Vulnerabilities in leading web and application frameworks, if exploited, can have devastating effects like the Equifax breach which affected 147 million people, according to RiskSense.
Among the report’s key findings, total framework vulnerabilities in 2019 went down but the weaponization rate went up, WordPress and Apache Struts had the most weaponized vulnerabilities, and input validation surpassed cross-site scripting (XSS) as the most weaponized weakness in the frameworks examined.
“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense.
“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”
Most weaponized vulnerabilities
These two frameworks alone accounted for 57% of the weaponized vulnerabilities, those for which exploit code exists to take advantage of the weakness, in the past 10 years.
WordPress faced a wide variety of issues, but XSS was the most common problem, while input validation was the biggest risk for the Apache Struts framework. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.
2019 vulnerabilities are down, but weaponization is up
While the overall number of framework vulnerabilities was down in 2019 compared to previous years, the weaponization rate jumped to 8.6% which is more than double the National Vulnerability Database (NVD) average of 3.9% for the same period. This uptick was primarily due to increased weaponization in Ruby on Rails, WordPress and Java.
Input validation replaces XSS as top weakness
While XSS issues were the most common vulnerability over the 10-year study period, it dropped to 5th when analyzed over the last 5 years. This is a sign that frameworks are making progress in this important area.
Meanwhile, input validation has emerged as the top security risk for frameworks, accounting for 24% of all weaponized vulnerabilities over the past 5 years mostly affecting Apache Struts, WordPress, and Drupal.
Injection weaknesses are highly weaponized
Vulnerabilities tied to SQL injection, code injections, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%. In fact, the top 3 weaknesses by weaponization rate were command injection (60% weaponized), OS command injection (50% weaponized), and code injection (39% weaponized). This often makes them some of the most sought after weaknesses by attackers.
Shedding light on hidden threats
An organization’s web-facing applications represent fundamental digital assets that are essential to serving internal and external users. Their exposure to the outside world also means they are susceptible to constant attack.