Web security experts have been warning organizations for years to lock down their websites. These warnings are starting to be heeded, according to a report from WhiteHat Security. However, the same report also found that new attack vectors are on the rise even as familiar vulnerabilities are being corrected.
This quarter's "WhiteHat Website Security Statistics Report" determined that 82% of websites are home to at least one security vulnerability. Cross-site scripting (XSS) flaws continue to dominate, affecting 67% of sites. However, researchers found a vulnerability that may eventually take the place of XSS.
CSRF vulnerabilities proliferating
Cross-site request forgery (CSRF or XSRF) is not a new vulnerability, but this is its first appearance on WhiteHat's top 10 list of exploits. In 2006, Jeremiah Grossman, founder and chief technology officer of WhiteHat, referred to this attack as a "sleeping giant" and wrote an expert response detailing how CSRF works. He was not surprised to see CSRF make the list.
"The fact that it's old makes it so prevalent," he said, estimating that CSRF has been known, under different names, since 1998. "This is kind of how the Web works. Until recently, no one gave it a thought."
It may take a catastrophic attack for website owners to take CSRF prevention seriously. And CSRF could certainly take on devastating proportions. An attack "could force your browser to do anything it wanted," Grossman said. He expects the number of CSRF exploits to rise "drastically." The report found that 8% of sites are vulnerable to CSRF, but Grossman contends that this number only represents a "best case scenario." In his opinion, the vulnerability actually afflicts 70 to 80% of websites.
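The CSRF prevention Grossman refers to is usually implemented with a synchronizer token: the server ties a random, unguessable value to the user's session, embeds it in each form, and refuses any state-changing request that does not echo it back. A forged request from another site can make the victim's browser send its session cookie, but it cannot read the token, so the check fails. The following is an added illustration, not code from WhiteHat or the report; the in-memory session store, the function names and the sample session flow are all constructed for this example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store for the example: session id -> session data.
# A real application would keep this in its session backend.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session() -> str:
    """Start a session and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def form_token_for(sid: str) -> str:
    """Token the server embeds in forms rendered for this session."""
    return SESSIONS[sid]["csrf_token"]


def is_state_changing(method: str) -> bool:
    """Only requests that change state need the token; safe methods are exempt."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def csrf_check(method: str, sid: Optional[str], submitted_token: Optional[str]) -> bool:
    """Return True if the request may proceed.

    The browser supplies `sid` automatically via its cookie on any request,
    including one triggered by a third-party page; `submitted_token` must come
    from the form body, which only a same-origin page could have read.
    """
    if not is_state_changing(method):
        return True
    session = SESSIONS.get(sid) if sid else None
    if session is None or not submitted_token:
        return False
    # Constant-time comparison avoids leaking the token via timing differences.
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def simulate() -> Dict[str, bool]:
    """Constructed walkthrough: a legitimate submission versus a forged one."""
    sid = create_session()
    legitimate = csrf_check("POST", sid, form_token_for(sid))
    # Forged request: cookie is sent, but the attacker-controlled page has no token.
    forged_no_token = csrf_check("POST", sid, None)
    # Forged request with a guessed token: fails because it cannot match.
    forged_guess = csrf_check("POST", sid, secrets.token_urlsafe(32))
    safe_read = csrf_check("GET", sid, None)
    return {
        "legitimate": legitimate,
        "forged_no_token": forged_no_token,
        "forged_guess": forged_guess,
        "safe_read": safe_read,
    }


if __name__ == "__main__":
    print(simulate())
```

The token must be bound to the session rather than global, and it is checked only on state-changing methods; if an application performs updates on GET, this check offers no protection for those endpoints, which is one reason Grossman's "best case" estimate is lower than the true exposure.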
Familiar vulnerabilities being addressed
Grossman was pleasantly surprised to see efforts made to correct known vulnerabilities begin to pay off. Between July 31, 2007, and July 31, 2008, researchers noted that the majority of found flaws were corrected.
"As the result of assessments we were doing, 66% of vulnerabilities have been fixed," Grossman said.
The flaws most likely to be addressed -- XSS, SQL injection and others -- are the ones that have been famously and disastrously exploited, Grossman pointed out. "Usually awareness is driven by compliance or the bad guys hacking stuff," he said.
Compliance may be a motivator, but the majority of the websites examined are still too insecure to meet the relatively lax conditions of the Payment Card Industry Data Security Standard (PCI DSS). Basing their assessments on the PCI DSS scale, researchers determined that 61% of the websites examined house vulnerabilities of high, critical, or urgent severity -- rendering them all noncompliant with the PCI DSS. Even compliant sites are vulnerable. "Compliance does not equal security," said Grossman.
A new wave of attacks
"The plain vanilla XSS and SQL injection attacks are getting prevented," Grossman said. However, he warns that encoded attacks are increasing. These sophisticated exploits require serious preventative measures. Input validation, Web application firewalls, and intrusion detection systems won't necessarily keep the bad guys out.
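The reason encoded attacks slip past plain input validation is that a blocklist inspects the bytes it receives, while the browser or database acts on the decoded value. The defensive answer is to canonicalize input before validating it and, more importantly, to encode for the output context regardless of what validation found. The snippet below is an added example, not code from the report or from WhiteHat; the filter, the normalization loop and the percent-encoded sample input are constructed to show the gap the article describes.

```python
import html
from urllib.parse import unquote


def naive_filter_allows(value: str) -> bool:
    """Blocklist-style input validation that only looks at the raw text."""
    return "<script" not in value.lower()


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value is stable, with a bound against endless nesting.

    Validation should run on this canonical form, not on the raw submission.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate(value: str) -> bool:
    """Validation applied after canonicalization."""
    return naive_filter_allows(normalize(value))


def render_safe(value: str) -> str:
    """Contextual output encoding for an HTML text node or attribute.

    This is the control that holds even when validation is bypassed:
    whatever the input, the browser receives literal characters, not markup.
    """
    return html.escape(value, quote=True)


def demo() -> dict:
    # Constructed sample: the same value submitted raw and percent-encoded.
    raw = "<script>"
    encoded = "%3Cscript%3E"
    return {
        "raw_blocked_by_filter": not naive_filter_allows(raw),
        "encoded_passes_filter": naive_filter_allows(encoded),
        "encoded_blocked_after_normalize": not validate(encoded),
        "rendered_raw": render_safe(raw),
        "rendered_decoded": render_safe(normalize(encoded)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Canonicalization narrows the gap, but every new encoding the filter does not know about reopens it; output encoding at the point of use does not depend on anticipating the attacker's encoding, which is why it is the primary control rather than the filter.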
Business logic flaws remain a serious concern as well. Attacks on the business logic of a website don't even need to be particularly sophisticated to be very damaging. For these flaws, Grossman recommends vigilance.
"If you think that scanning alone will keep out the bad guys, you're wrong," he said.