An organization’s web presence is a crucial part of its ability to do business, as it serves as the primary point of connection between the organization and its customer base. Unsurprisingly, an organization’s web presence is also often the primary target of cybercriminals.
The first reason for this is the easy accessibility of an organization’s web applications. These web apps are designed to be usable by the general public, meaning that they are reachable from the public Internet. As a result, cybercriminals have no difficulty accessing them to search for vulnerabilities.
Beyond the ease of access, web applications are also a prime target since they can be very lucrative for cybercriminals. Customers’ personal data has become valuable on the black market, and web applications require access to this data in order to function. Identifying and exploiting a web application vulnerability could allow an attacker to steal sensitive user data or even use the web server as a foothold on the organization’s network to enable further attacks.
Therefore, identifying and patching web application vulnerabilities should be a priority for any organization. However, the importance and value that organizations assign to different vulnerabilities do not always line up with how often they are targeted by cybercriminals in the real world.
Certain vulnerabilities are more commonly exploited by cybercriminals than others. In the past, an organization mainly had to worry about an SQL injection attack, where a cybercriminal took advantage of poor input validation in database queries to steal sensitive information.
Previously, the Open Web Application Security Project (OWASP) Top Ten list of web application vulnerabilities was the only source of data regarding the relative risks associated with different types of web application vulnerabilities. It ranked these vulnerabilities based upon how frequently they occurred in the production web application code.
Now, with the rise of bug bounty programs and bug bounty platforms (such as HackerOne and BugCrowd), aggregated, real-world data is available for the first time. With this data, it is possible to gain a new level of insight into the types of vulnerabilities that companies prioritize and that ethical hackers can discover in their web applications in the real world.
These lists and the OWASP Top Ten do not always match up. Of OWASP’s Top Ten, only four vulnerabilities also appear on HackerOne’s lists. This indicates that the vulnerabilities most common in web applications are not always the ones most targeted by cybercriminals or the most threatening to organizations.
However, this difference between the theoretical “top vulnerabilities” and the ones most discovered by ethical hackers during bug bounty programs is not the only one in the space. HackerOne’s data also indicated a disconnect between the vulnerabilities that organizations operating bug bounty programs were willing to pay the most for and the ones that were most commonly found and pulled in the most bounties.
Organizations running bug bounty programs tend to prioritize vulnerabilities that could result in a data breach or other expensive repercussions. As a result, the bounties with the highest potential payout amounts include server-side request forgery (SSRF), which was behind the recent CapitalOne Breach, privilege escalation flaws, and insecure direct object reference (IDOR) vulnerabilities.
According to HackerOne’s data, on the other hand, these vulnerabilities were relatively rare and did not account for a majority of bounty payments. Cross-site scripting (XSS) vulnerabilities were the most commonly discovered and reported flaw, accounting for $8 million of the $55 million in bounties paid out by the end of 2018, despite the relatively low bounty paid for each XSS report.
HackerOne’s data is not the only source pointing to XSS as a significant threat to organizations. A recent study found that 40% of cyberattacks against large North American and European companies in 2019 involved cross-site scripting. This validates HackerOne’s claim that their data is representative of the real-world threats to an organization’s web presence and indicates that organizations may be focusing on the wrong types of vulnerabilities when attempting to secure their platforms.
In risk management, two factors are taken into account when determining the threat that a potential risk poses to an organization. The first is the potential impact, or the amount of damage that exploitation of the vulnerability could cause. The second is the probability of occurrence, or how often the risk can be expected to materialize.
Data from HackerOne indicates that many organizations are focusing on the potential impact of a particular risk when designing their bug bounty programs. By attaching larger rewards to vulnerabilities that are likely to have a greater impact, they incentivize ethical hackers to focus on these particular flaws in their testing.
However, the evidence shows that these vulnerabilities, while theoretically more impactful, are being exploited far less in the real world. With the sheer number of new software vulnerabilities discovered and disclosed each year, it is infeasible for most organizations to identify and patch every vulnerability in their systems. If organizations are focusing solely on patching “high impact” vulnerabilities at the expense of “high probability” ones, they could be leaving their web applications open to exploitation. Also, as the British Airways breach and the associated fine imposed on the organization by regulators demonstrated, threats like Magecart, which make heavy use of “low impact” vulnerabilities like XSS, can be very expensive to an organization.