Security Watch | Matt Hines

March 24, 2008
Most sites still hack-able

The latest research report out of Web applications security specialist WhiteHat finds that most sites are still woefully vulnerable to hacker attacks.

Just as in its previous reports, WhiteHat estimates that some 90 percent of sites are hack-able; the company has attached the same figure to several earlier editions of the study.

The message? Things aren't getting much better out there!

Over the two years WhiteHat has been issuing the report, the company has found that the volume and variety of Web site vulnerabilities have only continued to rise, and this time around its researchers tab Cross-Site Request Forgery (CSRF) as the next big thing.

According to the company, nine out of ten sites still have serious vulnerabilities with an average of seven vulnerabilities per site.

The leading vulnerability classes WhiteHat observes on the Net haven't budged much in recent months either: classic techniques including SQL injection, buffer overflows and cross-site scripting (XSS) still lead the way. However, the company predicts that CSRF threats will soon begin to multiply.

Cross-Site Request Forgery (CSRF), as OWASP defines it, is an attack that tricks an end user into loading a Web page that contains a malicious request. The lure resembles a traditional phishing attack or an XSS attack, but the forged request itself works for a different reason: the victim's browser automatically attaches the victim's session cookie to any request it sends to the target site, no matter which page triggered that request, so the target site cannot tell the forged request from a genuine one.

Using the technique, attackers ride on the victim's identity and privileges to carry out actions such as changing the victim's password on a banking site, or placing fraudulent orders in the victim's name on an e-commerce site. In some cases the malicious request is planted on the vulnerable site itself, for example inside user-submitted content that the site renders for other visitors.

CSRF attacks are also known by a number of other names, including XSRF, Sea Surf, Session Riding, Cross-Site Reference Forgery, and Hostile Linking.

WhiteHat researchers said that attackers using CSRF exploits can "easily" manipulate today's Web browsers into sending unintended HTTP requests that make fraudulent wire transfers, change passwords, or download illegal content.

Based on its research, the company expects CSRF attacks eventually to move into the number two spot behind XSS in terms of their frequency among the leading site hacking techniques.

The report also breaks down the vulnerabilities found on the sites of companies in specific vertical markets. In those results the retail sector is performing better than other segments at protecting its sites from attack, according to the study.

Other vertical markets did not fare as well. Insurance headed the list, with 84 percent of sites carrying vulnerabilities of urgent, critical or high severity, followed by IT companies at 72 percent, healthcare at 64 percent, and financial services at 60 percent.

However, WhiteHat researchers point out that while some industries stand better than others, the difference is "largely insignificant" when it comes to keeping a site from being exploited, since an attacker needs only a single vulnerability to get a hook in.

Beyond the risk of attack, the experts said, many companies' weak site security also exposes them to potential compliance violations.

"With the amount of transactions and activities conducted online and upcoming compliance deadlines such as PCI DSS 6.6, organizations need to be more proactive than ever in protecting sensitive data," Jeremiah Grossman, founder and chief technology officer at WhiteHat, said in a report summary.

WhiteHat will be hosting a webinar to reveal more of the report findings on Wednesday, March 26, 2008 at 11:00 a.m. PT / 2:00 p.m. ET.

Posted by Matt Hines on March 24, 2008 04:11 PM