting Dominate Web Security Issues

General awareness within vendors about the importance of application security is also growing, with only three of the 62 security advisories released by High-Tech Bridge in 2013 remaining unpatched

High-Tech Bridge has found that, after in-house apps, plugins and modules for content management systems (CMS) are the next most common source of issues at 30%. These aren’t created equal, however: small CMS account for 25% of issues, while large CMS, such as WordPress and Joomla, account for only 5%, despite snagging big headlines when a flaw is revealed.

Often, too, the CMS problems have little to do with the CMS code itself. “It is important to say that about 90% of large and medium-size commercial and open-source CMSs prone to XSS and SQL injection attacks are vulnerable because they are not up-to-date or are incorrectly configured,” said Marsel Nizamutdinov, chief research officer at High-Tech Bridge, in a statement.

Cross-site scripting and SQL injection were revealed as still being the most common weaknesses found, with XSS making up 55% of vulnerabilities discovered by High-Tech Bridge Research in 2013, and SQL injections accounting for 20% of the total. Again, in-house web applications are the most likely to be vulnerable to these types of attacks.

The findings confirm a continuation of XSS and SQL injection dominance. FireHost found that XSS and SQL injection activity was up 32% in the third quarter of 2013, as those with malicious intent look to specifically target web-facing and cloud applications carrying sensitive information about organizations and their customers.

SQL injection vulnerabilities are also becoming more complex to exploit. For instance, a relatively complex but efficient DNS exfiltration technique is now commonly used to extract data from a database in cases that in the past were considered almost unexploitable.
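DNS exfiltration of database contents leaves a trace that defenders can look for in resolver logs: bursts of long, encoded-looking labels under one domain from one client. The following is an added detection example written for this article, not code from High-Tech Bridge or FireHost; the log line format, the sample lines and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not from the article).
# Assumed format: "<timestamp> <client-ip> query: <qname> <qtype>"
SAMPLE_LOG = """\
2013-11-02T10:00:01Z 10.0.0.5 query: www.example.com A
2013-11-02T10:00:02Z 10.0.0.5 query: us-east-1-elb-prod-frontend.example.net AAAA
2013-11-02T10:00:03Z 10.0.0.9 query: 61646d696e3a35663464636333.attacker-controlled.example A
2013-11-02T10:00:04Z 10.0.0.9 query: 7061737377307264.attacker-controlled.example A
2013-11-02T10:00:05Z 10.0.0.7 query: mail.example.com MX
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query: (\S+) (\S+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
ALNUM_RE = re.compile(r"^[a-z0-9]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_encoded_label(label: str) -> bool:
    """Heuristic: does this DNS label look like encoded data rather than a hostname?

    Hex-encoded ASCII has low entropy (the digits 6 and 7 dominate), so a pure-hex
    label of 16+ chars is flagged on its own; other alphanumeric labels must have
    the length and entropy typical of base32/base36 blobs. Hyphenated names pass.
    """
    label = label.lower()
    if len(label) >= 16 and HEX_RE.match(label):
        return True
    return len(label) >= 20 and bool(ALNUM_RE.match(label)) and shannon_entropy(label) >= 3.5


def detect_exfil(log_text: str) -> dict:
    """Return {(client_ip, registered_domain): [qname, ...]} for suspicious queries.

    The registered domain is approximated as the last two labels; labels to the
    left of it are where an exfiltration payload would be carried.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # only the registered domain, no payload label present
        if any(is_encoded_label(lbl) for lbl in labels[:-2]):
            hits[(client, ".".join(labels[-2:]))].append(qname)
    return dict(hits)
```

Run against the sample, the two hex-labelled queries from 10.0.0.9 are grouped under attacker-controlled.example while the long but human-readable load-balancer name is left alone; in production the same grouping would feed a per-client rate threshold.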

Although better coding practices make serious vulnerabilities in mature apps harder to find, High-Tech Bridge’s research also found a number of cases where otherwise excellent application security was undone by basic mistakes, such as failing to delete installation scripts, which allowed cybercriminals to compromise the entire web application.

“Critical and high risk vulnerabilities are becoming more sophisticated both to detect and to exploit,” said company CEO Ilia Kolochenko, in a statement. “Gone are the days when many PHP applications commonly used ‘exec()’ or ‘passthru()’ functions with user-supplied input leading to remote code execution. Serious vulnerabilities are now exploitable via chained attacks.”

Good examples that illustrate this are remote code execution in Microweber and OS command injection in CosCms, he said.

“It is also important to mention that many of the vulnerabilities usually deemed to be high or critical risk were downgraded to medium risk in our advisories in 2013, as their exploitation required the attacker to be authenticated or logged-in,” said Kolochenko. “This confirms that web developers should also pay attention to security for parts of the application accessible only to ‘trusted’ parties who may in fact be quite hostile.”

Although web application vendors were more responsive, releasing security patches much faster than in 2012 (patch times were cut by one-third compared to the previous year), the research also revealed that, given the increased complexity of the landscape, critical vulnerabilities still take an average of more than two weeks to be fixed.

That said, many of the vendors notified of a vulnerability by High-Tech Bridge reacted within several hours and released a security patch in a couple of days.

“Thankfully, even though serious vulnerabilities are becoming more complex to detect and exploit, there are vendors such as BigTree CMS who are responding to even complex vulnerabilities in less than three hours, so our award for the Most Responsive Vendor of the Year 2013 goes to that organization,” Kolochenko noted.

General awareness within vendors about the importance of application security is also growing, and only three of the 62 security advisories released by High-Tech Bridge in 2013 remained unpatched.

“In the past, even well-known vendors postponed security-related fixes in favor of releasing new versions of their software with new functionality and unpatched vulnerabilities,” Kolochenko noted. “However, in 2013, no big vendor adopted this dangerous approach of prioritizing functionality while sacrificing security.”

Nizamutdinov added, “As we can see, vulnerabilities are becoming harder to detect and exploit. Common approaches to security testing such as automated vulnerability scanning or automated source code review are no longer sufficient.”
