Report: Cross-Site Scripting Still Most Common Web Vulnerability

New WhiteHat Security data shows vulnerability-free Websites started out with about half as many bugs as sites riddled with bugs, but the same kinds of bugs

WhiteHat Security's new Website security statistics released today came with a mostly unchanged list of the top 10 vulnerabilities -- cross-site scripting (XSS) is still king -- but also a peek at some characteristics of Websites that are free of vulnerabilities.

Among the 1,364 Websites scanned by WhiteHat and included in the report, 36 percent had no vulnerabilities at all, and 17 percent had never had a serious one. WhiteHat counted 1,800 vulnerabilities. But Jeremiah Grossman, founder and CTO of WhiteHat, says the real tidbit here is what types of bugs the clean sites had eradicated.

"What was striking was not the volume of zero-vulnerability Websites, but that this shows that those that have had vulns [in the past] were characteristically identical to those Websites that do have vulns today," Grossman says. The vulnerability-free sites had experienced the same issues as the bug-ridden ones, he says, demonstrating it is possible to sweep a site clean of vulnerabilities.

"They have the same set of issues," he says. There's nothing "magical" about their approach, Grossman adds, except that they had made an effort to clean their sites, and that most had started with about half as many bugs as the sites that are still carrying vulnerabilities. The finding that the bugs were common across the board demonstrates that any Website is at risk of being compromised, according to the report.

Grossman says the data shows those who care about their Web application's security tend to have fewer bugs when they go into production. "This shows that it's then easier to get to zero over time," he says.

WhiteHat found that 83 percent of the Websites have had at least one serious vulnerability -- meaning either high, critical, or urgent as defined by PCI-DSS -- and 64 percent currently harbor at least one serious vulnerability. The average number of serious vulnerabilities per site is 16.7, and there's an average of 6.5 unresolved severe bugs in each Website, according to WhiteHat's findings. Social networking and education markets have the most serious vulnerabilities in their Websites, with 86 percent of social networking sites and 83 percent of education Websites harboring these flaws.

The top 10 vulnerabilities are XSS (66 percent); information leakage (49 percent); content spoofing (31 percent); insufficient authorization (19 percent); SQL injection (18 percent); predictable resource location (14 percent); cross-site request forgery (12 percent); session fixation (12 percent); HTTP response splitting (10 percent); and abuse of functionality (9 percent).

Grossman says SQL injection and CSRF are under-represented in the Top 10. SQL injection flaws can be difficult to detect in scans: developers who disable verbose database error messages as a way to protect against SQL injection attacks also, inadvertently, hide the error output that scanners rely on to find those flaws. And even with this best practice in place, blind SQL injection attacks can still be waged against a Website, according to WhiteHat. CSRF, meanwhile, is notoriously difficult to detect.
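The point Grossman makes about suppressed error messages is easy to see in code. The example below is added here for illustration and is not WhiteHat's code or data; it assumes nothing beyond Python's standard-library sqlite3 module and a constructed in-memory users table. The vulnerable login builds its query by string concatenation and swallows database errors the way a site with verbose errors disabled would, so a scanner sees no error text, yet the flaw remains and still leaks a true/false signal (the blind case). The hardened login uses a parameterized query, which is the actual fix.

```python
import sqlite3


def make_db():
    """Constructed demo database: two users, plaintext passwords for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Injectable pattern: user input is spliced into the SQL text.

    Errors are caught and turned into a plain 'login failed', mirroring a site
    that has turned off verbose error messages. That hides the symptom a scanner
    looks for but does not remove the flaw: the query's own true/false outcome is
    still attacker-controlled.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False  # silent failure: no error text reaches the client


def login_safe(conn, username, password):
    """Hardened pattern: values are bound as parameters, never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Run both logins against constructed inputs and report what each does."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed test input, the classic tautology
    return {
        # Vulnerable version accepts a password that is not in the table at all.
        "vulnerable_accepts_tautology": login_vulnerable(conn, "alice", tautology),
        # A malformed input raises inside SQLite, but the caller only sees False:
        # this is what 'disable verbose errors' buys, and why scanners miss it.
        "vulnerable_hides_syntax_error": login_vulnerable(conn, "'", "x") is False,
        # Parameterized version treats the same string as a literal password.
        "safe_rejects_tautology": not login_safe(conn, "alice", tautology),
        "safe_accepts_real_credentials": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The takeaway for a defender is that the two functions are indistinguishable by their error output once verbose errors are off, which is exactly why a scan can under-count SQL injection; only the parameterized query actually removes the bug, and the practical check is to review data-access code for string-built SQL rather than to rely on what a scanner reports.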

On average, it takes 67 days to fix an XSS bug; 62 days for SQL injection; 93 days for CSRF; and 106 for session fixation, for example.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
