I’m often asked about the biggest bugs we see come in through the platform. It’s a natural question to ask, as big vulnerabilities bring to mind the headline-grabbing breaches that affect millions of consumers. In reality, the vulnerabilities that lead to these big breaches are often much more nascent. And the real answer to the question about the biggest bugs is that the ones we see most often are incredibly common. What’s probably more interesting is the way our Crowd of whitehat hackers works to identify these vulnerabilities, often chaining together different methodologies and attack scenarios.
And while the vulnerabilities in IoT devices – refrigerators and DVRs – capture our attention for their novelty and fear factor, they are by far outnumbered by vulnerabilities in web applications, which account for more than 50% of all submissions. In fact, web application vulnerabilities have always been the top submitted vulnerabilities across our programs and correspondingly account for the highest percentage of awards paid (more than 80% according to our last State of Bug Bounty report). But what are the top submitted vulnerabilities on web applications?
Below is a list of the top ones we’ve seen over the last 12 months.
- Cross Site Scripting (XSS) > Reflected > Non-Self
- Cross Site Scripting (XSS) > Stored > Non-Privileged User to Anyone
- Broken Access Control (BAC) > Insecure Direct Object References (IDOR)
- Broken Authentication and Session Management > Privilege Escalation
- Unvalidated Redirects and Forwards > Open Redirect > GET-Based
- Cross-Site Request Forgery (CSRF) > Action-Specific > Authenticated Action
- Broken Authentication and Session Management > Failure to Invalidate Session > On Password Reset and/or Change
- Server Security Misconfiguration > Mail Server Misconfiguration > Email Spoofing on Email Domain
- Broken Authentication and Session Management > Authentication Bypass
- Broken Authentication and Session Management > Failure to Invalidate Session > On Logout (Client and Server-Side)
These are the top web application vulnerabilities across targets, which means every industry. For perspective, the top 5 industries currently embracing the crowdsourced security model are Computer Hardware, Software & Networking, IT Services, eCommerce / Retail, Financial Services, and Telecom / Communication Services.
While it likely won’t surprise most that cross site scripting (XSS) remains number one, it’s important for understanding the threat landscape. It’s also interesting in the context above: cross site scripting is the number one web application vulnerability across industries, not just in IT, retail or fintech.
Three of the top ten bugs (the Access Control and Authentication related ones) are predominantly classified as P1, the most critical submission priority on Bugcrowd. Additionally, if you poll the Bugcrowd data for just critical P1 and P2 vulnerabilities, you get other insidious bug classes as well:
- Server Side Request Forgery
- Insecure Direct Object Reference
- XML External Entity Injection
- Security Misconfigurations in:
  - AWS S3 buckets
  - Subdomain takeover
  - Credential leakage and default credentials exposed publicly
- Variants of command and code injection (RCE)
- Blind XSS / Stored XSS & XSS+CSRF chains leading to full user account takeover
Understanding the most common vulnerabilities is important not just for defenders, who continuously face the challenge of making remediation decisions around vulnerabilities without access to all of the facts (this is also why the VRT (Vulnerability Rating Taxonomy) is so important for determining business impact quickly); it’s also key for bug hunters, especially those who are just getting started with bug hunting.
To that end, if you’re interested in learning the tools of the trade, or if you want a refresher, I encourage you to check out Bugcrowd University. Bugcrowd University was created to teach the basics of hacking and bug bounty hunting and to address the skill shortage by introducing new researchers to the crowdsourced security field and up-leveling the skills of the white hat hacker community across the board.