5:35 PM -- Time to freak out about your Website security again.
Despite the growing awareness that most Websites are insecure, one out of every three Websites has an urgent vulnerability problem that could jeopardize its data and corporate image, according to a new report from Web application security services firm WhiteHat Security, which has helped pioneer research in this area. The report covers January 2006 through March 2007.
There were few surprises in the report -- cross-site scripting is still the number one threat, found in 67 percent of sites WhiteHat scanned, followed by data leakage (36 percent), content spoofing (26 percent), predictable resource location (22 percent), SQL injection (17 percent), insufficient authentication (16 percent), insufficient authorization (11 percent), and directory indexing (5 percent). There was a newbie detected in nearly 3 percent of sites, though: XPath injection, which lets an attacker modify an XML XPath-based query (kind of like what SQL injection does with SQL queries).
XPath injection vulnerabilities came as a surprise to Jeremiah Grossman, CTO of WhiteHat. "I didn't expect that to show up," he says, adding that it's probably because more Web services are getting integrated into public Websites. "If I'm right, then that will mean over time, the likelihood of that vulnerability on a Website will rise."
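To make the XPath injection category concrete from the defender's side, here is an added example (not WhiteHat's or the article's code): one user lookup written three ways, the concatenation pattern that lets caller input alter the query, and two hardened forms that keep that input as data. The XML directory, the function names and every input are constructed for this example.

```python
"""Added example: one XPath user lookup, vulnerable and hardened.
The XML directory and all inputs are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample data: a tiny user directory, not a real system's.
USERS_XML = """
<users>
  <user><name>alice</name><role>admin</role></user>
  <user><name>bob</name><role>staff</role></user>
  <user><name>O'Brien</name><role>staff</role></user>
</users>
"""
ROOT = ET.fromstring(USERS_XML)


def role_lookup_unsafe(name):
    """Vulnerable pattern: caller text is pasted into the query source, so a
    quote character in NAME changes the expression itself. Even an honest
    apostrophe (O'Brien) breaks the query; that is the same mechanism by
    which crafted input alters its meaning."""
    query = ".//user[name='" + name + "']"
    try:
        node = ROOT.find(query)
    except SyntaxError:
        return "query broken by input"
    return None if node is None else node.findtext("role")


def xpath_string_literal(value):
    """Render VALUE as an XPath 1.0 string literal. XPath literals have no
    escape character, so a value holding both quote kinds is split on the
    single quote and reassembled with concat(); this is the usual fallback
    for engines that offer no variable binding."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = ["'" + piece + "'" for piece in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"


def role_lookup_literal(name):
    """Hardened form 1: the value is always a complete literal, so it stays
    data. ElementTree's XPath subset evaluates plain literals but not
    concat(), so mixed-quote names need a full engine such as lxml."""
    query = ".//user[name=" + xpath_string_literal(name) + "]"
    node = ROOT.find(query)
    return None if node is None else node.findtext("role")


def role_lookup_fixed_query(name):
    """Hardened form 2 (preferred when the engine has no parameter binding):
    the query text is a constant and the comparison happens in Python."""
    for user in ROOT.findall(".//user"):
        if user.findtext("name") == name:
            return user.findtext("role")
    return None


if __name__ == "__main__":
    for candidate in ("alice", "O'Brien"):
        print(candidate, role_lookup_unsafe(candidate),
              role_lookup_literal(candidate), role_lookup_fixed_query(candidate))
```

The fixed-query form is the one to reach for first: a scanner can find the concatenation pattern, but it cannot tell you which of your XPath queries carry user input, so keeping that input out of the query text altogether is the check that does not depend on a reviewer noticing.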
Grossman's numbers synced with the trends SPI Dynamics has observed. "In my opinion, Web vulns have looked like those categories for years. The only thing that has changed is how many of them" there are, says Caleb Sima, CTO of SPI Dynamics.
And in a testament to how frighteningly stealthy cross-site request forgery (CSRF) weaknesses can be, Grossman says he didn't scan for CSRF at all because CSRF can basically affect nearly every feature on every Website. "The challenge comes in because not every feature needs to have CSRF protection, just the 'important' ones," he says. "And computers have a difficult time understanding 'importance.'"
The other problem is that it's difficult to tell whether a CSRF feature works or not when you scan it, he says.
But you can figure that at least 65 percent have CSRF bugs. Sites that have XSS also have CSRF vulnerabilities, Sima says.
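The "only the important features" point Grossman makes is what a synchronizer-token check encodes in code. The following is an added example (not WhiteHat's, SPI Dynamics' or the article's code): the token is verified only on requests that may change state, and the request and session objects are constructed dicts, with no web framework involved.

```python
"""Added example: a CSRF synchronizer-token check applied only to
state-changing requests. Requests and sessions are constructed dicts."""
import hmac
import secrets

# Methods the application promises never change state; they go unchecked.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def new_session():
    """Per-session secret that the server embeds in its own forms."""
    return {"csrf_token": secrets.token_hex(16)}


def needs_csrf_check(method):
    """Only requests that may change state are 'important' enough to check.
    The contract is that safe methods never change state; a GET that does
    is itself the bug to fix, not a reason to check GETs."""
    return method.upper() not in SAFE_METHODS


def csrf_check(request, session):
    """Return True when the request may proceed.

    request: constructed dict with "method" and "form" (submitted fields).
    session: the server-side session identified by the request's cookie.
    """
    if not needs_csrf_check(request["method"]):
        return True
    expected = session.get("csrf_token")
    submitted = request.get("form", {}).get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False  # no token in the session or in the form: reject
    # compare_digest keeps the comparison time independent of where the
    # strings first differ, so a mismatch does not leak the expected token.
    return hmac.compare_digest(expected, submitted)


def handle(request, session):
    """Dispatch a constructed request; a state-changing handler only runs
    after the check passes."""
    if not csrf_check(request, session):
        return "403 rejected: missing or wrong CSRF token"
    return "200 " + request["method"] + " " + request["path"]


if __name__ == "__main__":
    sess = new_session()
    print(handle({"method": "GET", "path": "/profile", "form": {}}, sess))
    print(handle({"method": "POST", "path": "/profile/email", "form": {}}, sess))
    print(handle({"method": "POST", "path": "/profile/email",
                  "form": {"csrf_token": sess["csrf_token"]}}, sess))
```

This is also why a scanner cannot confirm the protection works, as the article notes: from outside, a rejected forged request and a rejected malformed one look the same, and only the application knows which handlers change state.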
Keep in mind that WhiteHat's clientèle is mainly Websites that are high-traffic, e-commerce-heavy, and relatively secure. Even so, he says, while less-sensitive, smaller sites may be more insecure overall, their risk value may be much less since they don't have the valuable data of a larger e-commerce site.
Kelly Jackson Higgins, Senior Editor, Dark Reading