As the year draws to a close, it is worth analyzing the vulnerability data to see which classes of security issue were most commonly reported during the year. Understanding this data helps us focus on the critical and common weaknesses when hardening our own applications.
Note: The products mentioned in this article are not necessarily insecure; they are large, complex, widely used projects that are frequently targeted by attackers and researchers. A high CVE count is as much a sign of active auditing and prompt patching as of weak code, so products that report the most vulnerabilities are often among the better maintained.
All of the data in this article is from NVD. To analyze the data, I downloaded the JSON feed, parsed it into a SQL database using Python, then used SQL queries to pull the required data.
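The following is an added example of that pipeline, not the script used for this article. It takes a feed shaped like the NVD JSON 1.1 data feed (the `CVE_Items` / `problemtype_data` layout is assumed from the 1.1 schema), loads one row per CVE-to-CWE mapping into SQLite, and ranks CWEs by the number of distinct CVEs published in a given year. The sample feed embedded below is constructed for illustration. Two details matter for a correct count: a CVE can carry several CWE ids, so counting rows instead of distinct CVEs inflates the numbers, and NVD uses placeholder values such as `NVD-CWE-noinfo` and `NVD-CWE-Other` that should be excluded from a "top CWE" ranking.

```python
import json
import sqlite3

# Constructed sample in the shape of the NVD JSON 1.1 feed (assumed layout:
# CVE_Items[].cve.problemtype.problemtype_data[].description[].value).
# A real run would json.load() the downloaded nvdcve-1.1-<year>.json file.
SAMPLE_FEED = {
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
                 "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}},
         "publishedDate": "2019-02-10T15:00Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
                 "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}},
         "publishedDate": "2019-05-01T09:00Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"},
                 "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}},
         "publishedDate": "2019-07-19T12:00Z"},
        # One CVE mapped to two CWEs: must count once per CWE, not twice for CWE-79.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0004"},
                 "problemtype": {"problemtype_data": [{"description": [
                     {"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}]}]}},
         "publishedDate": "2019-09-03T18:00Z"},
        # NVD placeholder, not a real CWE; excluded from the ranking.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0005"},
                 "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
         "publishedDate": "2019-11-11T11:00Z"},
        # Published in a different year; filtered out when asking for 2019.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0006"},
                 "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}},
         "publishedDate": "2018-12-30T08:00Z"},
    ]
}


def iter_cwe_rows(feed):
    """Yield (cve_id, published_date, cwe) tuples, one row per CWE attached to a CVE."""
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        published = item.get("publishedDate", "")
        for problem in item["cve"]["problemtype"]["problemtype_data"]:
            for desc in problem["description"]:
                yield cve_id, published, desc["value"]


def load_feed(feed, conn):
    """Create the cve_cwe table (if needed) and bulk-insert the feed's CVE/CWE rows."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS cve_cwe (cve_id TEXT NOT NULL, published TEXT NOT NULL, cwe TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO cve_cwe VALUES (?, ?, ?)", iter_cwe_rows(feed))
    conn.commit()


def top_cwes(conn, year, limit=10):
    """Return [(cwe, distinct_cve_count), ...] for CVEs published in `year`, most common first."""
    return conn.execute(
        """
        SELECT cwe, COUNT(DISTINCT cve_id) AS n
        FROM cve_cwe
        WHERE substr(published, 1, 4) = ?
          AND cwe LIKE 'CWE-%'        -- drops NVD-CWE-noinfo / NVD-CWE-Other placeholders
        GROUP BY cwe
        ORDER BY n DESC, cwe ASC
        LIMIT ?
        """,
        (year, limit),
    ).fetchall()


def analyze(feed, year, limit=10):
    """Convenience wrapper: load a feed into an in-memory SQLite database and rank CWEs."""
    conn = sqlite3.connect(":memory:")
    try:
        load_feed(feed, conn)
        return top_cwes(conn, year, limit)
    finally:
        conn.close()


if __name__ == "__main__":
    # Against a downloaded feed: analyze(json.load(open("nvdcve-1.1-2019.json")), "2019")
    for cwe, count in analyze(SAMPLE_FEED, "2019"):
        print(f"{cwe}: {count}")
```

Loading the real yearly feed the same way and pointing `analyze` at it gives the ranking the rest of this article walks through; the `LIKE 'CWE-%'` filter is what keeps the placeholder entries from showing up near the top.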
Number 1: CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
Server-side validation of user input is a useful first layer, but the primary defense against XSS is context-aware output encoding: untrusted data is escaped at the moment it is written into the page, using the rules of the context it lands in (HTML body text, a quoted attribute value, a JavaScript string, a URL). Simply stripping or rejecting characters such as < and > on input is not enough. A value placed inside a quoted attribute needs only a double quote to break out and add an event-handler attribute, and blanket filtering also mangles legitimate input. Modern templating engines escape by default; use them, keep input validation as an additional layer rather than the only one, and add a Content Security Policy to limit the damage if an encoding mistake slips through.
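As an added example (not code from the original article), the script below contrasts the "filter < and >" approach with proper output encoding in Python's standard library. The attacker input is constructed for illustration; the render functions are hypothetical stand-ins for a page that reflects a user's name into an attribute and into body text. A small `html.parser` based check shows whether the rendered fragment ended up with an event-handler attribute the developer never wrote.

```python
import html
from html.parser import HTMLParser

# Constructed attacker input. It contains no '<' or '>' at all, so an input
# filter that only strips angle brackets lets it through untouched.
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="'
TEXT_PAYLOAD = "<script>alert(1)</script>"


def strip_angle_brackets(value):
    """The input filter suggested above: remove '<' and '>' and nothing else."""
    return value.replace("<", "").replace(">", "")


def render_attribute_naive(name):
    """Vulnerable: filtered input is dropped into a quoted attribute without encoding."""
    return f'<input name="display" value="{strip_angle_brackets(name)}">'


def render_attribute_encoded(name):
    """Hardened: HTML-encode for the attribute context (quote=True also encodes " and ')."""
    return f'<input name="display" value="{html.escape(name, quote=True)}">'


def render_text_naive(name):
    """Vulnerable: body-text context with only the angle-bracket filter applied."""
    return f"<p>Hello, {strip_angle_brackets(name)}</p>"


def render_text_encoded(name):
    """Hardened: body-text context with proper HTML encoding."""
    return f"<p>Hello, {html.escape(name)}</p>"


class TagCollector(HTMLParser):
    """Collect (tag, {attr: value}) for every start tag the browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment):
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def has_event_handler(fragment):
    """True if any tag in the fragment carries an on* attribute (onfocus, onerror, ...)."""
    return any(attr.lower().startswith("on") for _, attrs in parse_tags(fragment) for attr in attrs)


def has_script_tag(fragment):
    return any(tag == "script" for tag, _ in parse_tags(fragment))


if __name__ == "__main__":
    print("naive attribute  :", render_attribute_naive(ATTRIBUTE_PAYLOAD))
    print("  event handler? ", has_event_handler(render_attribute_naive(ATTRIBUTE_PAYLOAD)))
    print("encoded attribute:", render_attribute_encoded(ATTRIBUTE_PAYLOAD))
    print("  event handler? ", has_event_handler(render_attribute_encoded(ATTRIBUTE_PAYLOAD)))
    print("encoded text     :", render_text_encoded(TEXT_PAYLOAD))
```

The naive attribute rendering comes out as `<input name="display" value="" onfocus="alert(1)" autofocus="">`: the filter never fired, and the page now auto-focuses an element with an attacker-controlled handler. The encoded version keeps the whole payload as the literal attribute value (the parser unescapes it back to the original string), which is exactly the behaviour you want: the data survives intact and has no effect on page structure. For the text context, stripping brackets does prevent the script tag, but it also silently corrupts the value, whereas encoding preserves it.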