06:57 AM
Where the Bugs Are

New data from White Hat reveals vulnerabilities in major Web-based applications

With all the attention cross-site scripting (XSS) has attracted lately, it should come as no surprise that seven out of 10 major e-commerce, financial, healthcare, and technology Websites carry XSS vulnerabilities in their custom Web applications. But it may be a bit of a shock that another prevalent bug, buffer overflow, is actually rare among these sites, according to new data that will be released tomorrow by White Hat Security. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

White Hat's "Web Application Security Risk Report" reveals just what holes real, live major Websites harbor. The company, which provides Web application security services, gathered a snapshot of data from January through June of this year on vulnerabilities in its e-commerce, financial services, healthcare, and technology clients' custom Web apps. This is a different approach than Mitre uses to track vulnerabilities in third-party Web applications such as Microsoft's Internet Information Server for the Common Vulnerability and Exposures (CVE).

"The vulnerabilities we're counting are completely different than the CVE. We're purely focused on custom applications that go atop a Web server, such as an e-commerce store," says Jeremiah Grossman, CTO for White Hat, who will conduct a Webinar on the report tomorrow, and plans to release a more detailed report in the first quarter of 2007. "These are custom Web apps that are unique to an enterprise."

It's not often you get a peek at where the real vulnerabilities lie in live Websites -- most vulnerability or bug reports are all about the threat itself. "These are not test Websites, but actual, live production ones," Grossman says. And eight out of every 10 Websites have serious vulnerabilities, he says.

Web apps are the big bull's eye for hackers these days, both for their ease of exploitation and the fact that they are often the threshold to sensitive data. "Attackers are going to want to pick on a Web application because it's an easy target," says Erik Petersen, vice president of professional services and director of phishing takedown services for SecureWorks. "Web apps are very complex and hard to secure, and complexity is the number one enemy of security.

"Having complex Web apps makes them a target themselves," he says.

White Hat calculated the likelihood of specific vulnerabilities within a Website, rather than just a top 10 list, because each Website is so different. XSS was found in 71 percent of the sites; information leakage (the system reveals things like software version numbers, product IDs, etc.), 30 percent; predictable resource location (orphaned pages that are easily guessed by scanners), 28 percent; content spoofing, 26 percent; insufficient authentication, 21 percent; and SQL injection, 20 percent, for instance.

So why were SQL injection bugs -- ranked number two on the CVE -- found in just one in five sites? "In years past, SQL injection would have been a lot higher, but it's been dropping," Grossman says. "A series of fixes went in and the new, modern [development] frameworks are helping."

But SQL injection ranked as the most severe of the vulnerabilities found by White Hat because it can be used to get direct access to a back-end database. Nearly 40 percent of the Websites have at least one "high severity" vulnerability, which means if the bugs on the site were exploited, they could do major damage.

Buffer overflow, which ranks number four on the CVE's Web app vulnerability list, didn't even register on White Hat's radar. Grossman says that's because the applications that run atop Web servers aren't prone to buffer overflows, contrary to popular belief. "The language involved in Web programming is not susceptible to buffer overflows."

Ha.ckers.org founder RSnake, who has had a hand in finding plenty of XSS bugs in major Websites during the past few months, says the number of sites with XSS flaws is closer to 80 percent. "I think people should come to realize that their firewalls aren't doing them much good anymore. The attacks have realized the new barrier and are completely circumventing them," RSnake says. "If an administrator is worried enough to put up a firewall they should be worried enough to start checking for these holes." (See Hackers Reveal Vulnerable Websites.)

So what's the real risk of falling victim to an attack using these vulnerabilities?

Grossman says White Hat doesn't measure actual attacks, but that XSS and SQL injection appear to be popular among real attackers. It's tough to get a handle on real Web app attack data: In an informal survey Grossman conducted on his blog, 65 percent of the around 50 penetration testers he surveyed say they are privy to undisclosed attacks against Websites. "So there are lots of Web attacks out there, but they are not all getting reported."

And you can't just rely on CVE reports to secure your Website, security experts say. "It's important to remember that these [CVE] are vulnerabilities in 'canned' Web applications; you can't rely on an external vulnerability notification to notify you of vulnerabilities in your own custom Web application," says Matt Fisher, a security engineer at SPI Dynamics. "Even 'canned' applications are often modified when implemented in a particular environment and could be vulnerable to attack. You have to assess applications early, and often, and you have to assess them with the right tools and people."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
