The exploitation of web application vulnerabilities continues to be one of the leading causes of data loss for organizations. Despite the numerous high-profile attacks, many organizations have failed to address the most common application flaws, leaving them exposed as the victims of the next data breach.
Drawing on years of experience and insights from our cloud-based application security testing, we conducted a study to identify the prevailing website vulnerability trends. The study is based on our original research covering more than 5000 tests across 300+ customers distributed globally.
How was the study conducted?
The study was conducted on the vulnerability data of web applications we tested in 2012. In total, more than 5000 application vulnerabilities from 300+ customers were considered as part of the sample data.
Our sample comprised 25% apps from Asia, 25% apps from Europe and 40% apps from the USA.
- 99% of web applications have at least 1 vulnerability.
- 82% of web applications have at least 1 High/Critical vulnerability.
- 90% of hacking incidents are not reported publicly.
- We observed a very low correlation between security and compliance (correlation coefficient: 0.2). This once again shows that compliance and security are not synonymous.
- There are 35 security vulnerabilities on average in a single website.
- 30% of the hacked organizations already knew about the vulnerability through which they were hacked.
- Customer apps from the US and Europe had a lower vulnerability density than customer apps from APAC.
- #1 vulnerability: Cross-site scripting (61%). The graph and the distribution of the other vulnerabilities can be accessed here.
- #1 secure industry vertical: Banking. The vulnerability density of applications by industry vertical is available in the full report, which can be downloaded for free.
- #1 vulnerable industry vertical: Retail.
- Business logic flaws were the most neglected vulnerabilities.
We found business logic vulnerabilities to be the most overlooked and to carry the highest business impact. Most organizations lack the expertise and the process to discover and eliminate business logic flaws. The flaws we encountered most often were:
- Weak password recovery
- Abuse of discount logic or coupons
- Denial of service through business logic
- Price manipulation
- OTP (one-time password) bypass
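Two items on that list, price manipulation and coupon abuse, illustrate why business logic flaws are easy to miss: every request involved is syntactically valid, so only the server's own arithmetic and state can catch them. The following Python sketch is an added example, not code from the report; the catalog, coupon table and request shapes are constructed, and it contrasts a checkout that trusts client-supplied amounts with one that recomputes them server-side and enforces single-use coupons.

```python
# Constructed example: a checkout that trusts the client versus one that
# re-derives every amount on the server. Catalog, coupons and requests are made up.
CATALOG = {"sku-100": 4999, "sku-200": 1500}            # prices in cents, server-side
COUPONS = {"SAVE10": {"percent": 10, "single_use": True}}


class CheckoutError(Exception):
    """Raised when the server rejects a request on business-logic grounds."""


def checkout_insecure(request):
    """Vulnerable: the total and the discount come straight from the client.
    Every field is well-formed, so an input-validation scanner sees nothing wrong."""
    total = request["total"]                          # attacker-controlled
    discount = request.get("discount_percent", 0)     # attacker-controlled
    return total - total * discount // 100


def checkout_secure(request, redeemed):
    """Hardened: amounts are recomputed from the catalog, quantities are checked,
    and single-use coupons are recorded in `redeemed` so they cannot be replayed."""
    total = 0
    for item in request["items"]:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOG:
            raise CheckoutError("unknown sku")
        if not isinstance(qty, int) or qty <= 0:
            raise CheckoutError("invalid quantity")   # blocks negative-quantity tricks
        total += CATALOG[sku] * qty                   # client-sent prices are ignored
    code = request.get("coupon")
    if code:
        coupon = COUPONS.get(code)
        if coupon is None:
            raise CheckoutError("invalid coupon")
        if coupon["single_use"] and code in redeemed:
            raise CheckoutError("coupon already redeemed")
        total -= total * coupon["percent"] // 100
        redeemed.add(code)   # in a real system this write and the charge are one transaction
    return total
```

In a real deployment the redemption record lives in the database and is updated atomically with the order, otherwise two concurrent requests can both pass the replay check.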
Note: The average number of vulnerabilities per website we observed (35) is significantly lower than in other industry reports. One reason could be that we remove all false positives (Zero False Positive Guarantee), which other tools do not. Another possible reason is that we report vulnerabilities based on root cause analysis and do not count each manifestation resulting from a single vulnerability separately. Hence the reported number is much lower than in other reports.