Top ten security vulnerabilities most exploited by ethical hackers

Top ten security vulnerabilities most exploited by ethical hackers


Leading bug bounty platform HackerOne has released its list of top ten security vulnerabilities for 2020. Companies have spent more than 23.5 million dollars to identify these 10 vulnerabilities by the ethical hackers of HackerOne.

Due to the COVID-19 pandemic, organizations worldwide were forced to go digital faster with their product offerings and services than they may have anticipated.

“Tens of millions of workers started working remotely whether or not they were ready. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems,” said HackerOne Senior Director of Product Management Miju Han. 

“Faced with these obstacles, security leaders have gained newfound appreciation for hacker-powered security as a nimble, scalable, and cost-effective solution to augment their own resources and offer a pay-for-results approach that’s more justifiable under tightened budgets.”

HackerOne maintains the most authoritative database of vulnerabilities in the industry. With over 200,000 valid vulnerabilities found by hackers, HackerOne took a look into this data to glean insights from the top 10 most impactful and rewarded vulnerability types.

HackerOne’s Top 10 Most Impactful and Rewarded Vulnerability Types of 2020, in descending order, are:

  1. Cross-site Scripting (XSS)
  2. Improper Access Control 
  3. Information Disclosure
  4. Server-Side Request Forgery (SSRF)
  5. Insecure Direct Object Reference (IDOR)
  6. Privilege Escalation
  7. SQL Injection
  8. Improper Authentication 
  9. Code Injection
  10. Cross-Site Request Forgery (CSRF)

Taking a closer look at this year’s list of ten vulnerabilities, key findings include:

At the top of the 2020 ranking are the famous XSS (Cross Site Scripting) vulnerabilities that continue to be a major threat to web applications as attackers exploiting XSS attacks can gain control of the user’s account and steal personal information. 

Improper Access Control (up from ninth place in 2019) and Information Disclosure (still holding the third spot) remain common. Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year. Access control design decisions have to be made by humans, not technology, and the potential for errors is high, and both errors are nearly impossible to detect using automated tools. 

SSRF vulnerabilities, which can be exploited to target internal systems behind firewalls, show the risk of cloud migrations. Previously, SSRF bugs were fairly benign and held HackerOne’s seventh place spot. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

SQL Injection is dropping year-over-year. Earlier, SQL injection was one of the most common vulnerability types. However, it’s been dropping year-over-year from fifth in 2019 to seventh in 2020.


  1. First of all I would like to say excellent blog! I had a quick question in which I’d like to ask if you don’t mind. I was curious to find out how you center yourself and clear your thoughts before writing. I have had a hard time clearing my thoughts in getting my thoughts out. I truly do enjoy writing however it just seems like the first 10 to 15 minutes are generally wasted just trying to figure out how to begin. Any ideas or hints? Kudos!|

  2. Hello it’s me, I am also visiting this site on a regular basis, this website is genuinely nice and the users are really sharing fastidious thoughts.|

  3. Hi there! This blog post couldn’t be written any better! Looking through this article reminds me of my previous roommate! He constantly kept preaching about this. I am going to send this article to him. Fairly certain he’s going to have a great read. I appreciate you for sharing!|

  4. Hmm is anyone else encountering problems with the images on this blog loading? I’m trying to find out if its a problem on my end or if it’s the blog. Any suggestions would be greatly appreciated.|