
Risk

11/28/2006
06:57 AM

Where the Bugs Are

New data from White Hat reveals vulnerabilities in major Web-based applications

With all the attention cross-site scripting (XSS) has attracted lately, it should come as no surprise that seven out of 10 major e-commerce, financial, healthcare, and technology Websites carry XSS vulnerabilities in their custom Web applications. But it may be a bit of a shock that another prevalent bug, buffer overflow, is actually rare among these sites, according to new data that will be released tomorrow by White Hat Security. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

White Hat's "Web Application Security Risk Report" reveals just what holes real, live major Websites harbor. The company, which provides Web application security services, gathered a snapshot of data from January through June of this year on vulnerabilities in its e-commerce, financial services, healthcare, and technology clients' custom Web apps. This is a different approach than Mitre uses to track vulnerabilities in third-party Web applications such as Microsoft's Internet Information Server for the Common Vulnerability and Exposures (CVE).

"The vulnerabilities we're counting are completely different than the CVE. We're purely focused on custom applications that go atop a Web server, such as an e-commerce store," says Jeremiah Grossman, CTO for White Hat, who will conduct a Webinar on the report tomorrow, and plans to release a more detailed report in the first quarter of 2007. "These are custom Web apps that are unique to an enterprise."

It's not often you get a peek at where the real vulnerabilities lie in live Websites -- most vulnerability or bug reports are all about the threat itself. "These are not test Websites, but actual, live production ones," Grossman says. And eight out of every 10 Websites have serious vulnerabilities, he says.

Web apps are the big bull's eye for hackers these days, both for their ease of exploitation and the fact that they are often the threshold to sensitive data. "Attackers are going to want to pick on a Web application because it's an easy target," says Erik Petersen, vice president of professional services and director of phishing takedown services for SecureWorks. "Web apps are very complex and hard to secure, and complexity is the number one enemy of security.

"Having complex Web apps makes them a target themselves," he says.

White Hat calculated the likelihood of specific vulnerabilities within a Website, rather than just a top 10 list, because each Website is so different. XSS was found in 71 percent of the sites; information leakage (the system reveals things like software version numbers, product IDs, etc.), 30 percent; predictable resource location (orphaned pages that are easily guessed by scanners), 28 percent; content spoofing, 26 percent; insufficient authentication, 21 percent; and SQL injection, 20 percent, for instance.

So why were SQL injection bugs -- ranked number two on the CVE -- found in just one in five sites? "In years past, SQL injection would have been a lot higher, but it's been dropping," Grossman says. "A series of fixes went in and the new, modern [development] frameworks are helping."

But SQL injection ranked as the most severe of the vulnerabilities found by White Hat because it can be used to get direct access to a back-end database. Nearly 40 percent of the Websites have at least one "high severity" vulnerability, which means if the bugs on the site were exploited, they could do major damage.
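The mechanism behind Grossman's point that modern frameworks are driving SQL injection down is parameterized queries: the framework binds user input as a value instead of splicing it into the query text. The example below is added here and is not from White Hat's report or the article; it uses a constructed in-memory SQLite table standing in for an e-commerce store and contrasts a concatenated query with a parameterized one on the same input.

```python
import sqlite3


def make_db():
    # Constructed sample catalogue: two public products and one that
    # should never be visible to a shopper's search.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("unreleased-gizmo", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    # Builds the statement by string concatenation, so whatever the user
    # typed becomes part of the SQL the database parses. This is the
    # pattern that earns a "high severity" rating in the report.
    sql = "SELECT name FROM products WHERE public = 1 AND name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The term is passed as a bound parameter; the database treats it purely
    # as data and never re-parses it as SQL, whatever characters it holds.
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term):
    # Runs both versions against the same input and returns the two result
    # lists so the difference in behaviour can be checked directly.
    conn = make_db()
    return search_vulnerable(conn, term), search_parameterized(conn, term)


if __name__ == "__main__":
    for term in ("widget", "x' OR '1'='1"):
        vulnerable, safe = compare(term)
        print(f"{term!r}: concatenated -> {vulnerable}, parameterized -> {safe}")
```

For an ordinary search term both functions return the same row; for input containing quote characters the concatenated version's WHERE clause is rewritten and the non-public row leaks, while the parameterized version simply finds no product of that name.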

Buffer overflow, which ranks number four on the CVE's Web app vulnerability list, didn't even register on White Hat's radar. Grossman says that's because the applications that run atop Web servers aren't prone to buffer overflows, contrary to popular belief. "The language involved in Web programming is not susceptible to buffer overflows."

Ha.ckers.org founder RSnake, who has had a hand in finding plenty of XSS bugs in major Websites during the past few months, says the number of sites with XSS flaws is closer to 80 percent. "I think people should come to realize that their firewalls aren't doing them much good anymore. The attacks have realized the new barrier and are completely circumventing them," RSnake says. "If an administrator is worried enough to put up a firewall they should be worried enough to start checking for these holes." (See Hackers Reveal Vulnerable Websites.)

So what's the real risk of falling victim to an attack using these vulnerabilities?

Grossman says White Hat doesn't measure actual attacks, but that XSS and SQL injection appear to be popular among real attackers. It's tough to get a handle on real Web app attack data: In an informal survey Grossman conducted on his blog, 65 percent of the roughly 50 penetration testers he surveyed say they are privy to undisclosed attacks against Websites. "So there are lots of Web attacks out there, but they are not all getting reported."

And you can't just rely on CVE reports to secure your Website, security experts say. "It's important to remember that these [CVE] are vulnerabilities in 'canned' Web applications; you can't rely on an external vulnerability notification to notify you of vulnerabilities in your own custom Web application," says Matt Fisher, a security engineer at SPI Dynamics. "Even 'canned' applications are often modified when implemented in a particular environment and could be vulnerable to attack. You have to assess applications early, and often, and you have to assess them with the right tools and people."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
