In our previous blog post we discussed how the GambleForce attacker group relies primarily on SQL injection as its main attack vector when targeting companies in the APAC region. While that post highlights that attackers still exploit SQL injection, it does not show how common such weaknesses are in everyday applications.
Because modern development includes libraries with built-in security layers, such as object-relational mapping (ORM) and prepared-statement frameworks, it may seem that code vulnerabilities such as SQL injection are a thing of the past. But are they?
Many attacks and incidents involving code vulnerabilities in first-party code are never publicly disclosed, which makes it hard to know how frequent weaknesses such as SQL injection really are.
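The "built-in security layer" of a prepared statement is simply that user input is bound as a parameter rather than spliced into the query text. The following added example (not code from the original post or from Backslash) shows the two patterns side by side using Python's standard `sqlite3` module and a constructed in-memory `users` table, plus the case that parameter binding cannot cover: identifiers such as an `ORDER BY` column, which have to be validated against an allow-list instead. The table, rows and function names are all assumptions made for the example.

```python
import sqlite3

# Columns that callers may sort by; identifiers cannot be bound as parameters,
# so an allow-list is the defensive control for that case.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def make_db():
    """Create a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """CWE-89 pattern: the caller-supplied value becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_allowed_sort_column(column):
    """Allow-list check for identifiers, which placeholders cannot protect."""
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, column):
    """Sort by a caller-chosen column; reject anything not on the allow-list."""
    if not is_allowed_sort_column(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    # Safe to interpolate only because `column` was validated above.
    return conn.execute(f"SELECT name, role FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    # A benign lookup behaves the same either way.
    print(find_user_vulnerable(db, "bob"), find_user_safe(db, "bob"))
    # A value containing a quote shows the difference: the concatenated query
    # changes meaning, the parameterized one just finds no such user.
    odd_name = "x' OR '1'='1"
    print(len(find_user_vulnerable(db, odd_name)), len(find_user_safe(db, odd_name)))
    print(list_users_sorted(db, "role"))
```

The same distinction applies inside an ORM: query-builder calls bind parameters for you, but any "raw SQL" escape hatch that accepts a formatted string puts you back in the first function above, which is one reason the weakness keeps appearing in code that nominally uses an ORM.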
In the last six years, more than 110K vulnerabilities were published in the National Vulnerability Database (NVD) and classified by weakness type (CWE). This allows us at Backslash to build lists of the 10 most common CWEs each year and to analyze how common each CWE type is, and how it trends over time, in real-world applications.
We also rely on GHSA (GitHub Security Advisory) as a vulnerability database, since it provides better coverage of software written in more modern, higher-level languages such as TypeScript, Go and Python.
Analyzing the last six years of NVD data shows that the top 10 most common CWEs in 2023 are nearly identical (8 of 10) to those of the previous six years (2018 to 2023). Furthermore, when only critical-severity vulnerabilities are considered, 8 of the top critical CWEs in 2023 persist from the past six years. Notably, weaknesses like Cross-Site Scripting, SQL injection, Path Traversal and more continue to be prevalent.
NVD top CWEs in 2018-2023 compared to 2023 (source: Backslash based on NVD)
After running this analysis at Backslash, we found that the MITRE team has also recognized that some CWEs persist in the Top 25 CWE lists it publishes every year, and has defined a list of "stubborn" weaknesses.
A closer look at vulnerabilities in the SQL injection category (CWE-89) indicates a significant uptrend of 450% from 2020 to 2023, with the total number of vulnerabilities in this category increasing from 370 to 1692. Other vulnerability types showing an upward trend include Path Traversal (CWE-22), Cross-Site Scripting (CWE-79), CSRF (CWE-352) and more.
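The analysis described above (top-N CWEs per period, the overlap between one year's list and the multi-year list, and the growth of a single CWE between two years) reduces to counting and set intersection over records that carry a year, a CWE and a severity. The following is an added example, not Backslash's own tooling, that implements those three steps over a small constructed data set; the record layout and the counts are assumptions chosen so the arithmetic is easy to follow, and they are not NVD figures.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str      # placeholder identifier, not a real CVE
    year: int
    cwe: str
    severity: str    # "CRITICAL", "HIGH", ...


# Constructed sample: (year, cwe, severity, number of records to generate).
SAMPLE_SPEC = [
    (2020, "CWE-79", "HIGH", 3),
    (2020, "CWE-89", "CRITICAL", 2),
    (2020, "CWE-22", "HIGH", 1),
    (2021, "CWE-79", "HIGH", 3),
    (2021, "CWE-89", "CRITICAL", 2),
    (2021, "CWE-787", "CRITICAL", 1),
    (2022, "CWE-89", "CRITICAL", 4),
    (2022, "CWE-79", "HIGH", 2),
    (2022, "CWE-22", "HIGH", 1),
    (2023, "CWE-89", "CRITICAL", 6),
    (2023, "CWE-79", "HIGH", 3),
    (2023, "CWE-352", "HIGH", 2),
    (2023, "CWE-22", "CRITICAL", 1),
]


def build_records(spec=SAMPLE_SPEC):
    """Expand the spec into individual records with placeholder CVE ids."""
    records, seq = [], 0
    for year, cwe, severity, count in spec:
        for _ in range(count):
            seq += 1
            records.append(Vuln(f"CVE-{year}-EXAMPLE{seq:04d}", year, cwe, severity))
    return records


def top_cwes(records, years, n=10, severity=None):
    """Most common CWEs over the given years, optionally for one severity."""
    counts = Counter(
        r.cwe for r in records
        if r.year in years and (severity is None or r.severity == severity)
    )
    return [cwe for cwe, _ in counts.most_common(n)]


def persistent_cwes(records, baseline_years, year, n=10, severity=None):
    """CWEs that appear both in the baseline period's top-N and in one year's top-N."""
    baseline = set(top_cwes(records, baseline_years, n, severity))
    current = set(top_cwes(records, {year}, n, severity))
    return sorted(baseline & current)


def yearly_counts(records, cwe, years):
    """Count of records for one CWE in each year, for trend plotting."""
    return {y: sum(1 for r in records if r.cwe == cwe and r.year == y) for y in years}


def percent_change(records, cwe, from_year, to_year):
    """Growth of one CWE between two years, as a percentage of the starting count."""
    start = yearly_counts(records, cwe, [from_year])[from_year]
    end = yearly_counts(records, cwe, [to_year])[to_year]
    if start == 0:
        raise ValueError(f"no {cwe} records in {from_year}; growth is undefined")
    return (end - start) / start * 100.0


if __name__ == "__main__":
    recs = build_records()
    years = range(2020, 2024)
    print("top 3, 2020-2023:", top_cwes(recs, set(years), n=3))
    print("top 3, 2023:", top_cwes(recs, {2023}, n=3))
    print("persistent:", persistent_cwes(recs, set(years), 2023, n=3))
    print("CWE-89 by year:", yearly_counts(recs, "CWE-89", years))
    print("CWE-89 growth 2020->2023: %.0f%%" % percent_change(recs, "CWE-89", 2020, 2023))
```

Two caveats when running this over real NVD or GHSA exports: many entries carry more than one CWE (or the placeholder `NVD-CWE-Other`/`NVD-CWE-noinfo`), so the record builder has to decide whether to count each mapped CWE or drop unmapped entries, and `Counter.most_common` breaks ties by insertion order, which matters when two CWEs sit on the boundary of a top-10 cut.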
Analyzing the GHSA vulnerability database again highlights the prevalence of six of the 10 stubborn CWEs in its list.
The following reveals three noteworthy insights into the top CWEs that differ from those found in the NVD database.
NVD top CWEs in 2023 compared to GHSA top CWE in 2023 (source: Backslash based on NVD and GHSA)
GHSA top critical CWEs compared to GHSA top CWEs per language (source: Backslash based on GHSA)
Recognizing the persistent nature of certain weakness types over the years prompts questions about the effectiveness of security practices employed by organizations and individuals.
To address this, we've created the Backslash Weakness Database to educate security professionals on weakness trends and provide developers with best practices and remediation guides.