This report encompasses data gathered by the SpiderLabs Team during 220 forensic investigations and over 2,300 manual penetration tests. Notice the word "manual" was highlighted right? That means that this data was not gathered through the use of automated scanning tools but rather by manually testing target networks and applications. This means that we are able to dig in deeper into the target web application and uncover vulnerabilities that automated tools alone would never identify. While there is a ton of great data within the GSR 2011 report, for this blog post, I wanted to focus a bit of attention to the web application sections of the report.
Top 10 Web Application Risks
This Top 10 list was gathered by the Trustwave SpiderLabs Application Pentest Team. The attacks and vulnerabilities listed below are ranked by collective threat, based on the frequency of findings, difficulty in launching the attack and the potential impact when exploited by criminals. The report explains:
For example, while SQL injection is not the most common vulnerability we encounter, the potential for the bulk extraction of sensitive data makes it the number one threat of 2010. Conversely, cross-site request forgery (CSRF) is one of the most common application vulnerabilities, but requires a more complicated attack scheme, relegating it to eighth on the list.
Here is the Top 10 List:
Cross-site Scripting (XSS)
Vulnerable Third Party Software
Session Handling Flaw
Cross-site Request Forgery (CSRF)
Source Code Disclosure