Explore how attackers operate and their favorite tools and targets in our new SANS research. Get the Report ›

The State of Vulnerabilities in 2022

Purple background with The State of Vulnerabilities and pie chart showing Severity Classification of 2022 Vulnerabilities

Share

“You’re only as strong as your weakest link.” Or in the cyber space – vulnerabilities. By keeping watch of vulnerabilities that are reported to sources such as bug bounty programs, we offer you insights into current threats that potentially plague your environments. 

We've collected and analyzed publicly disclosed reports from January to July 2022 to better understand the most frequently reported vulnerability types, the highest-disclosed bounties, and more.

The following are some attributes we considered:

Property

Description

Report Title

The name the author gave to the report. It does not always include the vulnerability type.

Date

The date when the vulnerability was first reported to the specified program.

Author

The name or alias of the reporter. Sometimes, multiple authors are credited as team members.

Program

Most likely the name of the company behind the bug bounty program. It can also be the Internet Bug Bounty, which rewards security research into vulnerabilities affecting open-source software projects.

Severity

The severity is calculated based on several factors such as the attack vector, attack complexity, privileges required, user interaction, availability, integrity, confidentiality, and scope.

Bounty

The amount paid to the reporter or team of reporters. This is calculated by the program owner and differs between programs.

After collecting the data, we analyzed and processed the records to facilitate categorization. This allowed us to easily capture the most important information.

The resulting file was then used to make the following filtered table based on the attributes from the data points above:

Image with black background that shows Figure 1: Vulnerability Attributes Example
Figure 1: Vulnerability Attributes Example.

Now, let’s explore some of these remarkable statistics.

Data takeaways

We categorized the noteworthy report data into the following list:

  • Highest Bounty
  • Most Reported Vulnerability Type
  • Most Reported Severity
  • Other Stats

Highest Bounty

The highest bounty of $29,000 was paid to author vakzz for the “arbitrary file read via the bulk imports UploadsPipeline” vulnerability affecting GitLab. This report detailed a critical vulnerability where a user with access to import a group on GitLab could read arbitrary files on the GitLab server due to symlinks not being removed or filtered when the UploadsPipeline was run for the bulk imports API.

The author proved the impact by showing the contents of /etc/passwd as well as the /srv/gitlab/config/secrets.yml file, which contains keys, passwords, API tokens, and other sensitive information.

For those that are curious, here are the next four highest bounties:

Title

Author

Program

Severity

Bounty

bd-j exploit chain

theflow0

PlayStation

High

$20,000.00

Steal private objects of other projects via project import

saltyyolk

GitLab

Critical

$20,000.00

Private objects exposed through project import

saltyyolk

GitLab

Critical

$20,000.00

Full Response SSRF via Google Drive

bugdiscloseguys

Dropbox

Critical

$17,576.00

Figure 2: Four Highest Paid Bounties of 1H 2022. 

Note that one of the top paid bounties was not rated as a critical severity. The PlayStation program chose to assign only a high-severity rating to the bd-j exploit chain, which consists of five vulnerabilities (three medium, two high). However, this vulnerability would effectively allow an attacker to gain JIT capabilities and execute arbitrary payloads that could be used for different purposes, including shipping pirated games on Blu-ray discs.

Most Reported Vulnerability Type

Cross-site scripting (XSS) took the number one spot as the most reported vulnerability (and personal favorite of this blog author). While JavaScript frameworks such as React and Angular provide additional protection against such attacks, penetration testers always figure out ways to bypass and exploit them, even when additional configurations such as content security policies (CSPs) are in place.

Even though XSS can no longer be considered a novel vulnerability, the data shows that it is still very much alive in modern web applications. One example is the Email templates XSS by filterXSS bypass report, where the author used a custom function to trigger the payload. However, this led to only self XSS, so another bypass was needed. This was cleverly resolved by using an authentication feature in the application to force another user to log into the attacker account to execute the script, leading to account takeover.

The following table shows the top three most reported vulnerability types:

Image with light background that shows Figure 3: Top Most Reported Vulnerability Types in 1H 2022
Figure 3: Top Most Reported Vulnerability Types in 1H 2022.

As shown above, server-side request forgery (SSRF) and account takeover were the second and third most reported vulnerability types.

SSRF has become a more severe threat due to the complexity of modern services. It is no longer leveraged as just a “port scanning tool,” but also as a more intricate way of exposing data and even as a remote code execution (RCE)-enabler method. Fetching a resource without validating user-supplied input has proven to be so problematic that it even earned a place in the OWASP Top 10 2021 list. It has affected big names such as Dropbox, GitHub, Slack, Uber, and Stripe. Even an SSRF report classified as low severity can earn a good bounty, as shown below

Image with black background that shows Figure 4: SSRF Reported Vulnerabilities
Figure 4: SSRF Reported Vulnerabilities.

As long as there is a need for users to login to a system, account takeover will be a problem. Its status as the third most reported vulnerability is no surprise, as companies and attackers have long battled one another trying to secure or compromise accounts, respectively.

New mechanisms attached to user accounts increase attack vectors, as there is not a single formula for account takeover. Unsurprisingly, multiple methods were exploited in the reports shown below:

Image with black background that shows Figure 5: Account Takeover Reported Vulnerabilities
Figure 5: Account Takeover Reported Vulnerabilities.

From HTML injection to unauthorized access, this vulnerability continues to be an issue not only for targeted users, but also for mass account takeover where authentication can be bypassed by using an alternate channel or other forms of improper authentication.

Most reported severity

Critical vulnerabilities were—thankfully—the least commonly reported, an expected outcome due to the work companies and developers put into preventing issues that could not only cost them money but also reputational damage, clients, and even lawsuits.

Low-severity issues surprisingly did not take first place either, though the ease of finding them and their lower complexity allows them to serve as an entry point for new bounty hunters.

That leaves medium-severity vulnerabilities as the most reported, affecting all kinds of organizations and earning that rating typically for lacking an easy way to be exploited, depending on specific requirements, or being too complex.

The graph below shows vulnerabilities reported by risk rating:


Image with white background that shows Figure 6: Vulnerability Severity Classification
Figure 6: Vulnerability Severity Classification.

Note: Some reports lack a severity rating, so the numbers on this chart do not represent the total vulnerabilities reported in the analysis timeframe.

Overall, the most common vulnerability rating reflects the current state of security practices for the companies involved in the bug bounty programs, giving us an idea of what kind of issues we can focus on to improve security. While medium-risk vulnerabilities may lack a straightforward means of exploitation or are protected by defense-in-depth mechanisms, they are just one step short of becoming high-severity issues with significant consequences.

Other stats

Interested in more statistics? We compiled some additional data below:

  • Lowest bounty paid: $50
  • Average bounty paid: $1,963
  • RCE reports disclosed: 10
  • SQL injection reports disclosed: 14
  • Total paid in available data: $514,303
  • Internet Bug Bounty reports: 33

Looking Ahead

Understanding the current state of common vulnerabilities on modern applications without neglecting new or uncommon threats allows us to stay one step ahead of attackers while searching for weak points in systems. Review of these issues also helps us to recognize the effort made by companies to reduce common attack vectors. While severe vulnerability remediation is essential, we can’t ignore lower-rated issues that could have a considerable impact or be escalated into something more serious.

Studying the current data and how it aligns with past and current versions of common vulnerabilities such as the OWASP Top 10 can help us find patterns, but there will always be surprises as attackers explore rapidly changing technologies to discover and exploit new vulnerabilities.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Headshot BF Carlos Yanez

About the author, Carlos Yanez

Carlos Yanez is a Security Consultant III at Bishop Fox. His focus areas include web application assessments, cloud penetration tests, as well as mobile devices penetration tests. Prior to joining Bishop Fox, he worked on multiple e-commerce platforms as a Penetration Tester and spent years as a Web Developer and Systems Administrator. When AFK, he enjoys spending time with family and friends as well as learning new things and playing guitar.

More by Carlos

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.