External Attack Surface Management insights
from Detectify's customer base

In brief

100% of the top three vulnerabilities across all industries didn't have an assigned CVE.
Overreliance on CVE-assigned vulnerabilities will continue to weaken organizations' security postures while giving them an even more unrealistic sense of security.

0 critical findings* were present among the Top 30 vulnerabilities for the SaaS industry.
The modern web tech stack faces more threats than ever, but most security scoring systems aren't helping teams understand their risk.

*Under CVSS definition.

EASM and how it's evolving

A brief overview of EASM


EASM is one of the Attack Surface Management (ASM) subcategories whereby tooling “continuously scans for, discovers, and enumerates unknown internet-facing assets, establishes the unique fingerprints of discovered assets, and identifies various exposures.” EASM leverages an outside-in approach to understand what is being exposed on the attack surface.

EASM provides modern AppSec teams more value than traditional Application Security tooling, and covering the gaps missed by AppSec testing solutions is quickly becoming one of its main use cases.

EASM has been full speed ahead since its emergence in mid-2021, following research from leading analyst firms such as Gartner and Forrester. Since 2014, Detectify has addressed challenges security teams face that fit some of the use cases that today align with the EASM space.

Detectify has seen an increased purchase of its EASM platform from 30% to 95% since 2020.

Since early 2022, interest in attack surface products has grown, with more security teams seeing the value EASM products provide in solving key challenges such as:

Challenge #1

Seeing the current state of security and understanding what is exposed and how it has evolved

and if needed, being able to drill down into specific aspects of the attack surface, such as critical web apps, and security policies.

Challenge #2

Understanding what is exposed across the entire attack surface, and how to continuously monitor what is exposed

such as whether or not certain assets are being scanned, types of vulnerabilities at present, and how security has improved over time.

Challenge #3

Quickly resolving vulnerabilities and exposures across the entire attack surface

by helping developers know what needs to be fixed and ensuring they have the information they need to resolve important issues quickly.

Challenge #4

Validating that security policies are being followed

and spotting anomalies across the entire attack surface that can be followed up by relevant stakeholders.

Product capabilities of EASM are evolving

Product capabilities of best-in-class EASM solutions should include:

The ability to test the modern tech stack: Focusing on tools and strategies that will effectively protect the modern tech stack.

Crowdsourcing vulnerabilities: Payload-based testing that utilizes payloads sourced from elite ethical hackers to deliver 99.7% accurate assessments.

Taking the customer’s unique business context into account: Not flagging vulnerabilities that don’t represent a real risk.

Looking beyond patch lists: Scrambling to fix bugs identified by the CVE program is not a complete solution. Companies need to look at patch management in the context of holistic cybersecurity solutions.

Crowdsource, Detectify's ethical hacker community, has identified almost 240,000 vulnerabilities in customer assets, submitted more than 1,765 modules, and received over 300 0-days in recent years.
Rickard Carlsson, CEO, Detectify

EASM trends identified by analysts

1) Accepting a degree of risk across the attack surface

Although many companies are thoughtful about how they cover their attack surface, there is an accepted degree of risk that many are willing to take. A good example of this is with third-party vendors - a company might accept a certain level of risk from such vendors as long as they can be alerted to vulnerabilities in their third-party tech that developers can resolve quickly.

EASM is an emerging technology that can help address the expanding attack surface, such as through policy alerts and remediation.
Gartner Emerging Tech Impact Radar, November 2022

2) Exposures, not just vulnerabilities

More companies are thinking about exposures, not just vulnerabilities. Gartner refers to exposures as “non-patchable vulnerabilities” or vulnerabilities not covered by standard patching workflows.

Vulnerabilities are the core metric that security teams measure themselves on; however, assessing new threats for exploitability, i.e., whether a vulnerability can actually be exploited, and resolving those that can, is increasingly top of mind for security teams.

3) Actionable data

High-quality data about the attack surface is critical, but it's not helpful if security teams can't use it in their existing workflows. Many security teams focus on getting the most out of their current security toolkit, including ensuring their tools work well together.

The State of EASM in 2023

Insights from Detectify's customer base

About this research

We've taken anonymous and aggregated data and insights from internal Detectify databases to explore the state of External Attack Surface Management within our customers. Here, we share what we've learned from this data and what this tells us about the state of our customers' attack surfaces.

235 companies & organizations

Including large enterprises and mid-market companies from across a range of industries.

361,028 vulnerabilities

The total number of vulnerabilities found across the attack surfaces of our sample.

30 countries

We used a representative sample of our customer base to gather geographical insights regarding company size and industry.

Core Industries

Banking & Financial Services, Public Sector, Internet Software & Services, Consumer Packaged Goods, Media & Gaming

These represent the core industries and customer base at Detectify.

● Due to their aggressive modernization efforts, Banking & Financial Services and Public Sector companies have experienced the largest share of critical-severity vulnerabilities, reflected in the different business sizes that Detectify serves most commonly for each industry.

● Enterprises within the Banking & Financial Services and SaaS industries had the largest share of high-severity threats, reflecting the trend that companies of all sizes face the same challenge of navigating a growing attack surface.

INDUSTRY

Banking & Financial Services

The Banking and Financial Services industry includes diverse activities such as financial services, insurance, investment banking, brokerage, and real estate. This sector's key challenges include navigating digital transformation, ensuring regulatory compliance, and gaining visibility and control during M&A processes.

Top vulnerabilities in this industry

Financial institutions typically have well-established vulnerability management programs, which makes them desirable targets for attackers looking for industries with mature systems and practices to exploit. Given the vast amount of sensitive information these organizations store, it's unsurprising to see SQL Injection as one of the top vulnerabilities for the Banking & Financial Services industry during 2023.

1. Git Configuration Exposure

2. SQL Injection

3. Google Cloud Storage Bucket Directory Listing

4. CVE-2021-40438: Apache mod_proxy SSRF

INDUSTRY

Public Sector

The Public Sector industry, comprising organizations like governmental agencies and higher education establishments, has witnessed accelerated digital innovation driven by the COVID-19 pandemic. As this industry embarks on modernization journeys, challenges like low digital maturity, unmet citizen expectations, resource constraints, and scaling difficulties emerge.

Top vulnerabilities in this industry

Public Sector organizations are trying to keep up with their accelerated transformation rate by bringing new cloud components online and building web applications quickly, whereby a whole new set of technologies and methodologies are often used.

1. SQL Injection in PostgreSQL, MySQL, Oracle, Microsoft, IBM DB2

2. Mini Profiler Exposure

3. Statamic Configuration Exposure

4. CVE-2009-3555: SSL/TLS Insecure Renegotiation

INDUSTRY

Consumer Packaged Goods (CPG)

Consumer packaged goods (CPG) companies face challenges securing their digital products, managing digital transformation, and understanding their security posture during M&As.

Top vulnerabilities in this industry

CPG companies frequently use tools such as Adobe Experience Manager to provide customized online experiences for their customers, so vulnerabilities associated with this technology are usually prevalent. Our data also indicates that CPG companies often have more associated domains than other industries, making them most vulnerable to subdomain takeover.

1. Adobe AEM CRX Explorer Exposure

2. Subdomain Takeover using Gemfury

3. Adobe AEM Denial-of-Service via Flushing Cached Pages

4. CVE-2021-40438: Apache mod_proxy SSRF

5. Adobe Experience Manager CRX Search Exposed

6. GraphQL Introspection Enabled

INDUSTRY

Internet Software & Services (SaaS)

Technology and Internet Software & Services companies face many challenges in securing their attack surfaces, from digital transformation and securing digital products to mergers and acquisitions.

Top vulnerabilities in this industry

Based on the top 30 vulnerabilities for this industry, there were no critical findings (under the Common Vulnerability Scoring System definition), demonstrating how CVSS may not accurately represent risk, especially for modern web technology. We have also observed a trend highlighting the challenges security teams face when managing cloud assets.

1. Adobe AEM Query Builder Exposure

2. DNS Hijacking using Amazon Route53

3. Open Redirect

4. Directory Listing

5. CVE-2021-40438: Apache mod_proxy SSRF

INDUSTRY

Media & Gaming

The Media & Gaming industry grapples with challenges such as over-reliance on public and hybrid cloud platforms for scalable video workflows and content innovation. This broad and evolving sector faces the task of innovating content monetization strategies, emphasizing the need to maximize return and customer lifetime value.

Top vulnerabilities in this industry

Vulnerabilities arise from outdated or weak security systems, misconfigurations, and an expanding attack surface, making the industry an attractive target for attackers seeking financial gain. Specific sectors, notably gambling and betting services, are particularly targeted, highlighting the heightened risks associated with sensitive data like PII.

1. Metabase Installer Exposure

2. PHP "Zerodium" Backdoor RCE

3. DNS Hijacking using Expired Domain

4. Google Cloud Storage Bucket Directory Listing

5. SSL/TLS X.509 Hostname Mismatch Certificate

Most common vulnerabilities
per region in 2023

In the following section, we dig deeper into the top vulnerabilities discovered across North America, South America, the Nordics, UKI, Southern Europe, DACH, and Oceania.

Top vulnerabilities in North America

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. Apache Server Status Exposure
The /server-status endpoint exposes visitors' IP addresses and requests, allowing an attacker to discern server load, visitor details, and accessed URLs.

4. WordPress Full Path Disclosure, Twenty Sixteen Theme
Full path disclosure vulnerability in the WordPress theme Twenty Sixteen. When combined with other vulnerabilities, it could enhance an attacker's success rate and impact the web server.

5. Google Cloud Storage Bucket Directory Listing
A Google Cloud Storage bucket has directory listing enabled, so an attacker could list the files in the bucket and request them.

6. Directory Listing
If directory listing on paths is enabled, an attacker can list all files and sub-directories in the current directory.
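The two certificate findings at the top of this list are cheap to reproduce in-house. The following is an added example, not Detectify's code: it applies the hostname check (RFC 6125 wildcard rules, SAN before CN) and the expiry check to a dict shaped like Python's `ssl.SSLSocket.getpeercert()` output, keys every finding by the (hostname, IP, port) triple the report uses so that each rotating IP is assessed on its own, and includes a live variant that records a chain-verification failure as a finding. `SAMPLE_CERT`, `example.test` names and the IP `203.0.113.10` are constructed.

```python
import socket
import ssl
import time
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CertFinding:
    """One finding keyed the way the report identifies a server: name, IP, port."""
    host: str
    ip: str
    port: int
    issues: List[str] = field(default_factory=list)

def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is valid only as the whole leftmost label, must be
    followed by at least two labels, and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # rejects 'f*o.example.test', '*.test' and label-count mismatches
    return p_labels[1:] == h_labels[1:]

def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate covers; CN is only a fallback when no DNS SANs exist."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def evaluate_cert(cert: dict, host: str, ip: str, port: int = 443,
                  now: Optional[float] = None) -> CertFinding:
    """Apply both checks to a getpeercert()-shaped dict at epoch time `now`."""
    now = time.time() if now is None else now
    finding = CertFinding(host, ip, port)
    if not any(_name_matches(n, host) for n in cert_names(cert)):
        finding.issues.append("hostname-mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        finding.issues.append("expired")
    return finding

def fetch_and_evaluate(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> CertFinding:
    """Live variant: connect to one specific IP (each rotating address gets its own
    check) with `host` in SNI. Name checking is left to evaluate_cert, so
    check_hostname is off; chain verification stays on, and a failure there
    (an expired leaf, for instance) becomes a finding instead of an exception."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return evaluate_cert(tls.getpeercert(), host, ip, port)
    except ssl.SSLCertVerificationError as exc:
        return CertFinding(host, ip, port, [f"verify-failed: {exc.verify_message}"])

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.cdn.example.test")),
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
BEFORE_EXPIRY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2023 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
```

Running `evaluate_cert(SAMPLE_CERT, "api.example.test", "203.0.113.10", now=AFTER_EXPIRY)` reports both issues, while `static.cdn.example.test` before expiry reports none.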

Top vulnerabilities in South America

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. DNS Hijacking using Amazon Route53
Attackers can gain unauthorized control over a domain's DNS settings within the Amazon Route 53 DNS service. In a DNS hijacking attack, the attacker typically gains access to the victim's Route 53 account or exploits vulnerabilities in the domain registrar's authentication process. Once control is established, the attacker can manipulate the DNS records, redirecting traffic intended for the victim's domain to malicious servers.

4. OpenAPI Specification Exposure
OpenAPI specification files describe ways to access the application and could contain information that can aid an attacker.

Top vulnerabilities in the Nordic region

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. NPM Packages Disclosure
Exposed package.json files for npm may contain internal information that could aid an attacker in scoping out the platform.

4. Open Redirect
An attacker can force users to land on an origin of their choice. This is usually used in chains with other vulnerabilities.

5. PHP-Info Exposure
An exposed phpinfo() status page. An attacker can read the PHP-related configuration of the web server and use that knowledge in further attacks.

Top vulnerabilities in the UKI region

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. Statamic Configuration Exposure
Presence of sensitive Statamic configuration files that are not intended for exposure on the Internet.

4. Directory Listing
If directory listing on paths is enabled, an attacker can list all files and sub-directories in the current directory.

5. CVE-2009-3555: SSL/TLS Insecure Renegotiation
SSL and TLS protocol versions are examined, including up to TLS/1.2, for potential vulnerabilities to a Man-in-the-Middle attack (CVE-2009-3555) during renegotiation. In this scenario, an attacker can prepend chosen plaintext to the HTTP request visible to the web server.

Top vulnerabilities in Southern Europe

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. Access Log Exposure
If access logs are publicly exposed on the Internet, an attacker could obtain requests made by legitimate users, potentially leading to the exposure of personally identifiable information (PII) and other sensitive data.

3. Prometheus Metrics Exposure
If Prometheus is accessible from the Internet, an attacker can retrieve metrics on internal systems.

4. CVE-2021-40438: Apache mod_proxy SSRF
SSRF vulnerability in Apache HTTP Server. A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Successful exploitation would allow an attacker to access internal services.

Top vulnerabilities in the DACH region

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. Path-based XSS
HTML injection through arbitrary URL paths. By exploiting this vulnerability, an attacker can potentially steal a victim's cookies, including session cookies, posing a risk of user session hijacking.

3. Mixed Content
A page served over HTTPS incorporates resources served over HTTP, introducing a potential bypass of the HTTPS protocol. This vulnerability could allow an attacker to eavesdrop on communication between a victim and the website, gaining unauthorized access to sensitive information intended to be served over a secure connection.

4. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

5. Java Stack Trace
Existence of verbose Java stack traces in the returned response body. A verbose stack trace often indicates an unhandled bug in the application and is typically accompanied by other error messages. Revealing the execution flow within the application, a stack trace can be exploited by attackers to gain insights into the running processes.

6. Apache HTTP Server Icon Leakage
Apache, by default, serves a /icon/ directory containing resources related to the web server. A remote attacker can determine the server version by analyzing checksums of exposed files.

Top vulnerabilities in Oceania

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may make this finding appear intermittent, so it should be investigated even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. Directory Listing
If directory listing on paths is enabled, an attacker can list all files and sub-directories in the current directory.

4. Subdomain Takeover
Subdomain takeover is the process of taking control of a subdomain. It becomes possible when a subdomain points to a third-party provider that is no longer in use, since an attacker can register the now-unclaimed name on the third-party service and hijack the subdomain.
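The subdomain-takeover finding above, and the "DNS Hijacking using Expired Domain" finding in the Media & Gaming list, both come down to a CNAME that still exists in the organisation's zone but whose target no longer resolves. The following is an added example, not Detectify's code: it walks each subdomain's CNAME chain and classifies where the chain ends, so an asset inventory can raise the record before anyone else notices it. The resolver is injected, so the check runs offline against the constructed zone below; `THIRD_PARTY_SUFFIXES` and every `.example`/`.test` name are constructed stand-ins for real provider and customer domains. This is a DNS-level check only; recognising a provider's "unclaimed resource" page is a separate, HTTP-level check.

```python
from typing import Callable, Dict, List, Optional

# Constructed list of provider suffixes to watch; a real inventory keeps an
# organisation-specific list of the third-party services it delegates to.
THIRD_PARTY_SUFFIXES = (".herokudns.example", ".s3-website.example", ".furyns.example")

MAX_HOPS = 8  # stop following CNAME chains that never terminate


def classify_subdomain(name: str,
                       cname_of: Callable[[str], Optional[str]],
                       has_address: Callable[[str], bool]) -> Dict[str, str]:
    """Follow the CNAME chain of `name` and report where it ends.

    status: 'ok' (ends at a name with an address), 'takeover-candidate' (ends at a
    watched third-party name that no longer exists), 'dangling' (ends at a missing
    name outside the watched providers, e.g. a vendor domain that expired),
    'nxdomain' (the name itself has neither CNAME nor address) or 'cname-loop'.
    """
    current, seen = name, []
    for _ in range(MAX_HOPS):
        seen.append(current)
        target = cname_of(current)
        if target is None:
            if has_address(current):
                return {"name": name, "status": "ok", "ends_at": current}
            if current == name:
                return {"name": name, "status": "nxdomain", "ends_at": current}
            if current.endswith(THIRD_PARTY_SUFFIXES):
                return {"name": name, "status": "takeover-candidate", "ends_at": current}
            return {"name": name, "status": "dangling", "ends_at": current}
        if target in seen:
            return {"name": name, "status": "cname-loop", "ends_at": target}
        current = target
    return {"name": name, "status": "cname-loop", "ends_at": current}


# Constructed zone data standing in for live DNS answers.
CNAMES = {
    "www.example.test": "lb.example.test",
    "assets.example.test": "cdn.example.test",
    "cdn.example.test": "bucket.s3-website.example",
    "shop.example.test": "old-shop.herokudns.example",    # provider resource deleted
    "blog.example.test": "blog.expired-cms-vendor.test",  # vendor's domain lapsed
    "loop-a.example.test": "loop-b.example.test",
    "loop-b.example.test": "loop-a.example.test",
}
HAS_ADDRESS = {"lb.example.test", "bucket.s3-website.example"}


def audit_zone(names: List[str]) -> Dict[str, str]:
    """Classify every listed subdomain against the constructed zone."""
    return {n: classify_subdomain(n, CNAMES.get, HAS_ADDRESS.__contains__)["status"]
            for n in names}
```

With a real resolver, `cname_of` returns the CNAME target or `None` and `has_address` reports whether an A/AAAA lookup succeeds; the classification logic is unchanged.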

What's ahead for 2024?

CVSS will continue to be unrepresentative of the true risk vulnerabilities represent:
As some of the data in this report has pointed out, CVSS fails to represent what constitutes risk accurately. Organizations are expected to move away from traditional CVSS metrics for vulnerability prioritization. The limitations of CVSS have prompted a reevaluation of prioritization methods. In 2024, we will see a shift towards more dynamic and context-aware approaches.

Prioritization based on high-fidelity assessments:
The prioritization of threats will continue evolving to rely on security teams trusting their tools to generate high-fidelity findings and effectively integrate those into their workflow to speed up remediation.

Leveraging the power of crowdsourced research:
In 2024, we will continue seeing strong growth in the demand for solutions that crowdsource security research. Research from ethical hackers proves its value in democratizing and streamlining the response to threats, surpassing the limitations of established disclosure processes, as highlighted in this report.

A continued need for market education:
Security teams must continue to educate themselves on how EASM can complement their organization’s existing security stack, particularly around how EASM can fill the gaps missed by AppSec tooling.

Effective prioritization will be key in 2024; organizations must reduce their vulnerability backlog by leveraging solutions that offer highly accurate findings and integrate their unique business context into the equation. One-size-fits-all strategies don’t fit the bill.
Rickard Carlsson, CEO, Detectify

Complete External Attack Surface Management for AppSec & ProdSec teams

Start covering your external attack surface with rigorous discovery, 99.7% accurate vulnerability assessments, and accelerated remediation through actionable guidance.

Get to know Detectify in less than 5 minutes