WhiteHat: 90% of Sites Still Vulnerable
Most sites open to hacks via cross-site scripting, CSRF, report says
After years of fighting the hacker wars, today's Websites are still a long way from being secure, according to a new research report.
According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied.
"While the security posture of some industries is better than others, the difference is largely insignificant when it comes to preventing a Website from becoming compromised –- attackers only need to exploit a single vulnerability," the report says.
Cross-site scripting (XSS) is still the top category of vulnerabilities, appearing in approximately 70 percent of Websites, WhiteHat says. But the researchers are predicting that cross-site request forgery (CSRF) will eventually take the No. 2 spot behind XSS.
"Attackers using CSRF can easily force a user’s Web browser to send unintended HTTP requests, such as fraudulent wire transfers, changes to passwords and download of illegal content," the report says. "Effective automated CSRF detection techniques have eluded all technology scanning vendors in the space, making identification a largely manual process."
Despite high-profile breaches at chains such as TJX and Hannaford, the retail industry is still performing better than other verticals in terms of protecting Websites from attacks, WhiteHat says. The insurance industry tops the list of the most poorly-protected, with 84 percent of Websites having vulnerabilities that fall into the urgent, critical, or high severity ranking.
IT industry Websites were the next-most vulnerable at 72 percent, and health care and financial services were neck-and-neck at 64 percent and 60 percent, respectively, the company says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024