A recent study shined a light on an attack vector that is often overlooked: the insecurity of web applications.

According to the report, issued by Positive Technologies, 44 percent of web applications are vulnerable to data leakage and security problems. In other words, threat actors have easy access to the personal customer data those applications handle across a variety of verticals such as banking, e-commerce and communications.

In addition, 48 percent of the applications were found to be vulnerable to unauthorized access, with 17 percent having exploits that could result in a full takeover by a threat actor. But perhaps the most eye-opening finding is that 100 percent of the web applications tested had some sort of vulnerability in general.

Security as an Afterthought

The web app as an attack vector isn’t a new problem, although we may not have realized how severe the vulnerabilities were. And worse, we’ve allowed the problem to linger: Many developers and IT decision-makers don’t take web app security seriously. Mozilla gave 93 percent of websites it observed a failing grade for security against cross-site scripting (XSS), for example. Application security tends to be treated as an afterthought, pushed behind other, more pressing security issues.

The biggest problem, no matter the programming language used, is XSS, according to the report. The authors also pointed to data leakage, fingerprinting and brute-force attacks as common issues across the board.

App Security Lags Despite Increasing Awareness

“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Leigh-Anne Galloway, Positive Technologies cybersecurity resilience lead, as quoted in Infosecurity Magazine. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”

Why is web app security falling behind? In a blog post for Secure Code Warrior, Pieter Danhieux blamed human behavior, stating that not only do humans behave in ways that introduce vulnerabilities and security threats, but developers aren’t always brought into the security loop.

“How are developers supposed to write secure code if nobody ever teaches them about why it’s important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?” he wrote.

How Cybercriminals Exploit Web Applications to Spread Malware

The Postitive Technologies report cited two primary areas of motivation for cybercriminals to take advantage of web application vulnerabilities. The first is to use apps to infect and spread malware throughout enterprise networks.

“This method was used to spread the Bad Rabbit ransomware: attackers compromised web applications belonging to media outlets and masked malware as an Adobe Flash Player update installer,” the report explained.

In another case, an attacker exploited a vulnerability to disseminate phishing emails targeting bank employees.

Some threat don’t even involve direct attacks against web apps; cybercriminals can use applications in various ways to launch malware attacks. The moment your website or web application is compromised — no matter the method — your organization’s reputation takes a hit, which can lead to financial loss.

Data Theft in a Regulated World

The report also cited data theft as a key motivation for targeting web applications. Data leakage is a problem in any situation, be it customer data or corporate intellectual property. However, the stakes of stolen data have been raised in a post-General Data Protection Regulation (GDPR) and a pre-California Consumer Privacy Act (CCPA) world.

As more states decide to step up measures to protect customer data, any type of data loss can create extraordinary headaches for company leaders. Loss of data can cost an organization hundreds of thousands to millions of dollars in fines, according to data compiled by TermsFeed. At the same time, as more effort is put into data protection, stolen data will become more valuable on the dark web, encouraging threat actors to improve their targeting and attack styles.

How Can Companies Protect Web Applications?

Data privacy regulations require most companies to improve their web application security capabilities. IT leaders can start by building security measures directly into the app’s design as a way to put consumer security and privacy front and center.

“For application security, this means that security and privacy need to be thought about in the planning stages of the Software Development Life Cycle (SDLC),” cybersecurity expert Amit Ashbel wrote for ITProPortal. “Unfortunately, this is not currently the case with many organizations so this will be a large task for the industry.”

Built-in security and privacy measures are crucial. Web app developers should also implement a web application firewall, bolster password management, deploy mobile application management features and install security plugins where available.

As the Positive Technologies report pointed out, it is clear that security issues in web applications aren’t getting the attention they require, because their annual studies are finding the same mistakes and concerns repeating themselves. Lax security may have been overlooked in the past, but as privacy regulations and their consequences gain traction, application vulnerabilities and data leakage can cost your organization more than just a light fine and a slap on the wrist.

Read the IBM e-guide: 5 Steps to Achieve Risk-based Application Security Management

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…