Cross-site scripting (XSS) variants dominated the top 10 vulnerabilities in commercial and open source Web applications, according to Cenzic Inc.'s Application Security Trends Report for the first quarter of 2007.
"Cross-site scripting is huge, and continues to be very prevalent," said Mandeep Khera, vice president of marketing at Santa Clara, Calif.-based Cenzic.
There are several reasons why XSS remains a problem despite the heightened awareness over the past year or so, he said. "I think it's easier to ignore it for a lot of developers. For SQL injection, a lot of people are now thinking about input validation, so that's somewhat being taking care of. But they still aren't fixing cross-site scripting."
That's due to pressure to releases products on time and because developers don't understand XSS. Add to that the fact that many companies still don't test Web applications for security, and it's understandable how XSS remains a big problem.
In Cenzic's study, the company identified 1,561 unique vulnerabilities during the first quarter of 2007. File inclusion, SQL injection, XSS and directory traversal were the most prevalent, totaling 63%. The majority of vulnerabilities affected Web servers, Web applications and Web browsers.
Cenzic drew upon several sources to identify the vulnerabilities with the most potential to impact organizations if not addressed. Those sources include Cenzic's Intelligent Analysis Lab, Cenzic's ClickToSecure Service, Mitre Corp., NTA Monitor, OWASP, SANS, Secunia, Security Tracker, Symantec, and US-CERT. Cenzic's Hailstorm Application Risk Metric (HARM) was used as a key factor in the selection of these top 10 vulnerability flaws.
This categorization was time-sensitive, and the vulnerabilities were ranked according to their relative severity to others released during the same time period. According to Khera, software patches and upgrades have addressed the identified vulnerabilities, but organizations need to make sure they're up-to-date.
Cenzic's Top 10 for the quarter:
- Adobe Acrobat Reader -- XSS and code execution
- Google Desktop -- XSS
- IBM WebSphere -- HTTP response splitting
- Lotus Domino Web Access -- XSS
- PHP -- Nested srray, denial of service
- PHP -- Multiple buffer overflows and denial of service
- IBM Rational ClearQuest -- XSS
- Sun Java Access Manager -- Multiple vulnerabilities
- Apache Tomcat -- Buffer overflow
- BEA WebLogic -- Buffer overflow and multiple vulnerabilities
Cenzic also derived some statistics from its ClickToSecure customer base:
- More than 70% of analyzed Web applications engaged in insecure communication practices.
- Approximately 50% of all applications failed to properly implement structured exception handling.
- More than 70% of all Web forms analyzed were vulnerable to cross-fame scripting attacks.
Khera said the findings did not surprise him. "Nothing surprises me when it comes to app security. What's more surprising is people are not taking action quick enough. The scary part is we know the hackers are extremely active, so it's just a matter of time. The other scary part is most companies don't know they're being attacked."