Where the Bugs Are

With all the attention cross-site scripting (XSS) has attracted lately, it should come as no surprise that seven out of 10 major e-commerce, financial, healthcare, and technology Websites carry XSS vulnerabilities in their custom Web applications. But it may be a bit of a shock that another prevalent bug, buffer overflow, is actually rare among these sites, according to new data that will be released tomorrow by White Hat Security. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

White Hat's "Web Application Security Risk Report" reveals just what holes real, live major Websites harbor. The company, which provides Web application security services, gathered a snapshot of data from January through June of this year on vulnerabilities in its e-commerce, financial services, healthcare, and technology clients' custom Web apps. This is a different approach than Mitre uses to track vulnerabilities in third-party Web applications such as Microsoft's Internet Information Server for the Common Vulnerability and Exposures (CVE).

"The vulnerabilities we're counting are completely different than the CVE. We're purely focused on custom applications that go atop a Web server, such as an e-commerce store," says Jeremiah Grossman, CTO for White Hat, who will conduct a Webinar on the report tomorrow, and plans to release a more detailed report in the first quarter of 2007. "These are custom Web apps that are unique to an enterprise."

It's not often you get a peek at where the real vulnerabilities lie in live Websites -- most vulnerability or bug reports are all about the threat itself. "These are not test Websites, but actual, live production ones," Grossman says. And eight out of every 10 Websites have serious vulnerabilities, he says.

Web apps are the big bull's eye for hackers these days, both for their ease of exploitation and the fact that they are often the threshold to sensitive data. "Attackers are going to want to pick on a Web application because it's an easy target," says Erik Petersen, vice president of professional services director of phishing takedown services for SecureWorks. "Web apps are very complex and hard to secure, and complexity is the number one enemy of security.

"Having complex Web apps makes them a target themselves," he says.

White Hat calculated the likelihood of specific vulnerabilities within a Website, rather than just a top 10 list because each Website is so different. XSS was found in 71 percent of the sites; information leakage system (a system reveals things like software version numbers, product IDs, etc.), 30 percent; predictable resource location (orphaned pages that are easily guessed by scanners), 28 percent; content spoofing, 26 percent; insufficient authentication, 21 percent; and SQL injection, 20 percent, for instance.

So why were SQL injection bugs -- ranked number two on the CVE -- found in just one in five sites? "In years past, SQL injection would have been a lot higher, but it's been dropping," Grossman says. "A series of fixes went in and the new, modern [development] frameworks are helping."

But SQL injection ranked as the most severe of the vulnerabilities found by White Hat because it can be used to get direct access to a back-end database. Nearly 40 percent of the Websites have at least one "high severity" vulnerability, which means if the bugs on the site were exploited, they could do major damage.

Buffer overflow, which ranks number four on the CVE's Web app vulnerability list, didn't even register on White Hat's radar. Grossman says that's because the applications that run atop Web servers aren't prone to buffer overflows, contrary to popular belief. "The language involved in Web programming is not susceptible to buffer overflows."

Ha.ckers.org founder RSnake, who has had a hand in finding plenty of XSS bugs in major Websites during the past few months, says the number of sites with XSS flaws is closer to 80 percent. "I think people should come to realize that their firewalls aren't doing them much good anymore. The attacks have realized the new barrier and are completely circumventing them," RSnake says. "If an administrator is worried enough to put up a firewall they should be worried enough to start checking for these holes." (See Hackers Reveal Vulnerable Websites.)

So what's the real risk of falling victim to an attack using these vulnerabilities?

Grossman says White Hat doesn't measure actual attacks, but that XSS and SQL injection appear to be popular among real attackers. It's tough to get a handle on real Web app attack data: In an informal survey Grossman conducted on his blog, 65 percent of the around 50 penetration testers he surveyed say they are privy to undisclosed attacks against Websites. "So there are lots of Web attacks out there, but they are not all getting reported."

And you can't just rely on CVE reports to secure your Website, security experts say. "It's important to remember that these [CVE] are vulnerabilities in 'canned' Web applications; you can't rely on an external vulnerability notification to notify you of vulnerabilities in your own custom Web application," says Matt Fisher, a security engineer at SPI Dynamics. "Even 'canned' applications are often modified when implemented in a particular environment and could be vulnerable to attack. You have to assess applications early, and often, and you have to assess them with the right tools and people."

— Kelly Jackson Higgins, Senior Editor, Dark Reading