March 25, 2008
After years of fighting the hacker wars, today's Websites are still a long way from being secure, according to a new research report.
According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied.
"While the security posture of some industries is better than others, the difference is largely insignificant when it comes to preventing a Website from becoming compromised –- attackers only need to exploit a single vulnerability," the report says.
Cross-site scripting (XSS) is still the top category of vulnerabilities, appearing in approximately 70 percent of Websites, WhiteHat says. But the researchers are predicting that cross-site request forgery (CSRF) will eventually take the No. 2 spot behind XSS.
"Attackers using CSRF can easily force a user’s Web browser to send unintended HTTP requests, such as fraudulent wire transfers, changes to passwords and download of illegal content," the report says. "Effective automated CSRF detection techniques have eluded all technology scanning vendors in the space, making identification a largely manual process."
Despite high-profile breaches at chains such as TJX and Hannaford, the retail industry is still performing better than other verticals in terms of protecting Websites from attacks, WhiteHat says. The insurance industry tops the list of the most poorly-protected, with 84 percent of Websites having vulnerabilities that fall into the urgent, critical, or high severity ranking.
IT industry Websites were the next-most vulnerable at 72 percent, and health care and financial services were neck-and-neck at 64 percent and 60 percent, respectively, the company says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023