Leading bug bounty platform HackerOne has released its list of the top ten security vulnerabilities for 2020. Companies have paid more than 23.5 million dollars to HackerOne's ethical hackers for reports of these ten vulnerability types.
Due to the COVID-19 pandemic, organizations worldwide were forced to go digital faster with their product offerings and services than they may have anticipated.
“Tens of millions of workers started working remotely whether or not they were ready. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems,” said HackerOne Senior Director of Product Management Miju Han.
“Faced with these obstacles, security leaders have gained newfound appreciation for hacker-powered security as a nimble, scalable, and cost-effective solution to augment their own resources and offer a pay-for-results approach that’s more justifiable under tightened budgets.”
HackerOne maintains the most authoritative database of vulnerabilities in the industry. With over 200,000 valid vulnerabilities found by hackers, HackerOne took a look into this data to glean insights from the top 10 most impactful and rewarded vulnerability types.
HackerOne’s Top 10 Most Impactful and Rewarded Vulnerability Types of 2020, in descending order, are:
- Cross-site Scripting (XSS)
- Improper Access Control
- Information Disclosure
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
- Privilege Escalation
- SQL Injection
- Improper Authentication
- Code Injection
- Cross-Site Request Forgery (CSRF)
Taking a closer look at this year’s list of ten vulnerabilities, key findings include:
At the top of the 2020 ranking are the well-known XSS (Cross-Site Scripting) vulnerabilities, which continue to be a major threat to web applications: attackers who exploit XSS can take over a user's account and steal personal information.
Improper Access Control (up from ninth place in 2019) and Information Disclosure (still holding the third spot) remain common. Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year. Access control design decisions have to be made by humans, not technology, so the potential for errors is high, and both classes of bug are nearly impossible to detect using automated tools.
SSRF vulnerabilities, which can be exploited to target internal systems behind firewalls, show the risk of cloud migrations. Previously, SSRF bugs were fairly benign and held HackerOne’s seventh place spot. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.
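As a defender-side illustration of the metadata-endpoint risk described above, here is an added example (not code from HackerOne's report or from this article): a Python guard an application can run before fetching a user-supplied URL. It resolves the host and refuses loopback, private, link-local and cloud metadata destinations; 169.254.169.254 is the IMDS address shared by the major clouds and fd00:ec2::254 is the AWS IPv6 IMDS address, while the function names and the sample URLs are my own.

```python
"""Guard outbound fetches against SSRF towards internal hosts and cloud metadata."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Listed explicitly so the metadata endpoints are visible in review, even though
# link-local and ULA checks below would catch them anyway.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),   # AWS / GCP / Azure IMDS (IPv4)
    ipaddress.ip_address("fd00:ec2::254"),      # AWS IMDS (IPv6)
}


def is_internal_address(ip):
    """True if the address must never be reached on behalf of a user."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is a classic
    # bypass; unwrap it and judge the embedded IPv4 address instead.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr in METADATA_ADDRESSES or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def resolve_all(host):
    """Every address the host maps to; numeric literals need no DNS lookup."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)


def check_fetch_url(url):
    """Return (allowed, reason, resolved_addresses) for a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    addresses = resolve_all(parts.hostname)
    if not addresses:
        return False, "unresolvable host", []
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{addr} is an internal or metadata address", addresses
    return True, "ok", addresses
```

The check must be repeated on every redirect hop, and the HTTP client should connect to the vetted address rather than re-resolving the name, otherwise a DNS rebinding between check and fetch defeats it.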
SQL Injection continues to decline. Once one of the most common vulnerability types, it has been dropping year over year, from fifth in 2019 to seventh in 2020.