Web Application Vulnerability Report - Acunetix


Web Application Vulnerability Report 2016

84% of web applications have one or more medium-severity vulnerability
55% of web applications have one or more high-severity vulnerability
8% of perimeter network assets have one or more high-severity vulnerability
16% of perimeter network assets have one or more medium-severity vulnerability

Introduction

Welcome to the 2016 edition of the Acunetix Web Application Vulnerability Report.

This document presents the second Web Application Vulnerability Report, an annual effort from the Acunetix Team. In this report, Acunetix presents data gathered, aggregated and analyzed throughout the period of 1st April 2015 to 31st March 2016 to illustrate the state of security of web applications and network perimeters.

By analyzing scan results on the Acunetix Online Vulnerability Scanner (OVS) platform, we are able to identify current and emerging patterns in the web application security space. With over 61,000 web and network security scans run over a two-year period, Acunetix is uniquely positioned to observe such trends.

Web app vulnerabilities have rapidly increased in the past 12 months as companies demand faster web application release cycles to satisfy staff and customers. Web application vulnerabilities are dangerous for organizations as they risk not only brand and reputational damage, but data breaches and the major fines associated with these. The findings continue to reaffirm the widely held understanding that the web application vector is a major, viable and low-barrier-to-entry vector for attackers, be they financially motivated, "hacktivists", nation-state attackers or other threat actors.

The threat landscape is changing: the web stack has evolved to serve up rich experiences directly within the browser. As a result of the versatility and platform agnosticism that web applications provide, web applications and web services are increasingly replacing legacy applications and, as a consequence, widening attackers' exploitation opportunities; especially since traditional network-layer-only security controls such as firewalls and signature-based intrusion prevention and detection systems (IPS/IDS) have little or no role to play in detecting and stopping an attack occurring via the web application vector.

This report aims to shed light on the state of web and perimeter network security based on the analysis undertaken. While this research found a minor but encouraging reduction in security vulnerabilities such as SQL injection and Cross-site Scripting, web application vulnerabilities still reign supreme and are worryingly on the rise. The majority of web apps (55%) now contain a high-severity vulnerability, up from 46% last year.

The Acunetix Team

Web Applications
55% have at least one high-severity vulnerability (up 9% in 12 months)
84% are susceptible to at least one medium-severity vulnerability

Perimeter Network Assets
8% were found to have at least one high-severity vulnerability
16% are susceptible to at least one medium-severity vulnerability

Acunetix Web Application Vulnerability Report 2016

Methodology

The data aggregated and analysed in this report was gathered from automated web and network perimeter scans run on the Acunetix Online Vulnerability Scanner platform over the period of one year, from 1st April 2015 to 31st March 2016. Evaluation scans on the intentionally vulnerable Acunetix test websites were omitted from the scope of this analysis.

For the purpose of this analysis, a random sample of 5,700 subscribers who had successfully scanned one or more Scan Targets was selected out of a possible 37,500 subscribers.

How an Automated Web Scan Works

The scanning process comprises three stages: Crawling, Scanning and Reporting.

Crawling
During the crawling stage, Acunetix Vulnerability Scanner analyzes the structure of the web application being scanned by leveraging its DeepScan crawling and scanning engine. DeepScan not only looks for links and inputs, but also executes JavaScript and can interact with HTML5-based web applications just like a user in a modern web browser would. This means that modern client-side applications leveraging JavaScript frameworks like AngularJS, React and Ember.js can be properly tested.

Scanning
The scanning stage is where Acunetix Vulnerability Scanner tests the web application for over 3000 vulnerabilities, some relating specifically to web server security, misconfigurations and information disclosure, while the large majority focus on testing inputs on a page for vulnerabilities. The scanner can automatically test JSON, XML and Google Web Toolkit (GWT) input vectors in addition to the typical GET and POST parameters.

Reporting
The third and final stage of a scan is reporting, where, after a scan is complete, vulnerability alerts are reported, complete with detailed information about the vulnerabilities in question, remediation advice and links to other online references.

The Dataset

The data analysed in this report is gathered from automated web and network perimeter scans run on the Acunetix Online Vulnerability Scanner platform.

This dataset focuses predominantly on high and medium-severity vulnerabilities found in web applications as well as perimeter network vulnerability data.

17,962 network scans
27,248 web scans
5,718 scan targets

Average per month:
347,000 files scanned
204,000 directories scanned
232,000,000 HTTP requests done
208,000 total alerts discovered

Vulnerabilities at a Glance

What Changed and What Hasn't

By comparing this dataset with results obtained last year, we can observe areas of improvement and regression in the number of vulnerabilities by class.

[Chart: Vulnerabilities by Type - High Severity, 2015 vs 2016. Several classes are marked "This data was not tracked in 2015".]

*N.B. The increase in WordPress vulnerabilities in this case can be attributed to the fact that the latest version of Acunetix (v10.5), used for the purpose of this analysis, includes many more WordPress vulnerability checks than Acunetix version 9, which was used in 2015.

[Chart: Vulnerabilities by Type - Medium Severity, 2015 vs 2016. Some classes are marked "This data was not tracked in 2015".]

[Chart: Vulnerabilities by Paradigm and Severity, 2015 vs 2016: Web Application (High-severity), Network Perimeter (High-severity), Web Application (Medium-severity), Network Perimeter (Medium-severity).]

Vulnerability Severity

Severity is a metric for classifying the level of risk which a security vulnerability poses.

The severity level of a vulnerability is assigned based on the security risk posed to an organization should the vulnerability be exploited, as well as the degree of difficulty involved in exploiting it. The result of a successful attack by exploiting a vulnerability could vary from denial of service and information disclosure, to a complete compromise of applications or systems.

The following provides a description of what the results in this analysis consider to be the impact of each vulnerability severity level.

High-severity
An attacker can fully compromise the confidentiality, integrity or availability of a target system without specialized access, user interaction or circumstances that are beyond the attacker's control. Very likely to allow lateral movement and escalation of attack to other systems on the internal network of the vulnerable application.

Medium-severity
An attacker can partially compromise the confidentiality, integrity or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker's control may be required for an attack to succeed. Very likely to be used in conjunction with other vulnerabilities to escalate an attack.

Low-severity
An attacker can compromise the confidentiality, integrity or availability of a target system only to a limited extent. Specialized access, user interaction, or circumstances that are beyond the attacker's control are required for an attack to succeed. Needs to be used in conjunction with other vulnerabilities to escalate an attack.

Results

Code Execution
Severity: High

Description
Remote Code Execution (RCE) is a very dangerous vulnerability that allows an attacker to execute arbitrary commands on the target web server (usually in the context of the web server or application process). The ability to trigger arbitrary code execution from one machine on another, especially over the Internet, is often referred to as remote code execution (RCE).

Impact
A code execution bug is arguably the most severe effect a vulnerability can cause, since it potentially allows an attacker to take over the system entirely; from there an attacker can likely achieve lateral movement, taking note of resources on the network and seeking opportunities for collecting additional credentials or privilege escalation.

Code Execution: 324 targets (6%)

5.67% of targets sampled were found to be vulnerable to code execution. This is a very troubling figure, given the severity of the vulnerability. It is strongly recommended to refrain from using user input to execute any commands within an application; however, if you must do so, user input needs to be properly validated and escaped to prevent code execution.

SQL Injection
Severity: High

Description
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System, RDBMS).

Since an SQL injection vulnerability could affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

An attacker taking advantage of an SQLi vulnerability is essentially exploiting a weakness introduced into the application through poor web application development practices. This allows attackers to send SQL commands to the web application, allowing them to gain unauthorized access to data held in the backend database.

By leveraging an SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.

To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data including customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.

Identified SQLi vulnerabilities:
Error/UNION: 718 targets
Blind: 607 targets

Blind SQL Injection is a kind of SQLi attack that is used when the results of an injection attack are not visible to the attacker. This does not imply that SQL injection is not possible; however, an attacker will need to find some other way of extracting data out of the database. While a Blind SQLi attack does not display data within the response from the server, the attacker is able to retrieve data from the database by analyzing the results of a logical statement injected into the SQL query, for instance by asking the database to 'wait' a specified amount of time if a condition is true.

Impact
While SQLi is mostly used to steal data from the database, the vulnerability can be escalated further, especially if the permissions on the database are not correctly configured. For example, the attacker can inject a query that causes some tables to be deleted from the database, effectively causing a DoS attack.

An attacker can also potentially deploy a web shell onto the server and subsequently take over the server, and even pivot into other systems as a result.

SQL Injection (Error/UNION, Blind): 1325 targets (23%)
Error/UNION: 718 targets (13%)
Blind: 607 targets (11%)

23% of sampled targets were vulnerable to at least one SQL injection vulnerability. The severity and ease of exploitation, combined with the maturity of exploitation tools targeting SQL injection, makes this figure worrying; especially when considering how well understood and documented this vulnerability is.

However, all is not bleak with regards to SQL injection: this analysis has registered a 3% drop from last year, which indicates that things are very slowly moving in the right direction. However, as is the case with most other vulnerabilities in this report, SQL injection is clearly not a thing of the past and a lot more still needs to be done to address it.
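The two SQLi classes counted above (error/UNION-based and blind) differ only in how the attacker reads the result; the root cause is the same string-built query. The following is an added example, not code from the report or from Acunetix: a constructed SQLite database with a hypothetical login query built by string formatting, the same query parameterised, and a boolean-based blind extraction that recovers a password using nothing but the application's "logged in / not logged in" behaviour as the oracle. The table, user names and passwords are made up for the demonstration.

```python
import sqlite3

def build_db():
    """Constructed sample database (not from the report): two users with
    plain-text passwords so the injection can be shown end to end.
    Never store passwords this way in real systems."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text, so the attacker
    controls the structure of the query, not just the values compared."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the driver passes values separately from the
    statement, so quotes, comments and operators in the input are data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def blind_extract_password(conn, target_user, max_len=16):
    """Boolean-based blind SQLi against login_vulnerable(). The response never
    carries database content; the only signal is whether the login succeeds,
    so the password is recovered one character at a time by injecting a
    condition and observing which branch the application takes."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            # The injected username closes the string literal, ORs in the test
            # condition and comments out the password check ('-- ' is SQLite's
            # line-comment marker).
            payload = ("' OR (username = '%s' AND substr(password, %d, 1) = '%s') -- "
                       % (target_user, pos, c))
            if login_vulnerable(conn, payload, "irrelevant") is not None:
                recovered += c
                break
        else:
            break  # no character matched at this position: end of password
    return recovered

if __name__ == "__main__":
    db = build_db()
    print("bypass   :", login_vulnerable(db, "' OR '1'='1' -- ", "x"))  # alice
    print("safe     :", login_safe(db, "' OR '1'='1' -- ", "x"))        # None
    print("extracted:", blind_extract_password(db, "alice"))            # s3cret
```

The classic bypass `' OR '1'='1' -- ` logs in as the first row of the table against `login_vulnerable` and is simply a non-matching username against `login_safe`. The blind routine needs one request per candidate character per position; a time-based variant would replace the boolean test with a conditional delay, as the report describes, but the parameterised query defeats both equally because the input never reaches the SQL parser.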

File Inclusion and Directory Traversal
Severity: High

Description
File inclusion and directory traversal vulnerabilities could allow an attacker to access restricted files and directories outside of a web server's root directory. In the case of file inclusion vulnerabilities, the vulnerable application would not just allow the file to be read, but would also execute its contents, while directory traversal only allows the reading of files.

Impact
File inclusion and directory traversal vulnerabilities are very dangerous since they both allow disclosure of sensitive files, including source code, secrets and sensitive configuration values. In the case of file inclusion vulnerabilities, this also extends to the execution of interpreted code (such as PHP); therefore, if combined with a file upload or arbitrary file write vulnerability (possibly even through SQL injection), file inclusion vulnerabilities could be escalated to code execution by an attacker using what is known as a web shell.

File Inclusion (Local): 121 targets (2%)
Directory Traversal: 151 targets (3%)

2% of sampled targets were found to be vulnerable to file inclusion and 3% were found to be vulnerable to directory traversal. These figures are on the rise from last year's 1% figure (both for file inclusion and directory traversal), which is of some concern, especially for file inclusion, through which an attacker could potentially execute code given the right conditions. Both file inclusion and directory traversal vulnerabilities, like most other web vulnerabilities, arise from the implicit trust web developers place in user input.
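The implicit trust described above usually takes the form of joining a request parameter onto a document root. As an added example (not code from the report or from Acunetix), the block below shows that pattern, a containment check that canonicalises the path before comparing it, and the allow-list approach that removes the path from the request entirely for include-style features. The base directory, page identifiers and filenames are hypothetical.

```python
import os

def resolve_vulnerable(base_dir, user_path):
    """VULNERABLE: the user-supplied path is joined to the document root with
    no canonicalisation and no containment check. '..' segments walk out of
    base_dir, and an absolute user_path makes os.path.join discard base_dir."""
    return os.path.join(base_dir, user_path)

def resolve_safe(base_dir, user_path):
    """Canonicalise both sides (collapsing '..' and resolving symlinks), then
    require the candidate to lie inside base_dir. commonpath() is used instead
    of a string prefix test so that '/srv/app/files2' is not accepted as being
    under '/srv/app/files'. Apply this after all URL decoding has been done,
    otherwise an encoded '%2e%2e/' slips past the check."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate

def is_confined(base_dir, user_path):
    """Boolean form of resolve_safe() for quick checks."""
    try:
        resolve_safe(base_dir, user_path)
        return True
    except ValueError:
        return False

# File inclusion: do not let the request choose a path at all. Map a short
# identifier to a server-controlled filename (hypothetical names).
PAGE_ALLOWLIST = {
    "home": "home.php",
    "contact": "contact.php",
}

def include_target(page_id):
    """Return the file to include for a known page id, or None if unknown."""
    return PAGE_ALLOWLIST.get(page_id)

if __name__ == "__main__":
    base = "/srv/app/files"
    for p in ["reports/q1.txt", "../../../etc/passwd", "/etc/passwd", "../files2/x"]:
        print("%-22s vulnerable=%-40s confined=%s"
              % (p, resolve_vulnerable(base, p), is_confined(base, p)))
```

The realpath step matters for two reasons: it is what turns `files/../../../etc/passwd` into a path that visibly leaves the root, and it follows symlinks, so a link planted inside the document root (for instance via an upload feature) cannot be used to reach files outside it.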

Cross-site Scripting
Severity: High

Description
Cross-site Scripting (XSS) is a vulnerability wherein client-side code injection occurs, predominantly through the use of JavaScript due to its prevalence in most browsing experiences.

Cross-site Scripting can be classified into four major categories: Stored XSS, Reflected XSS, DOM-based XSS and Blind XSS.

In all cases of XSS, the goal of an attacker is to get a victim to inadvertently execute a maliciously injected script. The malicious script is often referred to as a malicious payload, or simply a payload.

Stored (Persistent) XSS attacks involve an attacker injecting a script (referred to as the payload) that is permanently stored (persisted) on the target application (for instance within a database, in a comment field or in a forum post).

Reflected XSS attacks involve an attacker luring a victim to inadvertently make an HTTP request containing an XSS payload to a web server, usually achieved through phishing or other social engineering attacks. Once sent to the web server, the payload is then reflected back in such a way that the HTTP response includes the payload from the HTTP request.

DOM-based XSS is an advanced type of XSS wherein a payload is executed as a result of legitimate client-side JavaScript modifying the Document Object Model (DOM) in a victim's browser. In contrast to the other types of XSS, with DOM-based XSS the HTTP response itself does not typically change; rather, client-side code designed to process elements in the DOM executes the malicious payload that has been injected into the DOM elements processed by the vulnerable JavaScript code.

When a web application is vulnerable to XSS, it will load attacker-supplied content from a source that the application implicitly trusts, without properly encoding it. With stored and blind XSS, implicitly trusted data is loaded from a datastore (such as a database or cache); with reflected XSS, the implicitly trusted data is loaded from the HTTP request; and with DOM-based XSS, implicitly trusted data is loaded from a DOM-XSS source within the browser's DOM.

In every case, XSS results in the browser interpreting the attacker's payload as legitimate JavaScript code and subsequently executing it. It is important to note that an XSS vulnerability can only exist if the attacker's payload ultimately gets rendered in the victim's browser.

Impact
The consequences of an XSS attack may not be immediately obvious, especially since modern web browsers run JavaScript in a tightly controlled environment and since JavaScript has limited access to the user's operating system and the user's files.

However, when considering that malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies which are often used to store session tokens, if an attacker can obtain a user's session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the browser's DOM (within the page in which that script is running). JavaScript can also be leveraged to send HTTP requests with arbitrary content to arbitrary destinations, and in modern browsers can leverage HTML5 APIs such as accessing a user's geolocation, webcam, microphone and even specific files from the victim's file system. While such APIs require the victim's opt-in, XSS in conjunction with some clever social engineering can bring an attacker a long way.

XSS (Stored, Reflected, DOM-based, Blind): 1868 targets (33%)
DOM-based XSS: 63 targets (1%)

33% of sampled targets were vulnerable to at least one Cross-site Scripting vulnerability. The combination of XSS and social engineering allows attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. Critically, XSS vulnerabilities provide the perfect ground for attackers to escalate attacks to more serious ones.

Cross-site Scripting vulnerabilities have seen a 6% drop from last year, which is a sign of improvement; however, XSS is clearly still a major issue plaguing web security. As JavaScript becomes ever more powerful, XSS becomes increasingly more dangerous.

Vulnerable JavaScript Libraries
Severity: High

Description
JavaScript has become a ubiquitous, everyday part of the web. Therefore, in order to make development faster and easier, many web applications rely on JavaScript libraries to avoid 'reinventing the wheel'. Unfortunately, many of these JavaScript libraries contain vulnerabilities, and therefore need to be updated to their latest version.

Impact
Running vulnerable JavaScript libraries exposes web applications to security vulnerabilities, the most common being Cross-site Scripting vulnerabilities. Using components and libraries with known vulnerabilities can pose a significant risk to a web application, and JavaScript libraries are certainly no exception.

Vulnerable JavaScript Libraries: 1566 targets (27%)

27% of sampled targets were found to be making u
