Security Watch | Matt Hines

April 23, 2007

One third of all sites vulnerable to data attack

New research published by WhiteHat Security concludes that nearly one out of every three Web sites has a serious vulnerability that could lead to an external attack or data leakage.

According to the second-ever installment of the vulnerability specialists' Web Application Security Risk Report -- which spans 15 months of vulnerability assessment of millions of active URLs worldwide dating from Jan. 1, 2006 to March 31, 2007 -- cross-site scripting (XSS) vulnerabilities continue to dominate, with nearly 70 percent of all URLs that the company tested found to be open to that manner of threat.

In a nod to the growing problem of data theft, the second most common type of weakness cited by WhiteHat and its founder/CTO Jeremiah Grossman is its "information leakage" genre of vulnerability -- which means that just like our friends at TJX Companies, these sites can be hacked and mined for data.

The ever-popular "content spoofing" problem is another Web site security problem that won't seem to go away, and other time-honored weaknesses that continue to show up in significant numbers are SQL injection holes and sites that utilize insufficient "authorization controls."

Despite the numbers -- which specifically found that 67 percent of all sites that were studied could be infected using XSS hacks -- WhiteHat said that there are actually fewer URLs online today that are vulnerable to XSS and SQL threats than it found in its previous round of research.

"This may indicate that organizations are beginning to address the growing number and severity of website attacks; however, logical vulnerabilities such as insufficient authorization, where an attacker gains unauthorized access to protected sections of a Web site, have not decreased," the firm said in a synopsis of the report.

When I last interviewed Grossman, he told me that WhiteHat is being hired by a number of well-known financial services and e-commerce companies to hack their transactional systems for potential weak points -- and that they are finding as many, if not more, vulnerabilities in those systems than ever.

In addition to well-established threat vectors, including those listed above, he cited the increasing use of Web 2.0 programming techniques such as AJAX as another growing issue in online security.

As much money as these companies are spending on security tools and consulting services, it appears that most still value the speed with which they can get some type of business application up and running over any related security concerns.

"You would be amazed by the stuff we find; it's easy to tell that these companies are telling their developers to build something that works fast without giving the proper consideration to securing it first," Grossman said. "We are talking about critical transactional systems at some of these companies; I think it's fair to say that a lot of these companies are getting ripped off [by cyber-criminals, not security vendors] and we'll never hear about a lot of it."

Posted by Matt Hines on April 23, 2007 02:07 PM