What were the top 10 web exploits used by malicious attackers in 2018?

16 Jan 2019

Image: © maciek905/Stock.adobe.com

WhiteHat Security outlines the most prevalent web exploits used last year and what you can do about them.

On a daily basis, you are likely to interact with a variety of applications as you go about your business. While apps are critical for the growth of many businesses, vulnerabilities and risks continue to surface. From Ticketmaster to British Airways, many companies fell victim to application security vulnerabilities last year.

Today (16 January), WhiteHat Security experts have revealed the most common web exploits used by malicious actors, in an effort to reduce the number of breaches and incidents in 2019. The top 10 application security vulnerabilities of 2018 reflect a combination of observed trends from the WhiteHat Security vulnerability data lake and the active customer feedback on the threats across its enterprise application portfolio.

The top 10 web exploits of 2018

jQuery File Upload RCE – CVE-2018-9206

jQuery File Upload is a popular open source package that allows users to upload files to a website. The flaw, assigned a CVE identifier, can be abused by uploading a web shell and using it to run commands on the server.

This vulnerability can be traced back to 2015, and all versions prior to 9.22.1 are vulnerable. Organisations should ensure any site using jQuery File Upload is updated to the most current version.

Magecart

Although not a CVE, Magecart is a card-skimming attack that cannot be overlooked. It originated from a black-hat group in 2018, and companies such as Ticketmaster, British Airways, Feedify, ABS-CBN and Newegg were among the victims of this attack.

It breaches systems and replaces the JavaScript that handles payments with malicious code. This code sends payment details to the hackers, unbeknownst to the end user. Bryan Becker of WhiteHat Security has detailed how companies can defend against this attack.
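The swapped-script technique only works if the browser will run whatever the server, or a compromised third party, currently serves. The Python below is an added example, not from the article or WhiteHat, showing the Subresource Integrity (SRI) pin a site operator places on the payment script and the server-side re-check that detects a changed file. The script bodies and the CDN URL are constructed stand-ins.

```python
"""Pin a payment page's scripts with Subresource Integrity and re-check them.

Added example, not from the article or WhiteHat. SRI makes the browser refuse a
script whose digest no longer matches the value pinned in the <script> tag, and
the same digest lets a monitoring job detect the swap on the server side. All
script bodies and URLs below are constructed stand-ins.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for a script body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Render the pinned tag; crossorigin is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_value(body)}" crossorigin="anonymous"></script>'


def matches_pin(body: bytes, pinned: str) -> bool:
    """True if a freshly fetched body still matches the pinned integrity value."""
    algo, _, _ = pinned.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_value(body, algo), pinned)


def changed_scripts(pins: dict, fetched: dict) -> list:
    """Monitoring step: return the URLs whose current body no longer matches its pin."""
    return [url for url, pinned in pins.items() if not matches_pin(fetched.get(url, b""), pinned)]


# Constructed: the payment script the site operator reviewed and pinned.
BASELINE_SCRIPT = b"function submitPayment(form) { return fetch('/api/pay', {method: 'POST', body: new FormData(form)}); }\n"
# Constructed: the same file after an unauthorised change. Any change, however
# small, alters the digest and makes SRI-enforcing browsers refuse to run it.
TAMPERED_SCRIPT = BASELINE_SCRIPT + b"/* one extra line */\n"
PAYMENT_URL = "https://cdn.example.test/js/payment.js"

if __name__ == "__main__":
    print(script_tag(PAYMENT_URL, BASELINE_SCRIPT))
    pins = {PAYMENT_URL: sri_value(BASELINE_SCRIPT)}
    print("changed after tampering:", changed_scripts(pins, {PAYMENT_URL: TAMPERED_SCRIPT}))
```

SRI only helps for scripts whose content is expected to stay fixed, so the pin must be refreshed as part of every legitimate release of the payment script; the `changed_scripts` check then doubles as a guard that no release went out without a re-pin.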

WordPress DoS

In WordPress, this CVE means unauthenticated users can perform a denial of service (DoS) attack by abusing the load-scripts.php file to request a large number of JavaScript files in a single request. Each such request quickly consumes server resources, and a stream of them leads to a DoS.
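Because the abuse is visible in the request itself, one defensive signal is how many script handles a single load-scripts.php request asks for. The Python below is an added example, not from the article, WhiteHat or WordPress, that runs that check over constructed access-log lines; the threshold of 20 handles is an assumption to tune against a site's normal admin traffic.

```python
"""Flag load-scripts.php requests that bundle an abnormal number of script handles.

Added example, not from the article or WordPress. load-scripts.php takes a
comma-separated list of script handles in its `load[]` parameter; the DoS
described above packs far more handles into one request than any real admin
page does, so the handle count per request is a cheap detection signal.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (combined log format); the third request asks for
# 40 made-up handles, the kind of outlier this check is meant to surface.
ABUSIVE_HANDLES = ",".join(f"handle-{i}" for i in range(40))
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [16/Jan/2019:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9 HTTP/1.1" 200 91234',
    '203.0.113.10 - - [16/Jan/2019:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2456',
    f'198.51.100.7 - - [16/Jan/2019:10:00:03 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D={ABUSIVE_HANDLES} HTTP/1.1" 200 402112',
])

# Request-line parser: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Tuning assumption: legitimate admin pages request well under this many handles.
MAX_HANDLES = 20


def count_load_handles(target: str) -> int:
    """Return how many script handles a request target asks load-scripts.php for."""
    url = urlparse(target)
    if not url.path.endswith("/load-scripts.php"):
        return 0
    params = parse_qs(url.query)  # decodes %5B%5D, so the key arrives as 'load[]'
    handles = 0
    for key in ("load[]", "load"):
        for value in params.get(key, []):
            handles += sum(1 for h in value.split(",") if h)
    return handles


def find_suspicious(log_text: str, max_handles: int = MAX_HANDLES) -> list:
    """Return one record per request whose handle count exceeds max_handles."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        count = count_load_handles(match.group("target"))
        if count > max_handles:
            hits.append({"ip": match.group("ip"), "ts": match.group("ts"), "handles": count})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} requested {hit['handles']} handles in one load-scripts.php call")
```

The same count can feed a rate limiter or WAF rule in front of wp-admin; patching remains the fix, and this only makes the traffic visible while the upgrade is scheduled.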

Drupalgeddon 2

With the disclosure of Drupalgeddon 2 and the immediate release of a proof-of-concept (PoC) exploit, more than 100,000 websites running the open source CMS Drupal were considered vulnerable to this remote code execution vulnerability. The exploit worked by injecting a render array containing executable code and then tricking the application into rendering it.

Upgrading to the most recent version of Drupal 7 or 8 core mitigates the vulnerability. The vulnerability was used to infect servers with cryptocurrency miners, among other things.
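Drupal render arrays carry their properties in keys beginning with `#`, and the injection above depends on such keys reaching the renderer from user-controlled request data. Part of the core fix was a request sanitizer that strips `#`-prefixed keys from query, body and cookie data before any module sees it. The Python below is an added example, not Drupal's code and not from the article: a simplified stand-alone version of that idea, written so that the stripped paths can be logged as a detection signal.

```python
"""Strip render-array property keys from untrusted request data.

Added example, not Drupal's code and not from the article. It recursively removes
any mapping key that starts with '#' from the user-controlled parts of a request
and records where each one was found, since a request carrying render properties
is itself worth alerting on.
"""


def strip_dangerous_keys(data, removed=None, path=""):
    """Recursively remove mapping keys that start with '#'.

    Returns (clean_copy, removed_paths); the input is not modified.
    """
    if removed is None:
        removed = []
    if isinstance(data, dict):
        clean = {}
        for key, value in data.items():
            here = f"{path}[{key}]"
            if isinstance(key, str) and key.startswith("#"):
                removed.append(here)  # dropped, and recorded for logging
                continue
            clean[key], _ = strip_dangerous_keys(value, removed, here)
        return clean, removed
    if isinstance(data, list):
        return [strip_dangerous_keys(v, removed, f"{path}[{i}]")[0] for i, v in enumerate(data)], removed
    return data, removed


def sanitize_request(query: dict, body: dict, cookies: dict) -> dict:
    """Sanitize the three user-controlled sources and report what was removed."""
    result, removed = {}, []
    for name, source in (("query", query), ("body", body), ("cookies", cookies)):
        result[name], dropped = strip_dangerous_keys(source, path=name)
        removed.extend(dropped)
    result["removed"] = removed  # non-empty: someone sent render properties, alert on it
    return result


if __name__ == "__main__":
    # Constructed request: an ordinary form post with one nested '#'-prefixed key smuggled in.
    body = {"form_id": "example_form", "field": {"value": "hello", "#unexpected": "x"}}
    print(sanitize_request({"q": "1"}, body, {"session": "abc"}))
```

Sanitizing at the request boundary is a mitigation for unpatched sites and a useful alert source; it does not replace upgrading core, which fixes the rendering path itself.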

Drupalgeddon 3

Drupalgeddon 3 followed soon after the patch for Drupalgeddon 2; it reported that the exploit could still be achieved using the destination parameter in Drupal. This parameter could be found on the cancel links shown when confirming deletions in various Drupal 7 functions.

It also required the attacker to be authenticated and to have delete permissions. Again, upgrading to the most recent version of Drupal 7 or 8 core mitigates the issue.

Telerik’s RadAsyncUpload

RadAsyncUpload uses a default, hardcoded key, which, if not changed, allows an attacker to decrypt the data and modify configurations such as ‘where to upload the file’ and ‘what are the allowable extensions’. The hacker can encrypt data and send it back to the server with a request, which results in unrestricted file upload. WhiteHat advises setting strong custom encryption keys to protect against this threat.
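The jQuery File Upload and RadAsyncUpload issues above come down to the server trusting something the client chose: the uploaded name and extension in one case, an attacker-modified configuration saying where to store the file and which extensions to allow in the other. The Python below is an added example, not code from jQuery File Upload, Telerik or the article, showing an upload policy that lives only on the server: a fixed extension allow-list, a magic-byte check on the content, a random storage name, and a destination confined to the upload directory. The `ALLOWED` table, size cap and upload root are assumptions for the example.

```python
"""Server-side policy for a file-upload endpoint.

Added example, not code from jQuery File Upload, Telerik's RadAsyncUpload or the
article. Nothing the client sends (name, extension, requested sub-directory) is
used as-is: the extension is checked against an allow-list, the content against
the extension's magic bytes, and the stored name is random.
"""
import os
import secrets
from pathlib import Path

# Allow-list (assumption): extension -> byte prefixes the content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 10 * 1024 * 1024  # size cap, another server-side choice


class UploadRejected(ValueError):
    """Raised for any upload that fails policy; the message is safe to log."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the normalised, allowed extension for this upload or raise UploadRejected."""
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    if "\x00" in filename:
        raise UploadRejected("null byte in file name")
    # Clients may send a full path; only the final component is considered.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def safe_destination(upload_root: str, ext: str, subdir: str = "") -> str:
    """Build a storage path under upload_root, rejecting anything that would escape it.

    The stored name is random and carries only the validated extension, so the
    client-chosen name never reaches the filesystem.
    """
    root = Path(upload_root).resolve()
    target_dir = (root / subdir).resolve()  # an absolute or '..' subdir resolves outside root
    if target_dir != root and root not in target_dir.parents:
        raise UploadRejected("destination outside upload directory")
    return str(target_dir / f"{secrets.token_hex(16)}{ext}")


def store_upload(filename: str, content: bytes, upload_root: str, subdir: str = "") -> str:
    """Validate, pick a confined destination, write the bytes and return the path."""
    ext = validate_upload(filename, content)
    dest = safe_destination(upload_root, ext, subdir)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest
```

The upload root should sit outside the web root, or be served with script execution disabled, so that even a file that slips past the content check is only ever delivered as static data.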

Spring Data Commons

Within the Spring Framework, Spring Data Commons provides an API for accessing NoSQL and relational databases. However, in versions 1.13 prior to 1.13.10, 2.0 prior to 2.0.5, and older unsupported versions of Spring Data Commons, the MapDataBinder class could be exploited through projection-based request payload binding using Spring Expression Language (SpEL) injection, leading to remote code execution. Upgrading the version remediates the vulnerability.

Cross-site scripting

While cross-site scripting (XSS) can occur wherever the server fails to validate input and encode output, CVE-2018-1999024 was created to report an instance in MathJax where a certain macro could be manipulated to execute malicious JavaScript in the victim’s browser. Upgrading to version 2.7.4 remediates this specific XSS instance.

Flash Player hack

Remote code execution is possible in Adobe Flash Player before version 28.0.0.161.

The issue lies within the Primetime software development kit, which contains a dangling pointer in the media player’s handling of the listener object. A successful attack can lead to arbitrary code execution, and the flaw was exploited in the wild in January and February 2018.

Spring OAuth Approval

The default approval endpoint for Spring Security OAuth in versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15, and older unsupported versions is vulnerable to remote code execution through Spring Expression Language (SpEL) injection.

The remote code execution occurs when a malicious attacker crafts an authorisation request to the authorisation endpoint and the resource owner is then forwarded to the approval endpoint. To ensure sites are not vulnerable, companies should upgrade to the latest version.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects