XSS bugs, information leakage top list of website vulnerabilities

By Robert Westervelt, News Editor
18 May 2009 | SearchSecurity.com


Cross-site scripting (XSS) continues to top the list of vulnerabilities plaguing websites, according to the latest trend report from website vulnerability assessment vendor WhiteHat Security Inc.

WhiteHat said about 70% of websites it scans are likely to have at least one critical website vulnerability, while another 63% are likely to have flaws that are in need of attention.

The security vendor found that the websites it scans have a 65% chance of containing XSS bugs, followed by information leakage (47%) and content spoofing errors (30%). The firm said business logic website vulnerabilities, which enable hackers to take advantage of the functionality of a site, occupied more than half of the top spots. Other errors in its top ten list, to be released tomorrow, include insufficient authorization, SQL injection, predictable resource location, session fixation, cross-site request forgery, insufficient authentication and HTTP response splitting.

"These are real, live production websites that showed a whole range of errors," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security.

The WhiteHat Website Security Statistics Report pulls together statistics based on more than 1,000 websites the vendor scans with its Web-based Sentinel vulnerability scanning software. The latest report contains data collected between January 1, 2006 and March 31, 2009.

Social networking sites topped the list of most vulnerable websites, with an 82% chance of having an urgent, critical or high severity vulnerability. They were followed by education websites, with a 76% chance of containing flaws, and IT websites came in a close third with a 75% chance of containing flaws.

Grossman said the state of website security is improving as companies with high-profile websites use scanning tools to find flaws and deploy Web application firewalls to apply virtual patches quickly to defend against cyberattacks.

"When you are able to assess on a weekly basis you can see what's working and what's not and adjust accordingly," Grossman said. "Virtual patches are an effective tool to address serious vulnerabilities quickly."

The security vendor said it took on average about 58 days for companies to correct an XSS vulnerability. It took firms 85 days to correct website information leakage errors and about 71 days to fill content spoofing holes. Insufficient authentication, likely found in about 10% of websites it scans, takes the longest to correct at about 125 days. Virtual patches, which allow companies to shield vulnerabilities through a Web application firewall, can significantly increase the time it takes to patch a critical hole.

WhiteHat labels content spoofing, insufficient authorization, HTTP response splitting, directory traversal and SQL injection flaws as needing the most urgent attention. The vendor said it uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.

The vendor will hold a webinar on Tuesday at 2 p.m. ET to discuss its study's findings. Grossman said the firm takes two approaches: how to treat sites that haven't been created with a more mature software development lifecycle and ways companies can secure websites already in full production.
