Analysis of Web Apps Reveals Current Top Security Threats

Thirty-four days. That’s how long it takes for the average organization to patch a high-severity web application vulnerability according to a study of more than 316 million security incidents released recently by web application security provider tCell.

The report, “Security Report for In-Production Web Applications,” analyzed real-world cloud-based web application traffic on Amazon Web Services and Azure cloud environments. The study was conducted over 60 days in Q2 of this year and is based on actual production traffic.

During its analysis, tCell identified two main trends: attempted Cross-Site Scripting (XSS) and SQL Injection attacks. SQL injection attacks can enable an attacker to access sensitive information or gain access to the operating system for further attacks. When it came to vulnerabilities, tCell found that 90 percent of active applications had a known vulnerability and 30 percent of applications had a critical vulnerability.

While XSS attacks are common, they range from mere annoyances to real threats to data and systems. Most XSS attack attempts are just that—attempts—and are not successful. In its report from a year ago, tCell reported that as few as 1 in 100,000 attempted XSS attacks were successful. “Most security operations try to detect this attack on the network or server side; however, the attack lands on the client-side browser. This means, traditionally, it is difficult to know if one of these attempts has been successful (or not) at getting code to run in the browser,” the report stated.
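The report's point is that a server-side detector sees the attempt, not the outcome. The following added example (not code from the report or from tCell) shows that gap and the two defender-side answers to it: a tiny server-side attempt flagger that fires on the same input whether or not the page was vulnerable, the output escaping that decides whether the input ever becomes markup, and a parser for the browser-side Content-Security-Policy violation report, which is the signal that tells you something was actually blocked in the client. The signature list, the sample payload and the CSP report body are all constructed for the demonstration.

```python
import html
import json
import re

# Constructed server-side attempt signatures (a small sample, not tCell's rules).
XSS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<script\b", r"\bon\w+\s*=", r"javascript:")
]


def flag_attempt(param_value):
    """Server-side view: reports that an attempt was seen. It cannot say
    whether the browser ever executed anything."""
    return any(p.search(param_value) for p in XSS_PATTERNS)


def render_vulnerable(name):
    """Vulnerable rendering: untrusted input is placed into HTML unescaped."""
    return f"<p>Hello, {name}</p>"


def render_safe(name):
    """Hardened rendering: the input is HTML-escaped, so it is shown as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Policy that blocks inline script and asks the browser to report violations.
# The /csp-report path is an assumed endpoint name for this example.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "report-uri /csp-report"
)


def parse_csp_report(body):
    """Client-side signal: the browser posts a JSON 'csp-report' object when
    the policy blocks something. Return the fields a triager wants first."""
    report = json.loads(body).get("csp-report", {})
    return {
        "page": report.get("document-uri"),
        "directive": report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
    }


def demo():
    """Same payload through the detector and both renderers."""
    payload = "<script>alert(1)</script>"  # constructed sample input
    return {
        "flagged": flag_attempt(payload),
        "vulnerable_has_tag": "<script>" in render_vulnerable(payload),
        "safe_has_tag": "<script>" in render_safe(payload),
    }


if __name__ == "__main__":
    print(demo())
    sample = json.dumps({"csp-report": {
        "document-uri": "https://app.example.test/profile",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
    }})
    print(parse_csp_report(sample))
```

The detector returns the same `flagged=True` in both the vulnerable and the escaped case, which is exactly why attempt counts overstate impact; the CSP report is the only one of the three signals that originates where the attack lands.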

The next three most common attacks were automated threats, file path traversals and command injection.

When it comes to classifying web application security flaws, the OWASP (Open Web Application Security Project) Top 10 is the widely accepted gold standard. The attack findings from tCell differ from the OWASP Top 10 web app vulnerabilities, which are listed as injection flaws, broken authentication flaws, sensitive data exposure, XML external entities and broken access control.

There could be a number of reasons for the discrepancy, among them the short time frame of tCell’s analysis and its focus on cloud-hosted web applications only; the OWASP Top 10 covers all web applications.

Interestingly, tCell found 47 percent of organizations experienced an automated attack within the study period, and these automated attacks were targeted at specific applications. OWASP classifies attacks as automated threats when web applications are subjected to ongoing unwanted automated usage. These attacks don’t attempt to exploit a vulnerability in the application but instead abuse its legitimate features through scraping and automated scripts.

Finally, tCell found that as API use grows, so does an organization’s attack surface: exposed API endpoints, and APIs that have been orphaned and lack any known business function, are a critical blind spot for security and operations teams. “On average, each application had 2,900 orphaned routes or exposed API endpoints without a current business function. In fact, 92 percent of all routes and API endpoints are orphaned,” the company said in its report.
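Both the automated-usage finding and the orphaned-route finding can be checked from the same production access log, which is why the following added example (not code from the report or from tCell) covers both passages in one script. It parses a constructed access log, flags clients whose request timing looks scripted (many requests in a short window with near-constant spacing, one simple heuristic among several a real system would combine), and then diffs the observed traffic against a constructed route inventory and business-function registry to list routes that carried no traffic and have no known owner. The log format, route table, owner registry, thresholds and IP addresses are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed route inventory, as a dump of the framework's router table
# would look: (method, route pattern). '<id>' marks a path parameter.
ROUTE_INVENTORY = [
    ("GET", "/login"), ("POST", "/login"),
    ("GET", "/products"), ("GET", "/products/<id>"),
    ("GET", "/api/v1/users"),
    ("GET", "/api/v1/legacy/export"), ("DELETE", "/api/v1/legacy/export"),
]

# Constructed business-function registry: routes with a known owner.
ROUTE_OWNERS = {
    ("GET", "/login"): "auth", ("POST", "/login"): "auth",
    ("GET", "/products"): "catalog", ("GET", "/products/<id>"): "catalog",
}

# Constructed access log: epoch seconds, client, method, path, status.
ACCESS_LOG = """\
1000 10.0.0.5 GET /products 200
1001 10.0.0.5 GET /products/1 200
1002 10.0.0.5 GET /products/2 200
1003 10.0.0.5 GET /products/3 200
1004 10.0.0.5 GET /products/4 200
1005 10.0.0.5 GET /products/5 200
1006 10.0.0.5 GET /products/6 200
1007 10.0.0.5 GET /products/7 200
1000 192.0.2.9 GET /login 200
1030 192.0.2.9 POST /login 302
1075 192.0.2.9 GET /products 200
1090 192.0.2.9 GET /products/2 200
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log into (ts, client, method, path, status)."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            rows.append((int(ts), client, method, path, int(status)))
    return rows


def path_to_route(method, path):
    """Map a concrete request path onto an inventory route; any non-empty
    segment satisfies a '<...>' placeholder. None when nothing matches."""
    segs = path.split("/")
    for rmethod, rpath in ROUTE_INVENTORY:
        rsegs = rpath.split("/")
        if rmethod == method and len(rsegs) == len(segs) and all(
            r == s or (r.startswith("<") and s) for r, s in zip(rsegs, segs)
        ):
            return (rmethod, rpath)
    return None


def automated_clients(rows, min_requests=8, window=60, max_jitter=1.0):
    """Flag clients with at least min_requests inside `window` seconds whose
    inter-request gaps vary by no more than max_jitter seconds (scripted
    pacing). Humans rarely produce such regular spacing."""
    by_client = defaultdict(list)
    for ts, client, *_ in rows:
        by_client[client].append(ts)
    flagged = []
    for client, times in by_client.items():
        times.sort()
        if len(times) < min_requests or times[-1] - times[0] > window:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged.append(client)
    return flagged


def orphaned_routes(rows):
    """Routes that saw no traffic in the log and have no registered owner,
    plus their share of the inventory as a percentage."""
    hit = {path_to_route(m, p) for _, _, m, p, _ in rows}
    orphaned = [r for r in ROUTE_INVENTORY
                if r not in hit and r not in ROUTE_OWNERS]
    pct = round(100 * len(orphaned) / len(ROUTE_INVENTORY), 1)
    return orphaned, pct


def demo():
    rows = parse_log(ACCESS_LOG)
    return {"automated": automated_clients(rows), "orphaned": orphaned_routes(rows)}


if __name__ == "__main__":
    print(demo())
```

On the constructed data the paced client is flagged while the interactive one is not, and three of the seven inventoried routes come out as orphaned. In practice the route inventory should be pulled from the running application's router rather than a hand-kept list, since hand-kept lists are how routes become orphaned in the first place.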

George V. Hulme