Top Ten Vulnerabilities | HackerOne

To that end, we're providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most ... SkiptomaincontentHowlargeisyourorganizationsattackresistancegap?Injust5minutes,thisassessmentsizesyourunknownattacksurfacesoyoucanstarttakingactiontocloseyourgap.TaketheAttackResistanceAssessmenttoday Security@2022:AchieveAttackResistanceRegisternowtogetyourcomplimentarypasstoSecurity@2022JoinusonOctober13thinLondonorvirtuallyforourlive-streamedeventRegisternow The2022AttackResistanceReportNearlyhalfoforganizationslackconfidencetoclosesecuritygapsaccordingtoanewreport.Checkoutthereport TopTenVulnerabilitiesTheHackerOneTop10MostImpactfulandRewardedVulnerabilityTypes–2020EditionAsasecurityleader,you’reresponsibleforaconstantlyevolvingattacksurface.ThepastyearhaschangedtheroleoftheCISO,makingittoughertonavigateyouroperatingenvironment.Distributeddecision-makinghasexpandedthevolumeandvarietyofrisksyoumustconfront,regulatorsareapproachingdataprivacywithgreaterscrutiny,andexecutiveteamsandboardsofdirectorsarestartingtothinkabouthowinformationriskimpactsstrategicplanning.Today'sCISOmustthinkabout:verified_userFunctionalleadershipCanwehandleandmitigatebreaches,incidentsandcrises?lockInformationsecurityservicedeliveryArewemeetingdeadlines?verifiedScalinggovernance,riskandcomplianceArewemeetingregulatorystandards?updateResponsivenessandagilityAreweleveraginginformationrisktomakedecisions?SeemoreSeelessSecurityleadersarelookingforcreativewaystomeetthesedemands.Vulnerabilitydisclosurepolicies(VDPs)haveemergedasapowerfulsolution.VDPsquicklyestablishaprocessforreceivingvulnerabilityreportsfromhackersandsecurityresearchers.Butwhatarethehackersfinding?Howaretheychangingthesecuritylandscape?Andwhatdosecurityleadersneedtoknow?HackerOnemaintainsthemostauthoritativedatabaseofvulnerabilitiesintheindustry.We’reheretohelpyoumakesmarterdecisionsaboutvulnerabilitymitigationandremediation,andtoempoweryoutoallocateyourresourcesefficiently.Tothatend,we’reprovidingalistofthetop10vulnerabilitytypesasindicatedbybountyawardsandcustomerimpacttohelpyouunderstandthemostcommon,formidablesecurityrisksyou’refacing.GettheFullReportAndforacomprehensivelookatthedatabehindthissnapshot,readThe4thHacker-PoweredSecurityReport.DownloadNowKeyTakeawaysOrganizationsareusingcreativetoolstocutdownonXSS.OrganizationsareusingcreativetoolstocutdownonXSS.Cross-siteScripting(XSS)continuestobethemostawardedvulnerabilitytypewithUS$4.2millionintotalbountyawards,up26%fromthepreviousyear.XSSvulnerabilitiesareextremelycommonandhardtoeliminate,evenfororganizationswiththemostmatureapplicationsecurity.XSSvulnerabilitiesareoftenembeddedincodethatcanimpactyourproductionpipeline.Thesebugsaccountfor18%ofallreportedvulnerabilities,buttheaveragebountyawardisjustUS$501.Thatmeansorganizationsaremitigatingthiscommon,potentiallypainfulbugonthecheap.ImproperAccessControlandInformationDisclosureareIncreasinglyCommon.ImproperAccessControlandInformationDisclosureareIncreasinglyCommon.AwardsforImproperAccessControlincreased134%yearoveryeartojustoverUS$4million.InformationDisclosurewasnotfarbehind,increasing63%yearoveryear.Bothmethodsexposepotentiallysensitivedatalikepersonallyidentifiableinformation.Whiletheyrangewidelyincriticality,theycanbedisastrousifsensitivecustomerorinternalinformationisleakedbymisconfiguredpermissions.Thesevulnerabilitiesareprevalentbecausethey’renearlyimpossibletodetectusingautomatedtools.Hacker-poweredsecurityprovidesarelativelyinexpensiveandextremelyeffectivemethodformitigatingthesevulnerabilities.SSRF(ServerSideRequestForgery)showstheriskofcloudmigrations.SSRF(ServerSideRequestForgery)showstheriskofcloudmigrations.AnSSRFexploitthatcausesconnectionstoexternalthird-partysystemsmightresultinmaliciousonwardattacksthatappeartooriginatefromtheorganizationhostingthevulnerableapplication,leadingtopotentiallegalliabilitiesandreputationaldamage.Previously,SSRFbugswerefairlybenign,astheyonlyallowedinternalnetworkscanningandsometimesaccesstointernaladminpanels.Butinthiseraofrapiddigitaltransformation,theadventofcloudarchitectureandunprotectedmetadataendpointshasrenderedthesevulnerabilitiesincreasinglycritical.Infact,SSRFcanleadtototalcompromiseofthesystemsthey’refoundonandallowfurtheraccesstothetarget’scloudinfrastructure.ThankstoVDPandbugbountyprograms,organizationsareincreasinglyabletofindandmitigatethesebugsbeforetheycanbeexploited.Overall,organizationsspentaboutUSD$3millionmitigatingSSRFlastyear—comparedtothemillionstheywouldhaveneededtospendifanSSRFattackhadbeencarriedoutbyabadactor.SQLInjectionisdroppingyear-over-year.SQLInjectionisdroppingyear-over-year.Inyearspast,SQLinjectionwasoneofthemostcommonvulnerabilitytypes.However,ourdataindicatethatit’sbeendroppingyear-over-year.Modernsecurityframeworksandmethods,includingthecentralroleofhackers,haverenderedthisbugnearlyathingofthepast.SQLinjectiontendstooccurwhenorganizationsaren’tmonitoringwhichappsaremappedtoadatabaseandhowtheyinterface.Byshiftingsecurityleft,organizationsareleveraginghackersandothermethodstoproactivelymonitorattacksurfacesandpreventbugsfromenteringcode.Findingthemostcommonvulnerabilitytypesisinexpensive.Findingthemostcommonvulnerabilitytypesisinexpensive.Ofthetop10mostawardedweaknesstypes,onlyImproperAccessControl,Server-SideRequestForgery(SSRF),andInformationDisclosuresawtheiraveragebountyawardsrisemorethan10%.Theothersfellinaveragevalueorwerenearlyflat.Unliketraditionalsecuritytoolsandmethods,whichbecomemoreexpensiveandcumbersomeasyourgoalschangeandyourattacksurfaceexpands,hacker-poweredsecurityisactuallymorecost-effectiveastimegoeson.Withhackers,it’sbecominglessexpensivetopreventbadactorsfromexploitingthemostcommonbugs.TheBigPictureSecurityvulnerabilitiesarearealityofmoderntechnology.Fortunatelyforus,hackersaretoo.Thislisthighlightsthathackersarehelpingmitigatethemostseriousriskstoyourbusiness.DownloadNowTotalbountyamountbyweaknesstypenew_releasesXXSweaknesstypepayments$4,211,006Bountiestotalfinancialrewardsamountshow_chart26%YOY%CHANGEWeaknesstypeBountiestotalfinancialrewardsamountYOY%change1XSS$4,211,00626%2ImproperAccessControl-Generic$4,013,316134%3InformationDisclosure$3,520,80163%4Server-SideRequestForgery(SSRF)$2,995,755103%5InsecureDirectObjectReference(IDOR)$2,264,83370%6PrivilegeEscalation$2,017,59248%7SQLInjection$1,437,34140%8ImproperAuthentication-Generic$1,371,86336%9CodeInjection$982,247-7%10Cross-SiteRequestForgery(CSRF)$662,751-34%AveragebountypayoutperindustryforcriticalvulnerabilitiesMethodologyThiseditionoftheHackerOneTop10MostImpactfulandRewardedVulnerabilityTypeswasbasedonHackerOne’sproprietarydataexaminingsecurityweaknessesresolvedontheHackerOneplatformbetweenMay2019andApril2020.Vulnerabilitiesincludedherewerereportedbythehackercommunitythroughvulnerabilitydisclosuresandpublicandprivatebountyprograms.AllvulnerabilityclassificationsweremadeorconfirmedbyHackerOnecustomers,includingweaknesstype,impact,andseverity.Note:Thevulnerabilityratingtaxonomy,whichHackerOnemapstotheindustrystandardCommonWeaknessEnumeration,isusedbyHackerOnecustomersandhackerstocategorizereportedvulnerabilities.DatapresentedhereisfromMay2019throughApril2020.Questions?Wehaveanswers.Howelsecanwehelp?Letusknowandwe’llgetintouch.