Research shows that 75% of web applications have critical failures

By N-Stalker Team on January 17, 2014

N-Stalker's study identified cross-site scripting, exposure of sensitive information and insufficient access control as the three main vulnerabilities in web applications

The study was conducted by N-Stalker Labs, N-Stalker's research laboratory specialising in web application security. It comprised a comprehensive analysis of over 1000 web applications belonging to companies from a range of industry sectors, 50% of which were located in the US/Canada, 30% in Europe and 20% in other countries. The results are alarming: the average number of vulnerabilities found per application was 40; 75% of the analysed applications had critical errors, and 50% of them had at least one failure from the list published by the Open Web Application Security Project (OWASP), an open standard available to developers. The highest incidence of vulnerabilities was found in electronic commerce.

According to N-Stalker researcher and CTO Thiago Zaninotti, who led the research, all of the applications could have been improved in terms of security. However, 60% of the companies only ran tests after incidents had occurred, and 20% of those companies were already aware of the problems before the tests: “We realized that problems were present throughout all the phases of the development of the applications”, he said.

The three major vulnerabilities found in the applications were: cross-site scripting or XSS (reflected, and DOM-based, i.e. relying on the Document Object Model specification of the W3C, the body that standardises the web); exposure of sensitive information; and insufficient access control. Zaninotti explains that XSS vulnerabilities enable malware attacks by allowing web pages to be manipulated and script statements to be inserted that are then executed on the user’s own computer.

“The exploitation of cross-site vulnerability (XSS) allows attackers to execute scripts in the users’ browser to obtain confidential data, hijack sessions, redirect them to malicious sites, etc.”, he explains, and adds: “the second most common vulnerability found in apps exposes sensitive information, such as credit card data and authentication credentials, which enables stealing other users’ identity, defrauding credit cards, among other crimes. On the other hand, insufficient access control may favour the access to user profiles without the credentials needed, or even the administrative features of the applications, allowing stealing of sensitive or classified data”, concludes the researcher.
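As an added illustration of the XSS class the study ranks first (not code from N-Stalker or the study), the snippet below places an untrusted URL parameter into HTML markup first without and then with output escaping; the greeting widget, the `name` parameter, the `parseQuery` helper and the sample input are all constructed for this example.

```javascript
// Added example: an HTML sink fed by URL data (the DOM-based / reflected XSS
// pattern named in the article), shown unsafe and then hardened.
// The widget, the "name" parameter and the sample input are constructed.

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Parse "?name=Alice&x=1" into a plain object (constructed helper, stands in
// for location.search handling in the browser).
function parseQuery(search) {
  const out = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// UNSAFE: the attacker-controlled parameter flows straight into markup.
// In a page this would be  el.innerHTML = renderGreetingUnsafe(location.search)
// and any tag inside "name" becomes part of the DOM and runs in the victim's browser.
function renderGreetingUnsafe(search) {
  const name = parseQuery(search).name || 'guest';
  return '<p>Welcome, ' + name + '</p>';
}

// HARDENED: same data flow, but the untrusted value is escaped before it reaches
// the HTML sink, so it is rendered as literal text. (Assigning the value to
// el.textContent instead of building markup is the simpler fix when possible.)
function renderGreetingSafe(search) {
  const name = parseQuery(search).name || 'guest';
  return '<p>Welcome, ' + escapeHtml(name) + '</p>';
}

// Constructed sample input: a URL-encoded <script> tag in the "name" parameter.
const SAMPLE_HOSTILE_QUERY = '?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

console.log('unsafe:', renderGreetingUnsafe(SAMPLE_HOSTILE_QUERY));
console.log('safe:  ', renderGreetingSafe(SAMPLE_HOSTILE_QUERY));
```

Escaping is context-specific: the function above is only correct for text inside an HTML element, not for attribute values, URLs or inline script, each of which needs its own encoding.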
