Application Security

8/16/2018
03:50 PM

Active Third-Party Content the Bane of Web Security

New report shows many of the world's most popular sites serve up active content from risky sources.

It isn't just seedy websites putting browsers at risk anymore: A new report out today shows how the state of the Web today has been rocked by the increasingly toxic combination of dynamic content and the use of third-party data sources to serve up that active content.

"So many people talk about how risky the Web is today, but it is really important to understand why. What's changed over the last 10 years?" says Kowsik Guruswamy, CTO of Menlo Security. "Back in the day you didn't have JavaScript, you didn't have Flash, there were no complicated ad networks and most of the Web was a purely static place. While that wasn't nearly as exciting from an interactivity perspective, it was much less risky."

Last year Menlo started to get its arms around quantitative numbers to describe that risk and found that 42% of the Alexa Top 100,000 were serving up risky content or were vulnerable to compromise.

Researchers from the firm followed up on that today with their State of the Web First Half 2018 report. In it they examined Web risk based on the top 50 sites for six major countries worldwide. The study offered up statistics to illustrate the key risk factors of how the Web runs today. Top among those is how much active content from third parties such as content delivery networks (CDNs) and ad delivery networks is pushed out to users every time they visit a site.

"When a user clicks on a Web link to open a website, they are really opening not just a single website, but at least 25 websites at one time," the report explains. "If any of these background sites are themselves risky, they could be used by cyberattackers to compromise the site being visited."

Most sites today are extremely dynamic. For most countries studied, the average number of scripts executed per website was between 41 and 42. In the US, some top sites used as many as 160 scripts from 40 different background sites. As the report explains, these scripts are usually legitimately used by developers to improve user experience.

But the more scripts used and the more sources they come from, the broader the attack surface. The bad guys love those scripts because they're perfect for delivering attacks like iFrame redirects and malvertising links.
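To make the two numbers the report tracks concrete (scripts per page and the background sites they come from), here is an added example, not code from the report or from Menlo Security, that inventories the active content referenced in a page's HTML. The sample page, the host names, and the `first_party` list are constructed placeholders, and the audit sees only what is in the static HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that run or embed active content, and the attribute naming its source.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ActiveContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.inline_scripts = 0
        self.external = []  # (tag, host, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        url = (dict(attrs).get(attr) or "").strip()
        if not url:
            if tag == "script":
                self.inline_scripts += 1
            return
        absolute = urljoin(self.page_url, url)  # resolves relative and //host URLs
        host = urlsplit(absolute).hostname or urlsplit(self.page_url).hostname
        self.external.append((tag, host, absolute))

def audit(page_url, html, first_party):
    """first_party: domains the site owner controls (an assumption the caller supplies)."""
    parser = ActiveContentAudit(page_url)
    parser.feed(html)
    parser.close()
    background = {}
    for tag, host, url in parser.external:
        if not any(host == d or host.endswith("." + d) for d in first_party):
            background.setdefault(host, []).append((tag, url))
    scripts = parser.inline_scripts + sum(t == "script" for t, _, _ in parser.external)
    return {"scripts": scripts, "background": background}

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<html><head>
<script>var cfg = {};</script>
<script src="/js/app.js"></script>
<script src="https://static.example.test/ui.js"></script>
<script src="//cdn.example-cdn.test/lib.js"></script>
<script src="https://ads.example-ads.test/tag.js"></script>
</head><body><iframe src="https://ads.example-ads.test/frame.html"></iframe></body></html>"""

if __name__ == "__main__":
    report = audit("https://news.example.test/", SAMPLE, ["example.test"])
    print(report["scripts"], "scripts;", len(report["background"]), "background hosts")
    for host, items in sorted(report["background"].items()):
        print(host, [tag for tag, _ in items])
```

Scripts that other scripts inject at run time do not appear in the static HTML, so counts taken this way are a lower bound on what the browser actually loads.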

The study showed that as many as 46% of the top sites in France are serving active code from risky background sites, followed by 32% of the top UK sites. In the US, that proportion was a bit lower—18% of the Alexa Top 50 sites contain active code served from risky background sites—but that's still a statistically significant chunk of what most people would consider to be legitimate sites.  

In addition to these risk factors, a number of the top sites worldwide exacerbate things by running their Web properties on vulnerable software. Approximately 8% of US sites, 10% of UK sites, and 20% of French sites were running on outdated platforms.

"I always hammer on websites running old code because of how prevalent that is on the Internet and how it continues to be a big source of malware risks," Guruswamy says. 

The takeaway for security leaders, he says, is to consider how well categorization-based security or URL filtering is protecting their users online today, because those controls don't cover threats coming from sites that would otherwise be deemed legitimate and safe.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
