A study by Kaspersky Security Assessment experts has identified the most dangerous and widespread vulnerabilities in corporate web applications developed in-house.
In the period between 2021 and 2023, flaws related to access control and data protection were found in the majority of the examined applications, totaling several dozen. The highest number of high-risk level vulnerabilities referred to SQL injections.
Web applications like social networks, email, and online services are basically web sites where users engage with a web server via a browser. In its latest study, Kaspersky researched vulnerabilities in web applications used by IT, government, insurance, telecommunications, cryptocurrency, e-commerce, and healthcare organisations to identify the most prevalent types of attacks that are likely to occur to enterprises¹.
The predominant types of vulnerabilities involved the potential for malicious use of access control flaws, and failures in protecting sensitive data. Between 2021 and 2023, 70% of the web applications examined in this study exhibited vulnerabilities in these categories.
A broken access control vulnerability can be used when attackers try to bypass website policies that limit users to their authorised permissions. This can lead to unauthorised access, the alteration, or deletion of data, and beyond.
The second common type of flaw involves the exposure of sensitive information like passwords, credit card details, health records, personal data, and confidential business information, highlighting the need for increased security measures.
“The rating was compiled by considering the most common vulnerabilities in web applications developed in-house in various companies and their level of risk,” explains Oxana Andreeva, a security expert at Kaspersky Security Assessment team. “For instance, one vulnerability could enable attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience.
“Our rankings reflect this consideration, drawing from our practical experience in conducting security analysis projects.”
| Type of vulnerability | The share of web applications that contain it | Share of high-risk vulnerabilities | Share of medium-risk vulnerabilities | Share of low-risk vulnerabilities |
| Broken Access Control | 70% | 37% | 49% | 14% |
| Sensitive Data Exposure | 70% | 9% | 28% | 63% |
| Server-Side Request Forgery (SSRF) | 57% | 15% | 66% | 19% |
| SQL Injection | 43% | 88% | 12% | – |
| Cross Site Scripting (XSS) | 61% | 11% | 78% | 11% |
| Broken Authentication | 52% | 21% | 47% | 32% |
| Security Misconfiguration | 43% | 15% | 41% | 44% |
| Insufficient Protection from Brute Force Attacks | 39% | 11% | 39% | 50% |
| Weak User Password | 22% | 78% | 22% | – |
| Using Components with Known Vulnerabilities | 13% | 43% | 43% | 14% |
Kaspersky experts also looked at how dangerous the vulnerabilities in the groups listed above were. The largest proportion of vulnerabilities posing a high risk were associated with SQL injections. In particular, 88% of all the analysed SQL Injection vulnerabilities were deemed to be high-risk.
Another significant share of high-risk vulnerabilities was found to be linked with weak user passwords. Within this category, 78% of all vulnerabilities analysed were classified as high-risk.
It is important to note that only 22% of all the web applications Kaspersky Security Assessment team studied had weak passwords. One possible reason is that the apps included in the study sample may have been test versions rather than actual live systems.