This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
On average, the online edition of the Netsparker web security solution identifies a vulnerability every 4.59 minutes. Since its launch in early 2015 it identified a total of 156,904 security issues. Since the beginning of this year until the fifth of October it detected 87,195 vulnerabilities across 4,469 total websites.
If that doesn't make you want to start scanning your web applications for security issues right now, we don't know what would.
We are always curious about what technologies Netsparker users employ to build their web applications, and keen to stay ahead of the hackers. So we extracted data from the online edition of Netsparker and here is our report.
Table of Contents
- How Many Vulnerabilities Does Netsparker Detect and Verify?
- What Types of Technologies Do Netsparker Users Operate?
- What Type of Security Vulnerabilities Were Detected?
- Adoption of Client-side Web Security Features
- What Do These Web Application Security & Vulnerabilities Statistics Say?
- How Much Time and Resources Does it Take to Identify a Single Vulnerability?
How Many Vulnerabilities Does Netsparker Detect and Verify?
To start off with, 50,489 (32.18%) of the vulnerabilities Netsparker identified were categorised as High Severity and are critical issues. This should give you some idea of the statistics to follow.
An interesting fact is that out of the 156,904 vulnerabilities Netsparker identified, 30,164 (19.2%) have a probable/possible status, while around 80.8% of all identified vulnerabilities were confirmed automatically with Proof-Based Scanning™, which means they are definitely not false positives.
How Does Netsparker Confirm the Vulnerabilities?
Netsparker pioneered and uses an exclusive technology called Proof-Based Scanning™. When Netsparker identifies a vulnerability it tries to automatically verify it by exploiting it in a read-only and safe way. And if a vulnerability is exploitable, then it is definitely not a false positive.
Upon exploiting the vulnerability the solution also generates a proof of exploit, highlighting the impact the exploited vulnerability could have on the target website. Netsparker can automatically exploit vulnerabilities that have a direct impact and that are difficult, or require technical expertise, to reproduce manually, such as SQL Injection, XSS, Code Evaluation and second-order vulnerabilities.
Vulnerabilities without a direct impact, such as IP address or email address disclosure, cannot be automatically verified, though anyone can verify these types of issues very easily without any technical expertise.
So by automatically verifying 80% of the identified vulnerabilities, Netsparker helps businesses save days and weeks of man hours, allowing small teams to do much more and ensure the security of their web applications with far fewer resources.
What Types of Technologies Do Netsparker Users Operate?
We examined the types of web servers and technologies Netsparker users operate. We found that Apache and IIS were by far the most commonly used web servers, while PHP and .NET were the most popular web app technologies.
What Type of Security Vulnerabilities Were Detected?
Cross-Site Scripting (XSS) has been around for a very long time and is known by almost all developers. So it's surprising that it accounts for around one quarter of all detected vulnerabilities, a total of 40,908 issues. 1,269 of the detected XSS were DOM XSS. Cross-site scripting vulnerabilities are very difficult to get rid of, though they are very easy to detect automatically with the Netsparker web security solution.
Netsparker detected 3,441 SQL injection vulnerabilities, which make up just over 2% of the whole. Given that SQL injection was once so prevalent, and that it is still the top vulnerability in the OWASP Top 10 list of most critical web application security flaws, these are impressive results. New frameworks and prepared statements may all have played a role in reducing this proportion. In addition, while we see fewer classic SQLi vulnerabilities, we encounter more complex variants of this injection, such as Boolean-based, Blind and out-of-band (OOB) SQLi, all of which make up part of this number. Exploiting those types is much more difficult and only something an experienced hacker would tackle.
The Netsparker web application security solution always generates a proof of exploit when it identifies a SQL injection vulnerability, meaning there is no need to manually check that a detected vulnerability is exploitable.
Out of Date Software
Clever, malicious and driven hackers aside, out of date software is still a big issue, even though it is one of the quickest and easiest security gaps to close. Equifax and Mossack Fonseca made international news, yet…
Out of date software accounts for approximately 5% of all security issues. The severity varies, though:
- Since launch, Netsparker has detected 8,775 Out of Date Software issues
- 1,221 were outdated web server software
- 70 were out of date database servers.
Site owners should assume nothing and update their software as soon as updates become available.
Adoption of Client-side Web Security Features
Nowadays there are plenty of defense-in-depth features developers can use to improve the security of their web applications, such as Subresource Integrity and Content Security Policy. Not implementing them does not necessarily mean the web application has a specific vulnerability, but Netsparker reports when they are missing or misconfigured because they are recommended best practices.
SSL / TLS Issues
It is quite surprising that we are still seeing these types of SSL / TLS issues, especially when HTTPS is becoming the de facto protocol for the web. Netsparker discovered:
- 960 issues with mixed content over HTTP/HTTPS
- 545 invalid SSL certificates
Content Security Policy
Content Security Policy (CSP) is a relatively new standard, though it has gained a lot of popularity. It can be a bit of a task to configure CSP properly, and an insecure configuration can lead to security issues. From the scans we can see that:
- 4,067 sites do not have CSP enabled
- There were 5,792 issues with the CSP implementations of the scanned applications
Subresource Integrity (SRI) should be implemented on every web application that loads scripts and other third party code from CDNs and other third party sources. SRI ensures that the code loaded from third parties has not been altered, which makes it very important and allows you to rely on third party hosts with less worry. Out of the 4,469 targets scanned, 1,912 did not have SRI implemented.
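To make the SRI check described above concrete, here is an added Python example (written for this article, not Netsparker's code) that computes the integrity attribute for a script and mirrors the browser-side verification, including the case where several hashes are listed and only the strongest algorithm counts; the script bodies are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the script body the page expects to load from a CDN.
ORIGINAL_SCRIPT = b"window.analytics = function () { return 'ok'; };\n"
# Constructed sample: the same script after modification at the CDN or in transit.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"document.title = 'altered';\n"

# Algorithms the SRI spec allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mirror the browser check: an attribute may list several hashes, and the
    resource is accepted only if a hash from the strongest listed algorithm matches.
    The spec lets a browser load the resource when no hash is parseable; this
    check fails closed instead so a broken attribute gets noticed in an audit."""
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGORITHMS and b64:
            parsed.append((algo, b64))
    if not parsed:
        return False
    strongest = max((a for a, _ in parsed), key=SRI_ALGORITHMS.index)
    actual = sri_integrity(content, strongest)
    return any(f"{a}-{b}" == actual for a, b in parsed if a == strongest)


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag to paste into the page; crossorigin is needed for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')
```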
Other Security Checks Using HTTP Headers
There are a number of security features that can be used in web applications to protect against exploitation of cross-site scripting (XSS) vulnerabilities, to ensure integrity of issued encryption certificates and more. Below are some of the issues Netsparker highlighted in target web applications:
- Expect-CT HTTP header issues: 4,069 (2,111 of which because the header is not enabled)
- Missing X-Frame-Options Header: 2,809
- Missing X-XSS-Protection header: 4,297
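As an added example covering both the CSP findings and the header checks above (example code written for this article, not the Netsparker engine), the following Python parses a Content-Security-Policy header and reports the missing or weak settings the post counts; the two header sets are constructed. X-XSS-Protection and Expect-CT are included because the post reports them, though current browsers no longer act on X-XSS-Protection and Expect-CT has since been deprecated.

```python
from typing import Dict, List

# Constructed sample header sets from two hypothetical targets (not real scan data).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' https:",
    "X-XSS-Protection": "0",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Expect-CT": "max-age=86400, enforce",
}

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [sources]}; like browsers, keep the first occurrence."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives

def audit_csp(policy: str) -> List[str]:
    """Flag settings that leave a CSP ineffective against injected scripts."""
    findings, d = [], parse_csp(policy)
    script_src = d.get("script-src", d.get("default-src"))
    if script_src is None:
        findings.append("CSP: no script-src or default-src, scripts are unrestricted")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "data:"):
            if weak in script_src:
                findings.append(f"CSP: script-src allows {weak}")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("CSP: object-src not restricted")
    return findings

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Run the checks over one response's headers (header names are case-insensitive)."""
    h, findings = {k.lower(): v for k, v in headers.items()}, []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        findings.extend(audit_csp(csp))
    if "x-frame-options" not in h and "frame-ancestors" not in parse_csp(csp or ""):
        findings.append("Clickjacking: neither X-Frame-Options nor frame-ancestors set")
    xss = h.get("x-xss-protection")
    if xss is None or xss.strip().startswith("0"):
        findings.append("X-XSS-Protection header missing or disabled")
    if "expect-ct" not in h:
        findings.append("Expect-CT header missing")
    return findings
```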
What Do These Web Application Security & Vulnerabilities Statistics Say?
There are several conclusions one can come up with after studying these statistics. Here are some of our thoughts on these numbers.
XSS vs SQL Injection
Injection vulnerabilities have occupied the number one spot in the OWASP Top 10 list of most critical security flaws since it started. However, from all the statistics we’ve gathered (not just this one), Cross-site Scripting (XSS) is always by far the more common vulnerability. This should not be a surprise, because nowadays developers have a lot of resources to write code that is not vulnerable to SQL Injection, such as prepared statements. New frameworks protect against SQL Injection by default and make it quite hard to write insecure SQL code. On the other hand, XSS vulnerabilities are much more complex to address, and even when the framework has built-in protection, it is very easy to make mistakes.
Out of Date Software Is A Big Issue
It is impossible not to have third party frameworks, libraries or code in a custom built web application. Why not? Why should you reinvent the wheel when you can simply plug in new code and functionality?
Though these third party frameworks, code snippets and libraries can also have vulnerabilities, so it is important to keep them up to date. Keeping software up to date should be one of the easier security best practices to follow, yet many are failing at it, as we have seen in the Panama Papers leak and Equifax’s massive data breach.
Netsparker is a web security solution that can help you with this. It has a dedicated scanning engine for off-the-shelf components, such as libraries, frameworks and other third party code you might be using on your web applications. If Netsparker identifies a vulnerability in any of these components, it highlights the issue so you can update the software.
Security Beyond The Code - Use All Resources Available
TLS, Subresource Integrity, Content Security Policy and several other security features can help you build more secure web applications and web servers. Some of them are very easy to integrate and can definitely save you a lot of hassle. Defense in depth is something you should always strive for when building security into an application.
For example, when the CDN used by the Associated Press, The New York Times, CNN and the Washington Post mobile site was hacked, their readers would not have received messages from the hacking group Syrian Electronic Army (SEA) had those sites been using Subresource Integrity. So go ahead and use such security measures, though always scan the setup with Netsparker, because a misconfiguration can render these features useless and give a false sense of security.
How Much Time and Resources Does it Take to Identify a Single Vulnerability?
We could go on forever about what the above numbers mean, though the one that really makes a big difference, and helps your security team identify and fix as many vulnerabilities as possible, is the fact that 80% of the identified vulnerabilities were verified. What does this mean?
Netsparker is the only solution that employs Proof-Based Scanning™ to prove that a vulnerability is not a false positive. How effective do you think such a feature is? How many resources (financial and manpower) can businesses save with it? Try this little exercise to find out how much time you need to identify a real vulnerability:
- Think of how long it takes to conduct a vulnerability assessment on all your web applications
- Add on the amount of time it took your seasoned security consultants or team to manually verify the identified vulnerabilities and document all info into a report so developers can fix it
- Divide that time by the number of actual vulnerabilities or issues you discovered
Now you should have a very rough estimate of how long, on average, it takes you to discover a vulnerability and figure out what to do with it. If the figure you came up with is measured in days rather than minutes – soul-destroying, we know – you can guess what's coming next.
With Proof-Based Scanning™ you do not need to do the second step in the above exercise, which is the most time consuming part and the one that requires the most technical expertise. The solution does it all for you.
Just a reminder that Netsparker finds a vulnerability every 4.59 minutes! It also provides a scan summary, technical report, downloadable scan data, proof of exploit, and a list of issues along with their impacts and remediation details.
Manual vulnerability testing sounds a little crazy when you realise just how much time you could save by using the Netsparker web application security solution.
Authors, Netsparker Security Researchers: