Companies are paying the highest amount of bounties to fix cross-site scripting (XSS), improper authentication and information disclosure vulnerabilities. Meanwhile, some cloud-based vulnerabilities such as server-side request forgery (SSRF), in which an attacker can abuse functionality on the server to read or update internal resources, are seeing an uptick in bounties.
This is according to HackerOne's recently released report on the top 10 list of vulnerabilities based on the total amount of bounties paid per vulnerability type. The report analyzed HackerOne's proprietary data examining more than 120,000 unique security weaknesses resolved on the HackerOne platform through the 2018 calendar year.
“At its core, the vulnerabilities are ranked by the total amount of bounties paid per vulnerability type. These payments are evaluated by severity and dictated by the companies themselves, showcasing the importance they place on each type,” said Miju Han, director of product management at HackerOne.
Cross-site scripting maintains the top spot because it accounts for about 35 percent of all reported vulnerabilities by volume and for about 28 percent of all bounties paid. Information disclosure vulnerabilities, which expose sensitive information, are still common, present serious risk to organizations and account for large bounty sums, according to Han.
HackerOne noticed that there is a discrepancy between the seriousness of the XML external entities (XXE) vulnerability and the amount that companies are willing to dish out through the white hat hacking platform.
“XXE is an interesting vulnerability because it is often serious (67 percent of the time it is critical or high), but it’s only 2 percent of our bounty payouts, and it’s less than 1 percent of the vulnerabilities found on our platform,” Han said.
Meanwhile, the OWASP Top 10 list, which has seen many iterations since its inception in 2001 and has since become the go-to list for vulnerabilities, ranked XXE as the fourth-highest vulnerability.
HackerOne says that less than half of this edition overlaps with the OWASP Top 10. However, both Top 10 lists still rank injections, broken authentication and sensitive data exposure among the highest vulnerability risks.
OWASP founder Jeff Williams, who is also the co-founder and CTO of Contrast Security, explained that bug bounties don't paint the whole picture of the scope or scale of vulnerabilities.
“I sort of get that there’d be a correlation between what people are paying for and what the bug bounties are, but it’s really not typically like that. The incentives for bug researchers aren’t the same as the incentives for hackers,” Williams said. “Most companies put out a bug bounty that says any high or critical vulnerability will pay you a thousand dollars, but they’re not really parsing it down to all the details saying that SSRF is one point three times as important as XSS.”
Rather than describing the list as redundant, Williams said HackerOne should participate in the OWASP Top 10, and that a combined survey that takes all the sources, weighs them and analyzes them would give a much better picture of what is going on. He says Top 10 lists don't cover all of the vulnerabilities companies should be looking out for.
“If all you’re doing is securing against the Top 10, then you’re in a serious world of hurt right now,” Williams said.
Han from HackerOne agreed that reviewing multiple reports of the Top 10 risks would be beneficial for companies looking to bolster their security.
“The reality is that security organizations need multiple frameworks for prioritizing vulnerabilities. Both assets will be able to help security teams identify the top risks, ours just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers,” said Miju Han.
HackerOne lists these as the highest security risks:
- Cross-Site Scripting: A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
- Improper Authentication: Software does not prove or insufficiently proves that an identity claim is correct.
- Information Disclosure: A weakness that leaks sensitive data.
- Privilege Escalation: A bug that allows an adversary to obtain a higher level of permissions on a system or network.
- SQL Injection: Insertion of a SQL query via the input data from the client to the application.
- Code Injection: A general term for attack types that consist of injecting code that is then interpreted/executed by the application.
- Server-Side Request Forgery (SSRF): Allows the attacker to abuse functionality on the server to read or update internal resources.
- Insecure Direct Object Reference (IDOR): Enables attackers to bypass authorization and access resources in the system directly.
- Improper Access Control: Software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- Cross-Site Request Forgery (CSRF): Forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
The full report is available here.