Getting a Handle on Vulnerabilities in App and Web Frameworks
Web and application frameworks have revolutionized how modern applications and websites are developed and maintained. Whether using WordPress to quickly develop a blog or building fully dynamic web applications using Ruby on Rails, Angular JS, or Apache Struts, frameworks let developers work faster while building sites that are more dynamic and typically safer, since they reduce the opportunities for manual coding errors.
However, these frameworks, and the languages they are built on, are not without their own vulnerabilities. The Apache Struts vulnerability, CVE-2017-5638, which led to one of the largest breaches in history at Equifax, provides a painful reminder of the damage that can be caused when vulnerabilities in frameworks go unpatched. However, Apache Struts is just the tip of the iceberg, and vulnerabilities remain plentiful in a wide variety of frameworks and languages.
These vulnerabilities can quietly be some of the most challenging vulnerabilities in an enterprise. Being in what are typically web-facing applications, these vulnerabilities are exposed to virtually any would-be attacker on the internet. And since they are built into the fabric of the application, they will be present even if developers follow best coding practices. Lastly, depending on the vulnerability, they can be hard to patch due to potentially requiring an upgrade to a new version of the framework.
With these factors in mind, we decided to take a closer look at the various frameworks and languages in our latest RiskSense Spotlight Report, Cracks in the Foundation: Web and Application Framework Vulnerabilities to see which had the most vulnerabilities, which were being weaponized the most by attackers, what types of weaknesses were the most common, and how things have changed over time.
Where the Weaponized Things Are
To get an understanding of the most vulnerable frameworks, we needed to know both the overall number of vulnerabilities as well as how many of those vulnerabilities were weaponized. Weaponized vulnerabilities are those for which actual exploit code exists, making them far more likely to be attacked in the real world.
Our analysis shows that certain frameworks and languages consistently generate the most total vulnerabilities and weaponized vulnerabilities. For example, the top 3 most weaponized frameworks over the past 5 years were WordPress, Apache Struts, and Drupal. WordPress accounted for a whopping 30% of all weaponized vulnerabilities in the study, while Struts and Drupal accounted for 12% and 7% of weaponized vulnerabilities respectively.
Interestingly enough, the languages underlying these frameworks also had high rates of vulnerabilities and weaponization. Note that these are separate CVEs attributed to the language itself, and do not include vulnerabilities attributed to their related frameworks. PHP, which WordPress and Drupal are built on, had by far the largest total number of vulnerabilities overall, and the second most weaponized vulnerabilities behind WordPress. Likewise, Java, the underlying language for Apache Struts, was the next most weaponized language.
The table below shows both frameworks and languages in a single view, ranked by the number of weaponized vulnerabilities. For example, while PHP had the most total vulnerabilities, WordPress had the most weaponized ones. The lower red bar shows the weaponization rate (the percentage of a framework's vulnerabilities that are weaponized), which highlights cases such as Laravel where vulnerabilities are rare but weaponization is high.
Of note, the top 5 sources of weaponized vulnerabilities remained consistent both over a 5 and 10 year time horizon. In order, WordPress, PHP, Struts, Java, and Drupal accounted for the most weaponized vulnerabilities. This is interesting because even as the total number of vulnerabilities has declined over the decade and the types of weaknesses have changed, weaponization remains tied to the same frameworks and languages.
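The two metrics used above, the count of weaponized vulnerabilities and the weaponization rate, rank the same inventory differently. The following added example (not code from the report or from RiskSense) applies both to a constructed inventory and flags the "rare but highly weaponized" cases; the framework names and counts are made up, and the thresholds for "rare" and "highly weaponized" are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FrameworkStats:
    """Vulnerability counts for one framework or language."""
    name: str
    total: int        # CVEs attributed to this framework/language
    weaponized: int   # subset with public exploit code

    @property
    def rate(self) -> float:
        """Weaponization rate: weaponized / total (0.0 when nothing is recorded)."""
        return self.weaponized / self.total if self.total else 0.0


# Constructed sample inventory; these are NOT the report's figures.
SAMPLE: List[FrameworkStats] = [
    FrameworkStats("Language-A", 120, 18),   # many CVEs, modest weaponization
    FrameworkStats("CMS-B", 60, 30),         # fewer CVEs, most weaponized
    FrameworkStats("CMS-C", 25, 7),
    FrameworkStats("Framework-D", 8, 5),     # rare, but most of them weaponized
    FrameworkStats("Framework-E", 14, 1),
]


def rank_by_total(stats: List[FrameworkStats]) -> List[str]:
    """Names ordered by total CVE count, highest first."""
    return [s.name for s in sorted(stats, key=lambda s: s.total, reverse=True)]


def rank_by_weaponized(stats: List[FrameworkStats]) -> List[str]:
    """Names ordered by weaponized CVE count, highest first (the report's ranking)."""
    return [s.name for s in sorted(stats, key=lambda s: s.weaponized, reverse=True)]


def share_of_weaponized(stats: List[FrameworkStats]) -> Dict[str, float]:
    """Each entry's share (percent, 2 decimals) of all weaponized CVEs in the inventory."""
    all_weaponized = sum(s.weaponized for s in stats)
    if all_weaponized == 0:
        return {s.name: 0.0 for s in stats}
    return {s.name: round(100.0 * s.weaponized / all_weaponized, 2) for s in stats}


def rare_but_weaponized(stats: List[FrameworkStats],
                        max_total: int = 10, min_rate: float = 0.5) -> List[str]:
    """Entries that a count-based view would bury but whose rate makes them a priority.
    The thresholds are assumptions for this example, not values from the report."""
    return [s.name for s in stats if s.total <= max_total and s.rate >= min_rate]


if __name__ == "__main__":
    print("by total:     ", rank_by_total(SAMPLE))
    print("by weaponized:", rank_by_weaponized(SAMPLE))
    print("share (%):    ", share_of_weaponized(SAMPLE))
    print("rare/high rate:", rare_but_weaponized(SAMPLE))
```

On the sample inventory the two rankings disagree at the top, which mirrors the PHP-versus-WordPress observation in the text, and the rate-based filter surfaces Framework-D even though it contributes only a handful of CVEs.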
While it is important to know where the vulnerabilities are, it is also important to know what types of weaknesses are behind those vulnerabilities. To this end, we analyzed vulnerabilities in terms of Common Weakness Enumeration (CWE) classifications.
Frameworks Get a Handle on Cross-Site Scripting
Our analysis showed some big changes in the types of weaknesses being found in frameworks over the past several years. For example, cross-site scripting (XSS) issues have long been some of the most common problems facing web applications. And this was true when we analyzed the full 10 year data set, with XSS accounting for both the most total number of vulnerabilities and weaponized vulnerabilities.
However, the majority of these problems occurred in the first half of the decade. When we focused on the most recent 5 years, XSS dropped to 4th in terms of vulnerabilities and 5th in terms of weaponization. In the first half of the decade XSS weaknesses accounted for 27% of all weaponized vulnerabilities, but only 5.5% in the second half of the decade. This provides strong evidence that frameworks have made considerable improvements in recent years in avoiding cross-site scripting weaknesses in their code.
Input Validation Becomes the #1 Weakness
While XSS has dropped in the last 5 years, Input Validation has taken over the top spot. Improper input validation underlies a wide range of injection and other attack techniques, and validating input is one of the most important capabilities of an application framework. In the first half of the decade, CWE-20, Input Validation, accounted for 15.6% of weaponized vulnerabilities, but rose to 24% in the second half of the decade. Problems in Struts, WordPress, and Drupal were the main contributors to this rise. Access control issues were also on the rise, mostly attributable to Java.
Injection Weaknesses Are Rare But Highly Weaponized
In addition to the many forms of injection attacks covered by input validation issues, the study tracked several specific forms of injection attacks including SQL injection, code injection, and various command injections. While the overall volume of these vulnerabilities remained fairly low, they had some of the highest weaponization rates, often over 50%. In fact, the top 3 weaknesses by weaponization rate were Command Injection (60% weaponized), OS Command Injection (50% weaponized), and Code Injection (39% weaponized). This makes injection issues, while rare in frameworks, some of the most sought-after weaknesses by attackers.
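The two weakness classes discussed in the last two sections, improper input validation (CWE-20) and OS command injection (CWE-78), meet in code that hands user-supplied text to a system command. The following added example (not code from the report or from any of the frameworks named above) shows the pattern that produces the weakness next to its hardened form: an allowlist validator for hostnames, and an argv list handed to `subprocess.run` so that no shell ever parses the value. The hostname regex and the `ping` command are assumptions chosen for the illustration.

```python
import re
import subprocess
from typing import List, Optional

# Allowlist for RFC 1123 style hostnames: labels of letters, digits and hyphens,
# not starting or ending with a hyphen, joined by dots, 253 characters at most.
# Everything a shell treats specially (;, |, $, backticks, spaces, quotes) is
# outside this alphabet, so a value that passes cannot change command structure.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_hostname(value: str) -> Optional[str]:
    """Return the hostname unchanged if it matches the allowlist, otherwise None.
    This is the CWE-20 control: accept only what the application can justify."""
    return value if HOSTNAME_RE.fullmatch(value) else None


def build_ping_command_unsafe(host: str) -> str:
    """The weak pattern (CWE-78): untrusted text is concatenated into a single
    string destined for a shell, so the host's characters are also shell syntax.
    Returned as a string only; this function never executes anything."""
    return "ping -c 1 " + host


def build_ping_command_safe(host: str) -> List[str]:
    """Hardened form: validate against the allowlist, then return an argv list.
    Each element is one argument regardless of its contents, and rejected input
    raises instead of being passed along."""
    checked = validate_hostname(host)
    if checked is None:
        raise ValueError("rejected hostname: does not match the allowlist")
    return ["ping", "-c", "1", checked]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened command without a shell and return its exit status."""
    argv = build_ping_command_safe(host)
    completed = subprocess.run(argv, timeout=timeout, capture_output=True)  # no shell=True
    return completed.returncode


if __name__ == "__main__":
    for candidate in ["example.com", "host;name", "-leading-hyphen", "a b"]:
        print(f"{candidate!r:22} -> {validate_hostname(candidate)!r}")
    print(build_ping_command_safe("example.com"))
```

The important design choice is that the hardened version does not try to escape or strip dangerous characters; it rejects anything outside a small, justifiable alphabet and keeps the data and the command in separate argv slots. `run_ping` is included only to show the call shape; whether it reaches a host depends on the environment it runs in.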
These are just a few of the findings available in the new RiskSense Spotlight Report, Cracks in the Foundation: Web and Application Framework Vulnerabilities. In the full report you can find detailed analysis of a wide variety of additional frameworks, details on the specific weaknesses found in each, as well as details that can help your development and security practices, such as the importance of supplementing CVSS scores with real-world weaponization data. We hope that this report helps shine light on one of the most important yet overlooked areas of vulnerabilities in applications today.