SQL Injection, XSS Vulnerabilities Continue to Plague Organizations

BreachLock was featured in a CSO Online article, SQL Injection, XSS Vulnerabilities Continue to Plague Organizations, after releasing our Annual Pen Testing Intelligence Report in 2022.

What’s in the Pen Testing Intelligence Report?

The intelligence report highlighted statistics from over 8,000 pen testing exercises performed by BreachLock in 2022, including industry-specific, organization size-specific, and asset-specific insights based 100% on sanitized data we analyzed from our pen testing as a service (PTaaS) platform. In the report, we include top vulnerabilities in each type of asset categorized by risk, including Internal and External Networks, Web Applications, Mobile Applications, and APIs. We also include benchmarking data in the report to be used by security leaders such as Mean Time to Remediate certain vulnerabilities based on organization size and industry.

SQL Injection and Cross-Site-Scripting (XSS) Vulnerabilities in Pen Test Results

After releasing the report, CSO Online reached out to us to dive deeper into one finding included in the report – SQL Injection and Cross-Site Scripting attacks being the top vulnerabilities found by our pentesters, specifically in smaller companies.

The author of the CSO Online article, John P. Mello Jr., drew attention to the fact that, despite topping common vulnerability lists for years, SQL injection and Cross-Site Scripting (XSS) continue to plague organizations’ systems and create headaches for security teams. As Mello drew attention to, BreachLock found that 35% of critical vulnerabilities in web applications were attributed to injection or data exposure, which is something to be concerned about considering the sheer number of applications that are hosted on the internet in the age of digitalization. Even BreachLock’s security experts were surprised to see how common SQL injection still was in 2021, which is comparable to how common the vulnerabilities were back in 2014 and 2015.

Although the SQL injection-related findings are a cause for concern in some ways, cross-site scripting vulnerabilities accounting for more than 50% of the high-risk findings in web apps is an even greater cause for concern. As the intelligence report explained, developers often take the “deny list” approach to data validation over the “allow list” approach, which increases the risk of the exploitation of cross-site scripting vulnerabilities.

As Mello mentioned, critical and high-risk findings for web apps luckily only represent 5% of all findings out of the total vulnerabilities found in web applications, confirming that web application security being more widely adopted by DevOps has resulted in improved application security.

Reduce Risk and Meet Compliance with Pen Testing from BreachLock

BreachLock specializes in fast and comprehensive Pen Testing as a Service as a recognized global leader in cybersecurity. We leverage a human-led, AI-enabled pen testing methodology that makes pen testing 50% faster and lowers TCO for our clients by 50%. We’re helping over 700 clients meet compliance and certification standards such as SOC 2, GDPR, ISO 27001 HIPAA, and PCI DSS, and improving their cybersecurity resilience through practical and easy-to-follow recommendations and 1-1 support.

Ready to rapidly improve your cyber resiliency and reach your security goals faster than ever? Contact us to learn more about what our hybrid pen testing approach can do for your organization.