Go hack yourself with Detectify

A web security blog from Detectify

First encounters through the eyes of the Detectify scanner

December 16, 2015

What do typical websites look like through the eyes of our vulnerability scanner the first time they are tested? How does that picture change over time? Take a look behind the scenes, in the first of a long series of insights into our data.

In 2015 we tracked down over 2 million vulnerabilities in more than 20 thousand websites all around the world; in the month of November alone, that worked out to roughly one vulnerability every other eye blink. These, of course, cover a wide variety of security flaws, and they are classified on the fly by their characteristics and overall impact according to the Common Vulnerability Scoring System (CVSS) specification.

Seen this way, every website looks unique: the number of vulnerabilities typically grows with the size of the site, and their severity depends on many different factors. We asked ourselves whether we could identify common weaknesses, and whether we could somehow illustrate a typical website in terms of its vulnerability status.

That picture is the bubble chart below, which shows a typical website as our vulnerability scanner sees it the first time it is tested.

[Bubble chart: a typical website as seen by the Detectify vulnerability scanner on its first test]

Each bubble represents a specific vulnerability.

The bubbles come in three different colors, corresponding to our categorization of vulnerabilities according to their severity:

  • in red, the most critical ones, with a CVSS score greater than or equal to 6;
  • in yellow, those with a CVSS score greater than or equal to 3 and smaller than 6;
  • in blue, the lower severity ones, with a CVSS score greater than zero and smaller than 3.

The size of each bubble is proportional to the frequency with which the vulnerability it represents is found across all the websites we tested. For the most frequent vulnerabilities, that frequency is shown as a percentage in the chart.

To make a long story short, at the risk of oversimplifying the whole picture, we can say that the smaller a bubble is, the less likely that vulnerability is to be found. Things also look more secure when the big percentages sit in yellow or, better still, blue bubbles.

What vulnerabilities are mostly found during the first test?
The majority are medium and low severity ones, i.e. yellow and blue bubbles, with Missing DNSSEC showing up in about 85% of the cases, followed by SSL BEAST, found in 48% of the cases. The most relevant medium severity vulnerabilities are Cookie is not set to be HttpOnly and Technology Disclosure, found in 74% and 72% of all the cases respectively. Finally, among the most harmful ones, Login Cross Site Request Forgery is the most common, found in 33% of all the cases.

What happens after the first test?
Quite interestingly, although the sizes of the yellow and blue bubbles change quite a lot after the first test, there are 4 red bubbles that always stay at the top of the list of the most frequently found critical vulnerabilities.

Top 4 critical vulnerabilities found on websites

  • Login Cross Site Request Forgery (CSRF/XSRF)
  • Email Spoofing / Missing SPF Records
  • Potential Vulnerabilities In The Web Server
  • Cross Site Scripting

All in all, we hope you have found this helpful for preventing some of the weak spots that we most frequently find in websites.

Until next time, and may all the bubbles shrink!

Andrea Palaia
Data Scientist, Detectify