2018 was not a good year for web application vulnerabilities, with 17,142 reported issues, according to a report released on Jan. 9 by Imperva.
The 2018 tally for web application vulnerabilities represents a 21 percent year-over-year increase from 2017. There are multiple types of web application vulnerabilities, among the most common being Cross Site Scripting (XSS) vulnerabilities, which doubled in 2018 and represented 14 percent of reported issues. The top issue, however, was injection vulnerabilities, which grew by a staggering 588 percent year-over-year and represented 19 percent of web application vulnerabilities reported in 2018.
“Microsoft and IBM had a major influence as more injection vulnerabilities were published in 2018 than in 2017,” Nadav Avital, research manager of threat analytics at Imperva, told eWEEK.
In an injection vulnerability, code or data is injected into a web application's data path, leading to some form of unexpected result. There are multiple types of injection vulnerabilities, with SQL injection being among the most well-known. With SQL injection, an attacker inputs unexpected data into a database SQL query, which can lead to data exfiltration. Imperva reported that in 2018 there were 1,354 reported SQL injection vulnerabilities. An even larger injection issue, however, is remote command execution (RCE), which had 1,980 reported vulnerabilities in 2018. With an RCE, an attacker can remotely exploit a vulnerable application via some form of malicious input.
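To make the SQL injection class described above concrete, here is an added example (not from the Imperva report or the article) that puts a string-concatenated query beside its parameterized form and runs both against a constructed in-memory SQLite table. The table contents, the function names and the inputs are all assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the demo; not taken from the report.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input is pasted into the query text, so any SQL syntax inside
    the value becomes part of the statement the database executes."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameter binding sends the value separately from the query text, so the
    database only ever compares against it; the value cannot change the query."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Run the same input through both lookups and return what each produced."""
    conn = make_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, name)
        except sqlite3.Error as exc:
            # A plain quote in the data already breaks the concatenated statement.
            vulnerable = "query failed: " + str(exc)
        return {"vulnerable": vulnerable, "safe": lookup_safe(conn, name)}
    finally:
        conn.close()


if __name__ == "__main__":
    for user_input in ("alice", "O'Brien", "x' OR 'a'='a"):
        print(repr(user_input), "->", demo(user_input))
```

A legitimate name containing an apostrophe makes the concatenated query fail outright, and a value carrying SQL syntax makes it return rows the caller never asked for, while the parameterized query treats every input purely as data.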
There are several reasons why injection vulnerabilities have grown over the past year.
“On one hand, there are developer communities that don’t enforce security best practices in the development life cycle,” Avital said. “On the other hand, bug bounty programs are becoming more popular and widely adopted by the industry.”
In bug bounty programs, researchers are awarded a “bounty,” that is, a financial reward for responsibly disclosing a vulnerability. Many bug bounty programs put a focus on injection vulnerabilities as a primary class of bug to identify.
IoT Vulnerabilities
While the volume of injection vulnerabilities grew in 2018, internet of things (IoT) vulnerabilities went the other direction, with fewer IoT vulnerabilities reported in 2018 than there were in 2017.
“2018 bore good news for the IoT industry as more organizations are showing interest in developing security standards and best practices,” Avital said.
Among the standards and best practices announced in 2018 for IoT security was one from the U.S. National Institute of Standards and Technology (NIST) in May. In addition, the Open Web Application Security Project (OWASP) released the new list of top 10 risks in IoT.
“These are all signs that the IoT industry, and in turn IoT vendors, is investing more in security,” Avital said.
Patching Rates
While the number of overall vulnerabilities is concerning, there is another key trend identified by Imperva that might have even more impact. Imperva reported that of the web application vulnerabilities reported in 2018, 38 percent do not have an available solution, such as a software upgrade, a workaround or a software patch.
“While there is no available solution, there is also no guarantee that all of these vulnerabilities are exploitable,” Avital said. “Some are and some are not.”
Avital added that the lack of patches for so many web application vulnerabilities is one of the reasons that organizations should rely on “security in depth” and have multiple security solutions, like a web application firewall, to protect IT assets.
What’s Next?
Looking at what trends are likely to emerge in 2019, Avital said he expects that injection vulnerabilities will continue to grow.
Additionally, Avital highlighted potential risks that are coming from the widely deployed PHP programming language, which is used inside many content management systems (CMS) and web applications. At the end of 2018, PHP announced that versions 5.5, 5.6 and 7.0 reached their end of life. That means that these versions will no longer receive security updates.
“The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions, since they will not be fixed and impact every application built with these outdated versions,” he said. “For example, according to Shodan, there are currently 34K servers with these unsupported PHP versions.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.