Abandoned Web Applications: Achilles' Heel of FT 500 Companies


Abandoned, shadow and legacy applications undermine cybersecurity and compliance of the largest global companies despite growing security spending.

Key Findings

70% of FT 500 can find access to some of their websites being sold on Dark Web

92% of external web applications have exploitable security flaws or weaknesses

19% of the companies have external unprotected cloud storage

2% of external web applications are properly protected with a WAF

Every single company has some non-compliances with GDPR

Research in a Nutshell



Source: IFSEC Global


1. Preamble

In a legendary quote, the 21st U.S. Secretary of Defense Donald Rumsfeld said:

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.”

Nowadays, his wisdom is particularly applicable in the technology and cybersecurity fields. Shadow, legacy and abandoned IT assets usually fall into the known unknowns or unknown unknowns categories and represent an immense risk for modern companies and organizations. Left without maintenance and protection, they create a vicious cycle in which companies can be easily compromised regardless of their security efforts and growing cybersecurity spending.

In November 2017, High-Tech Bridge announced the launch of ImmuniWeb® Discovery, a non-intrusive Open Source Intelligence (OSINT) service that locates all external applications and related IT assets attributable to a particular company or organization. In other words, ImmuniWeb Discovery quickly builds a comprehensive snapshot of your web-based attackable surface. One only needs to enter a company name and its main website to launch a non-intrusive reconnaissance of all its external websites, web systems, domain names, SSL certificates, web-based APIs and microservices, as well as unprotected cloud storage.

We recently sent a brief questionnaire to corporate and governmental users of ImmuniWeb Discovery to explore their experience with our service. The poll revealed that up to 80% of the discovered applications had been unknown to the respondents' cybersecurity teams, a bitter surprise that shows the scale and prevalence of this often underestimated problem.

2. Research Data

To shed some light on the known unknowns and unknown unknowns, associated risks and threats, we took the 1,000 largest global companies as per the Financial Times: FT US 500 and FT Europe 500. We performed a large-scale discovery and non-intrusive assessment of their external web and mobile applications, SSL certificates, web software and unprotected cloud storage.

For the purposes of this research, we use the following terms (that may have a broader or narrower meaning elsewhere):

Shadow IT – IT assets created within an organization to serve legitimate business purposes but built without proper coordination with the organization’s central management and IT/security personnel. Thus, they are often unmaintained and not properly protected.

Example: sales team file-sharing cloud-based service with current deals and contracts.

Legacy IT – IT assets built a long time ago to serve legitimate (and still existing) business purposes but left without proper maintenance due to complexity, human factors or lack of resources, including the departure of engineers without a proper transfer of code and knowledge. Thus, they are often outdated and vulnerable.

Example: module for core e-banking system with the integrity of client data.

Abandoned IT – IT assets built for legitimate business purposes but forgotten, abandoned or lost in the wild in the course of business. Thus, they are often outdated and vulnerable.

Example: pre-production test version of ERP system with real customers’ data.

In this research we concentrate on applications and related IT infrastructure, which today pose one of the biggest external threats to organizations of all sizes.

For this research we used the following free products publicly available here:

This research is purposefully dedicated to applicative IT infrastructure (i.e. external systems accessible via HTTP/S protocols) – not the network infrastructure explorable with Shodan for example.

3. Research Statistics

3.1 External Applications

The 500 largest US companies have 293,512 external systems accessible from the Internet. 42,549 of them have a live web application with dynamic content and functionality.

The 500 largest EU companies have 112,750 external systems accessible from the Internet. 22,162 of them have a live web application with dynamic content and functionality.



Diagram 1. Total external web applications of FT US 500 and FT EU 500 companies

This means a US company has an average of 85.1 applications that can be easily discovered externally and are not protected by 2FA, strong authentication or other security controls aimed at reducing application accessibility to untrusted parties. As for an EU company, there are 44.3 such applications per company.

We counted only unique and live web applications, disregarding all types of redirects, default installation pages (e.g. Apache) or HTTP errors (e.g. 404 or 500):

                                                 Total     FT US 500   FT EU 500
Web applications accessible from the Internet    64,711    42,549      22,162
Average quantity of applications per company     66.25     85.1        44.3

Table 1. Web applications freely accessible from the Internet

3.2 SSL/TLS Encryption

48.81% of web servers belonging to the US companies have an “A” grade for their SSL/TLS encryption, while 32.21% have a failing “F” grade. 7.82% still have the vulnerable and deprecated SSLv3 protocol enabled.



Diagram 2. FT US 500 distribution of grades for SSL/TLS encryption

62.4% of web servers belonging to the EU companies have an “A” grade, and 16.02% have a failing “F” grade, still placing European companies in a much better position compared to the US ones. SSLv3 is enabled on 5.15% of the EU systems.



Diagram 3. FT EU 500 distribution of grades for SSL/TLS encryption

43.2% of the US companies have at least two servers with “F” grade, compared to 29.6% from the EU.

14% of the US companies have not a single server with an “A” grade, compared to 10% in the EU.

35.2% of the US companies have at least two servers with an exploitable SSL/TLS vulnerability (allowing at least to decrypt intercepted HTTPS traffic) compared to 24% in the EU.

3.3 PCI DSS and TLS

Among the US companies, only 16.4% of the discovered web servers have an SSL/TLS configuration compliant with the most recent version of PCI DSS 3.2.1 (Requirements 2.3 and 4.1).

The EU companies are doing even worse with 14.7% of compliant web servers.

It has to be noted, however, that a configuration non-compliant with PCI DSS does not necessarily mean poor encryption, but in many cases it does.



Diagram 4. FT US 500 and FT EU 500 TLS configurations compliant with PCI DSS requirements

3.4 SSL Certificates and Domain Names

45.1% of the US companies’ SSL certificates are invalid because of an untrusted Certificate Authority (CA), expiration or issuance for a different domain name. Untrusted CAs include the distrusted Symantec PKI legacy certificates.

The European companies come out with much better results of “just” 28.9% invalid certificates.



Diagram 5. FT US 500 and FT EU 500 SSL certificates on external web applications

42% of the US companies have at least one web application with an external resource (e.g. JS library, external image, font or CSS file) located on an expired or non-existent domain name (often due to a programmer’s typo in the URL), enabling attackers to register the domain and inject arbitrary or malicious content into the pages served to the web application’s users.

The European companies are more susceptible to this problem, with at least one uncontrollable domain in 69% of cases.
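The dangling-domain problem described above is straightforward to inventory on one's own applications. The following script is an added illustration and not part of the report or of ImmuniWeb Discovery: it parses a page for externally loaded resources, extracts the hostnames, and reports those that no longer resolve in DNS. The sample HTML, the hostnames in it and the `resolver` hook are constructed for the example.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch remote content into the page.
_SRC_ATTRS = {"script": "src", "link": "href", "img": "src",
              "iframe": "src", "source": "src"}


class _ResourceCollector(HTMLParser):
    """Collects every URL the page pulls in via the attributes above."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _SRC_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value.strip())


def external_hosts(html, page_host):
    """Distinct hostnames of resources served from somewhere other than page_host."""
    collector = _ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /static/app.js
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)


def resolves(host):
    """Default resolver: does the hostname still have any DNS records?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def dangling_hosts(html, page_host, resolver=resolves):
    """Hosts the page depends on that no longer resolve. Whoever registers such a
    domain can serve content into this page, so each hit needs removing or re-pointing."""
    return [h for h in external_hosts(html, page_host) if not resolver(h)]


# Constructed sample page: the second CDN hostname contains a typo and does not exist.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="https://cdn.exmaple.com/jquery.min.js"></script>
<script src="/static/app.js"></script>
</head><body><img src="//images.example.com/logo.png"></body></html>"""

if __name__ == "__main__":
    print(dangling_hosts(SAMPLE_HTML, "www.example.com"))
```

Running it over the crawled pages of every discovered application, rather than a single page, turns the check into the kind of continuous inventory the report argues for.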

3.5 Web Server Security

The US companies from this research have just 2.94% of web servers with an “A” grade for properly implemented security hardening and configuration, mostly for security and privacy related HTTP headers. The vast majority (76.9%) have a failing “F” grade.

The situation is nearly identical for the EU companies, which managed to get just 2.98% of “A” and 77.4% of “F” grades.

3.6 Content Security Policy

Content Security Policy (CSP) is widely known for its capacity to mitigate XSS and CSRF attack vectors on the web server side even if a web application is vulnerable.

The US companies have 9.1% of web applications with enabled and properly configured CSP compared to just 4.39% in Europe.
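What “enabled and properly configured” means in practice for a CSP is easiest to see in a linter. The following code is an added example, not the report’s grading logic: it parses a `Content-Security-Policy` header value and lists the reasons the policy would still let an injected script run. The two sample headers are constructed, and the function assumes the header value has already been extracted from a response.

```python
# Script-source expressions that leave the page open to injected scripts.
_RISKY_SCRIPT_SOURCES = {
    "*": "any origin may serve scripts",
    "http:": "any plaintext origin may serve scripts",
    "https:": "any HTTPS origin may serve scripts",
    "data:": "data: URLs can carry attacker-controlled scripts",
}
_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Turn "default-src 'self'; script-src a b" into {'default-src': ["'self'"], ...}.
    Directive names are case-insensitive; source expressions are kept as written."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def csp_findings(header_value):
    """Reasons this policy would not stop an injected script; an empty list means none found."""
    policy = parse_csp(header_value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive not listed is unrestricted")
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return findings + ["no script-src and no default-src: script loading is unrestricted"]
    lowered = [s.lower() for s in script]
    has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH) for s in lowered)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so flag it only alone.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src 'unsafe-inline' without nonce/hash: inline XSS payloads execute")
    for src in lowered:
        if src == "'unsafe-eval'":
            findings.append("script-src 'unsafe-eval': strings passed to eval()/Function() execute")
        # 'strict-dynamic' makes host and scheme sources irrelevant, so they are not flagged with it.
        elif src in _RISKY_SCRIPT_SOURCES and "'strict-dynamic'" not in lowered:
            findings.append(f"script-src {src}: {_RISKY_SCRIPT_SOURCES[src]}")
    plugins = policy.get("object-src") or policy.get("default-src") or []
    if "'none'" not in [s.lower() for s in plugins]:
        findings.append("object-src is not 'none': plugin content can still be loaded")
    return findings


# Constructed sample headers: a permissive policy and a nonce-based strict one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_findings(value))
```

A policy delivered only in a `Content-Security-Policy-Report-Only` header is not enforced by the browser, so it should be counted as absent regardless of what this linter says about its content.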

3.7 Vulnerable Web Software

According to the research results, 8% of the US companies’ web applications on average use a third-party CMS, library or web system (e.g. WordPress, jQuery or MS SharePoint) that is (i) outdated and (ii) contains at least one known and publicly disclosed security vulnerability.

The European companies, in turn, have 15.8% of web applications running perilous third-party web software that can be easily leveraged to breach the web application and, under some circumstances, the surrounding infrastructure (e.g. database, web server, etc.).

This minor but statistically considerable difference can possibly be explained by wealthier US companies being able to afford more spending on internal software development from scratch.

3.8 Default WordPress Installations

Among the web applications of the US companies that run WordPress, 94% have a default admin location (on /wp-admin URL) not protected by any additional means (e.g. supplementary .htaccess authentication or IP whitelisting).

The same holds for 99.5% of the EU companies.

The default WordPress admin area location simplifies brute-forcing and other authentication-related attacks, including password re-use in case of an admin account compromise on a third-party resource, exploitation of XSS vulnerabilities in WP plugins and themes, etc.

3.9 Web Application Firewalls

Among the discovered web applications of the US companies, 98.4% have no Web Application Firewall (WAF) filtering enabled or have it in a too permissive mode.

The situation is almost identical in the EU, where 98.1% of externally exposed web applications are underprotected or not protected at all by a WAF.

For the WAF test we sent 3 consecutive HTTP requests to an existing HTTP GET parameter with the <script>document.alert(cookie)</script> string (and its variations) appended to, or inserted into, the existing parameter’s value. If the requests were not blocked or altered in a visible manner, we did not consider the system to be properly protected by a WAF.



Diagram 6. FT US 500 and FT EU 500 external web applications protected by a WAF

This surprisingly low figure can possibly be explained by the widespread practice of deploying a WAF only for business-critical applications known to web security teams. The problem is greatly exacerbated by underprotected APIs and Web Services, which are frequently omitted when deploying WAF protection.

3.10 ICS/SCADA and IoT

0.91% of the US web applications are externally exposed web interfaces for administering internal ICS/SCADA systems or IoT (e.g. video surveillance systems, smart offices or even industrial machines), compared to 0.63% for the EU companies.

It is important to highlight that those systems are openly accessible to everyone from the Internet and do not require any special knowledge or insider information in order to be detected and attacked.

3.11 GDPR Compliance

Among the discovered applications, 16.2% of the US companies have at least two web applications that permit entry of Personally Identifiable Information (PII) (e.g. via web forms) and run (i) a vulnerable version of SSL/TLS, and/or (ii) outdated and vulnerable CMS or another web software.

The same failure to meet GDPR’s Art. 32 is attributable to 15.4% of the European companies.



Diagram 7. FT US 500 and FT EU 500 and GDPR compliance for web applications that accept PII

The number of non-compliant web applications is likely much higher, but it is impossible to say how many of the outdated and vulnerable websites actually process or store PII without conducting intrusive tests.

3.12 Privacy Policies

For the websites with active web forms capable of accepting PII (e.g. registration form), we analyzed the privacy policy and its content.

The US companies have only 9% of such websites with privacy policies visibly updated since the 25th of May 2018 (enforcement of GDPR) or earlier this year.

The situation is considerably better with the EU companies from the research, where 21% of such web applications have a privacy policy updated in 2018.

3.13 Unprotected Cloud Storage

27% of the US companies have at least one external cloud storage (e.g. AWS S3 bucket) accessible without any authentication from the Internet. Only 12% of the European companies have the same issue.

Some files in these storages are expressly marked as “internal”, pointing out that these cloud resources are probably not intended for public availability.

The difference between the US and EU statistics can possibly be explained by a more conservative approach to cloud storage in Europe, with private clouds or even on-premise storage prevailing.



Diagram 8. FT US 500 and FT EU 500 with publicly accessible and unprotected Cloud storage

3.14 Open Bug Bounty Reports

Open Bug Bounty is a non-profit platform for coordinated and responsible disclosure of web vulnerabilities (mostly XSS) found by independent security researchers without intrusive testing.



Diagram 9. FT US 500 and FT EU 500 vulnerability report handling on Open Bug Bounty platform

221 US companies have 1,232 vulnerability submissions on Open Bug Bounty, 38% of which are not patched.

162 EU companies have 625 reports, of which 415 vulnerabilities are patched; 34% remain unpatched.

36 US companies (16%) failed to fix a single security vulnerability, compared to 35 companies (22%) from the EU.

3.15 Data Sold on Dark Web

High-Tech Bridge runs continuous monitoring of some information security-related resources on the Dark Web. For the purpose of this research, we performed an extensive search for mentions of the websites and web applications from the list (42,549 US and 22,162 EU) in various compilations of websites allegedly compromised and being sold.

62% of the US companies have at least one website access to which is being sold on the Dark Web.

78% of the EU companies have at least one website access to which is being sold on the Dark Web.

The criminal offerings vary from lists of remote S/FTP access and compilations of RCE and SQL injection vulnerabilities to plain login/password pairs being sold among dumps of many other allegedly compromised websites.



Diagram 10. FT US 500 and FT EU 500 websites and their data being sold on Dark Web

4. Conclusions and Solutions

Ilia Kolochenko, High-Tech Bridge’s CEO and Founder, comments:

“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today. Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.

On the other side, cybercriminals are well organized and very proactive. As soon as a new vulnerability is discovered in a popular CMS - they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance. Some hacking teams and cybercrime gangs will even patch your web application just after the breach – to preclude others from getting in. Therefore, if you don’t patch your web applications – bad guys will do this for you.”

With valuable input and advice from Gartner technology analysts, High-Tech Bridge developed a vendor-neutral application security testing lifecycle:

Vendor Independent Application Security Testing Lifecycle

The cycle suggests five simple, coherent and common-sense steps for a sustainable application security testing strategy. Particular emphasis is placed on holistic application discovery and inventory as the quintessential first step. ImmuniWeb® Discovery provides a free first run to enable everyone to assess the exposed attackable surface of their organization, accomplishing the cycle's first step in a few clicks.

On the 24th of October High-Tech Bridge launches an AI-based version of ImmuniWeb® Discovery. The enhanced version leverages Machine Learning technology and Big Data composed of 853,783,291 samples of web vulnerabilities, weaknesses, breaches and misconfigurations to predict an application’s Hackability and Attractiveness without conducting any intrusive testing:

Hackability Score (from 0 to 99) provides an estimation of how easily the application can be hacked from a technical point of view.

Attractiveness Score (from 0 to 99) provides an estimation of how attractive the application is for an average cybercrime group.

ImmuniWeb® Discovery AI helps companies not just to discover their external applications in a simple and holistic manner, but also to assess and prioritize the associated risks and threats.