High-Tech Bridge has released an overview of trends across major fields of web security. The trends include all types of security and privacy issues, from web application vulnerabilities to HTTPS traffic encryption and PCI DSS compliance. Based on High-Tech Bridge's continuous web security practice and research, it has created a brief compilation of web security trends from the last six months:
Web Application Vulnerabilities
Over 60% of web services or APIs designed for mobile applications contain at least one high-risk vulnerability allowing database compromise.
If a website is vulnerable to XSS, in 35% of cases, it is also vulnerable to more critical vulnerabilities, such as SQL injection, XXE or improper access control.
High risk vulnerabilities, such as SQL injections, are now being used for RansomWeb attacks five times more frequently than in 2015, extorting money from website owners.
Blind XSS exploited in the wild, are being actively used by cybercriminals to infect privileged website users (e.g. support or admins) with Ransomware via drive-by-download attacks.
Web attacks are becoming more sophisticated than ever, using chained vulnerabilities (e.g. XSS for privilege escalation, then improper access control and race condition to upload web shell).
23% of websites are still using deprecated SSLv3 protocol (top five countries: US, Germany, UK, France, and Russia).
97% of websites are still using insecure TLS 1.0 protocol, restricted by PCI DSS from June 2018 (top five countries: US, Russia, Germany, UK, and Netherlands).
23% of websites are still vulnerable to POODLE, however only 0.43% are vulnerable to Heartbleed.
Only 24.3% of websites have SSL/TLS configuration fully compliant with PCI DSS requirements, and as few as 1.38% are fully compliant with NIST guidelines
Web Server Security
Less than 1% of web servers have enabled and correctly configured Content Security Policy (CSP) HTTP header, aimed to prevent XSS and other malicious content injection attacks.
79.9% of web servers have incorrect, missing, or insecure HTTP headers putting web application and its users at risk of being compromised.
Only 27.8% of web servers are fully up2date and contain all available security and stability patches.
Web Application Firewalls
Web applications protected with a WAF, contain 20% more vulnerabilities on average than unprotected ones.
Over 60% of web vulnerabilities have advanced exploitation vectors allowing hackers to bypass WAF configuration and compromise the web application.
Many customers abandon WAF integration with automated scanning tools due to a high rate of false-positives
Cybersquatting, Typosquatting and Phishing
Domains in .com and .org TLDs remain the most common among fraudulent domains (typosquatted, cybersquatted, or used for phishing and drive-by-download attacks). US, Poland and Singapore figure among the most popular countries to host fraudulent and malicious websites.
Despite the growing fear about the new gTLDs (such as .xxx or .pizza), fraudulent domains in these domain zones represent only 0.22% of all malicious domains.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, comments: "The easiest and fastest to hack, insecure web applications are becoming the major threat across the Internet. Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cybercriminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs.
“In the near future, we can expect a significant and continuous growth of RansomWeb attacks against website owners, and Ransomware attacks against website visitors. Actually, ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing.”