Dive Brief:
- There was a 92% increase in reported vulnerabilities from 2018 to 2019, according to Bugcrowd's 2019 State of Security report.
- Broken access control, sensitive data exposure, server security misconfiguration, broken authentication/session management, and cross-site scripting were the top five vulnerabilities in the past year.
- Average payouts for finding critical vulnerabilities increased by 27% to $2,670 in bug bounty programs. There was a 29% increase in bug bounty program launches this year compared to 2018 because companies are "taking their programs public as a part of their corporate social responsibility on the internet," according to Bugcrowd's report.
Dive Insight:
As more applications are introduced to a company's technology stack, there is a corresponding increase in risk.
Having additional security oversight, in the form of hackers, researchers and pentesters, protects individual companies' assets and public well-being. This is especially important when some of the most devastating bugs — EternalBlue, Meltdown, Spectre, and the Apache Struts 2 flaw — are still causing problems.
Because big breaches often spawn from "nascent" vulnerabilities, intentionally looking for the more subtle and "easy" flaws sets the foundation for basic cybersecurity practices, according to Bugcrowd.
Web application flaws are the most reported, including issues with:
- Cross-site scripting
- Broken access control
- Server security misconfiguration
Cross-site scripting is a popular attack method executed by injecting malicious scripts into trusted websites.
Capital One is the latest company to feel the impact of a misconfigured web application, which failed to protect credentials. The bank is in the midst of cleaning up a data breach impacting 106 million customers.
Equifax's 2017 data breach was the result of a web application flaw in Apache Struts. The vulnerability allowed attackers to inject malicious code into every server running Apache Struts applications. However, a patch for the flaw was available two months prior to its exploitation, leading Equifax to pay a record fine for negligence.