XSS bugs, information leakage top list of website vulnerabilities

By Robert Westervelt, News Editor
18 May 2009 | SearchSecurity.com


Cross-site scripting (XSS) continues to top the list of vulnerabilities plaguing websites, according to the latest trend report from website vulnerability assessment vendor, WhiteHat Security Inc.

WhiteHat said about 70% of websites it scans are likely to have at least one critical website vulnerability, while another 63% are likely to have flaws that are in need of attention.

The security vendor found that the websites it scans have a 65% chance of containing XSS bugs, followed by information leakage (47%) and content spoofing errors (30%). The firm said business logic website vulnerabilities, which enable attackers to abuse the intended functionality of a site, occupied more than half of the top spots. Other errors in its top ten list, to be released tomorrow, include insufficient authorization, SQL injection, predictable resource location, session fixation, cross-site request forgery, insufficient authentication and HTTP response splitting.

"These are real, live production websites that showed a whole range of errors," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security.

The WhiteHat Website Security Statistics Report pulls together statistics based on more than 1,000 websites the vendor scans with its Web-based Sentinel vulnerability scanning software. The latest report contains data collected between January 1, 2006 and March 31, 2009.

Social networking sites topped the list of most vulnerable websites, with an 82% chance of having an urgent, critical or high severity vulnerability. They were followed by education websites, with a 76% chance of containing flaws, and IT websites came in a close third with a 75% chance.

Grossman said the state of website security is improving as companies with high-profile websites use scanning tools to find flaws and deploy Web application firewalls to apply virtual patches quickly to defend against cyberattacks.

"When you are able to assess on a weekly basis you can see what's working and what's not and adjust accordingly," Grossman said. "Virtual patches are an effective tool to address serious vulnerabilities quickly."

The security vendor said it took companies about 58 days on average to correct an XSS vulnerability. It took firms 85 days to correct website information leakage errors and about 71 days to fix content spoofing holes. Insufficient authentication, likely found in about 10% of the websites it scans, takes the longest to correct at about 125 days. Virtual patches, which allow companies to shield vulnerabilities through a Web application firewall, can significantly increase the time it takes to patch a critical hole.

WhiteHat labels content spoofing, insufficient authorization, HTTP response splitting, directory traversal and SQL injection flaws as needing the most urgent attention. The vendor said it uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.

The vendor will hold a webinar on Tuesday at 2 p.m. ET to discuss its study's findings. Grossman said the firm takes two approaches: how to treat sites that haven't been created with a more mature software development lifecycle and ways companies can secure websites already in full production.
