The State of Web Application Security

Threats loom over web applications

• According to a report from the F5 Labs, web application exploits were used in 57% of the most significant cybersecurity incidents that occurred in the last five years.
• Cross-site scripting (XSS) and SQL injection were the most highly exploited web vulnerabilities. While SQL injection vulnerabilities were exploited in 15% to 76% of attacks, the XSS attacks varied between 4% and 54%.
• The other exploited vulnerabilities include issues related to insecure deserialization, XML External Entities (XXE), and remote code execution.

A blow to the video game industry

• A report from Akamai revealed that the industry suffered more than 240 million web application attacks in 2020, which is a 340% increase over 2019.
• Most of these attacks were carried out by exploiting SQL injection flaws that targeted player login credentials and personal information.
• This was followed by local file inclusion attacks at 24%, which targeted sensitive details within applications and services. This could further compromise game servers and accounts.
• Other attacks included cross-site scripting (8%) and remote file inclusion (7%).

Unpatched flaws add more trouble

• Leaving publicly disclosed vulnerabilities unpatched has always created a gold mine of opportunities for threat actors. Verizon’s 2021 Data Breach incident report highlighted that around 54% of data breaches in EMEA were caused by web application attacks.
• Interestingly, in an independent study of 146 web applications, researchers found that dozens of web applications were still vulnerable to Kaminsky and IP fragmentation attacks that could lead to account hijacking. Both the attacks leverage the way the websites handle the DNS name resolution.

Can web apps ever be truly secure?