
SQL Injection, XSS, and RCE Top List of Vulnerabilities in Internet-facing Applications

A new report on the top vulnerabilities in internet-facing applications in 2020 was released recently by Edgescan, and it found that 42% of the vulnerabilities found in these apps are SQL Injection vulnerabilities. The other common vulnerabilities include cross-site scripting (XSS) errors (19%), PHP vulnerabilities (16%), remote code execution (RCE) (7%), and sensitive file disclosure flaws (5%). As the report says,

“SQL Injection was first discovered in 1998 and still lives happily on the Internet with its cousins XSS and RCE.”

Like SQL Injection, XSS and RCE have been standard features on the OWASP Top 10 list of web application risks, which has been around since 2003 and updated every 2 years since. These common vulnerabilities are still the bane of application developers, testers, and IT security personnel more than a decade after the publication of the first OWASP Top 10 list.
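To make the two most common categories in the report concrete, the following is an added example (not code from the report, this post, or K2) showing a SQL Injection-prone login check beside its parameterized fix, and an XSS-prone HTML template beside its output-encoded fix. The user table, the credentials, and the sample inputs are all constructed for the demonstration; the in-memory SQLite database stands in for whatever backend a real application uses.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory user table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # SQL Injection: user input is spliced into the SQL text, so a quote character
    # in the input changes the structure of the query rather than just its data.
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders keep the input as bound data; the driver never parses
    # it as SQL, so the query structure is fixed at the time it is written.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def greeting_vulnerable(name: str) -> str:
    # XSS: untrusted text is written straight into HTML, so markup in the name
    # becomes part of the page the browser renders.
    return f"<p>Hello, {name}</p>"


def greeting_escaped(name: str) -> str:
    # Hardened: entity-encode the text for the HTML body context before insertion.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed sample input: a quote that would close the string literal early.
    tautology = "' OR '1'='1"
    print("vulnerable login with bad password:", login_vulnerable(db, "alice", tautology))
    print("parameterized login with bad password:", login_parameterized(db, "alice", tautology))
    print(greeting_vulnerable("<b>guest</b>"))
    print(greeting_escaped("<b>guest</b>"))
```

The vulnerable version accepts the malformed password because the spliced quote turns the `WHERE` clause into an always-true expression; the parameterized version compares the same string literally against the stored password and rejects it. The same pattern holds for XSS: the encoded version renders the angle brackets as text instead of tags.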

A great start for protection against SQL Injection, XSS and RCE attacks is using runtime application security. The latest draft of NIST SP 800-53 now includes RASP (Runtime Application Self Protection) as a requirement for an organization’s security framework. By having security that’s close to the application, you get greater visibility and understanding of when an attack is happening, and better tools to control the attack. Traditional security tools like Web Application Firewalls (WAFs) sit on the network perimeter and can miss nuanced and sophisticated attacks.


K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects the application from the risks listed in the OWASP Top Ten, including Injection attacks.

In addition to providing runtime application security, K2 can also help with faster vulnerability remediation in your web application code during your penetration testing cycle. The K2 agent is deployed on the pen testing/QA server, and no change in testing methodology or setup is required. K2 works in conjunction with your existing scanning tools or pen testing tools. K2 creates a vulnerability report at the end of the testing cycle detailing additional telemetry on the vulnerability, including which file and line number in the code has the vulnerability. K2 can also find additional vulnerabilities in the application that the testing tools may have missed.

K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number under attack, while at the same time integrating with leading firewalls to do real time attacker blocking.

Change how you develop and protect your applications.

Find out more about K2 today by requesting a demo, or get started with a free trial.



*** This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing. Read the original post at: https://www.k2io.com/sql-injection-xss-and-rce-top-list-of-vulnerabilities-in-internet-facing-applications/