The Top 7 Most Common Web Vulnerabilities

Invicti has published the Spring 2022 Edition of The Invicti AppSec Indicator, a comprehensive study that ranks the most common web vulnerabilities. To conduct their research, Invicti analyzed 939 customers across the globe for flaws, discovering 282,914 direct-impact vulnerabilities. In the process, over 23 billion individual security checks were performed.

Among the latent threats within modern web architecture, XSS, CSRF and SQLi are the most common vulnerabilities. Closing these gaps is critical to protecting infrastructure and sensitive data. Below, we’ll explore each in detail, from most common to least common, and feature a real-world example of each vulnerability.

1. Cross-Site Scripting (XSS)

The most common web vulnerability is cross-site scripting (XSS). According to the Invicti study, instances of XSS were found in 71% of organizations. XSS attacks occur when a bad actor injects malicious JavaScript into a web page so that it runs in an unsuspecting user’s browser. Though XSS seems like a modest threat, it can lead to some disastrous outcomes.

Year after year, XSS vulnerabilities continue to rise, likely due to new social engineering schemes. XSS attacks typically pose as a site the user can trust and convince them to divulge session tokens and sensitive information. One example of an XSS vulnerability occurred in the game Fortnite in 2019. A design flaw allowed for cross-site scripting that could be leveraged to take over a player’s game account.

2. Cross-site request forgery (CSRF)

The second most common web application vulnerability is cross-site request forgery (CSRF). CSRF was present in 69% of the Invicti customers analyzed in 2021. A CSRF attack occurs when a logged-in user is tricked into submitting a request they did not intend, typically from a page that appears trustworthy but is controlled by the attacker. These actions are often related to changing their account email or password.

CSRF is an older type of attack that can quickly enable privilege escalation and account takeover for the hacker. As a result, CSRF attacks often target login forms and password reset functionalities. For example, a critical CSRF vulnerability was discovered on Glassdoor in 2020. Bug bounty researchers found a flaw in the site’s CSRF protection that allowed them to obtain a CSRF token from the server to take over accounts from logged-in users.

3. SQL injection (SQLi)

SQL injection (SQLi) remains a top vulnerability across today’s modern web-based applications. SQLi errors were present in 21% of applications. This threat occurs when an attacker can send malformed SQL requests to an application’s backend database. If an attacker can modify these SQL queries, they could read and steal company data, alter it, or delete it entirely.

The continued prevalence of SQL-based attacks is likely due to the lasting use of SQL. Though NoSQL is rising in interest, SQL is still very commonly used to query databases. One notable SQLi vulnerability occurred at Cisco in 2018, in which a hole in Cisco Prime License Manager allowed arbitrary SQL queries.

4. Server-side request forgery (SSRF)

Another top threat is server-side request forgery (SSRF). A full 15% of organizations have some sort of SSRF flaw. SSRF occurs when an attacker induces a vulnerable web application to make requests on their behalf, so the requests appear to come from the trusted server rather than from the attacker. As OWASP describes, “SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.”

For example, in 2019, an attacker leveraged an SSRF flaw in a web application firewall to obtain access to Capital One servers hosted on AWS. By manipulating a vulnerable web server, the attacker was able to retrieve credentials that enabled them to access customer information. SSRF frequencies could increase as complex API-driven architectures become more common.

5. Local file inclusion (LFI)

Local file inclusion (LFI) is present within 10% of web applications. This vulnerability presents itself when an attacker can make a web application expose specific files on a server. This breach hinges on the web application making use of unvalidated user input. For example, if this system doesn’t sanitize input, one could directly access certain files by entering specific file names into the URL.

LFI results in information disclosure and can be the first step toward many other nefarious goals, like XSS or injection. In 2016, Adult Friend Finder suffered a significant breach that exposed over 300 million user accounts. The attackers are believed to have used a local file inclusion vulnerability to gain access to unauthorized material.
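An added example, not from the original article: a path-containment check of the kind that closes the hole described above. It resolves a user-supplied file name under a fixed template directory and refuses anything that escapes it; the directory layout and file names are constructed for the demo.

```python
import os
import tempfile


def resolve_within(base_dir, requested):
    """Return the real path of `requested` inside `base_dir`, or None if it escapes."""
    base = os.path.realpath(base_dir)
    # Reject NUL bytes and absolute paths outright, then resolve '..' and symlinks.
    if "\x00" in requested or os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is the robust containment check: a plain startswith() would
    # wrongly accept "/srv/app/templates_evil" as living under "/srv/app/templates".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_template(base_dir, requested):
    # The only file-reading path the application exposes to user input.
    path = resolve_within(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as f:
        return f.read()


def demo():
    # Constructed layout: a template root plus a secret one level above it.
    with tempfile.TemporaryDirectory() as tmp:
        templates = os.path.join(tmp, "templates")
        os.mkdir(templates)
        with open(os.path.join(templates, "home.html"), "w", encoding="utf-8") as f:
            f.write("<h1>home</h1>")
        with open(os.path.join(tmp, "config.ini"), "w", encoding="utf-8") as f:
            f.write("db_password=constructed-placeholder")
        return (
            read_template(templates, "home.html"),        # served
            read_template(templates, "../config.ini"),    # traversal: None
            read_template(templates, "/etc/hostname"),    # absolute path: None
        )
```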

6. Remote code execution (RCE)

Remote code execution (RCE) flaws were discovered in 8% of software analyzed in 2021. RCE occurs when an application allows hackers to supply dangerous code and execute it. Although RCE is less common than some other attacks, it is a major flaw that should be taken seriously. If RCE is successful, it grants nearly limitless abilities to an attacker—they could deploy malware, install data collection mechanisms, probe internal systems and more.

RCE is on the rise. From 2020 to 2021, Invicti noticed a three-point uptick in RCE, from 5% to 8%. For an example of RCE in practice, look to the Log4Shell vulnerability. This far-reaching threat shook the software industry in late 2021 since many commercial products written in Java use the Log4j logging framework. As CVE-2021-44228 detailed, through a complex series of calls, the exploit allows an attacker to execute arbitrary code on a vulnerable application.

7. OS command injection

Finally, the last vulnerability on our list is OS command injection. Invicti reported that 4% of their customers had at least one instance of an OS command injection flaw. OS command injection occurs when a web application passes user-supplied input into commands it runs on the underlying operating system. If the application does not sufficiently validate that input, it may be prone to OS command injection.

Like RCE, OS command injection increased over the last year, from 2% in 2020 to 4% in 2021. This flaw is especially dangerous as it could lead to harmful actions that affect the end user’s operating system. In 2014, the ShellShock vulnerability affected systems worldwide, allowing countless DDoS attacks.

Final Thoughts: Practice Secure Design

Vulnerabilities are multiplying and addressing them all can be a drain on productivity. In fact, 51% of a web developer’s time is spent chasing security issues, according to the fall 2021 Invicti AppSec Indicator. Plus, 80% of respondents said security processes delay delivery times. This is complicated by multi-cloud and hybrid remote working conditions, which widen the attack surface area and potential for bad actors.

Nevertheless, mitigating the threats posed above is a necessary evil to protect systems from the dangers of attack. Still, one in three security issues makes it to production without getting flagged in the test or development stages, demonstrating that the average organization has much more to do when it comes to instilling secure design practices that sufficiently safeguard their applications.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.