Top ten security vulnerabilities most exploited by ethical hackers


Leading bug bounty platform HackerOne has released its list of the top ten security vulnerabilities for 2020. Companies have paid more than 23.5 million dollars in bounties to HackerOne's ethical hackers for reports of these 10 vulnerability types.

Due to the COVID-19 pandemic, organizations worldwide were forced to go digital faster with their product offerings and services than they may have anticipated.

“Tens of millions of workers started working remotely whether or not they were ready. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems,” said HackerOne Senior Director of Product Management Miju Han. 

“Faced with these obstacles, security leaders have gained newfound appreciation for hacker-powered security as a nimble, scalable, and cost-effective solution to augment their own resources and offer a pay-for-results approach that’s more justifiable under tightened budgets.”

HackerOne maintains the most authoritative database of vulnerabilities in the industry. With over 200,000 valid vulnerabilities found by hackers, HackerOne took a look into this data to glean insights from the top 10 most impactful and rewarded vulnerability types.

HackerOne’s Top 10 Most Impactful and Rewarded Vulnerability Types of 2020, in descending order, are:

  1. Cross-site Scripting (XSS)
  2. Improper Access Control 
  3. Information Disclosure
  4. Server-Side Request Forgery (SSRF)
  5. Insecure Direct Object Reference (IDOR)
  6. Privilege Escalation
  7. SQL Injection
  8. Improper Authentication 
  9. Code Injection
  10. Cross-Site Request Forgery (CSRF)

Taking a closer look at this year’s list of ten vulnerabilities, key findings include:

At the top of the 2020 ranking are the well-known Cross-Site Scripting (XSS) vulnerabilities, which continue to be a major threat to web applications: an attacker who exploits an XSS flaw can take control of a user's account and steal personal information.

Improper Access Control (up from ninth place in 2019) and Information Disclosure (still holding the third spot) remain common. Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year. Access control design decisions have to be made by humans, not technology, so the potential for error is high, and both classes of error are nearly impossible to detect with automated tools.

SSRF vulnerabilities, which can be exploited to reach internal systems behind firewalls, show the risk that comes with cloud migrations. Previously, SSRF bugs were fairly benign and held HackerOne's seventh place spot. In this era of rapid digital transformation, however, the move to cloud architecture and the presence of unprotected instance-metadata endpoints have made these vulnerabilities increasingly critical.
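The defensive check that point implies, as an added example (not HackerOne's code and not from the article): a server-side URL fetcher on a cloud host must refuse loopback, private and link-local destinations, since the instance metadata service answers on the link-local address 169.254.169.254. All names (`check_fetch_target`, `is_public_address`, `SAMPLE_DNS`) are assumptions made for the example, and `SAMPLE_DNS` is a constructed stand-in for DNS so the check runs offline.

```python
"""Defensive SSRF check for a server-side URL fetcher (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample records; a real deployment resolves via socket instead.
SAMPLE_DNS = {
    "www.example.com": {"8.8.8.8"},           # public address
    "intranet.example": {"10.0.0.5"},         # RFC 1918, must be refused
    "metadata.example": {"169.254.169.254"},  # points at the metadata IP
}


def resolve_with_dns(hostname):
    """Real resolver: every A/AAAA address the system returns."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_public_address(addr):
    """True only for globally routable addresses (hypothetical helper)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4
    # is_global is False for loopback, RFC 1918, link-local (169.254/16 and
    # fe80::/10), CGNAT and the unspecified address.
    return ip.is_global


def check_fetch_target(url, resolver=resolve_with_dns):
    """Return (allowed, reason) for a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP in URL
    except ValueError:
        try:
            addresses = resolver(host)
        except (OSError, KeyError) as exc:
            return False, f"unresolvable host {host!r}: {exc!r}"
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        return False, f"{host} resolves to non-public address {bad[0]}"
    return True, "ok"
```

The vetted address must then be the one the fetcher actually connects to (re-resolving at fetch time reopens a DNS-rebinding window), and HTTP redirects need the same check on every hop.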

SQL Injection continues to decline. It was once among the most common vulnerability types, but it has been dropping year over year, from fifth place in 2019 to seventh in 2020.

155 COMMENTS

  1. Can I simply say what a reduction to search out somebody who really knows what they're speaking about on the internet. You undoubtedly know find out how to carry an issue to mild and make it important. More folks must learn this and perceive this aspect of the story. I can't consider you're no more common since you definitely have the gift.

  2. I’ve been absent for a while, but now I remember why I used to love this blog. Thank you, I will try and check back more often. How frequently you update your web site?

  3. Definitely believe that which you stated. Your favorite reason appeared to be on the internet the simplest thing to be aware of. I say to you, I certainly get annoyed while people consider worries that they just do not know about. You managed to hit the nail upon the top and defined out the whole thing without having side effect, people can take a signal. Will probably be back to get more. Thanks

  4. Hi there would you mind letting me know which hosting company you’re utilizing? I’ve loaded your blog in 3 completely different internet browsers and I must say this blog loads a lot quicker then most. Can you recommend a good web hosting provider at a fair price? Many thanks, I appreciate it!

  5. I was just searching for this information for a while. After 6 hours of continuous Googleing, finally I got it in your site. I wonder what’s the lack of Google strategy that do not rank this type of informative websites in top of the list. Generally the top web sites are full of garbage.

  6. When I originally commented I seem to have clicked on the -Notify me when new comments are added- checkbox and now whenever a comment is added I receive four emails with the same comment. Is there a means you can remove me from that service? Thanks a lot!

  7. I seriously love your website.. Excellent colors & theme. Did you make this website yourself? Please reply back as I'm trying to create my own website and want to learn where you got this from or what the theme is named. Many thanks!

  8. I'm impressed, I have to admit. Rarely do I encounter a blog that's both educative and amusing, and without a doubt, you have hit the nail on the head. The problem is something which not enough folks are speaking intelligently about. I'm very happy that I found this in my hunt for something regarding this.

  9. I have been exploring for a little bit for any high-quality articles or blog posts in this sort of area. Exploring in Yahoo I at last stumbled upon this web site. Reading this information, so I'm happy to convey that I've an incredibly good uncanny feeling I found out just what I needed. I such a lot without a doubt will make certain to don't fail to remember this site and give it a look regularly.

  10. Its like you learn my thoughts! You seem to grasp so much about this, such as you wrote the book in it or something. I think that you simply can do with some p.c. to power the message home a bit, but instead of that, that is excellent blog. An excellent read. I will definitely be back.

  11. Hello! I could have sworn I’ve been to this blog before but after browsing through some of the post I realized it’s new to me. Anyways, I’m definitely happy I found it and I’ll be book-marking and checking back frequently!

  12. I think other site proprietors should take this site as an model, very clean and great user friendly style and design, as well as the content. You’re an expert in this topic!

  13. Thank you for some other fantastic post. The place else may just anyone get that type of information in such a perfect approach of writing? I've a presentation next week, and I am on the search for such info.

  14. What's up colleagues, how is the whole thing, and what you want to say about this paragraph, in my view it's genuinely awesome in support of me.

  15. Today, I went to the beach with my children. I found a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear and screamed. There was a hermit crab inside and it pinched her ear. She never wants to go back! LoL I know this is completely off topic but I had to tell someone!

  16. Hi there, I found your web site via Google while looking for a related topic, your website came up, it looks great. I have bookmarked it in my google bookmarks.

  17. Thank you for another informative blog. Where else may I get that kind of info written in such a perfect approach? I have a venture that I'm just now working on, and I have been on the look out for such info.

  18. Normally I don't read articles on blogs, but I wish to say that this write-up very pressured me to take a look at and do so! Your writing taste has surprised me. Thanks, quite nice article.

  19. First of all I would like to say excellent blog! I had a quick question in which I'd like to ask if you don't mind. I was curious to find out how you center yourself and clear your thoughts before writing. I have had a hard time clearing my thoughts in getting my thoughts out. I truly do enjoy writing however it just seems like the first 10 to 15 minutes are generally wasted just trying to figure out how to begin. Any ideas or hints? Kudos!

  20. Hello it's me, I am also visiting this site on a regular basis, this website is genuinely nice and the users are really sharing fastidious thoughts.

  21. Hi there! This blog post couldn't be written any better! Looking through this article reminds me of my previous roommate! He constantly kept preaching about this. I am going to send this article to him. Fairly certain he's going to have a great read. I appreciate you for sharing!

  22. Hmm is anyone else encountering problems with the images on this blog loading? I'm trying to find out if it's a problem on my end or if it's the blog. Any suggestions would be greatly appreciated.
