Vulnerability Management

Study finds nearly half of web applications put user data at risk

Despite the increased awareness of cybersecurity and high profile data breaches, a recent study revealed nearly half of web applications place users' personal data at risk of theft and all of them contained at least one vulnerability.

Positive Technologies tested 23 web applications, using automated tools and manual black-, gray-, and white-box methods, and found that attackers could obtain personal data from 44 percent of the applications that handle such information, including those of banks, e-commerce stores, and telecoms companies, according to the firm's Web Applications for Statistics report.

Researchers found that the average level of web application security remains poor and that every application tested had flaws of varying severity. The report also found that high-severity vulnerabilities could be exploited in more than half of the applications tested, which would grant threat actors access to sensitive data, the ability to execute commands on a server, and total control of the system.

Researchers also found that attacks on web applications were possible on 96 percent of applications, that 48 percent of applications were vulnerable to unauthorized access, and that 17 percent contained vulnerabilities that would allow an attacker to take full control of the application.

To make matters worse, vulnerabilities were present in 100 percent of tested web applications, with 52 percent of them containing high-severity vulnerabilities.

“It's also important to remember that having access to source code makes security assessment much more effective,” Leigh-Anne Galloway, Positive Technologies cybersecurity resilience lead, said in the release. “Through manual code audits, we were able to find critical vulnerabilities in 100 percent of tested applications, which may otherwise have been missed.”

Among the top 10 critical vulnerabilities were SQL Injection, XML External Entities, OS Commanding, Path Traversal (PHP), Deserialization of Untrusted Data, and Insufficient Authorization.
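As an added illustration of two of the classes the report names, SQL injection and path traversal, the following example (written for this page, not code from Positive Technologies' report or from any of the tested applications) shows the vulnerable form of each beside its hardened form. It uses a constructed in-memory SQLite table and a hypothetical download directory (`/srv/app/downloads`) so it runs offline.

```python
import sqlite3
from pathlib import Path


def make_db():
    """Constructed in-memory user table standing in for an application's real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "user"),
            ("bob", "bob@example.test", "user"),
            ("admin", "root@example.test", "admin"),
        ],
    )
    return conn


def lookup_email_vulnerable(conn, username):
    """SQL injection: the username is concatenated into the query text, so a value
    containing a quote changes the statement itself instead of being treated as data."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    """Hardened form: a parameterised query. The driver binds the value separately
    from the statement, so no input can alter the query structure."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def download_path_vulnerable(base_dir, requested):
    """Path traversal: the requested name is joined to the base directory without
    checking where the result lands, so '..' segments (or an absolute path) escape it."""
    return Path(base_dir) / requested


def download_path_safe(base_dir, requested):
    """Hardened form: resolve both paths and refuse anything that is not strictly
    inside the base directory. Returns None for rejected requests."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target == base or base not in target.parents:
        return None
    return target


if __name__ == "__main__":
    conn = make_db()
    # Constructed test inputs: a normal lookup and a classic injection string.
    print(lookup_email_safe(conn, "alice"))
    print(lookup_email_vulnerable(conn, "x' OR '1'='1"))  # vulnerable form leaks every row
    print(lookup_email_safe(conn, "x' OR '1'='1"))        # hardened form returns nothing
    base = "/srv/app/downloads"  # hypothetical download directory
    print(download_path_vulnerable(base, "../../etc/passwd"))  # escapes base_dir
    print(download_path_safe(base, "../../etc/passwd"))        # None: rejected
    print(download_path_safe(base, "report.pdf"))              # allowed
```

The two hardened functions show the general mitigations rather than fixes for a specific application: keep untrusted input out of the statement structure (parameter binding), and canonicalise file paths before comparing them against the permitted root.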
