The Rise of Web Application Vulnerabilities


"nCircle's mixture of vulnerability scanning, Web application scanning, file-integrity monitoring and configuration management put it at the forefront of those trying to deliver risk-based security."

- 451 Group

The last five years have seen a dramatic increase in the number of Web application vulnerabilities. Cross-Site Scripting (XSS), SQL Injection (SQLi) attacks and Cross-Site Request Forgery (CSRF) vulnerabilities comprise the majority of current vulnerability discoveries and attacks. Businesses and consumers are both at risk; attackers target businesses with sensitive and valuable data, and consumers for their personal information, banking details, or simply their computer resources in order to create botnets.

According to the National Vulnerability Database and nCircle VERT (Vulnerability and Exposure Research Team), Web application vulnerabilities have increased from 1.9% of all published vulnerabilities in 2006 to over 52% in 2009 (projected based on Q1 and Q2 growth rate). It is important to note that these figures only represent web application vulnerabilities in libraries, languages, frameworks and canned web applications; they do not account for the numerous custom Web Applications that contain their own web application vulnerabilities. These vulnerabilities are numerous, will never be assigned a CVE, and cannot be accurately counted.

[Figure: Vulnerability by Year. Web application vulnerabilities have increased from 1.9% of all published vulnerabilities in 2006 to over 52% in 2009 (projected based on Q1 and Q2 growth rate).]


Real-world Web Application Vulnerability Examples


Cross-site Request Forgery (CSRF)

CSRF allows an attacker to make your browser perform actions, without your knowledge, on websites where you are already authenticated. A common, well-known “minor” CSRF is the Gmail logout issue, in which an attacker can log anyone out of their Gmail session simply by having them visit a website.

Using online bank transfers as an example, here’s how it works:

  1. The Attacker determines the criteria required to formulate a proper request to send money from your bank account.
  2. The Attacker then uses input injection vulnerabilities to modify pages so that they contain an image (or similar website element) whose source actually points to the Attacker’s formulated request.
  3. When the victim visits the (now) evil page while their online banking session is open, their browser unknowingly sends a request that transfers money to the Attacker.
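The three steps above come down to one fact: the bank's server accepts the session cookie as the only evidence that the account holder intended the transfer, and the browser attaches that cookie to any request for the bank's origin, wherever the request was triggered. The following added example (not part of the original page or of any nCircle product) models a transfer handler in that "before" state beside a hardened handler that requires a per-session synchronizer token and rejects requests whose Origin header names another site. The bank, its session store, the account names and the attacker's page are all constructed for illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"     # assumed origin of the bank (constructed)
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret used to MAC tokens


@dataclass
class Bank:
    """Constructed in-memory stand-in for the bank's session store and ledger."""
    sessions: dict = field(default_factory=lambda: {"sess-victim": "alice"})
    balances: dict = field(default_factory=lambda: {"alice": 1000, "mallory": 0})

    def move(self, user, to, amount):
        if amount <= 0 or self.balances.get(user, 0) < amount:
            return 400
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return 200


@dataclass
class Request:
    """Minimal HTTP request model: cookies the browser attached, form fields, headers."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(bank, req):
    """'Before' handler: the session cookie is the only proof the user meant this.
    A request triggered by another site, which the browser sends with the victim's
    cookie attached, is indistinguishable from a genuine one."""
    user = bank.sessions.get(req.cookies.get("session"))
    if user is None:
        return 401
    return bank.move(user, req.form["to"], int(req.form["amount"]))


def csrf_token_for(session_id):
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The bank embeds it in its own forms; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_hardened(bank, req):
    """'After' handler: reject requests whose Origin is another site, and require
    the per-session token that only the bank's own pages can carry."""
    session_id = req.cookies.get("session")
    user = bank.sessions.get(session_id)
    if user is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    supplied = req.form.get("csrf_token", "")
    # constant-time comparison so token checking leaks nothing via timing
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return 403
    return bank.move(user, req.form["to"], int(req.form["amount"]))


def forged_request(origin=None):
    """Step 3 of the scenario: the victim's browser loads the attacker's page and
    fetches the planted element; the bank session cookie rides along. An image
    fetch carries no Origin header, so the default here is None."""
    headers = {} if origin is None else {"Origin": origin}
    return Request(cookies={"session": "sess-victim"},
                   form={"to": "mallory", "amount": "500"},
                   headers=headers)


def genuine_request():
    """The same transfer submitted from the bank's own form, token included."""
    return Request(cookies={"session": "sess-victim"},
                   form={"to": "mallory", "amount": "500",
                         "csrf_token": csrf_token_for("sess-victim")},
                   headers={"Origin": SITE_ORIGIN})


def run_csrf_scenario():
    """Run the forged request against both handlers and a genuine request against
    the hardened handler; return status codes and the resulting balances."""
    vuln, hard = Bank(), Bank()
    return {
        "vulnerable_forged": transfer_vulnerable(vuln, forged_request()),
        "vulnerable_alice": vuln.balances["alice"],
        "hardened_forged_no_origin": transfer_hardened(hard, forged_request()),
        "hardened_forged_evil_origin": transfer_hardened(
            hard, forged_request("https://evil.example")),
        "hardened_alice_after_forgery": hard.balances["alice"],
        "hardened_genuine": transfer_hardened(hard, genuine_request()),
        "hardened_alice_after_genuine": hard.balances["alice"],
    }


if __name__ == "__main__":
    for name, value in run_csrf_scenario().items():
        print(f"{name}: {value}")
```

Two points worth noting in the hardened handler. The token check is what stops the image-triggered request in the page's scenario, because browsers send no Origin header on such fetches and an Origin check alone would let it through. The Origin check still earns its place: it rejects cross-site form posts before any state is touched and costs nothing when the header is present. Real frameworks generate and verify tokens for you; the point of writing it out is to see that the token must be bound to the session and unreadable from another origin.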


SQL Injection (SQLi)

SQL Injection attacks allow an attacker to retrieve supposedly protected information from a Web server's database. Vulnerable web applications build SQL statements from form input, which lets attackers submit SQL fragments through web forms in place of valid information and thereby change what the query does; the impact can range from basic information disclosure to remote code execution and total system compromise.
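The defect described above is structural: when form input is spliced into the text of a SQL statement, the database cannot tell where the developer's query ends and the user's data begins. The added example below (not from the original page or any nCircle product) shows a login lookup written that way against an in-memory SQLite table, beside the same lookup using bound parameters, and runs both on honest input and on the textbook tautology input. The table, its rows and the credentials are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the Web server's database.
    Plaintext passwords are used only to keep the lookup readable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "user"),
        ("bob", "hunter2", "user"),
        ("admin", "correct-horse", "admin"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """'Before': form fields are spliced into the SQL text, so quote characters in
    the input can close the literal and change the statement's structure.
    Returns the usernames the resulting query matched."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """'After': the statement text is fixed at coding time; input travels to the
    engine as bound parameters and is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def run_sqli_scenario():
    """Exercise both lookups with honest credentials and with a tautology string
    (constructed textbook input that closes the quote and appends OR '1'='1')."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "vulnerable_honest": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, injected, injected),
        "parameterized_honest": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_injected": login_parameterized(conn, injected, injected),
    }


if __name__ == "__main__":
    for name, value in run_sqli_scenario().items():
        print(f"{name}: {value}")
```

With the honest credentials both lookups return only alice. With the tautology input the concatenated version's WHERE clause becomes `username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so all three usernames come back, the admin among them; the parameterized version compares the same string against the stored columns as data and matches nothing. Escaping input is not a substitute for this: the fix is to keep query structure and user data on separate channels, which is exactly what bound parameters do.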