Websites giving hackers easy access, audit reveals

Many company websites still contain critical vulnerabilities that cyber criminals can use to carry out a variety of cyber attacks, a security audit shows

More than half of websites audited by Positive Technologies were found to contain critical vulnerabilities that attackers could use to steal personal data and carry out denial of service (DoS) and other attacks.

E-commerce and manufacturing organisations topped the list of websites with vulnerable web applications, the security audit across 73 web applications throughout 2016 revealed.

Hackers can use insecure web applications as a way to infect other targets, including users, and 94% of the audited applications made such attacks possible through five of the 10 most common application vulnerabilities, researchers at Positive Technologies warned.

Although the number of websites with high-severity vulnerabilities decreased by 12%, compared with 2015, security flaws were found in all the applications analysed, with 58% found to have at least one high-severity vulnerability.

Testers were able to obtain personal data from 20% of web applications that process such data, including bank and government websites.

High-risk vulnerabilities were found in 74% of applications belonging to telecommunications companies, the highest rate of any industry. But, in terms of possible consequences, the worst security situation was found in manufacturing and e-commerce, where 43% and 34% of websites respectively were rated as “extremely poor”.

The researchers said vulnerabilities in public websites remain a popular way of compromising a company’s internal infrastructure, with one in four web applications allowing such attacks. The same proportion of web applications contain vulnerabilities that give an intruder access to internal databases.

“Security testing is imperative, both during development and ongoing operation,” said Evgeny Gnedin, head of information security analytics at Positive Technologies. “We urge all companies to use web application firewalls for protecting their applications.”

For the best results, said Gnedin, source code testing should be performed during development. “Automated source code analysis throughout the development process is key for identifying issues as quickly and efficiently as possible,” he said.

Every year, web applications expand their presence, and almost every business has its own web applications for clients and for internal business processes. But application functionality is often prioritised at the expense of security, which negatively affects the security level of the entire business, the researchers said in a blog post.

Web application vulnerabilities provide opportunities for malicious actors, and by taking advantage of mistakes in application architecture and administration, attackers can obtain sensitive information, interfere with web application functionality, perform DoS attacks, attack application users, penetrate a corporate LAN, and gain access to critical assets, they warned.