
Are SQL injections, Path traversal and other vulnerabilities obsolete?

Amit Bismut

January 30, 2024

In our previous blog post we discussed how the GambleForce attacker group relies on SQL injection as its main attack vector when targeting companies in the APAC region. That shows attackers still exploit it, but it says nothing about how common such weaknesses are in everyday applications.

Because modern development stacks ship libraries with built-in security layers, such as object-relational mappers (ORMs) and prepared-statement frameworks, it can seem as if code vulnerabilities like SQL injection are a thing of the past. But are they?
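As an added example that is not part of the original post, the following Python script shows why a prepared statement neutralizes the classic `' OR '1'='1` payload while string formatting does not, and how the same string formatting reintroduces the weakness when it is handed to an ORM's raw-SQL escape hatch. It uses an in-memory SQLite database; the table rows, the attacker payload and the helper names are all constructed for this example.

```python
"""Added example (not from the original post): why SQL injection survives
ORMs and prepared statements. Runs offline against an in-memory SQLite
database; the rows and the attacker payload below are constructed."""
import sqlite3

# Constructed sample data: two users, one of them an admin.
SAMPLE_USERS = [
    (1, "alice", "alice-secret", 1),
    (2, "bob", "bob-secret", 0),
]


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """CWE-89: user input is spliced straight into the SQL text, so the
    database cannot tell where the query ends and the data begins."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Prepared statement: the SQL text is fixed and the values travel
    separately, so a quote inside the input is just a quote."""
    sql = "SELECT id, name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def find_by_name_orm_raw(conn: sqlite3.Connection, name: str) -> list:
    """Hypothetical helper standing in for the raw-SQL entry point most
    ORMs expose (Django's raw(), SQLAlchemy's text(), Sequelize's query()).
    The ORM adds no protection when it is handed a pre-formatted string."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


# Constructed payload: turns the WHERE clause into a tautology.
ATTACK_NAME = "x' OR '1'='1"
ATTACK_PW = "x' OR '1'='1"


def demo() -> dict:
    """Run the same payload through each variant and return the rows seen."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, ATTACK_NAME, ATTACK_PW),
        "parameterized": login_parameterized(conn, ATTACK_NAME, ATTACK_PW),
        "orm_raw": find_by_name_orm_raw(conn, ATTACK_NAME),
        "legit": login_parameterized(conn, "alice", "alice-secret"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

With the payload above the concatenated query becomes `... WHERE name = 'x' OR '1'='1' AND pw = 'x' OR '1'='1'`, which is true for every row, so both the plain string-formatted query and the ORM raw-query variant return all users, while the parameterized query returns nothing. The point for reviewers is that the ORM is not the control; the parameter binding is, and any path that bypasses it (raw(), text(), string-built filters) needs the same scrutiny as hand-written SQL.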

Being data driven with NVD and GHSA

Many attacks and incidents involving vulnerabilities in first-party code are never publicly disclosed, which makes it hard to know how frequent weaknesses such as SQL injection really are.

In the last six years more than 110K vulnerabilities were published in the National Vulnerability Database (NVD) and classified by weakness type (CWE). That lets us at Backslash build a top 10 list of the most common CWEs for each year and analyze how prevalent each weakness type is in real-world applications and how it trends over time.

We also rely on the GitHub Security Advisory (GHSA) database, which gives better coverage of software written in more modern, higher-level languages such as TypeScript, Go and Python.

Stubborn weakness types

Analyzing the last six years of NVD data shows that the top 10 most common CWEs in 2023 are nearly identical (8 of 10) to the top 10 for the whole 2018 to 2023 window. The same holds when only critical-severity vulnerabilities are considered: 8 of the top 10 CWEs among critical vulnerabilities in 2023 also appear in the six-year list. Weaknesses like Cross-Site Scripting, SQL injection and Path Traversal remain among the most prevalent.

NVD top CWEs in 2018-2023 compared to 2023 (source: Backslash based on NVD)

After running this analysis at Backslash we found that the MITRE team has recognized the same pattern: some CWEs persist year after year in the CWE Top 25 tables they publish, and MITRE now defines a list of "stubborn weaknesses" for them.

Weaknesses that trend up

A closer look at the SQL injection category (CWE-89) shows a steep rise from 2020 to 2023: the number of vulnerabilities in this category grew roughly 4.5-fold, from 370 to 1692. Other weakness types trending upward include Path Traversal (CWE-22), Cross-Site Scripting (CWE-79), CSRF (CWE-352) and more.

Weaknesses in upper-level languages 

Analyzing the GHSA database shows the same pattern: six of the ten stubborn CWEs from the NVD list also appear in GHSA's top 10.

Three noteworthy differences stand out between the GHSA top CWEs and those found in NVD:

  • Memory-related weaknesses (out-of-bounds write and read, use after free, etc.) are absent from the GHSA top 10, as expected for advisories that mostly cover memory-safe languages.
  • The GHSA top 10 adds two weaknesses that are not in the NVD top 10: code injection and exposure of sensitive information.
  • Restricting GHSA to critical-CVSS advisories adds injection, deserialization of untrusted data, improper authentication, XXE and prototype pollution.

NVD top CWEs in 2023 compared to GHSA top CWE in 2023 (source: Backslash based on NVD and GHSA)

Are JavaScript, Python and others more vulnerable to..?

The answer is yes, but to different things. Linking GHSA advisories to a specific ecosystem, for example associating PyPI advisories with Python, shows that each language has its own weakness profile: JavaScript is less susceptible to SQL injection and more prone to prototype pollution, while Injection (CWE-74) is more common in Java, Python and JavaScript.

GHSA top critical CWEs compared to GHSA top CWEs per language (source: Backslash based on GHSA)

Conclusions

The persistence of the same weakness types year after year raises questions about how effective the security practices used by organizations and individual developers really are.

To address this, we've created the Backslash Weakness Database to educate security professionals on weakness trends and provide developers with best practices and remediation guides.