For Infosecurity Europe 2016, a European web security company High-Tech Bridge has released an overview of trends across the fields of web security. The trends include all types of security and privacy issues, from web application vulnerabilities to HTTPS traffic encryption and PCI DSS compliance.
High-Tech Bridge claims that several financial firms and banks, healthcare institutions, e-commerce and retail businesses rely on its platform which has allowed it to detect and remediate vulnerabilities in their web applications.
Below is a brief compilation of web security trends from the last six months:
Web Application Vulnerabilities
- Over 60% of web services or APIs designed for mobile applications contain at least one high-risk vulnerability allowing database compromise.
- If a website is vulnerable to XSS, in 35% of cases, it is also vulnerable to more critical vulnerabilities, such as SQL injection, XXE or improper access control.
- High risk vulnerabilities, such as SQL injections, are now being used for RansomWeb attacks five times more frequently than in 2015, extorting money from website owners.
- Blind XSS exploited in the wild, are being actively used by cybercriminals to infect privileged website users (e.g. support or admins) with Ransomware via drive-by-download attacks.
- Web attacks are becoming more sophisticated than ever, using chained vulnerabilities (e.g. XSS for privilege escalation, then improper access control and race condition to upload web shell).
- 23% of websites are still using deprecated SSLv3 protocol (top five countries: US,Germany, UK, France, and Russia).
- 97% of websites are still using insecure TLS 1.0 protocol, restricted by PCI DSS fromJune 2018 (top five countries: US, Russia, Germany, UK, and Netherlands).
- 23% of websites are still vulnerable to POODLE, however only 0.43% are vulnerable to Heartbleed.
- Only 24.3% of websites have SSL/TLS configuration fully compliant with PCI DSS requirements, and as low as 1.38% are fully compliant with NIST guidelines.
Web Server Security
- Less than 1% of web servers have enabled and correctly configured Content Security Policy (CSP) HTTP header, aimed to prevent XSS and other malicious content injection attacks.
- 79.9% of web servers have incorrect, missing, or insecure HTTP headers putting web application and its users at risk of being compromised.
- Only 27.8% of web servers are fully up2date and contain all available security and stability patches.
Web Application Firewalls
- Web applications protected with a WAF, contain 20% more vulnerabilities on average than unprotected ones.
- Over 60% of web vulnerabilities have advanced exploitation vectors allowing hackers to bypass WAF configuration and compromise the web application.
- Many customers abandon WAF integration with automated scanning tools due to a high rate of false-positives.
Cybersquatting, Typosquatting and Phishing
- Domains in .com and .org TLDs remain the most common among fraudulent domains (typosquatted, cybersquatted, or used for phishing and drive-by-download attacks).
- US, Poland and Singapore figure among the most popular countries to host fraudulent and malicious websites.
- Despite the growing fear about the new gTLDs (such as .xxx or .pizza), fraudulent domains in these domain zones represent only 0.22% of all malicious domains.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, comments:
The easiest and fastest to hack, insecure web applications are becoming the major threatacross the Internet. Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cybercriminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs.
In the near future, we can expect a significant and continuous growth of RansomWeb attacks against website owners, and Ransomware attacks against website visitors. Actually, ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing.
Web Application Firewalls don’t work in isolation from other security technologies anymore. Web application security requires a comprehensive approach, including Secure Software Development Lifecycle (S-SDLC), continuous monitoring, and regular manual or hybrid web security testing to complement automated vulnerability scanning.