A study carried out by experts from the Kaspersky Security Assessment team has identified the most dangerous and widespread vulnerabilities in internally developed corporate web applications. Between 2021 and 2023, flaws related to access control and data protection were found in the majority of the applications examined, totaling several dozen. The largest number of high-risk vulnerabilities were SQL injections.
Corporate web applications such as social networks, email and online services are web pages where users interact with a server through a browser. Kaspersky's latest study investigated vulnerabilities in these applications as used by IT, insurance, telecommunications, cryptocurrency, e-commerce, healthcare and government organizations, to identify the most common types of attacks businesses face.
The most notable vulnerabilities involved the potential for malicious use of access control flaws, as well as in the protection of sensitive data. Between 2021 and 2023, 70% of the apps examined in the study showed weaknesses in these categories.
When a vulnerability breaks access control, attackers attempt to bypass website policies that limit users' authorized permissions. This may result in unauthorized access and alteration or deletion of data, among other things. The second most common breach recorded is the exposure of sensitive information such as passwords, credit card details, medical records, personal data and sensitive business information, highlighting the need for greater security measures.
“The rating was carried out taking into account the most common vulnerabilities in web applications developed internally in various companies and their risk level. For example, one of these vulnerabilities could allow attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience. This is reflected in our rankings based on the team's practical experience in carrying out security analysis projects,” explains Oxana Andreeva, security expert on the Kaspersky Security Assessment team.
Likewise, Kaspersky experts analyzed the danger posed by these defects in the companies mentioned above. According to the study, the largest proportion of high-risk vulnerabilities were associated with SQL injections, specifically, 88% of all SQL injection vulnerabilities analyzed were considered high risk. On the other hand, analysts found another major flaw linked to weak passwords used by users, with a total of 78% of vulnerabilities classified as high risk. According to the Kaspersky Security Assessment team, only 22% of all web applications studied had weak passwords. This may be because the applications included in the study sample were run on real systems, not test versions.
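As an added illustration of the two classes the article singles out, broken access control and SQL injection, the following Python/sqlite3 code is not from the study or this article: it looks up a record first with string-built SQL and no ownership check, then with a bound parameter and the requester's id in the WHERE clause. The table, sample rows and function names are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users, each owning one record (not from the study).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE records (id INTEGER, owner_id INTEGER, note TEXT)")
    con.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        (1, 100, "alice: allergy list"),
        (2, 200, "bob: lab results"),
    ])
    return con


def fetch_record_vulnerable(con, record_id):
    # Defect 1: the id is concatenated into the statement, so it is parsed as SQL, not data.
    # Defect 2: nothing ties the record to the requester (broken access control).
    sql = "SELECT id, owner_id, note FROM records WHERE id = " + str(record_id)
    return con.execute(sql).fetchall()


def fetch_record_safe(con, requester_id, record_id):
    # Fix 1: bound parameters; the driver passes values separately from the statement.
    # Fix 2: ownership is part of the query, so a record the requester does not own
    #        is simply not returned (object-level access control).
    sql = "SELECT id, owner_id, note FROM records WHERE id = ? AND owner_id = ?"
    return con.execute(sql, (record_id, requester_id)).fetchall()


def demo():
    con = make_db()
    tampered = "1 OR 1=1"  # constructed example of a tampered id parameter
    leaked = fetch_record_vulnerable(con, tampered)       # both rows come back
    # Bound as a parameter, the same string is compared to integer ids and matches nothing.
    safe_tampered = fetch_record_safe(con, 100, tampered)
    safe_own = fetch_record_safe(con, 100, 1)             # alice reads her own record
    safe_foreign = fetch_record_safe(con, 100, 2)         # alice asks for bob's record
    return len(leaked), len(safe_tampered), len(safe_own), len(safe_foreign)


if __name__ == "__main__":
    print(demo())
```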
Fixing vulnerabilities found in web applications will help companies protect sensitive data and avoid compromising these apps, as well as related systems. To improve security and detect possible attacks, the Kaspersky Security Assessment team recommends:
- Adopt secure software development practices, such as a Secure Software Development Lifecycle (SSDLC).
- Perform periodic security assessments of applications.
- Use logging and monitoring mechanisms to track application performance.
To delve deeper into the study, visit the Securelist website. The vulnerabilities described in the research align with the categories and subcategories of the OWASP Top Ten classification.