Trends in web application security
Despite web application vendors being more responsive and releasing security patches much faster than in 2012, new research revealed that it is still taking an average of over two weeks for critical vulnerabilities to be fixed.
Average patch times in 2013 compared to 2012:
Ilia Kolochenko, CEO at High-Tech Bridge, said: “11 days to patch critical vulnerabilities is still a fairly long delay. But, thankfully, even though serious vulnerabilities are becoming more complex to detect and exploit, there are vendors such as BigTree CMS who are responding to even complex vulnerabilities in less than three hours, so our award for the Most Responsive Vendor of the Year 2013 goes to that organization.
General awareness within vendors about the importance of application security is also growing, with vendors finally taking security seriously. In the past, even well-known vendors postponed security-related fixes in favor of releasing new versions of their software with new functionality and unpatched vulnerabilities. However, in 2013, no big vendor adopted this dangerous approach of prioritizing functionality while sacrificing security and only three of the 62 security advisories released by us in 2013 remained unpatched.”
Despite better coding practices making serious vulnerabilities in mature apps harder to find, researchers also found a number of cases where application security was compromised by basic mistakes such as failing to delete installation scripts, enabling cyber criminals to compromise the entire web application.
This highlights the importance of independent security testing and auditing of web applications, as even professional developers may simply miss or forget to control vital security points.
Critical and high risk vulnerabilities are becoming more sophisticated both to detect and to exploit. Gone are the days when many PHP applications commonly used “exec()” or “passthru()” functions with user-supplied input leading to remote code execution. Serious vulnerabilities are now exploitable via chained attacks and good examples that illustrate this are Remote Code Execution in Microweber and OS Command Injection in CosCms.
SQL injection vulnerabilities are also becoming more complex to exploit. An efficient DNS exfiltration technique is now commonly used to extract data from the database in cases that in the past were considered almost unexploitable. It is also important to mention that many of the vulnerabilities usually deemed to be high or critical risk were downgraded to medium risk in our advisories in 2013, as their exploitation required the attacker to be authenticated or logged in. This confirms that web developers should also pay attention to security for parts of the application accessible only to “trusted” parties, who may in fact be quite hostile.
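A defender-side illustration of the DNS exfiltration point above, added here and not taken from High-Tech Bridge's report: a small detector that scans resolver query logs (a constructed, hypothetical `<epoch> <client> <qname>` format) for hex- or high-entropy subdomain labels and reports the zones that receive several of them, which is the trace this kind of SQL injection leaves on the network.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log in a hypothetical "<epoch> <client> <qname>" format. The last three
# lines mimic DNS-based SQL injection exfiltration: hex-encoded database content in the leftmost label.
SAMPLE_LOG = """\
1388534400 10.0.0.12 www.example.com
1388534401 10.0.0.12 cdn.example.com
1388534402 10.0.0.12 mail.example.com
1388534403 10.0.0.12 61646d696e3a353135.exfil.example.net
1388534404 10.0.0.12 7a3e4f1c9b8d0e2a.exfil.example.net
1388534405 10.0.0.12 5c6d7e8f9a0b1c2d3e4f.exfil.example.net
"""

HEX_LABEL = re.compile(r"[0-9a-f]+")


def shannon_entropy(s: str) -> float:
    """Bits per character; base32/base64 payload labels score higher than hostname words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_payload_label(label: str, min_len: int = 14, min_entropy: float = 4.0) -> bool:
    """A long label that is pure hex, or long and high-entropy, looks like encoded data, not a host."""
    if len(label) < min_len:
        return False
    return bool(HEX_LABEL.fullmatch(label)) or shannon_entropy(label) >= min_entropy


def parent_zone(qname: str, levels: int = 3) -> str:
    """Group queries by their last `levels` labels, e.g. exfil.example.net."""
    return ".".join(qname.strip(".").split(".")[-levels:])


def find_exfil_zones(log_text: str, min_hits: int = 3) -> dict:
    """Return {zone: count} for zones that received `min_hits` or more payload-like queries."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2]
        if is_payload_label(qname.split(".")[0]):
            hits[parent_zone(qname)] += 1
    return {zone: n for zone, n in hits.items() if n >= min_hits}
```

The thresholds are starting points: tune `min_len`, `min_entropy` and `min_hits` against a baseline of your own resolver traffic before alerting on them.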
The most vulnerable web applications are:
- In-house web application, at 40 per cent
- Plugins and modules for CMSs, at 30 per cent
- Small CMSs, at 25 per cent
- Large CMSs (such as WordPress and Joomla), at 5 per cent.
Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, concluded: “It is important to say that about 90 per cent of large and medium-size commercial and open-source CMSs prone to XSS and SQL injection attacks are vulnerable because they are not up-to-date or are incorrectly configured. However, we have made great progress in terms of the positive impact our research brings to the industry, with tens of thousands of popular websites no longer at risk of compromise thanks to our efforts and collaboration with software vendors.”