Analysis of vulnerabilities discovered by NCC Group researchers over the last nine years found that instances of common web-based vulnerabilities have largely refused to fall over during this time, with cross-site scripting (XSS) vulnerabilities appearing the most frequently.
The global cyber security and risk mitigation expert found that despite this type of vulnerability being understood across the industry for decades, XSS flaws, which enable attackers to inject malicious scripts into websites or victim browsers, still account for 18% of all bugs logged.
However, some classes of bugs have become almost non-existent, including format string flaws, in which submitted data is evaluated as a command by the application, as well as some memory-related flaws, and flaws that allow the exploitation of XML applications and services.
Commenting on this analysis, Matt Lewis, research director at NCC Group, said: “While some historically common vulnerabilities have disappeared over the last nine years, cross-site scripting has been around for almost 20 years. We should have seen a significant fall in these types of vulnerabilities, but this hasn’t been the case, which highlights the need for better education around security within the software development life cycle.”
Overall, the team uncovered vulnerabilities in 53 different categories, and found that there was an increase in the number of bugs targeting complex applications and hardware. This included deserialization flaws – when untrusted data is used to abuse the logic of an application and inflict DDoS or remote code attacks – and the exploitation of multiple low-risk issues in a chain across a complex web application, resulting in full, unauthorised control.
As well as this, researchers saw an increase in hardware-related design flaws, following an increased engagement with embedded systems and IoT devices.
Matt Lewis added: “Although there could be a lot of factors influencing the discovery of bugs over the last nine years – such as shifts in industry focus with regard to certain classes of bugs, and even the time that our consultants have available – there is still an ongoing prevalence of the most common vulnerabilities.
“As well as this, we’re already seeing an increasing variety of relatively new attack methods as applications and systems become more complex. This highlights the need for more investment into security skills, as well as a wider understanding of how important the mitigation of these vulnerabilities is for the overall security of businesses.”
