Low-Hanging Fruit (LHF) are vulnerabilities that are easy to find and exploit. We certainly don't want these types of issues in our websites, especially if they can be quickly mitigated with a small amount of effort. In network security, scanning does the trick for LHF identification. Unfortunately, in website security, though scanning is absolutely vital, it's not that simple or sufficient. That's because LHF may fall into either technical vulnerabilities, which website vulnerability scanners can find, or business logic flaws, of which they can find few, if any.
Technical vulnerabilities, including Cross-Site Scripting (XSS) and SQL Injection, can be found in large supply by scanners and usually can be classified as LHF. For instance, when a website echoes user-supplied HTML, that's a dead giveaway of an XSS vulnerability. The same goes for SQL Injection and the notorious ODBC error messages dumping database statements. These instances are easy to spot and exploit. Though as common as these issues are, they're not always classifiable as LHF.
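To make the two "dead giveaways" concrete, here is an added example (not code from the original post or from WhiteHat) that puts the vulnerable pattern beside its hardened form for each: a handler that echoes user-supplied HTML verbatim next to one that escapes it, and a lookup that concatenates input into SQL and returns the raw database error next to one that uses a parameterized query and keeps the detail in a server-side log. It also includes the kind of benign check a scanner runs to spot each giveaway. The in-memory SQLite table, the `users` schema and the marker string are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory database standing in for the site's real backend (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn

# --- Vulnerable: user-supplied value placed into HTML verbatim (reflected XSS giveaway) ---
def greet_vulnerable(name):
    return "<p>Hello, " + name + "!</p>"

# --- Hardened: escape untrusted data before it becomes HTML text content ---
def greet_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"

# --- Vulnerable: string concatenation into SQL, raw DB error returned to the client ---
def lookup_vulnerable(conn, name):
    try:
        cur = conn.execute("SELECT id FROM users WHERE name = '" + name + "'")
        row = cur.fetchone()
        return {"ok": True, "id": row[0] if row else None}
    except sqlite3.Error as exc:
        # The statement fragment in the error is exactly what the post calls a giveaway.
        return {"ok": False, "error": str(exc)}

# --- Hardened: parameterized query, generic error to the client, detail to the log ---
def lookup_hardened(conn, name, log):
    try:
        cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
        row = cur.fetchone()
        return {"ok": True, "id": row[0] if row else None}
    except sqlite3.Error as exc:
        log.append(str(exc))          # operators see the detail, the client does not
        return {"ok": False, "error": "lookup failed"}

# Scanner-style checks: a harmless marker coming back unescaped, or a single quote
# producing a database syntax error, are the signals a scanner keys on.
MARKER = "<b>lhfcheck</b>"  # constructed, inert marker

def reflects_raw_html(render):
    return MARKER in render(MARKER)

def leaks_db_error(lookup):
    result = lookup("o'reilly")   # an ordinary name containing a quote character
    return (not result["ok"]) and "syntax" in result["error"].lower()

if __name__ == "__main__":
    conn = make_db()
    log = []
    print("vulnerable greeting reflects HTML:", reflects_raw_html(greet_vulnerable))
    print("hardened greeting reflects HTML:  ", reflects_raw_html(greet_hardened))
    print("vulnerable lookup leaks error:    ", leaks_db_error(lambda n: lookup_vulnerable(conn, n)))
    print("hardened lookup leaks error:      ", leaks_db_error(lambda n: lookup_hardened(conn, n, log)))
```

The two checks are deliberately simple because the defects they catch are simple; that is what makes the vulnerable variants LHF. The hardened variants remove the giveaway rather than hide it: output encoding means the marker never reaches the page as markup, and parameterization means a quote in a name is data, so there is no error to suppress in the first place.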
New XSS issues in YahooMail, MySpace, Gmail, sla.ckers.org (heh) and other high profile websites have become significantly harder to come by because so many people already cherry picked the easy stuff. Discoveries often rely on clever filter-bypass tricks (XSS Cheat Sheet), complex input encoding techniques (UTF-7 or US-ASCII), or sophisticated combinations. SQL Injection exploits frequently have to be performed blind because helpful error messages are suppressed. These instances could be comfortably labeled Mid-tier or even (shall we say) Golden Apples since they reside far out of the reach of scanners, and most humans for that matter.
Then we have business logic flaws like Abuse of Functionality and Insufficient Authentication/Authorization. These mostly require humans (security experts) to uncover them even when classifiable as LHF. For example, during the MacWorld 2007 Expo, several people discovered an easy (LHF) way to obtain free Platinum Passes (a $1,695 value with a chance to see Apple's CEO Steve Jobs up close). By viewing the source code of the sign-up web page, they found "hidden" Priority (Discount) Codes freely usable during registration. Unlike humans, scanners wouldn’t recognize the significance of Priority Codes, how to use them, what the page looks like when they're accepted/denied, let alone being able to pick up the badge to verify the attack succeeded.
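The MacWorld case comes down to one design decision: whether a discount code is something the page hands to the client or something the server binds to an invitee. The added example below (not code from the original post, from WhiteHat or from the Expo's registration system) shows a flawed sign-up flow that embeds its priority codes in the form and honours any of them, beside a hardened flow that issues codes server-side, ties each to an email address and makes it single-use. The code table, prices, invitee addresses and form markup are all constructed for the example; the $1,695 pass price is the figure given in the post.

```python
import secrets

# Constructed table of priority codes and percentage discounts (assumption).
PRIORITY_CODES = {"SPEAKER100": 100, "PRESS50": 50}

# --- Flawed: codes embedded in the page so a client-side script can validate them ---
def render_form_flawed():
    hidden = "".join(
        '<input type="hidden" name="valid_code" value="%s">' % code
        for code in PRIORITY_CODES
    )
    return "<form>" + hidden + '<input name="code"></form>'

def register_flawed(submitted_code, base_price):
    # Honours any code the page itself advertised; nothing ties the code to a person
    # and nothing stops the same code being reused indefinitely.
    pct = PRIORITY_CODES.get(submitted_code, 0)
    return {"status": "ok", "price": base_price * (100 - pct) // 100}

# --- Hardened: codes issued server-side, bound to an invitee, single-use ---
ISSUED = {}   # code -> {"email": ..., "pct": ..., "used": bool}; server-side state only

def issue_code(email, pct):
    code = secrets.token_urlsafe(12)   # unguessable; never written into any page
    ISSUED[code] = {"email": email, "pct": pct, "used": False}
    return code

def render_form_hardened():
    # The page carries no codes, so viewing its source reveals nothing to reuse.
    return '<form><input name="email"><input name="code"></form>'

def register_hardened(email, submitted_code, base_price):
    entry = ISSUED.get(submitted_code)
    if entry is None or entry["used"] or entry["email"] != email:
        # Same "ok" response and full price: an invalid code is not an error condition
        # a scanner could key on, which is why this class of flaw needs a human reviewer.
        return {"status": "ok", "price": base_price}
    entry["used"] = True
    return {"status": "ok", "price": base_price * (100 - entry["pct"]) // 100}

# Defender-side check: does any discount code appear in the rendered page source?
def codes_visible_in_page(page_source, codes):
    return [c for c in codes if c in page_source]

if __name__ == "__main__":
    print("flawed page leaks:", codes_visible_in_page(render_form_flawed(), PRIORITY_CODES))
    code = issue_code("press@example.com", 50)   # constructed invitee
    print("hardened page leaks:", codes_visible_in_page(render_form_hardened(), [code]))
    print("wrong invitee:", register_hardened("someone@example.com", code, 1695))
    print("right invitee:", register_hardened("press@example.com", code, 1695))
    print("reuse attempt:", register_hardened("press@example.com", code, 1695))
```

Note that both flows return `status: ok` whether or not a discount applied; the difference is only visible in the resulting price and in who could obtain it. That is the point the post makes about scanners: there is no error string or reflected marker to detect, only a business outcome that someone who understands what a Priority Code is for has to judge. The `codes_visible_in_page` check is the one piece of this a tool can automate, and it only works if the reviewer already knows which strings matter.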
WhiteHat Security's engineers continually discover a wide variety of LHF business logic flaws in a majority of the websites they assess. The more sophisticated the business logic flaw, the more expertise is required to identify the vulnerability and its remediation. Anyone can find one or two business logic flaws, but it takes a team of experts to try to find them all, all of the time. That's a big reason why good, complete website vulnerability management is so hard to achieve.
From my experience, any class of attack can be LHF, Mid-tier, or Golden Apples. And, any vulnerability identifiable through a purely automated fashion (a scanner) can be classified as LHF – since anyone without much skill may buy/download a scanner, find a few technical vulnerabilities, and begin exploiting websites. Still, WhiteHat believes the goal of an effective website security program should be to find and manage all the vulnerabilities all the time. Weeding out the LHF can be a good first step. There’s no reason to make exploiting websites that easy for the bad guys.