Since early 2022, interest in attack surface products has grown, with more security teams seeing the value EASM products provide in solving key challenges such as:

Challenge #1

Seeing the current state of security and understanding what is exposed and how it has evolved

_{and if needed, being able to drill down into specific aspects of the attack surface, such as critical web apps, and security policies.}

Challenge #2

Understanding what is exposed across the entire attack surface, and how to continuously monitor what is exposed

_{such as whether or not certain assets are being scanned, types of vulnerabilities at present, and how security has improved over time.}

Challenge #3

Quickly resolving vulnerabilities and exposures across the entire attack surface

_{by helping developers know what needs be fixed and that they have the information they need to resolve important issues quickly.}

Challenge #4

Validating that security policies are being followed

_{and spotting anomalies across the entire attack surface that can be followed up by relevant stakeholders.}

EASM trends identified by analysts

1) Accepting a degree of risk across the attack surface

Although many companies are thoughtful about how they cover their attack surface, there is an accepted degree of risk that many are willing to take. A good example of this is with third-party vendors - a company might accept a certain level of risk from such vendors as long as they can be alerted to vulnerabilities in their third-party tech that developers can resolve quickly.

EASM TRENDS IDENTIFIED BY ANALYSTS

2) Exposures, not just vulnerabilities

More companies are thinking about exposures, not just vulnerabilities. Gartner refers to exposures as “non-patchable vulnerabilities” or vulnerabilities not covered by standard patching workflows.

Vulnerabilities are the core metric that security teams measure themselves on; however, assessing the exploitability of new threats, e.g., whether a vulnerability is exploitable and resolving it, is increasingly top of mind for security teams.

EASM TRENDS IDENTIFIED BY ANALYSTS

3) Actionable data

High-quality data about the attack surface is critical, but it's not helpful if security teams can't use it in their existing workflows. Many security teams focus on getting the most out of their current security toolkit, including ensuring their tools work well together.

Most common vulnerabilities
per region in 2023

In the following section, we dig deeper into the top vulnerabilities discovered across North America, South America, the Nordics, UKI, Southern Europe, DACH, and Oceania.

Top vulnerabilities in North America

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. Apache Server Status Exposure
The /server-status endpoint exposes visitors' IP addresses and requests, allowing an attacker to discern server load, visitor details, and accessed URLs.

4. WordPress Full Path Disclosure, Twenty Sixteen Theme
Full path disclosure vulnerability in the WordPress theme Twenty Sixteen. When combined with other vulnerabilities, it could enhance an attacker's success rate and impact the web server.

5. Google Cloud Storage Bucket Directory Listing
A Google Cloud Storage bucket has directory listing enabled, so an attacker could list the files in the bucket and request them.

6. Directory Listing
If directory listing on paths is enabled, an attacker can list all files and sub-directories in the current directory.

Top vulnerabilities in South America

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave in volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In the case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. DNS Hijacking using Amazon Route53
Attackers can gain unauthorized control over a domain's DNS settings within the Amazon Route 53 DNS service. In a DNS hijacking attack, the attacker typically gains access to the victim's Route 53 account or exploits vulnerabilities in the domain registrar's authentication process. Once control is established, the attacker can manipulate the DNS records, redirecting traffic intended for the victim's domain to malicious servers.

4. OpenAPI Specification Exposure
OpenAPI specification files describe ways to access the application and could contain information that can aid an attacker.

Top vulnerabilities in the Nordic region

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. NPM Packages Disclosure
Exposed package.json files for npm may contain internal information that may aid an attacker scoping up platforms.

4. Open Redirect
An attacker can force users to land on an origin of their choice. This is usually used in chains with other vulnerabilities.

5. PHP-Info Exposure
Vulnerability for exposed phpinfo() status pages. An attacker can read PHP-related configurations made on the web server and use that knowledge in further attacks.

Top vulnerabilities in the UKI region

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. Statamic Configuration Exposure
Presence of sensitive Statamic configuration files that are not intended for exposure on the Internet.

4. Directory Listing
If directory listing on paths is enabled, an attacker can list all files and sub-directories in the current directory.

5. CVE-2009-3555: SSL/TLS Insecure Renegotiation
SSL and TLS protocol versions are examined, including up to TLS/1.2, for potential vulnerabilities to a Man-in-the-Middle attack (CVE-2009-3555) during renegotiation. In this scenario, an attacker can prepend chosen plaintext to the HTTP request visible to the web server.

Top vulnerabilities in Southern Europe

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. Access Log Exposure
If publicly-exposed access logs on the Internet can be accessed, an attacker could obtain requests made by legitimate users, potentially leading to the exposure of personally identifiable information (PII) and other sensitive data.

3. Prometheus Metrics Exposure
If Prometheus is accessible from the Internet an attacker can retrieve metrics on internal systems.

4. CVE-2021-40438: Apache mod_proxy SSRF
SSRF vulnerability in Apache HTTP Server. A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Successful exploitation would allow an attacker to access internal services.

Top vulnerabilities in the DACH region

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. Path based XSS
HTML injection through arbitrary URL paths. By exploiting this vulnerability, an attacker can potentially steal a victim's cookies, including session cookies, posing a risk of user session hijacking.

3. Mixed Content
A page served over HTTPS incorporates resources served over HTTP, introducing a potential bypass of the HTTPS protocol. This vulnerability could allow an attacker to eavesdrop on communication between a victim and the website, gaining unauthorized access to sensitive information intended to be served over a secure connection.

4. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

5. Java Stack Trace
Existence of verbose Java stack traces in the returned response body. A verbose stack trace often indicates an unhandled bug in the application and is typically accompanied by other error messages. Revealing the execution flow within the application, a stack trace can be exploited by attackers to gain insights into the running processes.

6. Apache HTTP Server Icon Leakage
Apache, by default, serves a /icon/ directory containing resources related to the web server. A remote attacker can determine the server version by analyzing checksums of exposed files.

Top vulnerabilities in Oceania

1. SSL/TLS X.509 Hostname Mismatch Certificate
The assessed hostname doesn't match the domains (or IP addresses) defined in the certificate. Rotating IP addresses may behave volatility and should be investigated, even if the vulnerability is considered fixed. An attacker with traffic interception capabilities could conduct man-in-the-middle attacks by generating new bogus certificates.

2. SSL/TLS X.509 Certificate Expired
The server's HTTPS X.509 certificate has expired. The server is identified by the combination of domain name, IP address and port number. In case of rotating IP addresses, we advise investigating this finding regardless of apparent status. An attacker who can intercept the traffic between the server and the victim can conduct man-in-the-middle attacks by generating new certificates.

3. Directory Listing
If directory listing on paths is enabled, an attacker can list all files and sub-directories in the current directory.

4. Subdomain Takeover
Subdomain takeover is a process of taking control of a subdomain. This can be done when a subdomain is pointing to a third party provider that is no longer in use - seeing that an attacker can register another non-existing domain name on the third party service and hijack the subdomain.