Bug Bounties: Why These 10 Vulnerabilities Matter the Most

Throughout 2020, as organizations shifted to work-from-home due to COVID-19, finding and stomping out bugs and flaws in enterprise applications took on a new sense of urgency. Company data moved out of corporate networks, making employees and their equipment more vulnerable to attack.

Meanwhile, the rush toward digital transformation continues to drive enterprises to adopt newer technologies, putting more pressure on IT and security teams to make sure these applications are secure and free from major flaws.

To get a better understanding of which common bugs are giving organizations the most trouble, bug bounty platform HackerOne recently released its list of the Top 10 vulnerabilities of 2020.

All told, these vulnerabilities accounted for over $23 million in payouts to white-hat hackers who reported them on the HackerOne platform. The Top 10 list this year includes:

  • Cross-site Scripting (XSS)
  • Improper Access Control
  • Information Disclosure
  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object Reference (IDOR)
  • Privilege Escalation
  • SQL Injection
  • Improper Authentication
  • Code Injection
  • Cross-Site Request Forgery (CSRF)

Miju Han, senior director of product management at HackerOne, noted that many of the year-over-year changes to the Top 10 list reflect the shift to work-from-home for employees. At the same time, organizations are still looking to complete various digital transformation projects that were in the works long before COVID-19.

“We’re seeing a different mix of vulnerability types in 2020 too, likely because of the changing attack surface of our programs due to work-from-home,” Han told Dice. “Many organizations are undergoing digital transformations before they had planned, and accordingly we’re seeing more server-side request forgery than ever before. It jumped three spots higher, from seven to four, on our top weaknesses list.”

Looking at the list of the top vulnerabilities this year, Dirk Schrader, global vice president at New Net Technologies (NNT), an IT security and compliance software firm, also noted that the combination of human error, desire to make digital transformation work, and the rush to push applications into production is creating more serious flaws that need to be fixed, creating difficulties for security and IT teams.

“HackerOne’s list once again confirms that the single most impacting cause for vulnerabilities in web applications [is] the human being. There is an asymmetric situation between two parties,” Schrader told Dice. “One is the growing number of companies wanting to have a web application for their newly invented digital business model or their digitally transformed ones as quick as possible—driven by ambitious plans. The other party are the capable developers, limited in numbers and resources, shackled by ‘We need it quick and cheap requests.’ It is Pareto’s principle in action, and as long as ‘it is working, that’s good enough’ is good enough for business leaders, thorough testing will remain a CISO’s wish.”

The HackerOne data shows that four trends stood out over the last year when it comes to bug hunting and persistent vulnerabilities. The first is that cross-site scripting remains a consistent problem, while flaws such as improper access controls and server-side request forgeries are a growing issue. At the same time, SQL injection attacks continue to decline.

When it comes to cross-site scripting (XSS), which involves injecting malicious code into a website to steal data or credentials, Han notes that the popularity of JavaScript means this vulnerability is common to many web applications. Over the last year, XSS accounted for 18 percent of all vulnerabilities reported on the HackerOne platform.

“Part of the reason we see XSS at the top of our list every year is because of how widespread and popular JavaScript is,” Han said. “XSS pays the most money to our beginning hackers and our elite hackers alike. JavaScript is everywhere and therefore so is XSS.”

The HackerOne report also notes that improper access control, where attackers exploit poorly designed access restrictions to reach data, and server-side request forgery, where attackers trick a server into fetching resources that should be off-limits to them, are both on the rise as employees work from home and organizations adopt more digital transformation practices.

And these vulnerabilities can cause major security concerns. The 2019 breach of Capital One, for example, appears to have been the result of the alleged hacker using a server-side request forgery to help bypass the bank’s security procedures, according to media reports.
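The SSRF pattern described above comes from an application that fetches whatever URL a client hands it. Below is an added example, not code from the article or from HackerOne, showing that unchecked pattern next to a defensive check a server-side fetcher can run first: restrict the scheme, allowlist the destination host, resolve it, and refuse any address in loopback, private or link-local space (where cloud metadata endpoints live). The allowlist hosts are constructed for the example, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only destinations the fetcher may contact.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def default_resolver(host):
    """Resolve a hostname to the set of IPs it maps to, via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_ip(addr):
    """True only for globally routable unicast addresses. Rejects loopback,
    RFC 1918 ranges and link-local space such as 169.254.0.0/16, where cloud
    instance-metadata services usually live."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def unsafe_target(url):
    """The pattern that produces SSRF: the server fetches whatever host the client names."""
    return urlsplit(url).hostname  # no scheme, allowlist or address checks


def check_fetch_target(url, resolver=default_resolver):
    """Decide whether a server-side fetch of a user-supplied URL may proceed.
    Returns (True, ip_to_connect_to) or (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    # Every address is checked: an allowlisted name can still be pointed at an
    # internal range by a compromised or attacker-controlled DNS record.
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        return False, f"{host} resolves to non-public address {bad[0]}"
    # Hand back the vetted IP so the caller connects to it directly instead of
    # resolving again (a second lookup reopens a DNS-rebinding window).
    return True, sorted(addrs)[0]
```

Logging the rejection reason alongside the requesting identity gives detection teams a ready signal: repeated allowlist or non-public-address rejections from one account are worth a look.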

Ray Kelly, principal security engineer at WhiteHat Security, noted that vulnerability lists such as HackerOne’s Top 10 list or similar data produced by OWASP don’t change much year-over-year, since most organizations are confronted with similar security challenges. This is why bug bounty programs help the overall security community.

“If you look at the OWASP Top 10 over the past decade, you will notice that very little has changed. HackerOne’s latest research shows that this remains true. Organizations today are facing challenges with shrinking budgets for infosec training, tools and skilled cybersecurity employees,” Kelly told Dice. “Bug bounty programs are a great way to augment these shortages and can certainly save a company money when it comes to a potential data breach.”

Schrader echoed those sentiments: “All of the listed vulnerabilities are ‘door openers’ for more sinister attacks, where the impact can be minimized when an organization has visibility of its overall attack surface, encompassing assets and processes, when it controls any unwanted change to it.”

Hack Away

While the number of vulnerabilities is rising and the number of threats to networks and infrastructure continues to grow, HackerOne notes that more security-minded professionals are also using bug bounty programs as a way to expand their skillsets and make money… whether as a full-time living or a way to supplement their income. Organizations, in turn, benefit from learning which bugs they need to fix.

“We think with more folks being at home, hacking has increased. The data on our platform definitely shows that this is the case, with hacktivity [sic] being up during the pandemic and an influx of new hackers joining the community,” said Ben Sadeghipour, head of hacker education at HackerOne.

Sadeghipour also noted that, beyond knowledge of a particular programming language, successful bug hunters tend to study an application and then think outside the box for what an attacker might find interesting to exploit.

“Spending time to understand an application in depth is also a plus and helps you put the pieces together,” Sadeghipour told Dice. “Thinking outside of the box is also key in becoming successful. At the end of the day, thousands of hackers are looking at these assets. You want to be able to find and look at things that other hackers aren’t looking at.”