February 28, 2008 | Comments: (0)

Pervasive Web apps flaws under siege

The volume of threats leveled at Web-based applications continues to surge, and the sheer number of flaws present in many such programs is making it easy for attackers to succeed in their efforts to steal data and generate income, according to the latest research report issued by Cenzic.

Researchers with the application security testing specialist estimate that 71 percent of all the vulnerabilities reported worldwide during Q4 2007 were related to Web apps -- affecting everything from servers to browsers -- a three percent increase over the previous quarter.

The biggest issue contributing to the growth in the problem appears to be a lack of secure development skills among those people creating the programs.

For instance, of the reported flaws, applications developed using PHP accounted for roughly 30 percent of the vulnerabilities, a slight dip from Q3 2007, when they represented 31 percent of the security holes.

However, because vulnerabilities found in the PHP programming language itself accounted for less than one percent of the flaws, most of the issues continue to arise purely from insecure code development practices, the company said.

Even worse, Cenzic contends that roughly 70 percent of all the reported Web applications vulnerabilities could be classified as "trivially exploitable."

Unless coders begin to improve their techniques for writing Web applications, the situation is likely to get worse before it gets better, experts said, as the continued demand among business users for new Web-based business tools, combined with a lack of secure development skills, fuels the issue.

"Some might look at the trend and feel good about the total number of vulnerabilities stabilizing. Personally, I think it's alarming. In 2007 alone, we had over 4,000 application related published vulnerabilities," said Mandeep Khera, vice president of marketing at Cenzic.

"While attacks through Web applications continue to occur at an astounding pace, very few organizations are doing anything about securing their Web applications," he said. "Corporations have to [put a stop to] this inertia before it's too late."

Cenzic reports that vulnerabilities in server or Web application server technologies accounted for approximately 10 percent of all the vulnerabilities in Q4 2007, a one percent gain over the previous quarter.

Flaws found in Web browsers represented some five percent of all the reported application flaws, down three percent from Q3 2007.

Vulnerabilities in multimedia applications, including Microsoft's Windows Media Player and Apple's QuickTime, accounted for only one percent of the flaws during the fourth quarter, a four percent reduction compared with the third quarter.

Cenzic noted that vulnerabilities discovered in other browser-based tools were also down during Q4, with ActiveX-based issues accounting for less than one percent of the total volume.

The company reported that vulnerabilities that could lead to cross-site scripting and SQL injection attacks remained at almost the same level of frequency as in previous quarters.

However, the percentage of Web application security flaws of the kinds highlighted in the Open Web Application Security Project's (OWASP) Top 10 list grew by almost 8 percent, including more frequent directory traversal and cross-site request forgery (CSRF) problems.

The ability of attackers to exploit cross-site scripting remains a serious problem, Cenzic contends: 21 percent of the Web application vulnerabilities reported during Q4 could be exploited through such attacks, a one percent increase over Q3 2007.

The company said that cross-site scripting was the most frequently reported type of Web application vulnerability during Q4 2007. In the real world, as opposed to only those vulnerabilities that are reported publicly, the company said it expects the problem to be far more prevalent.

As Khera noted, some of the numbers may appear to make it seem that things are actually improving in the world of Web applications vulnerabilities, but the problem has become so pervasive that the minor gains do not represent much real improvement.

"In 2007, we saw a number of creative and lethal security attacks; Web site hacking continued to gain momentum as hackers had a field day exploiting vulnerabilities across all geographies and across different types of Web applications," Cenzic said in its report summary.

"From SQL Injection Robot to a Russian Malware gang attacking a government site to exploitation of various Google vulnerabilities to various universities – attacks continue," the report states. "Financial gains continue to be the primary goal but we also saw attacks to steal intellectual property, student records, and a few defacement incidents. The bad guys go where the vulnerabilities are and Web applications are certainly appealing and inviting to these constituents."

Posted by Matt Hines on February 28, 2008 11:44 AM
