Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:49 PM
Connect Directly

Report: Cross-Site Scripting Still Most Common Web Vulnerability

New WhiteHat Security data shows vulnerability-free Websites start with half, but similar, bugs as sites riddled with bugs

WhiteHat Security's new Website security statistics released today came with a mostly unchanged list of the top 10 vulnerabilities -- cross-site scripting (XSS) is still king -- but also a peek at some characteristics of Websites that are free of vulnerabilities.

Among the 1,364 Websites scanned by WhiteHat and included in the report, 36 percent had no vulnerabilities at all, and 17 percent had never had a serious one. WhiteHat counted 1,800 vulnerabilities. But Jeremiah Grossman, founder and CTO of WhiteHat, says the real tidbit here is what types of bugs the clean sites had eradicated.

"What was striking was not the volume of zero-vulnerability Websites, but that this shows that those that have had vulns [in the past] were characteristically identical to those Websites that do have vulns today," Grossman says. The vulnerability-free sites had experienced the same issues as the bug-ridden ones, he says, demonstrating it is possible to sweep a site clean of vulnerabilities.

"They have the same set of issues," he says. There's nothing "magical" about their approach, Grossman adds, except they had made an effort to clean their sites, and that most had started with about half as many bugs as the ones that are still carrying vulnerabilities. The finding that the bugs were common across the board demonstrates how any Website has the risk of being compromised, according to the report.

Grossman says the data shows those who care about their Web application's security tend to have fewer bugs when they go into production. "This shows that it's then easier to get to zero over time," he says.

WhiteHat found that 83 percent of the Websites have had at least one serious vulnerability -- meaning either high, critical, or urgent as defined by PCI-DSS -- and 64 percent currently harbor at least one serious vulnerability. The average number of serious vulnerabilities per site is 16.7, and there's an average of 6.5 unresolved severe bugs in each Website, according to WhiteHat's findings. Social networking and education markets have the most serious vulnerabilities in their Websites, with 86 percent of social networking sites and 83 percent of education Websites harboring these flaws.

The top 10 vulnerabilities are XSS (66 percent); information leakage (49 percent); content spoofing (31 percent); insufficient authorization (19 percent); SQL injection (18 percent); predictable resource location (14 percent); cross-site request forgery (12 percent); session fixation (12 percent); HTTP response splitting (10 percent); and abuse of functionality (9 percent).

Grossman says SQL injection and CSRF are under-represented in the Top 10. SQL injection flaws can be difficult to detect in scans because developers who disable verbose error messages as a way to protect against SQL injection attack also inadvertently make it difficult to find SQL injection flaws, for instance. And even with this best practice in place, blind SQL injection attacks can still be waged on a Website, according to WhiteHat. CSRF, meanwhile, is notoriously difficult to detect.

On average, it takes 67 days to fix an XSS bug; 62 days for SQL injection; 93 days for CSRF; and 106 for session fixation, for example.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-08-03
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however...
PUBLISHED: 2021-08-03
An arbitrary file upload vulnerability in /fileupload.php of hdcms 5.7 allows attackers to execute arbitrary code via a crafted file.
PUBLISHED: 2021-08-03
An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information.
PUBLISHED: 2021-08-03
An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.
PUBLISHED: 2021-08-03
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator us...