The Growing Security Risk On Websites — Third-Party Components

Building websites like a lego!

Component security risk on web applications has received the highest prevalence score (3) by the Open Web Application Security Project on their list of Top 10 web application security issues.

The list is based primarily on 40+ data submissions from firms that specialize in application security and an industry survey that was completed by over 500 individuals.

Web development has become much easier and tools such as WordPress allow even non-techies to provide web development services. By using different components (plugins, themes, extensions, libraries, etc.) they can build fully functional websites often with zero lines of code written. Every website like that has a significant component security risk.

Component security risk on Content Management Systems (CMS)

Screenshot from “The State of Web Application Vulnerabilities in 2018” report.

Vulnerabilities within CMS components are heavily exploited, and there’s a reason for it. Whenever an attacker finds a vulnerability in a popular component, there’s a possibility to gain access to hundreds of thousands of websites.

At the end of 2018, Imperva released a report by which a whopping 98% of vulnerabilities within the WordPress ecosystem were related to components — third-party plugins installed on the websites.

Outdated components pose the highest risk

Plugin management within WebARX security dashboard

Web development requires less and less technical knowledge. As long as the component delivers expected functionality, most don’t even bother to check who wrote the code nor even check if it’s properly maintained.

Even if the components are properly maintained by the developer, getting people to update their websites is a standalone challenge by itself.

Analyzing 15,000+ websites, that’s what we found.

Source: at WebARX we have built a website security platform that is trusted by thousands of web development agencies worldwide. We automate vulnerability monitoring, offer managed endpoint WAF, etc.

Just by taking a quick look at September, even without going deep, we can see some interesting data.

For example:

  1. Websites built on a WordPress run an average of 23 components built by a third-party developer.
  2. Meanwhile, ~4 of those components are outdated and haven’t been updated to the latest version.

Here are the top components outdated on those WordPress installations:

  1. Yoast SEO (has 5M+ active installations)
  2. Elementor (has 3M+ active installations)
  3. Akismet Anti-Spam (has 5M+ active installations)
  4. UpdraftPlus — Backup/Restore (has 3M+ active installations)
  5. Contact Form 7 (has 5M+ active installations)

Analyzing the traffic of WordPress sites (September 2019)

Just to dig a little bit deeper, let’s see what kind of attacks are most common. Let’s analyze 1.5 million firewall records from September, specific to WordPress.

Top 5 malicious GET requests:

You can see the bots being massively opportunistic, trying to leverage poor plugin code to access configuration files.

Top 5 malicious POST requests:

While the GET requests against WordPress are fairly basic, the POST requests often contain payloads that are very specific to a logic errors on some of the components.

On the chart below you can see that attacks against component security vulnerabilities happen in waves while multiple vulnerabilities are exploited at the same time.

Conclusion

Today content management systems and platforms like WordPress power more than 35% of the top 1M sites. Meanwhile, 98% of the security vulnerabilities within WordPress are coming from third-party components.

Such component security risk is apparent in most content management systems and on modern web development frameworks.

Take some time to get familiar with the components you’re using. Try to keep the number of components as low as possible and have a proper maintenance plan. It’s also good to stick to a trusted development stack!

Oliver is the founder and CEO of WebARX. WebARX is a security platform that enables web developers to monitor component vulnerabilities and to protect the sites with a managed endpoint WAF.

WebARX is also running the first open-source component focused bug bounty platform PlugBounty.com.

Feel free to say Hi! @ Twitter!

Passionate cyber-security entrepreneur. Founder of @webarx_security.