For Infosecurity Europe 2016, High-Tech Bridge has released a comprehensive overview of trends across all major fields of web security. The trends include all types of security and privacy issues, from web application vulnerabilities to HTTPS traffic encryption and PCI DSS compliance.
Over 1,000 people per day use High-Tech Bridge’s free web security services: SSL/TLS Security Test, Web Server Security Test and Domain Security Radar. The largest financial firms and banks, healthcare institutions, e-commerce and retail businesses rely on High-Tech Bridge’s award-winning web security platform ImmuniWeb® to test and secure their web applications. High-Tech Bridge’s security researchers have helped over 350 software vendors to detect and remediate vulnerabilities in their web applications, they also discovered RansomWeb and Drive-by-Login attacks last year.
Based on High-Tech Bridge’s continuous web security practice and research, below is a brief compilation of web security trends from the last six months:
Web Application Vulnerabilities
Over 60% of web services or APIs designed for mobile applications contain at least one high-risk vulnerability allowing database compromise.
If a website is vulnerable to XSS, in 35% of cases, it is also vulnerable to more critical vulnerabilities, such as SQL injection, XXE or improper access control.
High risk vulnerabilities, such as SQL injections, are now being used for RansomWeb attacks five times more frequently than in 2015, extorting money from website owners.
Blind XSS exploited in the wild, are being actively used by cybercriminals to infect privileged website users (e.g. support or admins) with Ransomware via drive-by-download attacks.
Web attacks are becoming more sophisticated than ever, using chained vulnerabilities (e.g. XSS for privilege escalation, then improper access control and race condition to upload web shell).
23% of websites are still using deprecated SSLv3 protocol (top five countries: US, Germany, UK, France, and Russia).
97% of websites are still using insecure TLS 1.0 protocol, restricted by PCI DSS from June 2018 (top five countries: US, Russia, Germany, UK, and Netherlands).
23% of websites are still vulnerable to POODLE, however only 0.43% are vulnerable to Heartbleed.
Only 24.3% of websites have SSL/TLS configuration fully compliant with PCI DSS requirements, and as low as 1.38% are fully compliant with NIST guidelines.
Web Server Security
Less than 1% of web servers have enabled and correctly configured Content Security Policy (CSP) HTTP header, aimed to prevent XSS and other malicious content injection attacks.
79.9% of web servers have incorrect, missing, or insecure HTTP headers putting web application and its users at risk of being compromised.
Only 27.8% of web servers are fully up2date and contain all available security and stability patches.
Web Application Firewalls
Web applications protected with a WAF, contain 20% more vulnerabilities on average than unprotected ones. Over 60% of web vulnerabilities have advanced exploitation vectors allowing hackers to bypass WAF configuration and compromise the web application.
Many customers abandon WAF integration with automated scanning tools due to a high rate of false-positives.
Cybersquatting, Typosquatting and Phishing
Domains in .com and .org TLDs remain the most common among fraudulent domains (typosquatted, cybersquatted, or used for phishing and drive-by-download attacks).
US, Poland and Singapore figure among the most popular countries to host fraudulent and malicious websites.
Despite the growing fear about the new gTLDs (such as .xxx or .pizza), fraudulent domains in these domain zones represent only 0.22% of all malicious domains.