IT security staff and ethical hackers are constantly playing a game of cat-and-mouse as hackers employ their nefarious tricks of the trade to break into systems, report vulnerabilities, and get paid for their efforts.

It’s a win-win situation: organisations get to patch potentially devastating security oversights and hackers walk away with a nice bit of perfectly legal cash.

The amount a company will pay naturally depends on the nature and scale of the vulnerability.

In early October, for example, five cybersecurity researchers picked up over $410,000 for successfully breaking into Apple.

So if you wanted to start getting paid for your hacking efforts – or avoid having to make a pay-out – what should you look out for?

According to data from cybersecurity firm HackerOne, the following are the top ten most valuable vulnerabilities regularly found by hackers:

  1. Cross-site Scripting (XSS)
  2. Improper Access Control
  3. Information Disclosure
  4. Server-Side Request Forgery (SSRF)
  5. Insecure Direct Object Reference (IDOR)
  6. Privilege Escalation
  7. SQL Injection
  8. Improper Authentication
  9. Code Injection
  10. Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) is a form of attack where that sees the bad actor inject malicious code that tricks the website into running an unauthorised script.

This vulnerability can exist in any web application that has user inputs, such as comment boxes or search bars.

If the input is not appropriately sanitised – built such that it does not parse user input as back-end code – then hackers can trick the site into reading a search query, for example, as Javascript that it will execute.

Cross-site scripting vulnerabilities accounted for 18 per cent of those reported by ethical hackers between May 2019 and April 2020.

But while this attack vector can alone be devastating, organisations spent, on average, just $715 to bounty hunters.

Miju Han, HackerOne’s Senior Director of Product Management, said it shows how bug bounty and penetration testing programs were a value-for-money way to secure systems.

“Unlike traditional security tools and methods, which become more expensive and cumbersome as goals change and attack surface expands, hacker-powered security is actually more cost-effective as time goes on,” Han said.

“With hackers, it’s becoming less expensive to prevent bad actors from exploiting the most common bugs.”

The HackerOne data also shows that trends in common vulnerabilities has been changing over recent years.

Server-side request forgery (SSRF) vulnerabilities have become more common in the past 12 months as organisations continue leveraging cloud infrastrucutre for digital transformation projects.

These forms of attack see bad actors modify requests sent through web apps that can reach other resources or devices that were supposed to be protected by firewalls.

Another interesting finding from HackerOne is that the number of SQL injection vulnerabilities has steadily declined.

Similar to XSS attacks, SQL injections tend to involve inputting non-common strings of text into website input boxes that cause the application to output information about an underlying database.

This can lead to the discovery of passwords and other sensitive information.

HackerOne said the fact SQL injections are becoming less prominent is a sign that modern mitigation methods are stamping out this attack surface.