Cloud flaws brought to the fore as bug bounty vulnerabilities hit 65k in 2022 – HackerOne – The Daily Swig
Impact of cloud migration and shift to remote work evident in new report
Bug bounty hunters are increasingly unearthing cloud-based vulnerabilities as organizations undergo ‘digital transformation’, a new report has found.
Researchers have uncovered more than 65,000 software vulnerabilities through bug bounty platform HackerOne in 2022, a year-on-year rise of 21%.
The increase, revealed in HackerOne’s 2022 Hacker-Powered Security Report, released today (December 13), is precisely the same percentage jump recorded in last year’s edition.
Now on its sixth instalment, the report also explores the continued impact of digital transformation on attack surfaces.
Cloud migration and the shift to remote work have seen organizations instituting ever-more granular permissions, a trend reflected in growing numbers of misconfiguration vulnerabilities – jumping 150% – and improper authorization issues, increasing by 45%.
Web applications continue to dominate the landscape, with 95% of hackers prioritizing websites. The next most popular targets are APIs (45%), Android mobile apps (38%), cloud platforms (24%), and open source (24%).
Meanwhile, companies running bug bounty programs should take note that slow response times (51%), limited scopes (50%), and poor communication (49%) were the most significant deterrents to engaging with a program.
HackerOne, which polled 5,000 hackers between September and October 2022, also found that 38% of bug hunters cited in-house expertise as the biggest cybersecurity challenge facing organizations. This finding reflects the intertwined trends of growing attack surfaces and the cybersecurity skills gap.
The most popular hacking tools used by ethical hackers are Burp Suite (87%), fuzzing utilities (47%), and web proxies or scanners (38%). One in three (34%) even build their own tools.
Nevertheless, 92% still back themselves to find vulnerabilities missed by scanners, with tools often proving useful for reconnaissance, according to the report.
“I use automated tools in my reconnaissance flow to find opportunities where to focus my efforts,” US hacker Jon Colston told HackerOne.
“While it can send immediate notification of a quick win, I’m more interested in collecting as much information as possible from various data repositories to analyze trends.
“Specifically, I’m identifying where an organization will likely store specific files or documentation which I can leverage into more advanced attacks. Performing recon with a purpose helps me develop a better picture of the landscape and quickly narrow down my list of targets from 5000 to 500.”
Although seven-figure payouts are increasingly common, HackerOne reports that mean and median bounty prices have not risen markedly – save for in the cryptocurrency and blockchain world, where average payouts soared by 315%.
While bug hunting only turns a select few into millionaires, 41% earned enough to consider it a career in itself, while 25% believed their freelance exploits had helped them get a promotion in their salaried position or otherwise progress their career.
Cross-site scripting (XSS) was again the most common bug reported, with total submissions up 32% year on year.
Adam Bannister
@Ad_Nauseum74
© 2022 PortSwigger Ltd.