Article

Website security improved, but more can be done

Jennette Mullaney, Associate Editor

Web security experts have been warning organizations for years to lock down their websites. These warnings are starting to be heeded, according to a report from WhiteHat Security. However, the same report also found that new attack vectors are on the rise even as familiar vulnerabilities are being corrected.

    Requires Free Membership to View

If you think that scanning alone will keep out the bad guys, you're wrong.
Jeremiah Grossman
Founder, CTOWhiteHat Security

This quarter's "WhiteHat Website Security Statistics Report" determined that 82% of websites are home to at least one security vulnerability. Cross-site scripting (XSS) flaws continue to dominate, affecting 67% of sites. However, researchers found a vulnerability that may eventually take the place of XSS.

CSRF vulnerabilities proliferating
Cross-site request forgery (CSRF or XSRF) is not a new vulnerability, but this is its first appearance on WhiteHat's top 10 list of exploits. In 2006, Jeremiah Grossman, founder and chief technology officer of WhiteHat, referred to this attack as a "sleeping giant" and wrote an expert response detailing how CSRF works. He was not surprised to see CSRF make the list.

"The fact that it's old makes it so prevalent," he said, estimating that CSRF has been known, under different names, since 1998. "This is kind of how the Web works. Until recently, no one gave it a thought."

It may take a catastrophic attack for website owners to take CSRF prevention seriously. And CSRF could certainly take on devastating proportions. An attack "could force your browser to do anything it wanted," Grossman said. He expects the number of CSRF exploits to rise "drastically." The report found that 8% of sites are vulnerable to CSRF, but Grossman contends that this number only represents a "best case scenario." In his opinion, the vulnerability actually afflicts 70 to 80% of websites.

Familiar vulnerabilities being addressed
Grossman was pleasantly surprised to see efforts made to correct known vulnerabilities begin to pay off. Between July 31, 2007, and July 31, 2008, researchers noted that the majority of found flaws were corrected.

"As the result of assessments we were doing, 66% of vulnerabilities have been fixed," Grossman said.

The flaws most likely to be addressed -- XSS, SQL injection and others -- are the ones that have been famously and disastrously exploited, Grossman pointed out. "Usually awareness is driven by compliance or the bad guys hacking stuff," he said.

Top security issues in Q2 2008
WhiteHat created a top 10 list of prevalent Web vulnerabilities.

WhiteHat's top 10:
  1. Cross-site scripting (XSS)
  2. Information leakage
  3. Content spoofing
  4. Insufficient authorization
  5. SQL injection
  6. Predictable resource location
  7. Insufficient authentication
  8. HTTP response splitting
  9. Abuse of functionality
  10. Cross-site request forgery

Compliance may be a motivator, but the majority of the websites examined are still too insecure to meet the relatively lax conditions of the Payment Card Industry Data Security Standard (PCI DSS). Basing their assessments on the PCI DSS scale, researchers determined that 61% of the websites examined house vulnerabilities of high, critical, or urgent severity -- rendering them all noncompliant with the PCI DSS. Even compliant sites are vulnerable. "Compliance does not equal security," said Grossman.

A new wave of attacks
"The plain vanilla XSS and SQL injections attacks are getting prevented," Grossman said. However, he warns that encoded attacks are increasing. These sophisticated exploits require serious preventative measures. Input validation, Web application firewalls, and intrusion detection systems won't necessarily keep the bad guys out.

Business logic flaws remain a serious concern as well. Attacks on the business logic of a website don't even need to be particularly sophisticated to be very damaging. For these flaws, Grossman recommends vigilance.

"If you think that scanning alone will keep out the bad guys, you're wrong," he said.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: