Imperva released its report “The State of Web Application Vulnerabilities in 2018” yesterday. The data shows 17,142 new web application vulnerabilities discovered in 2018, an increase of 21% from 2017 and of 159% from 2016. More than half of them have a public exploit available, and more than one-third have no available fix (patch or workaround).
On the CMS side, the number of WordPress vulnerabilities continues to rise. Drupal has fewer, but they have had greater impact and have been used in large-scale attacks. The number of vulnerabilities related to Internet of Things devices, weak authentication and PHP itself declined.
Overall, injection vulnerabilities (SQL injection, command injection, object injection and so on) made up the largest share, 19% of all vulnerabilities, an increase of 588%. Next come cross-site scripting (XSS) vulnerabilities, at 14%.
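The three injection classes the report counts, shown as an added example in PHP (the language of the CMSs discussed), each with a vulnerable snippet beside a hardened one. This is not code from the Imperva report; the `$pdo` connection, the `users` table, the `ping` command and the cookie format are assumptions for illustration.

```php
<?php
// Added example, not from the Imperva report. $pdo, the users table and the
// cookie format are assumptions for illustration.

// 1. SQL injection: user input concatenated into the query text.
function findUserVulnerable(PDO $pdo, string $name): array {
    // A $name of  ' OR '1'='1  turns this into a query returning every row.
    $sql = "SELECT id, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findUserHardened(PDO $pdo, string $name): array {
    // Prepared statement: the value is bound as data and never parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Command injection: user input interpolated into a shell command line.
function pingHostVulnerable(string $host): string {
    // A $host of  example.com; id  runs a second command.
    return (string) shell_exec('ping -c 1 ' . $host);
}

function pingHostHardened(string $host): string {
    // Allow-list the input shape first, then quote it for the shell.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// 3. PHP object injection: unserialize() on attacker-controlled data.
function loadPrefsVulnerable(string $cookie): array {
    // A crafted serialized string instantiates any loaded class and fires its
    // __wakeup()/__destruct() methods, which is what gadget chains build on.
    return (array) unserialize($cookie);
}

function loadPrefsHardened(string $cookie): array {
    // JSON cannot describe objects with behaviour, so nothing is instantiated;
    // still validate the decoded shape before using it.
    $prefs = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($prefs)) {
        throw new UnexpectedValueException('prefs must be a JSON object');
    }
    return $prefs;
}

// If unserialize() cannot be avoided, PHP 7.0+ can refuse to create objects:
//   unserialize($data, ['allowed_classes' => false]);
```

The fix pattern is the same in all three cases: keep untrusted input on the data side of the boundary (bound parameter, quoted argument, plain JSON) instead of letting it reach the interpreter that parses SQL, shell syntax or serialized PHP.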
For 2019, Imperva predicts that:
- The number of injection vulnerabilities will continue to grow.
- PHP 5.5, 5.6 and 7.0 have reached end of life, which means these versions no longer receive security updates. Mainstream CMSs such as WordPress, Drupal and Joomla are written in PHP, and although they track newer PHP releases, they continue to run on the old ones. The result is that attackers will find more new security vulnerabilities in unsupported PHP versions, and sites still running them will have no patch to apply.
- As DevOps becomes a key part of IT, demand for APIs continues to grow, and more API-related vulnerabilities will be discovered.