The most dangerous and widespread vulnerabilities in corporate web apps

03 April 2024

A recent study by Kaspersky Security Assessment experts has identified the most dangerous and widespread vulnerabilities in corporate web applications developed in-house. Between 2021 and 2023, access control and data protection flaws were identified in the majority of the applications examined, amounting to several dozen in total. The largest share of high-risk vulnerabilities was found among SQL injection flaws.

Web applications, such as social networks, email and web services, are essentially web pages where users communicate with a web server through a browser. In its latest study, Kaspersky investigated vulnerabilities in web applications used by IT, government, insurance and telecommunications organizations, as well as cryptocurrency, e-commerce and healthcare organizations to identify the most prevalent types of attacks likely to occur in enterprises.

The most prevalent types of vulnerabilities were broken access controls that could be abused by attackers and weaknesses in the protection of sensitive data. Between 2021 and 2023, 70% of the web applications examined in this study exhibited vulnerabilities in these categories.

Broken access control is exploited when attackers bypass the site policies that restrict users to their authorized rights. This can lead to unauthorized access, data corruption or deletion and more. The second common type of flaw involves the exposure of sensitive information such as passwords, credit card details, health records, personal data and confidential business information, which highlights the need for stronger security measures.

Kaspersky experts also looked at how dangerous the vulnerabilities in the above groups were. The largest percentage of vulnerabilities that posed a high risk were related to SQL injections. Specifically, 88% of all SQL injection vulnerabilities examined were classified as high risk.

Another significant percentage of high-risk vulnerabilities were found to be associated with weak user passwords. In this category, 78% of all vulnerabilities analyzed were classified as high risk.

It is important to note that only 22% of all web applications studied by the Kaspersky Security Assessment team had weak passwords. One possible reason is that the applications included in the study sample may have been test versions rather than systems actually in operation.

The vulnerability categories described in the study correspond to the categories and subcategories of the OWASP Top Ten. Remediation of the most prevalent web application vulnerabilities described in the study will help companies protect confidential data and avoid breaches of web applications and related systems. To improve the security of web applications and detect potential attacks on them in a timely manner, the Kaspersky Security Assessment team recommends:

  • use of a Secure Software Development Lifecycle (SSDLC),
  • regular evaluation of application security,
  • use of logging and monitoring mechanisms to track the operation of applications.