XSS is Most Rewarding Bug Bounty as CSRF is Revived
Cross-site scripting (XSS) is the most rewarding security vulnerability, according to data on the number of bug bounties paid.
According to HackerOne’s top 10 most impactful security vulnerabilities, a list drawn from over 1,400 HackerOne customer programs and 120,000 reported vulnerabilities that together have earned hackers over $54m in bounties, XSS is the vulnerability class with the highest total payout, followed by “improper authentication – generic” and “information disclosure.”
HackerOne’s Top 10 security vulnerabilities are:
- Cross-site Scripting – All Types (dom, reflected, stored, generic)
- Improper Authentication – Generic
- Information Disclosure
- Privilege Escalation
- SQL Injection
- Code Injection
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
- Improper Access Control – Generic
- Cross-Site Request Forgery (CSRF)
By comparison, in the current OWASP Top Ten, last refreshed in 2017, XSS featured only in seventh place, while SQL injection, which falls under “Injection”, the top entry of the OWASP list, appeared in fifth place in HackerOne’s list.
Speaking to Infosecurity, Rahim Jina, COO of edgescan, said that in edgescan’s statistics XSS accounts for nearly 15% of application-layer vulnerabilities found, a slight increase year on year.
“This is a vulnerability we nearly expect to find when we are assessing a web application (you tend to find multiple instances in an application, if you find them),” he said. “XSS has been around a long time and when highlighted, developers typically can resolve these; however, we frequently see the same issues being introduced by these developers subsequently. I believe there is an educational problem here which needs to be addressed (people do get training, however they often seem to re-introduce XSS issues subsequently for whatever reason).”
Miju Han, director of product management at HackerOne, said: “We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Both assets will be able to help security teams identify the top risks; ours just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers.”
Cross-Site Request Forgery, which was dropped from the latest OWASP Top 10 after appearing in eighth place (A8) in the 2013 OWASP Top 10, was the tenth most paid bug for HackerOne.
Jina said that CSRF “is an interesting one”: last year it accounted for 1.75% of total application-layer vulnerabilities found by edgescan, and the reason many cite is that most modern web application frameworks include built-in CSRF defenses that can be enabled easily.
“Scanners tend to report this issue with high frequency, however when you actually look at the issue, the transaction may not be relevant – CSRF is about abusing a transaction in some meaningful way,” he said.
“Finding it may be relatively easy, however validating the real issue takes some effort. Additionally, due to the often complex nature of actually abusing such an issue successfully, these are often presented as lower risk items.”
Jina said that there is a slight increase in CSRF issues in general, as fixing them appears to be much easier: often simply turning on such a defense (where a given framework provides one, usually a configuration change) will protect the entire application in one go, as opposed to having to go into the code and fix each instance.
“We find that explaining the underlying risk and cause of CSRF issues can be confusing to developers and is often misunderstood.”
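The defense Jina refers to, the kind a framework switches on application-wide, is usually a synchronizer token tied to the session. The following is an added illustration written for this page, not code from the article, edgescan or HackerOne: the account-transfer endpoint, the in-memory session store and the HMAC-based token are all constructed for the example, and a real application would use its framework’s own CSRF middleware rather than hand-rolling this. It shows the same state-changing transaction once with only the session cookie as authorisation (forged cross-site POST succeeds) and once with the token check (forged POST is rejected, because a page on another origin cannot read the token).

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a server-side key and a session store.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": ..., "balance": ...}


def login(user, balance):
    """Create a session; returns the id the browser would keep in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": balance}
    return sid


def csrf_token_for(sid):
    """Synchronizer token: HMAC of the session id under the server key.

    The application embeds this in its own forms. A cross-site page can make
    the victim's browser send the cookie, but cannot read this value.
    """
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def transfer_unprotected(request):
    """Vulnerable handler: the session cookie alone authorises the transaction.

    Browsers attach cookies to cross-site form submissions, so a forged POST
    from attacker-controlled HTML is indistinguishable from a legitimate one.
    """
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    session["balance"] -= int(request["form"]["amount"])
    return 200, "transferred"


def transfer_protected(request):
    """Hardened handler: the form must also carry a token matching the session."""
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison so token validity cannot be probed byte by byte.
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return 403, "csrf token missing or invalid"
    session["balance"] -= int(request["form"]["amount"])
    return 200, "transferred"


def forged_request(sid, amount):
    """Constructed request: what an auto-submitting form on another origin
    produces in the victim's browser. The cookie rides along; no token."""
    return {"cookies": {"sid": sid}, "form": {"amount": str(amount)}}


def legitimate_request(sid, amount):
    """Constructed request from the application's own form, token included."""
    return {
        "cookies": {"sid": sid},
        "form": {"amount": str(amount), "csrf_token": csrf_token_for(sid)},
    }


def demo():
    """Run the forged and legitimate requests against both handlers."""
    sid = login("alice", 100)
    forged_unprotected, _ = transfer_unprotected(forged_request(sid, 40))   # 200, balance 60
    forged_protected, _ = transfer_protected(forged_request(sid, 40))       # 403, balance still 60
    legit_protected, _ = transfer_protected(legitimate_request(sid, 10))    # 200, balance 50
    return {
        "forged_unprotected": forged_unprotected,
        "forged_protected": forged_protected,
        "legit_protected": legit_protected,
        "balance": SESSIONS[sid]["balance"],
    }


if __name__ == "__main__":
    print(demo())
```

This also makes Jina’s triage point concrete: the token check only matters on an endpoint like `transfer_protected` that changes state on the victim’s behalf. A scanner flagging a tokenless read-only page is reporting the pattern, not an abusable transaction.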
Source: Information Security Magazine