HP Security Research | Cyber Risk Report 2015

Because more attention is paid to critical issues, we created a separate view of the top 10 critical issues that plague Web applications. Below is the subset of vulnerabilities of critical risk found in Web applications, together with their prevalence.

Figure 22. Top 10 critical vulnerabilities noted in Web applications in 2014 (percentage of applications affected)

Cross-site scripting: Reflected (33%)
Often misused: Login form (18%)
Cross-frame scripting (17%)
Credential management: Sensitive information in URL (15%)
Null dereference (13%)
Unreleased resource: Streams (10%)
Password management: Weak policy enforcement (10%)
XML internal entity injection (10%)
Privacy violation (9%)
Insecure transport: Weak SSL cipher (9%)

While it is no surprise that Cross-site scripting: Reflected is the top critical concern affecting most Web applications, it is notable to see several authentication-related vulnerabilities in the top 10. Erroneous implementation or configuration of login forms, credentials, passwords, and secure transport can provide the right ingredients for privilege escalation.

The trend with server misconfigurations is very similar to last year, and it remains the number-one issue across all analyzed applications within this category. Looking deeper into the breakdown, access to unnecessary files and directories dominates the misconfiguration-related issues. In comparison to the top 10 common vulnerabilities shown in Figure 21, Unprotected File and Unprotected Directory are the second and fourth most pervasive, affecting 46.86 percent and 45.63 percent of applications respectively.
Breakdown of the top five mobile application vulnerabilities

Let's discuss the more general or aggregated trends in vulnerabilities observed this year before we review more specific trends.

Mobile application vulnerabilities continue to evolve as the platforms become attractive targets for application developers. Due to the nature of mobile devices, their vulnerability surfaces share some attributes with traditional client/server applications and Web applications. However, the type of information that is trusted on mobile devices creates some unique attack vectors as well. Mobile devices contain sensors and actuators of types not historically common in personal computers or servers, which collect and transmit private information about the user of the device. The list of sensors that can reveal sensitive information includes cameras, microphones, accelerometers, gravity sensors, rotational vector sensors, gyroscopes, magnetometers, global positioning system (GPS) sensors, near-field communication (NFC), light sensors, M7 tracking chips, barometers, thermometers, pedometers, heart-rate monitors, and fingerprint sensors.

Figure 23. Top five mobile vulnerabilities noted in 2014, aggregated by category (percentage of applications affected)

Privacy violation (74%)
Insecure storage (71%)
Insecure transport (66%)
Insecure deployment (62%)
Poor logging practice (47%)

In contrast to the top five aggregated vulnerabilities found in Web applications, mobile apps have four completely different categories, with only Privacy Violation in common. While Privacy Violation was the fourth most common vulnerability observed in the Web applications we analyzed (52.91 percent), it takes the top spot in mobile apps (73.54 percent). Mobile applications are unique in that they have access to a wealth of personal information from the array of sensors built into modern mobile devices.
Furthermore, privacy violation weaknesses occurring on mobile devices can lead to the disclosure of location, sensitive images, data entered from the keyboard or displayed on the screen, and other personal information. In total, there were 15 specific privacy violation categories observed in the sample population. The potential for disclosing geolocation information was the most common, found in 31 percent of all mobile applications in the study.

Part of securing sensitive information on mobile devices involves ensuring that the data is stored in such a way that it is adequately protected. Insecure Storage weaknesses, which take the second spot (70.63 percent), are introduced into mobile applications either through the misuse of the APIs provided to protect data with encryption, or through not using them at all. On Android devices, this can take the form of data being written to external storage (including backup storage) without encryption, or of data on internal storage being made world readable or writeable. For iOS devices, a data protection API is provided that uses hardware encryption to protect data; however, without a proper understanding of the various levels of data protection and what they apply to, developers can easily make mistakes that leave the data vulnerable.