“You’re only as strong as your weakest link.” Or in the cyber space – vulnerabilities. By keeping watch of vulnerabilities that are reported to sources such as bug bounty programs, we offer you insights into current threats that potentially plague your environments.
We've collected and analyzed publicly disclosed reports from January to July 2022 to better understand the most frequently reported vulnerability types, the highest-disclosed bounties, and more.
The following are some attributes we considered:
Property |
Description |
Report Title |
The name the author gave to the report. It does not always include the vulnerability type. |
Date |
The date when the vulnerability was first reported to the specified program. |
Author |
The name or alias of the reporter. Sometimes, multiple authors are credited as team members. |
Program |
Most likely the name of the company behind the bug bounty program. It can also be the Internet Bug Bounty, which rewards security research into vulnerabilities affecting open-source software projects. |
Severity |
The severity is calculated based on several factors such as the attack vector, attack complexity, privileges required, user interaction, availability, integrity, confidentiality, and scope. |
Bounty |
The amount paid to the reporter or team of reporters. This is calculated by the program owner and differs between programs. |
After collecting the data, we analyzed and processed the records to facilitate categorization. This allowed us to easily capture the most important information.
The resulting file was then used to make the following filtered table based on the attributes from the data points above:
Now, let’s explore some of these remarkable statistics.
We categorized the noteworthy report data into the following list:
The highest bounty of $29,000 was paid to author vakzz for the “arbitrary file read via the bulk imports UploadsPipeline” vulnerability affecting GitLab. This report detailed a critical vulnerability where a user with access to import a group on GitLab could read arbitrary files on the GitLab server due to symlinks not being removed or filtered when the UploadsPipeline was run for the bulk imports API.
The author proved the impact by showing the contents of /etc/passwd as well as the /srv/gitlab/config/secrets.yml file, which contains keys, passwords, API tokens, and other sensitive information.
For those that are curious, here are the next four highest bounties:
Title |
Author |
Program |
Severity |
Bounty |
bd-j exploit chain |
theflow0 |
PlayStation |
High |
$20,000.00 |
Steal private objects of other projects via project import |
saltyyolk |
GitLab |
Critical |
$20,000.00 |
Private objects exposed through project import |
saltyyolk |
GitLab |
Critical |
$20,000.00 |
Full Response SSRF via Google Drive |
bugdiscloseguys |
Dropbox |
Critical |
$17,576.00 |
Note that one of the top paid bounties was not rated as a critical severity. The PlayStation program chose to assign only a high-severity rating to the bd-j exploit chain, which consists of five vulnerabilities (three medium, two high). However, this vulnerability would effectively allow an attacker to gain JIT capabilities and execute arbitrary payloads that could be used for different purposes, including shipping pirated games on Blu-ray discs.
Cross-site scripting (XSS) took the number one spot as the most reported vulnerability (and personal favorite of this blog author). While JavaScript frameworks such as React and Angular provide additional protection against such attacks, penetration testers always figure out ways to bypass and exploit them, even when additional configurations such as content security policies (CSPs) are in place.
Even though XSS can no longer be considered a novel vulnerability, the data shows that it is still very much alive in modern web applications. One example is the Email templates XSS by filterXSS bypass report, where the author used a custom function to trigger the payload. However, this led to only self XSS, so another bypass was needed. This was cleverly resolved by using an authentication feature in the application to force another user to log into the attacker account to execute the script, leading to account takeover.
The following table shows the top three most reported vulnerability types:
As shown above, server-side request forgery (SSRF) and account takeover were the second and third most reported vulnerability types.
SSRF has become a more severe threat due to the complexity of modern services. It is no longer leveraged as just a “port scanning tool,” but also as a more intricate way of exposing data and even as a remote code execution (RCE)-enabler method. Fetching a resource without validating user-supplied input has proven to be so problematic that it even earned a place in the OWASP Top 10 2021 list. It has affected big names such as Dropbox, GitHub, Slack, Uber, and Stripe. Even an SSRF report classified as low severity can earn a good bounty, as shown below
As long as there is a need for users to login to a system, account takeover will be a problem. Its status as the third most reported vulnerability is no surprise, as companies and attackers have long battled one another trying to secure or compromise accounts, respectively.
New mechanisms attached to user accounts increase attack vectors, as there is not a single formula for account takeover. Unsurprisingly, multiple methods were exploited in the reports shown below:
From HTML injection to unauthorized access, this vulnerability continues to be an issue not only for targeted users, but also for mass account takeover where authentication can be bypassed by using an alternate channel or other forms of improper authentication.
Critical vulnerabilities were—thankfully—the least commonly reported, an expected outcome due to the work companies and developers put into preventing issues that could not only cost them money but also reputational damage, clients, and even lawsuits.
Low-severity issues surprisingly did not take first place either, though the ease of finding them and their lower complexity allows them to serve as an entry point for new bounty hunters.
That leaves medium-severity vulnerabilities as the most reported, affecting all kinds of organizations and earning that rating typically for lacking an easy way to be exploited, depending on specific requirements, or being too complex.
The graph below shows vulnerabilities reported by risk rating:
Note: Some reports lack a severity rating, so the numbers on this chart do not represent the total vulnerabilities reported in the analysis timeframe.
Overall, the most common vulnerability rating reflects the current state of security practices for the companies involved in the bug bounty programs, giving us an idea of what kind of issues we can focus on to improve security. While medium-risk vulnerabilities may lack a straightforward means of exploitation or are protected by defense-in-depth mechanisms, they are just one step short of becoming high-severity issues with significant consequences.
Interested in more statistics? We compiled some additional data below:
Understanding the current state of common vulnerabilities on modern applications without neglecting new or uncommon threats allows us to stay one step ahead of attackers while searching for weak points in systems. Review of these issues also helps us to recognize the effort made by companies to reduce common attack vectors. While severe vulnerability remediation is essential, we can’t ignore lower-rated issues that could have a considerable impact or be escalated into something more serious.
Studying the current data and how it aligns with past and current versions of common vulnerabilities such as the OWASP Top 10 can help us find patterns, but there will always be surprises as attackers explore rapidly changing technologies to discover and exploit new vulnerabilities.
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.