Vulnerabilities are a fact of life; risk comes with it. Today, companies, enterprises, and governments are embracing collaboration with hackers to find vulnerabilities before criminals have a chance to exploit them.
A recent webinar held by HackerOne, entitled Hacker-Powered Data - Security Weaknesses and Embracing Risk with HackerOne, outlined the most common vulnerabilities found by HackerOne’s 1,400 bug bounty programs. Many of these aren’t on the OWASP Top 10.
HackerOne’s data set is incredibly rich. One thousand four hundred bug bounties have produced over 360,000 valid vulnerabilities over the past seven years. This robust data source allows for data-backed findings of what vulnerabilities are biting companies most often.
The Top 10 Security Vulnerabilities Found By Hacker-Powered Security
Here are HackerOne’s Top 10 Vulnerabilities based on our data:
1. Cross-site scripting
2. Improper authentication
3. Information disclosure
4. Privilege escalation
5. SQL injection
6. Code injection
7. Server-side request forgery
8. Insecure direct object reference
9. Improper access control
10. Cross-site request forgery
Understanding these risks is important because these are the vulnerabilities companies are paying out for more than any others. Even if other vulnerability lists don’t have them listed in the same order, these are the vulnerabilities we see companies pay for more than any others.
Slicing the data in specific ways helps companies to prioritize their risks. For example, we see that stored XSS vulnerabilities have higher bounty payouts on average than other types of XSS vulnerabilities. We also understand that stored XSS is harder to find than different varieties of XSS vulnerabilities.
We can use this data to get a clear picture of how to handle vulnerabilities like XSS. Higher bounty amounts roughly equate to a higher impact or criticality of a bug. The relative frequency a particular vulnerability is found compared to others relates a lower chance of an attacker finding the vulnerability.
When you put these numbers together, you can begin to paint a clear picture of which vulnerabilities you need to fix first. If the bug is less likely to be found in the wild, you may need to fix it immediately.
Lessons From the HackerOne Top 10
We can take three lessons from the data we’ve found in our top 10 list.
The OWASP Top 10 is useful, but not comprehensive. The OWASP Top 10 has become the defacto vulnerability list for many companies. But the OWASP Top 10 is only meant to be a starting point. Protecting against only ten risks doesn’t mean your software is secure. Only 50% of the vulnerabilities captured on HackerOne’s platform appear on the OWASP Top 10. The HackerOne Top 10 reflects 90% of all vulnerabilities captured on our platform. Our Top 10 list reflects what vulnerabilities we’re seeing in the wild right now.
What scanners find doesn't equal what humans find. Scanners are a necessary part of shifting security left. However, human hackers are better at detecting specific vulnerabilities, such as server-side request forgery and business logic errors. Automated scanners don’t have the creativity, skill, and nuanced knowledge necessary to find the trickiest blogs. Head over to Hacktivity and see what the automated scanners are missing.
Data can lead to better conversations with development teams. Many of our customers want to improve their relationship with development teams. Our data helps security teams to communicate the exact nature and danger of each bug. Development teams will cooperate when they understand why they need to fix a particular vulnerability immediately.
Check out the webinar for insights on what bugs are cropping up the most among your peers. You’ll be better prepared to tackle the vulnerabilities you find and to communicate with your development teams.