WordPress and Apache Struts lead web platforms in the number of vulnerabilities with exploits

RiskSense has published the findings of an analysis of 1622 vulnerabilities in web frameworks and platforms identified from 2010 to November 2019. Some conclusions:

  • WordPress and Apache Struts account for 57% of all vulnerabilities for which exploits have been prepared for attacks.
    Next come Drupal, Ruby on Rails and Laravel. The list of platforms with exploited vulnerabilities also includes Node.js and Django, but each of them has only one vulnerability with an exploit, out of 56 and 66 known vulnerabilities respectively. The most common vulnerabilities in WordPress are cross-site scripting, and in Apache Struts they are input validation problems.

  • Projects written in PHP and Java lead in the number of vulnerabilities with existing exploits.
  • In 2019, the total number of vulnerabilities decreased, but the share of vulnerabilities with exploits increased from 3.9% to 8.6%, mainly due to an increase in the number of exploits for Ruby on Rails, WordPress and Java.
  • The most common vulnerability in the 10-year sample is cross-site scripting (XSS). In the 5-year sample, the leaders are vulnerabilities caused by improper input validation (24% of all vulnerabilities with exploits), and XSS dropped to 5th place.
  • Vulnerabilities that allow SQL, code and command injection are relatively rare, but they lead in terms of the availability of exploits: exploits have been prepared for more than 50% of such vulnerabilities (60% for command injection and 39% for code injection).

Source: opennet.ru
