Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

WhiteHat: 90% of Sites Still Vulnerable

Most sites open to hacks via cross-site scripting, CSRF, report says

After years of fighting the hacker wars, today's Websites are still a long way from being secure, according to a new research report.

According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied.

"While the security posture of some industries is better than others, the difference is largely insignificant when it comes to preventing a Website from becoming compromised –- attackers only need to exploit a single vulnerability," the report says.

Cross-site scripting (XSS) is still the top category of vulnerabilities, appearing in approximately 70 percent of Websites, WhiteHat says. But the researchers are predicting that cross-site request forgery (CSRF) will eventually take the No. 2 spot behind XSS.

"Attackers using CSRF can easily force a user’s Web browser to send unintended HTTP requests, such as fraudulent wire transfers, changes to passwords and download of illegal content," the report says. "Effective automated CSRF detection techniques have eluded all technology scanning vendors in the space, making identification a largely manual process."

Despite high-profile breaches at chains such as TJX and Hannaford, the retail industry is still performing better than other verticals in terms of protecting Websites from attacks, WhiteHat says. The insurance industry tops the list of the most poorly-protected, with 84 percent of Websites having vulnerabilities that fall into the urgent, critical, or high severity ranking.

IT industry Websites were the next-most vulnerable at 72 percent, and health care and financial services were neck-and-neck at 64 percent and 60 percent, respectively, the company says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • WhiteHat Security

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16772
    PUBLISHED: 2019-12-07
    The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
    CVE-2019-9464
    PUBLISHED: 2019-12-06
    In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
    CVE-2019-2220
    PUBLISHED: 2019-12-06
    In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
    CVE-2019-2221
    PUBLISHED: 2019-12-06
    In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
    CVE-2019-2222
    PUBLISHED: 2019-12-06
    n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...