
Vast number of vulnerabilities found in source code


Nine out of ten web applications could be used to attack their visitors, according to a new report from Positive Technologies, which also found that 16 percent of applications contain serious vulnerabilities.

Such vulnerabilities could give attackers full control of the application and, in some cases, of the web server hosting it. With that level of access, an attacker could plant malware or deface the site outright.

The report also found that most vulnerabilities (82 percent) lie in the application source code, suggesting that code is not being thoroughly reviewed and that developers are prioritising functionality over security.

Breaking the results down by sector, the report found that financial institutions had the most secure web applications and government bodies the least secure.

Almost half of the web applications tested (45 percent) also had authentication flaws.

"Password-only authentication is a contributing factor in most authentication attacks," says Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies.

"Lack of two-factor authentication makes attacks very easy. Users tend to use weak passwords, which makes matters even worse. Bypassing access restrictions usually leads to unauthorized disclosure, modification, or destruction of data."

Overall, the share of web apps with high-risk vulnerabilities dropped by 17 percent year-on-year, which Positive Technologies describes as a “significant” decline. The average number of severe vulnerabilities per web application also fell by a factor of almost 1.5.

But despite these improvements, the overall security of web applications is still rated as poor.

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.