Vulnerabilities in 90 percent of Web sites
Written by Rebecca Mints
Wednesday, 26 March 2008 17:37
According to White Hat Security, nine out of 10 Web sites are vulnerable to some sort of attack. On average, each Web site has seven vulnerabilities, which leaves it open to attack. Successful exploitation can lead to system outages, incident handling costs, legal liability, brand damage, loss of business, or regulatory sanctions and fines.

The biggest threat cited in the report is XSS (Cross-Site Scripting), which is believed to affect about 70 percent of Web sites. An XSS attack occurs when a Web application gathers malicious data supplied by a user and reflects it back into the page, most commonly by way of a hyperlink that carries the malicious content.
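The reflected flavour of XSS the report describes, shown as an added example (not code from the article or from White Hat Security): a handler that copies a parameter from the clicked hyperlink straight into its HTML, beside the same handler with output encoding. The host name and the `greet` endpoint are constructed for the example.

```javascript
// Added example: reflected XSS via a crafted hyperlink, vulnerable vs. hardened.
// Both handlers take the URL the victim followed and return the HTML the
// server would send back for it.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the "name" parameter from the link is inserted verbatim, so any
// markup carried by the link becomes markup in the page the browser renders.
function renderGreetingVulnerable(href) {
  const name = new URL(href).searchParams.get("name") ?? "guest";
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same parameter is entity-encoded before it reaches the page,
// so the browser shows the characters instead of interpreting them.
function renderGreetingSafe(href) {
  const name = new URL(href).searchParams.get("name") ?? "guest";
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed link of the kind the article describes (hypothetical host).
const link =
  "https://example.test/greet?name=" +
  encodeURIComponent("<script>alert(1)</script>");

console.log(renderGreetingVulnerable(link)); // script tag lands in the page
console.log(renderGreetingSafe(link));       // script tag rendered as text
```

The fix is applied at output, where the data meets the HTML; rejecting "bad" characters on input is not a substitute, since the same value may be rendered in several contexts.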

After XSS, the next most common threat is information leakage, found in 40 percent of Web sites. Information leakage is just what it sounds like: sensitive data such as account numbers or people's Social Security numbers is revealed to those who should not have access to it.

About 25 percent of Web sites are vulnerable to content spoofing, a way of tricking an Internet user into accessing spoofed content via e-mail, chat rooms or bulletin boards. It is commonly used as part of a phishing scam.

Rounding out the top five types of vulnerabilities found in Web sites are predictable resource allocation and SQL injection. Predictable resource allocation is the automated scanning of forgotten Web pages that may still contain sensitive data; it is found in about 16 percent of Web sites. SQL injection occurs when a hacker inserts malicious SQL statements into an application's input, tricking the back-end SQL database into revealing sensitive information that could lead to such things as identity theft.

Vulnerabilities six through 10 are: insufficient authentication; insufficient authorization; abuse of functionality; HTTP response splitting; and directory indexing.

Another type of vulnerability that is becoming a very popular exploit is CSRF (Cross-Site Request Forgery). This method preys on the trust a site has for a user. CSRF works by forcing a user's Web browser to send unintended HTTP requests, such as requests that download illegal content or initiate fraudulent wire transfers. While this type of vulnerability has not reached the top 10 yet, it is quickly on the rise and is expected to become second only to XSS.

Since Web site hacking is not going to go away, it is highly recommended that the appropriate action be taken. According to Mid-Market eWeek, a good plan of attack would be: "finding and prioritizing all Web site properties by designating their importance to the business and a party responsible for their security; finding and fixing Web site vulnerabilities by assessing them for weaknesses with each code change; remediation of vulnerabilities done on a schedule based on severity; implementing a secure software development process using an organizational standard development framework; and implementing an in-depth Web site vulnerability management strategy."


REFERENCES:
Mid-Market eWeek, "Report: 9 of 10 Sites Are Sitting Ducks"