Acunetix have released their 2015 Web Application Vulnerability report, which aggregates the findings of over 15,000 scans performed on around 1.9 million files over a 12-month period between 2014 and 2015. Their report details an increase in web application vulnerabilities “posing serious threats to organizations’ overall security posture, such as data loss or alteration, system down-time, loss of reputation and severe fines from the regulators”. Data was taken from a random sample of 5,500 users of ‘Acunetix Online Vulnerability Scanner’ who had successfully scanned at least one target, out of a possible 18,000 subscribers.
Signal Networks and Acunetix believe website security should be a high priority for any organisation; however, the report details how it remains one of the most overlooked aspects of securing an enterprise. This allows hackers to concentrate their efforts on web-based applications, where they receive maximum output for minimal input compared to other methods.
Analysis of their findings led Acunetix to conclude that “the nature of cyber-attacks is also diversifying as criminals target not only financial data, but personal data for use in identity theft and confidential intelligence to carry out cyber espionage”.
The scan data showed that both perimeter servers and web applications are exposed to high and medium severity vulnerabilities, with nearly half of the web applications scanned containing a high severity vulnerability such as XSS or SQL Injection.
The Acunetix Web Application Vulnerability Report 2015 noted that, overall, administrators are best placed to protect a network against vulnerabilities; however, there is a clear difference between high, medium and low severity levels:
High Severity: An attacker can easily exploit such vulnerabilities to compromise the integrity and availability of the target application, gain access to backend systems and databases, as well as deface the target site and trick users into phishing attacks.
Medium Severity: An attacker can exploit such vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion. Medium severity vulnerabilities could also be used to escalate an attack by exploiting known vulnerabilities in disclosed software components.
Low Severity: An attacker can identify sensitive information derived from lack of encryption of data traffic, or directory path disclosures and may be able to use this information to escalate an attack and find other vulnerabilities.
Within these severity levels, Acunetix found over 1,500 distinct types of vulnerabilities, including 11 separate types of WordPress vulnerabilities. They went on to conclude that, despite most of the servers scanned being perimeter servers, “having a network vulnerability on these internet-facing servers could spell disaster, as this could easily lead to server compromise and possibly be escalated further”.
- 9% High risk server vulnerability
- 50% Medium risk server vulnerability
- 46% High risk server vulnerability
- 87% Medium risk server vulnerability
Looking at the top web vulnerabilities, Cross-site Scripting (XSS) and Denial of Service (DoS) were the most prevalent, with 38% of websites vulnerable to each of these attacks. The graph below shows how newer security vulnerabilities, e.g. HeartBleed and POODLE, are “already nearly as common as the older vulnerabilities such as XSS and SQL, which have been around for decades”.
In conclusion, Acunetix notes that vulnerabilities are on the rise, with nearly half of web applications containing a high severity vulnerability. Despite this level of severity, companies are taking an approach that is deemed “too casual”, as “this problem of unsecured apps is only getting worse as new technologies are adopted”.
If you’d like to discuss your IT network, website and its security further, our certified ethical hackers are qualified, experienced and able to help organisations of any size or sector. To find out more, please view our IT Security pages or contact us on 08453702202.
To download a full copy of the Acunetix Web Application Vulnerability Report 2015, please click here.