SQL Injection and Cross-Site Scripting still reign supreme online
by Steve Ragan - Nov 16 2009, 15:00

SQL Injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities are still highly visible weaknesses online according to data from the latest WhiteHat Security Stats Report. Joining SQLi and XSS are Information Leakage, Content Spoofing, and Insufficient Authorization, rounding out the top five of the 22,000 vulnerabilities identified.
The data, collected from January 1, 2009 until October 1, 2009, included over 1,300 site scans. It wasn't surprising to see only 36 percent of the sites scanned walk away with a clean bill of health, but the data shows another important metric: no site is truly immune. The characteristics of websites currently without any serious issues were nearly identical to those with them, with the exception that the clean sites started out with about half as many vulnerabilities.
“It is extremely interesting to see that all the websites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities,” said Jeremiah Grossman, founder and chief technology officer, WhiteHat Security.
Quoting the report itself, despite the number of sites vulnerable to attack, the good news is that "…real progress of application security risk reduction can be made by organizations which truly desire to do so."
“The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their website, reputation, and customers,” added Grossman.
Going by the data, 83 percent of websites scanned for the report have had a high, critical, or urgent issue over their lifetime, and 64 percent of those currently have a high, critical, or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which, encouragingly, means that the majority (over 13,000) have been resolved.
As is the case with the previous seven WhiteHat reports, Cross-Site Scripting and SQL Injection continue to be fixtures in the Top 10 list, along with many other common classes of attack.
When it comes to fixing these issues, the actual fix percentages are mixed. In particular, more organizations are repairing technical issues such as SQLi and XSS in larger volumes, an indication that awareness is building regarding how easily these specific vulnerabilities can be exploited.
The reasons given for the mixed reaction and fix times for many of the vulnerabilities discovered include a lack of staff at the organization who understand and can maintain the code itself, enhancements taking priority over security fixes, or the fact that the vulnerable site is being replaced soon, so fixing any issues would be unproductive.
Other reasons, such as an unresponsive third-party vendor who owns the code itself, conflicts in business use cases, and accepted risk, were listed in the report as well. On average, it takes about 67 days to fix an XSS issue, 62 days to address SQLi, and 93 days to address Cross-Site Request Forgery (CSRF) issues.
In the report, WhiteHat said that CSRF and SQLi are seriously under-represented because of industry practices that limit the information displayed in error messages, which in turn limits the detection abilities of scanning engines. At the same time, suppressing error messages does nothing to protect against blind SQLi attacks, where the injected condition is inferred from differences in the application's normal responses rather than from an error.
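The following is an added example, not code from the article or from WhiteHat's report, illustrating the point above from the defender's side: it is the kind of check a developer would run to confirm that a fix actually removes a SQL injection flaw rather than merely hiding the error message. Both lookup functions swallow database errors, mimicking a site that suppresses error output. The table, the sample rows, and the function names are constructed for this example; it uses Python's standard sqlite3 module with an in-memory database.

```python
"""
Added example: error suppression hides the error-based signal a scanner
would look for, but a string-built query still answers differently to a
true and a false condition (a blind, boolean-based leak). A parameterized
query treats the whole input as data and shows no such difference.
"""
import sqlite3


def make_db():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable form: user input is concatenated into the SQL text.
    # Errors are swallowed, so a broken query just looks like "no results".
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []


def lookup_parameterized(conn, username):
    # Hardened form: the driver binds the value; the SQL text never changes.
    sql = "SELECT username FROM users WHERE username = ?"
    try:
        return [row[0] for row in conn.execute(sql, (username,))]
    except sqlite3.Error:
        return []


def response_differs(conn, lookup):
    """Return True if a true and a false appended condition produce
    different results, i.e. the lookup can be used as a yes/no oracle
    even though no error text is ever shown."""
    true_case = lookup(conn, "bob' AND 1=1 --")
    false_case = lookup(conn, "bob' AND 1=2 --")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    # A stray quote produces no visible error in either version,
    # which is exactly why an error-based scanner would miss the flaw.
    print("vulnerable, bad quote:", lookup_vulnerable(db, "bob'"))
    print("parameterized, bad quote:", lookup_parameterized(db, "bob'"))
    # The boolean difference survives error suppression only in the
    # vulnerable version.
    print("vulnerable leaks:", response_differs(db, lookup_vulnerable))
    print("parameterized leaks:", response_differs(db, lookup_parameterized))
```

The useful regression test is `response_differs`: a fix that only hides error output leaves it returning True, whereas switching to bound parameters makes it return False, which is the behaviour to assert in a test suite.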
For further reading, the full WhiteHat report is online here.