Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 25th, 2008

Nine Out Of Ten Websites Are Vulnerable To Attack

Nine out of ten public websites are vulnerable to attack, according to a new report from White Hat Security, a website security services vendor in Santa Clara, Calif. About 70% of sites suffer from XSS vulnerabilities, while two out of five are leaking sensitive data.

The report was released on March 24 and, among other things, it says that nine out of 10 websites have serious vulnerabilities, with an average of seven vulnerabilities per website. These issues leave websites open to attack, which can result in loss of business, loss of client or member databases, system outages, incident-handling costs, brand damage, legal liability, regulatory sanctions and fines.

The report mentioned the top vulnerability as XSS (Cross-Site Scripting), which occurs when a web application gathers malicious data from a user, usually via a hyperlink that contains malicious content. Cross-Site Scripting appears in about 70 percent of websites.
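The reflected XSS pattern the report describes, as an added illustration that is not part of the original post or the White Hat report: a page echoes a query-string parameter taken from a crafted hyperlink into its HTML body. The constructed sample link, the `shop.example` host and the function names are assumptions for the example; the hardened version HTML-entity-encodes the parameter for the body context so the markup is shown as text instead of being interpreted.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample hyperlink: the q= parameter carries HTML markup that a
# vulnerable page would reflect straight into its response body.
SAMPLE_LINK = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, URL-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Reflects the search term verbatim: the defect the report counts as XSS."""
    q = _query_param(url, "q")
    return f"<p>Results for: {q}</p>"


def render_search_hardened(url: str) -> str:
    """Same page, with the term entity-encoded for the HTML body context."""
    q = _query_param(url, "q")
    return f"<p>Results for: {escape(q, quote=True)}</p>"


def reflects_markup_unescaped(render, url: str) -> bool:
    """Simple check a reviewer can run: does the raw parameter value survive
    in the output as markup, i.e. with its angle brackets intact?"""
    raw = _query_param(url, "q")
    return "<" in raw and raw in render(url)


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_LINK))
    print(render_search_hardened(SAMPLE_LINK))
    print("vulnerable reflects markup:",
          reflects_markup_unescaped(render_search_vulnerable, SAMPLE_LINK))
    print("hardened reflects markup:",
          reflects_markup_unescaped(render_search_hardened, SAMPLE_LINK))
```

Entity encoding is correct only for the HTML body and attribute contexts; a value placed into a script block, a URL or a CSS property needs that context's own encoding.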

The next most reported vulnerability is information leakage, occurring in two out of five websites. It occurs when a website knowingly or unknowingly reveals sensitive information such as developer comments, user information, internal IP addresses, source code, software version numbers, error messages or error codes.

Next is content spoofing, occurring in one in four websites. Content spoofing, which is often used in phishing scams, causes an Internet user to unwittingly access spoofed content through e-mail, chat rooms or bulletin boards.

Rounding out the top five are predictable resource allocation—the automated scanning of forgotten web pages that might contain sensitive information, found on one in six sites—and SQL injection, a method of inserting malicious SQL statements into applications that confuse the back-end SQL database into giving up information and potentially leading to identity theft, among other compromises.

The rest of the top 10 are insufficient authentication, insufficient authorization, abuse of functionality, HTTP response splitting and directory indexing. CSRF (Cross-Site Request Forgery) didn’t make the top 10 but is rising fast. CSRF exploits the trust that a site has for a user: it can force a user’s web browser to send unintended HTTP requests, such as fraudulent wire transfers or requests to change passwords or to download illegal content. According to White Hat Security Chief Technology Officer Jeremiah Grossman, CSRF will break into the top 10 soon.

The report also ranked various verticals in terms of how well they executed website security. Retail came out on top, while the worst verticals were insurance, IT, health care and financial services.

Website attacks are showing no signs of slowing down, and action should be taken as soon as possible.
