RiskSense experts did a great job and studied all vulnerabilities disclosed between 2010 and 2019. As it turned out, in 55% of cases, attackers exploit bugs in WordPress and Apache Struts in real attacks.
The Drupal CMS is the third most popular among hackers, followed by Ruby on Rails and Laravel. As for programming languages, the most attacked were vulnerabilities in PHP and Java applications.
At the same time, bugs in JavaScript and Python were the least popular, although RiskSense experts believe that this may change in the coming years, as both languages are now quite popular and their adoption is growing rapidly.
In particular, users and information security companies are advised to keep an eye on Node.js and Django, two of the most popular frameworks for the JavaScript and Python ecosystems. For instance, significantly more vulnerabilities were found in Node.js than in other JavaScript frameworks – 56 vulnerabilities, although only one has been actively exploited so far. Similarly, 66 vulnerabilities were discovered in Django, but only one was exploited. RiskSense expects that hackers will soon turn their attention to these rising stars of the programming world and explore the possibility of exploiting old bugs.
It is also noted that Perl and Ruby, which were extremely popular in the early 2010s, are now attacked less and less, as programmers had switched to JavaScript and Python by the end of the decade.
In addition, RiskSense researchers studied the types of exploitable vulnerabilities. It turned out that although cross-site scripting (XSS) flaws were the most common security flaws found in the 2010s, they were not the most exploited. That distinction belongs to various injection-related bugs, which can be abused to inject and run an attacker's own commands in the context of the victim's application or OS.
“Vulnerabilities associated with injection of SQL, code and various commands were quite rare, but at the same time they had one of the highest exploitation rates – often more than 50%,” the specialists summarize.