What application vulnerabilities should you be worried about when protecting your organization? Well, all of them, of course, but some more than others. Bug bounty company HackerOne recently analyzed the 120,000 vulnerabilities that researchers have reported through its platform to highlight the most common and highest-earning flaws.
HackerOne organizes community bug-finding programs for top brands and public sector organizations alike. By looking at its data, along with the Open Web Application Security Project (OWASP) top ten list of web application vulnerabilities, we can gain some useful insights. HackerOne’s list shows us what hackers are finding and how important companies consider those flaws in commercial situations. It represents the perfect complement to OWASP’s last top ten list, published in 2017, which combined data from “human assisted tools and tool assisted humans”, including data on around 114,000 applications from 23 large-scale data providers such as Veracode.
Four of the ten bugs on HackerOne’s list overlapped with OWASP’s top 10 web application vulnerabilities.
The top bug type on HackerOne’s list was one that slipped considerably in OWASP’s rankings between 2013 and 2017: cross-site scripting (XSS). The collected types of XSS vulnerability (DOM, reflected, stored, and generic) accounted for nearly 35% of all reported vulnerabilities and 28% of all the paid bounties, according to HackerOne’s report.
It’s difficult to map the two lists against each other because OWASP and HackerOne categorize flaws differently. For example, injection is a vulnerability common to the two reports. It occurs when an application passes attacker-controlled input to an interpreter (a SQL engine, a shell, a template engine) as part of a command, so that what looks like a legitimate request carries the attacker’s own instructions and the system executes them. Injection made the top of the OWASP list, but ranks lower in HackerOne’s. That’s in part because HackerOne breaks this vulnerability into two types (code injection and SQL injection) that rank almost equally in popularity.
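As an added illustration, not taken from either report, here is the SQL injection case in Python against an in-memory SQLite database. The first lookup builds the query by string formatting, so a crafted name changes the statement’s logic; the second binds the value as a parameter, so it can only ever be compared as data. The users table and the payload are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example database.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's value is spliced into the SQL
    text, so a quote in the value ends the string literal and the rest of
    the value becomes part of the statement."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately from the
    statement, so it cannot change the statement's structure."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the classic tautology payload through both lookups.
    Returns (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = make_db()
    payload = "nobody' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)      # WHERE name = 'nobody' OR '1'='1'
    contained = lookup_safe(conn, payload)         # compares the whole string as a name
    return len(leaked), len(contained)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The fix is not escaping quotes (that is fragile across dialects and encodings) but keeping data and code on separate channels, which is what the bound parameter does.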
SQL injection isn’t the only vulnerability that HackerOne breaks out into its own category. For example, Insecure Direct Object Reference (IDOR) gets its own section. It occurs when an app exposes a record identifier in a URL parameter and lets a user tweak it to read someone else’s data: the user is authenticated, but the app never checks that the referenced object belongs to them. This is the most likely cause of First American Financial Corp.’s recent online exposure of 885m sensitive mortgage insurance records.
OWASP lumps IDOR in with number five on its list (broken access controls), which seems to mirror HackerOne’s improper access control category.
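To show the difference between authentication and the object-level authorization check that IDOR lacks, here is an added example in Python (not code from HackerOne, OWASP, or any of the organizations mentioned). The record store, owners, and sequential ids are constructed for the example; a real app would make the same check against its database and its server-side session.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample data. Sequential ids are what make the reference
# guessable: a user who sees /records?id=1001 will simply try 1002.
RECORDS = {
    1001: Record(1001, "alice", "closing statement for alice"),
    1002: Record(1002, "bob", "closing statement for bob"),
}


class Forbidden(Exception):
    """Request refused: not logged in, or not allowed to see this object."""


def get_record_vulnerable(session_user, record_id):
    """Checks authentication only. Any logged-in user can read any id,
    which is the IDOR pattern: the reference is trusted as-is."""
    if session_user is None:
        raise Forbidden("login required")
    return RECORDS.get(record_id)


def get_record_safe(session_user, record_id):
    """Checks authentication, then object-level authorization: the record
    must belong to the requesting user. Ownership is compared against the
    server-side session identity, never against anything the client sent."""
    if session_user is None:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    # Same response for "does not exist" and "not yours", so an attacker
    # cannot use the difference to enumerate which ids are real.
    if record is None or record.owner != session_user:
        raise Forbidden("record not found")
    return record


def reachable_owners(session_user, fetch):
    """Which owners' records can session_user read through fetch?
    Used to contrast the two implementations over the whole id space."""
    owners = set()
    for record_id in RECORDS:
        try:
            owners.add(fetch(session_user, record_id).owner)
        except Forbidden:
            pass
    return owners


if __name__ == "__main__":
    print(reachable_owners("alice", get_record_vulnerable))  # {'alice', 'bob'}
    print(reachable_owners("alice", get_record_safe))        # {'alice'}
```

Unguessable identifiers (random UUIDs instead of sequential integers) raise the cost of enumeration but are not a substitute for the ownership check, since ids still leak through shared links, logs, and referrers.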
The other crossover in the OWASP and HackerOne top tens is information disclosure, which OWASP lists third (as Sensitive Data Exposure) and HackerOne ranks third as well. This occurs when web applications and APIs reveal sensitive data, whether personal information or internal details such as error messages and version numbers that help an attacker plan the next step.
What’s old is new again
However you categorize different kinds of flaw, one thing is painfully clear: vulnerabilities that were big news years ago haven’t gone away. Take the relative popularity of SQL injection, which was already a favourite method of exploiting web applications ten years ago. Akamai’s State of the Internet report underlines the point: SQL injection represents two thirds of all web application attacks it observes today, it warns.
Other examples of long-standing vulnerabilities on HackerOne’s list include improper authentication, which ranks a distant second after XSS in terms of bounty payments. This ranked second after injection on the OWASP list in 2017, unchanged since 2013. In fact there are few vulnerability types on the HackerOne list that you wouldn’t have seen in the news a decade ago.
One notable vulnerability on the HackerOne list is Server-Side Request Forgery (SSRF), which didn’t make OWASP’s 2017 top ten at all. It abuses a feature that fetches a URL on the user’s behalf: by supplying a URL that points at an internal address, an attacker makes the server read resources that aren’t publicly reachable, such as configuration data, internal databases, or cloud instance metadata. The rush to hybrid and multi-cloud environments is highlighting this category of flaw, which may be one reason why individual bounties for it are typically high, says the HackerOne report. IDOR and privilege escalation also earn significant individual bounties.
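As an added example (not from either report), here is the check a server should make before fetching a user-supplied URL, using only the Python standard library. It allows http and https only, refuses embedded credentials, resolves the host once, rejects any address that is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata address, including its IPv4-mapped IPv6 disguise) or otherwise non-public, and returns the resolved IP so the caller connects to that rather than resolving the name a second time. The names and addresses in FAKE_DNS are constructed so the example runs offline; default_resolver performs a real lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def default_resolver(host):
    """Real DNS lookup: every address the name resolves to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table so the example runs without network access.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    return FAKE_DNS[host]


def is_public(ip):
    """True only for addresses an internet client could reach directly."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is really a v4 target
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve_outbound_target(url, resolver=default_resolver):
    """Validate url and return (host, ip, port) for the outbound fetch.

    Every address the host resolves to must be public; if any one is not,
    the whole URL is refused, so a name that alternates between a public
    and an internal address (DNS rebinding) is rejected rather than raced.
    The caller should connect to the returned ip and send the original
    host name in the Host header / SNI instead of resolving it again.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("invalid port")
    try:
        # A literal address (dotted v4, bracketed v6) needs no DNS lookup.
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, LookupError, ValueError):
            raise UnsafeURL("cannot resolve host %r" % host)
    if not addresses:
        raise UnsafeURL("host resolved to no addresses")
    for ip in addresses:
        if not is_public(ip):
            raise UnsafeURL("%s resolves to non-public address %s" % (host, ip))
    return host, str(addresses[0]), port


def is_safe_url(url, resolver=default_resolver):
    """Boolean convenience wrapper around resolve_outbound_target."""
    try:
        resolve_outbound_target(url, resolver)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/users",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "http://rebind.example.net/"):
        print(candidate, is_safe_url(candidate, resolver=fake_resolver))
```

Two things this check does not cover on its own: the HTTP client must not follow redirects to an unchecked location (run the same check on each redirect target, or disable redirects), and if the application sits behind an egress proxy the proxy needs an equivalent deny-list, since the proxy, not the app, makes the final connection.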
Developers must learn how to better protect themselves against ‘evergreen’ flaws while identifying and learning about new ones, but the bounty payments currently making the headlines suggest that they could be doing a better job.
Learn to squash those bugs
Security consultants can capitalize on this and help protect applications by staying curious and keeping one step ahead. At SecTor this year, they can take a deep dive into application security by attending the Application Testing Fundamentals training course. Taking the OWASP top 10 as its reference guide, it will teach attendees about the different classes of vulnerabilities and how to find them using a range of industry tools.
This course will appeal both to penetration testers looking for a way to target online applications and to developers hoping to plug those loopholes during the design and coding process. Numerous data breaches in the last year alone have demonstrated the importance of application security. By taking a couple of days to study the topic before the SecTor conference opens, you can help avoid your organization becoming an unfortunate headline, and perhaps position yourself for a bounty payment or two into the bargain.