SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
New study exposes flaw-riddled corporate web applications
Tue, 19th Mar 2024

A new study from Kaspersky has uncovered the most common and hazardous vulnerabilities in locally developed corporate web applications. From 2021 to 2023, access control and data protection flaws were discovered in the majority of applications analysed.

Web applications, such as social networks, email, and online services, operate as websites where users and web servers interact through a browser. The Kaspersky study analysed web applications utilised by a range of organisations, including those in IT, government, insurance, telecommunications, cryptocurrency, e-commerce and healthcare. This was done to identify the most likely types of cyber attacks that enterprises may face.

The primary vulnerabilities exposed in the research involved potential malicious access control flaws and failures in protecting sensitive data. During the 2021 to 2023 timeframe, 70% of the web applications explored in this study showed vulnerabilities in these areas.

Security expert at Kaspersky Security Assessment team, Oxana Andreeva, explains, "A broken access control vulnerability can occur when cyber attackers attempt to evade website policies that confine users to their authorised permissions. This can lead to unapproved access, modification, or erasure of data. The second most common type of flaw involves the exposure of sensitive information like passwords, credit card details, health records, personal information, and confidential business data."

The research highlighted that one type of vulnerability may allow attackers to steal user authentication data, whereas another could assist in executing malicious code on the server. These situations have varying consequences for business continuity and resilience. The ratings compiled reflect these considerations and are based on practical experience from conducting security analysis projects.

The threat analysis provided within the report, which studied the proportion of different types of vulnerabilities, indicates that the most dangerous security risks are related to SQL injections. Around 88% of all analysed SQL Injection vulnerabilities were considered high-risk. Weak user passwords were also a notable issue, with approximately 78% of all analysed vulnerabilities categorised as high-risk within this aspect.

Interestingly, only 22% of all the web applications studied by the Kaspersky team had weak passwords. A potential justification for this may be that the applications incorporated in the sample could have been test versions rather than functioning live systems.

To enhance the security of web applications and detect potential attacks promptly, Kaspersky recommends utilising a Secure Software Development Lifecycle (SSDLC), regular application security assessments, and using logging and monitoring mechanisms to track application operation. Effective remediation of these widespread web application vulnerabilities will help corporations to protect confidential data and prevent compromises to web applications and related systems.