Cloud flaws brought to the fore as bug bounty vulnerabilities hit 65k in 2022 – HackerOne

Bug bounty hunters are increasingly unearthing cloud-based vulnerabilities as organizations undergo ‘digital transformation’, a new report has found.

Researchers have uncovered more than 65,000 software vulnerabilities through bug bounty platform HackerOne in 2022, a year-on-year rise of 21%.

The increase, revealed in HackerOne’s 2022 Hacker-Powered Security Report, released today (December 13), is precisely the same percentage jump recorded in last year’s edition.

Misconfigurations on the rise

Now on its sixth instalment, the report also explores the continued impact of digital transformation on attack surfaces.

Cloud migration and the shift to remote work have pushed organizations toward ever more granular permission models, and the report links this to growing numbers of misconfiguration vulnerabilities (up 150%) and improper authorization issues (up 45%).

Web applications continue to dominate the landscape, with 95% of hackers prioritizing websites. The next most popular targets are APIs (45%), Android mobile apps (38%), cloud platforms (24%), and open source (24%).

Meanwhile, companies running bug bounty programs should take note that slow response times (51%), limited scopes (50%), and poor communication (49%) were the most significant deterrents to engaging with a program.

HackerOne, which polled 5,000 hackers between September and October 2022, also found that 38% of bug hunters cited in-house expertise as the biggest cybersecurity challenge facing organizations. This finding reflects the intertwined trends of growing attack surfaces and the cybersecurity skills gap.

The utility of utilities

The most popular hacking tools used by ethical hackers are Burp Suite (87%), fuzzing utilities (47%), and web proxies or scanners (38%). One in three (34%) even build their own tools.

Nevertheless, 92% say they can still find vulnerabilities that scanners miss; automated tools, according to the report, are most useful for reconnaissance rather than for finding the bugs themselves.

“I use automated tools in my reconnaissance flow to find opportunities where to focus my efforts,” US hacker Jon Colston told HackerOne.

“While it can send immediate notification of a quick win, I’m more interested in collecting as much information as possible from various data repositories to analyze trends.

“Specifically, I’m identifying where an organization will likely store specific files or documentation which I can leverage into more advanced attacks. Performing recon with a purpose helps me develop a better picture of the landscape and quickly narrow down my list of targets from 5000 to 500.”

Although seven-figure payouts are increasingly common, HackerOne reports that mean and median bounty payouts have not risen markedly, except in the cryptocurrency and blockchain sector, where average payouts soared by 315%.

While bug hunting only turns a select few into millionaires, 41% earned enough to consider it a career in itself, while 25% believed their freelance exploits had helped them get a promotion in their salaried position or otherwise progress their career.

Cross-site scripting (XSS) was again the most common bug reported, with total submissions up 32% year on year.

Source: https://portswigger.net/daily-swig/cloud-flaws-brought-to-the-fore-as-bug-bounty-vulnerabilities-hit-65k-in-2022-hackerone
