HackerOne customers have received more than 120,000 (and counting!) valid security vulnerabilities across more than 1,400 programs of all sizes. Combined, they represent a clear picture of the real-world risks we face today.
For the first time ever, HackerOne is providing our list of the top 10 rewarded vulnerability types as indicated by bounty awards and customer impact, all based on weaknesses resolved through 2018. The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types is an interactive site allowing you to explore bounty award levels, severity scores, total report volumes, and more. You can also filter by industry.
Here are the highlights and key findings of The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types:
- The technology world’s mass migration to the cloud has resulted in increased risks from vulnerabilities like Server Side Request Forgery.
- Despite the ever-growing attention on protecting user privacy and data, Information Disclosure vulnerabilities are still common.
- Less than half of this edition of the HackerOne Top 10 overlap with the OWASP Top 10.
- Highly impactful vulnerabilities, like SSRF, IDOR, and Privilege Escalation, are harder to come by but continue to be the most valuable vulnerabilities based on bounties awarded.
Risk is a fact of life. Today, technology unicorns, governments, startups, financial institutions, and open source projects are embracing collaboration with hackers to identify their unknown vulnerabilities. What are the most impactful vulnerabilities that may not be in the OWASP Top 10? What’s the top 10 listing of vulnerabilities submitted by volume? Stay tuned for our Hacker-Powered Security Report 2019 coming later this summer for the answer to these questions and more. Or, if you’re at Gartner Risk Management Summit, hear the live talk on this very subject.
Until then, you can view the data on the The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types today and share your newfound knowledge with your colleagues and friends.
Need a refresher on the top weaknesses? We have you covered with the following definitions from OWASP and Mitre.
1. Cross-site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. (more)
2. Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. (more)
3. Information Disclosure
A vulnerability is a weakness in an application (frequently a broken or missing control) that enables an attack to succeed. Be sure you don't put [attacks] or [controls] in this category. (more)
4. Privilege Escalation
Privilege escalation is the result of actions that allows an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. (more)
5. SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. (more)
6. Code Injection
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example: allowed characters (standard regular expressions classes or custom), data format, or amount of expected data. (more)
7. Server-Side Request Forgery (SSRF)
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed. (more)
8. Insecure Direct Object Reference (IDOR)
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. (more)
9. Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (more)
10. Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. (more)