A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.
The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week by risk analysis firm RiskSense.
In terms of programming languages, vulnerabilities in PHP and Java apps were the most weaponized bugs of the last decade.
Keep an eye on Node.js and Django
"Likewise, Django had 66 vulnerabilities with only one weaponized.
Injection vulnerabilities are the most sought after
But RiskSense researchers didn't only look at what application bugs were getting weaponized. They also looked at the vulnerability types.
Per the research team, while cross-site scripting (XSS) bugs were the most common security bugs disclosed in the 2010s, they were not the most weaponized ones.
That title goes to "injection-based" vulnerabilities, which can be abused to allow hackers to inject and run their own commands in the context of the victim's app or OS.
"Vulnerabilities tied to SQL injection, code injections, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%," the RiskSense team said.
"In fact, the top 3 weaknesses by weaponization rate were Command Injection (60% weaponized), OS Command Injection (50% weaponized), and Code Injection (39% weaponized)," researchers added.
Readers interested in learning more about vulnerability weaponization trends for the last decade can find out more in RiskSense's 22-page report, titled "Cracks in the Foundation: Web and Application Framework Vulnerabilities."