Bug bounty hunters are increasingly unearthing cloud-based vulnerabilities as organizations undergo ‘digital transformation’, a new report has found.
Researchers have uncovered more than 65,000 software vulnerabilities through bug bounty platform HackerOne in 2022, a year-on-year rise of 21%.
The increase, revealed in HackerOne’s 2022 Hacker-Powered Security Report, released today (December 13), is precisely the same percentage jump recorded in last year’s edition.
Misconfigurations on the rise
Now on its sixth instalment, the report also explores the continued impact of digital transformation on attack surfaces.
Cloud migration and the shift to remote work have seen organizations instituting ever-more granular permissions, a trend reflected in growing numbers of misconfiguration vulnerabilities – jumping 150% – and improper authorization issues, increasing by 45%.
Web applications continue to dominate the landscape, with 95% of hackers prioritizing websites. The next most popular targets are APIs (45%), Android mobile apps (38%), cloud platforms (24%), and open source (24%).
Meanwhile, companies running bug bounty programs should take note that slow response times (51%), limited scopes (50%), and poor communication (49%) were the most significant deterrents to engaging with a program.
HackerOne, which polled 5,000 hackers between September and October 2022, also found that 38% of bug hunters cited in-house expertise as the biggest cybersecurity challenge facing organizations. This finding reflects the intertwined trends of growing attack surfaces and the cybersecurity skills gap.
The utility of utilities
The most popular hacking tools used by ethical hackers are Burp Suite (87%), fuzzing utilities (47%), and web proxies or scanners (38%). One in three (34%) even build their own tools.
Nevertheless, 92% still back themselves to find vulnerabilities missed by scanners, with tools often proving useful for reconnaissance, according to the report.
“I use automated tools in my reconnaissance flow to find opportunities where to focus my efforts,” US hacker Jon Colston told HackerOne.
“While it can send immediate notification of a quick win, I’m more interested in collecting as much information as possible from various data repositories to analyze trends.
“Specifically, I’m identifying where an organization will likely store specific files or documentation which I can leverage into more advanced attacks. Performing recon with a purpose helps me develop a better picture of the landscape and quickly narrow down my list of targets from 5000 to 500.”
Although seven-figure payouts are increasingly common, HackerOne reports that mean and median bounty prices have not risen markedly – save for in the cryptocurrency and blockchain world, where average payouts soared by 315%.
While bug hunting only turns a select few into millionaires, 41% earned enough to consider it a career in itself, while 25% believed their freelance exploits had helped them get a promotion in their salaried position or otherwise progress their career.
Cross-site scripting (XSS) was again the most common bug reported, with total submissions up 32% year on year.
Copyright 2021 Associated Press. All rights reserved.
