Eight in ten major Web sites highly vulnerable to attack
Which ones? "More than likely, you've shopped there," say researchers
PC World - Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today.
WhiteHat Security regularly scans hundreds of "very popular, very high-traffic sites" for its online business customers, says Jeremiah Grossman, the company's founder. "More than likely, you have shopped there, or bank there," he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says.
Two out of three scanned sites have one or more cross-site scripting (XSS) flaws, which take advantage of problems with sites' programming and are increasingly used in phishing attacks. A recent eBay scam used a now-fixed XSS hole on the auction site to direct anyone who clicked on a phony car auction to a phishing site.
About a third of scanned sites are at risk for some sort of information leakage, which often means the providing of programming data about the site that can facilitate an attack. And about one out of four sites allows content spoofing, another potential phishing risk, according to WhiteHat's vulnerability report.
A type of database vulnerability that allows SQL injection attacks -- "one of the nastier issues out there" -- is becoming less common, Grossman says. Fewer than one out of five sites contain this type of vulnerability, but a successful incident can give a sophisticated attacker access to everything in a company's database, he says.
WhiteHat's report echoes an increasingly common theme, says Ken Dunham, director of VeriSign's iDefense rapid response team. "Web-based attacks are some of the most prevalent attacks in the last two years," he says.
Web 2.0 more vulnerable
Like any type of software, as Web programming grows more sophisticated and complex, allowing for desktop-like Web 2.0 applications, it also becomes more vulnerable. With Ajax, a common Web 2.0 type of programming, "you can have CSS taking place on a more invisible layer, behind the scenes," Dunham says.
The good news is that site vulnerabilities can be fixed in one central spot, in contrast to desktop software flaws, which persist until every user of the affected software updates it with a fix. And companies are becoming more nimble at identifying and closing risks that can cost them customers, Grossman says.
WhiteHat's report, which is available for download (with site registration), is based on scans performed between January 1, 2006, and March 31, 2007. The company scans those areas of Web sites reached after a customer logs in.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!