The 10 vulnerabilities most commonly discovered by bug bounty hunters in 2020

Cross-site scripting topped HackerOne's list, which also found improper access control and SSRF vulnerabilities climbing in both number and risk potential.

Bug bounty platform HackerOne has released its list of the most commonly discovered security vulnerabilities for 2020, with the 10 vulnerabilities listed accounting for $23.5 million in payouts to white hat hackers hunting down bugs and reporting them on its platform.

As the COVID-19 pandemic continues, businesses of all kinds have been forced to go digital faster than they may have planned, leading to a whole host of new potential security vulnerabilities. 

"Tens of millions of workers started working remotely whether or not they were ready," said HackerOne senior director of project management, Miju Han. "With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems." 

Lists like this one from HackerOne are invaluable for CISOs, especially in 2020: they could clue them in to problems they didn't know they had, problems that arose in the wake of the coronavirus.

HackerOne calls its top 10 list one of "the most impactful and rewarded vulnerability types," and it consists of the following, in descending order:

  1. Cross-site Scripting (XSS)
  2. Improper Access Control 
  3. Information Disclosure
  4. Server-Side Request Forgery (SSRF)
  5. Insecure Direct Object Reference (IDOR)
  6. Privilege Escalation
  7. SQL Injection
  8. Improper Authentication 
  9. Code Injection
  10. Cross-Site Request Forgery (CSRF)

HackerOne has four key findings that it takes away from the list: The persistent threat of XSS, a rapid rise in improper access control and information disclosure, SSRF vulnerabilities becoming much more dangerous, and a decline in SQL injection attacks.

Topping the list for the second year in a row is cross-site scripting, which involves an attacker injecting code into a website to steal data, user credentials, and other information. 2020 saw a 26% rise in XSS bug payouts, and XSS accounted for 18% of all bugs reported on HackerOne. 

Improper access control (IAC) involves an attacker leveraging poorly designed access restrictions to get their hands on sensitive data, and information disclosure can be seen as the result of an IAC attack. Information disclosure held on to the third spot, but it's IAC that is alarming: It rose from ninth place in 2019 to second place in 2020, with a 134% increase year over year. 

"Access control design decisions have to be made by humans, not technology, and the potential for errors is high, and both errors are nearly impossible to detect using automated tools," HackerOne said in a press release. 

With employees increasingly working remotely thanks to the pandemic, good access control is essential, and now may be the time for zero trust architecture to shine.

Server-side request forgery involves an attacker sending a malicious request through a vulnerable web application that causes the app to grant access to secured systems that aren't supposed to be accessible from outside. 

SSRF was long considered a relatively low-impact issue, HackerOne said, with attacks typically only enabling network scanning or access to an administrator panel. "In this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical," HackerOne said. With cloud services a key component of remote work under the restrictions imposed by COVID-19, SSRF is an even more important risk to protect against.
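The mitigation that follows from the two SSRF paragraphs above is a server-side check on any URL a user asks the application to fetch. The example below is added here and is not HackerOne's code: it rejects non-HTTP schemes and refuses hosts that resolve into loopback, private, or link-local space (the block where cloud instance-metadata endpoints live). The `resolver` parameter is an assumption introduced so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an SSRF typically reaches for: loopback, RFC 1918 private space,
# and the link-local block that hosts cloud instance-metadata endpoints
# (for example 169.254.169.254), plus their IPv6 counterparts.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr: str) -> bool:
    """True if a literal IP address falls inside any blocked range."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_safe_outbound_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Allow only http(s) URLs whose host resolves solely to external
    addresses. `resolver` (an assumption for testing) defaults to the real
    DNS resolver and must return getaddrinfo-shaped tuples."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        infos = resolver(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
    except (OSError, ValueError):  # unresolvable host or malformed port
        return False
    if not infos:
        return False
    # A name can mix public and private records; one internal answer is
    # enough to refuse the fetch.
    return all(not is_blocked_address(info[4][0]) for info in infos)
```

Because the real fetch resolves the name a second time, this check alone does not defeat DNS rebinding; pinning the connection to the address validated here closes that gap.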

In a small bit of good news, SQL injections, simple yet potentially devastating attacks, have been on the decline. HackerOne saw the category drop from fifth to seventh place between 2019 and 2020, which the company attributes to a shift in security posture toward proactive monitoring of attack surfaces and greater use of penetration testing.