Cross-site scripting (XSS) remained the most common vulnerability, & thus the one earning the largest rewards for ethical hackers in 2020, for a second year running, according to a top 10 vulnerability list published on Thursday by Hacker One.
XSS, the most-rewarded flaw, is also among those that are ‘relatively cheap’ for organisations to identify.
This vulnerability, which lets attackers ‘inject’ client-side scripts into web pages viewed by other users, earned hackers $4.2 million in total bug-bounty awards in 2019, a 26% increase from 2019 payments for finding XSS flaws, explains the report.
After XSS on the ethical hacking company’s list of “Top 10 Most Impactful & Rewarded Vulnerability Types of 2020” are: improper access control, information disclosure, server-side request forgery (SSRF), insecure direct object reference (IDOR), privilege escalation, SQL injection, improper authentication, code injection & cross-site request forgery (CSRF).
In total, organisations paid ethical hackers $23.5 million in bug bounties for all of these flaws during 2020, according to Hacker One, which maintains a database of 200,000 vulnerabilities found by hackers.
Attackers use XSS vulnerabilities to take control of an online user’s account & steal personal information such as passwords, bank account numbers, credit card details, personally identifiable information (PII) & Social Security numbers.
While XSS flaws account for 18% of all reported vulnerabilities, ethical hackers are actually ‘underpaid’ for finding them, according to Hacker One.
The average bug-bounty award for an XSS flaw is about $501, well below the $3,650 average award for a critical flaw, which lets organisations mitigate this common bug on the cheap, the researchers noted.
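The mechanism described above (an attacker’s script is ‘injected’ into a page and runs in other users’ browsers) comes down to untrusted input being concatenated into markup without encoding. The following is an added example, not code from Hacker One or from the article: the template, the escaping helper and the sample input are all constructed for illustration, and `escapeHtml`, `renderGreetingUnsafe`, `renderGreetingSafe` and `hasUnexpectedTags` are hypothetical names.

```javascript
// Added example (constructed; not from the HackerOne report or the article).
// Shows why an XSS flaw exists and how contextual output encoding removes it.

// Characters that carry meaning in an HTML text context, mapped to entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode an untrusted value for insertion into HTML element content.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the user-controlled value is concatenated into the
// markup unchanged, so any tags it contains become part of the page and run
// in the browser of every user who views it (stored or reflected XSS).
function renderGreetingUnsafe(displayName) {
  return `<p>Hello, ${displayName}!</p>`;
}

// Hardened rendering: the same template, but the untrusted value is encoded
// for the context it lands in, so the browser treats it as text, not markup.
function renderGreetingSafe(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}!</p>`;
}

// Defender-side check for a unit test: does the rendered document contain
// any element that the template itself did not put there?
function hasUnexpectedTags(html, allowedTags) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!allowed.has(match[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a display name a user might submit in a profile form.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Render the sample both ways and report whether a foreign tag got through.
function demo() {
  const unsafe = renderGreetingUnsafe(SAMPLE_INPUT);
  const safe = renderGreetingSafe(SAMPLE_INPUT);
  return {
    unsafe,
    safe,
    unsafeHasInjectedTag: hasUnexpectedTags(unsafe, ['p']),
    safeHasInjectedTag: hasUnexpectedTags(safe, ['p']),
  };
}

console.log(demo());
```

The encoder above is correct only for HTML element content; values placed into attributes, JavaScript, CSS or URLs each need their own encoder, which is why templating frameworks with context-aware auto-escaping are the usual fix rather than a hand-written helper.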
Researchers found that the more common a vulnerability is, the less ethical hackers are paid for it, & thus the less organisations spend to locate & mitigate it, observed Hacker One Senior Director of Product Management Miju Han.
“Finding the most common vulnerability types is inexpensive,” he said in a press statement, noting that only three of the top 10 vulnerabilities on the list — improper access control, server-side request forgery (SSRF) & information disclosure — saw their average bounty awards rise more than 10% over the course of 2020.
This shows that using ethical hackers to root out bugs can potentially be a more ‘cost-effective value proposition’ for organisations than using “traditional security tools & methods, which become more expensive & cumbersome as goals change & attack surface expands,” Han suggested.
Among the vulnerabilities reported during 2020, improper access control rose from 9th place to 2nd, & information disclosure, which held steady in 3rd place by frequency, became more valuable on the bug-bounty market, researchers noted.
Awards for improper access control increased 134% year on year to a little over $4 million, while bug bounties for information disclosure rose 63% year over year.
Because access-control design decisions have to be made by people, not technology, the potential for errors is high, the researchers commented. These flaws are also nearly impossible to detect with automated tools, which makes an ethical hacker’s ability to identify them more valuable, they stated.
Even large tech companies that were historically resistant to being transparent about their products’ security protocols have warmed to the idea of rewarding ethical hackers for their work. Both Apple & ByteDance’s TikTok launched public, award-based bug-bounty programs in the last year.
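The point that access-control decisions are human design decisions, invisible to automated tools, is easiest to see with the insecure direct object reference (IDOR) pattern from the list: a handler that looks up a record by the id in the request without checking who is asking. The following is an added example, not code from Hacker One or from the article; the in-memory store, the session objects, the handlers (`getInvoiceUnsafe`, `getInvoiceSafe`) and the expected-access table are constructed, and it shows how the intended ownership rule can be written down and tested explicitly.

```javascript
// Added example (constructed; not from the HackerOne report or the article).
// One improper-access-control bug (IDOR) beside its fix, plus the explicit
// authorization test that catches it. No scanner knows which user is meant
// to own which record, so that rule has to be written down by a person.

// Constructed in-memory records, keyed by the id that appears in the URL.
const INVOICES = new Map([
  [101, { ownerId: 'alice', amount: 42 }],
  [102, { ownerId: 'bob', amount: 99 }],
]);

// Vulnerable handler: trusts the id from the request and never asks who is
// requesting. Any authenticated user can read any invoice by changing the id.
function getInvoiceUnsafe(session, invoiceId) {
  const invoice = INVOICES.get(invoiceId);
  return invoice ? { status: 200, body: invoice } : { status: 404 };
}

// Hardened handler: object-level authorization on every request. A record the
// caller does not own is reported exactly like a record that does not exist,
// so the response does not reveal which ids are valid.
function getInvoiceSafe(session, invoiceId) {
  const invoice = INVOICES.get(invoiceId);
  if (!invoice || invoice.ownerId !== session.userId) {
    return { status: 404 };
  }
  return { status: 200, body: invoice };
}

// Human-written statement of who may see what. This is the design decision
// the text refers to; writing it as a table makes it testable.
const EXPECTED_ACCESS = [
  { userId: 'alice', invoiceId: 101, allowed: true },
  { userId: 'alice', invoiceId: 102, allowed: false },
  { userId: 'bob', invoiceId: 101, allowed: false },
  { userId: 'bob', invoiceId: 102, allowed: true },
  { userId: 'mallory', invoiceId: 101, allowed: false },
];

// Run every (user, object) pair through a handler and return the cases where
// the observed outcome disagrees with the expected matrix.
function findAccessViolations(handler, matrix) {
  const violations = [];
  for (const expected of matrix) {
    const res = handler({ userId: expected.userId }, expected.invoiceId);
    const granted = res.status === 200;
    if (granted !== expected.allowed) {
      violations.push({ ...expected, observedStatus: res.status });
    }
  }
  return violations;
}

console.log('unsafe handler violations:', findAccessViolations(getInvoiceUnsafe, EXPECTED_ACCESS));
console.log('safe handler violations:', findAccessViolations(getInvoiceSafe, EXPECTED_ACCESS));
```

The matrix, not the handler, is where the security decision lives: a generic scanner sees two handlers that both return valid JSON, and only the table written by someone who knows the business rule tells the two apart.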
Han noted that the ‘boost in interest’ in ethical hacking in 2020 also has come about due to the increased digitalisation of organisations’ products & services, caused by the pandemic & its stay-at-home requirements.
“Businesses scrambled to find new revenue streams, creating digital offerings for customers whose lifestyles had dramatically changed,” he outlined in the statement. “Tens of millions of workers started working remotely ‘whether or not’ they were ready.”
This “accelerated pace of digital transformation” gave security leaders a new perspective on using ethical hacking to augment existing security resources, making them more willing to support a ‘pay-for-results-based’ approach, Han concluded.