Fewer Vulnerabilities in Web Frameworks, but Exploits Remain Steady

Attackers continue to focus on web and application frameworks, such as Apache Struts and WordPress, fighting against a decline in vulnerabilities, according to an analysis.

The number of vulnerabilities in major web-application frameworks has declined since peaking most recently in 2016, but attackers have remained focused on exploiting weaknesses in the software platforms, according to an analysis published by cybersecurity firm RiskSense on March 16.

The result is that while major frameworks such as Apache Struts and platforms such as WordPress have seen fewer overall vulnerabilities, the weaponization rate climbed to 8.6% in 2019, exceeding the 3.9% rate for the National Vulnerability Database as a whole. The data suggests that although the groups and organizations responsible for maintaining the frameworks have become better at securing the code, attackers remain focused on finding ways to use the even smaller number of security bugs to compromise web application servers, says Wade Williamson, a researcher with RiskSense.

"Web application frameworks are the last piece of code that people pay attention to," he says. "But they are Internet-facing, there are a lot of them, and they are easy to find once they are out there."

The data suggests that companies should take stock of their web application frameworks from the standpoint of security. The typical website is scanned by automated attacks targeting exploitable vulnerabilities dozens of times a day, past research has shown.

Because developers typically are not going to help maintain the actual framework, and producing patches for web application frameworks can sap a great deal of developer productivity, selecting the right platform for a company's web applications is extremely important, Williamson says.

"No matter how good of a developer you are, if there is a vulnerability in your framework, your application is going to be vulnerable," he says. "As a developer and an organization, choosing a framework is a big deal — it is what the security of your apps will rely on."

While the rate of exploitation — or weaponization, as RiskSense calls it — has increased, the absolute number of exploits has not risen by much. The increase in the rate of weaponization is more due to the drop in vulnerabilities in the frameworks overall — a positive sign.

However, WordPress, Apache Struts, and Drupal — along with their parent languages PHP and Java — continue to have the highest rates of weaponization, Williamson says. 

"We have been seeing very different types of problems in the past five years versus the past 10, but even as that changed, the problems with weaponization were still in the same spots," he says. "The hot spots remained the same."

It's not just a measure of their popularity or of the framework's age, he adds. Apache Struts, for example, is declining in popularity but has had a significant number of vulnerabilities, 

"I think Apache Struts is one of the first frameworks that I, as a developer, would consider moving away from," he says. "It is not just about who has the broadest footprint, because the attackers are still very active in investigating certain frameworks, even as their popularity goes down."

The Python frameworks have become very popular and both the number of vulnerabilities found in popular frameworks, such as Django and Flask, and the weaponization rates have been very low. 

JavaScript has also become increasingly scrutinized by researchers, with many more vulnerabilities discovered. But so far, only one issue in the Node.js framework has been exploited in the past five years, according to RiskSense data.

However, web application frameworks have evolved over time, as have the vulnerabilities that attackers have found. In 2010, cross-site scripting, input validation, and permission errors topped the list of reported security issues. In 2019, the top three issues were input validation, information exposure, and access control. Cross-site scripting has fallen to the fifth most exploited issue.

From a vulnerability standpoint, Python-based and JavaScript-based frameworks seem to have the fewest vulnerabilities and the fewest weaponized vulnerabilities, and perhaps those frameworks should be increasingly considered, Williamson says.

"Upgrading frameworks is kind of a pain and risky for developers because as you move from version to version, you have to maintain your changes," he says. "So, to me, the choice of framework is one of risk and the level of maintenance you can tolerate."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

User Rank: Author
3/18/2020 | 5:34:09 AM
Not just the numbers but the who
You mention trends and numbers but what we should be looking at is the "who". Web application numbers are exploding into the millions. But the target interest remains much smaller. It's the large corporations that are the fat targets. So looking at an overall Struts trend is misleading. What is the trend at the large, legacy development organizations? They are still relying heavily on the well established frameworks and will likely continue to do so for a long time coming.