Survey: Majority of Web sites vulnerable
Published: 2009-11-16

Nearly two-thirds of Web sites have at least one serious security issue that would allow someone to remotely attack the site, WhiteHat Security said this week, citing a recent survey of its clients.

According to the Web security firm's data, two-thirds of sites had cross-site scripting (XSS) flaws, nearly half had information disclosure issues and 31 percent were vulnerable to content spoofing. The volume of vulnerabilities, however, was dominated by cross-site scripting flaws, which accounted for 63 percent of the total flaws found by WhiteHat.

Vulnerable sites and secured sites had similar technology profiles: It made little difference what language the Web application was written in or what type of server the site ran on. The companies' approaches to security mattered the most, said Jeremiah Grossman, CTO of WhiteHat.

"It is extremely interesting to see that all the Web sites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities," Grossman said in a statement. "The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their Web site, reputation and customers."

The average Web site studied by WhiteHat had nearly 250 possible inputs, which the company equated with the relative attack surface of the Web application. The typical Web site failed to fix security issues in a little more than 2 percent of the inputs.

Three out of ten Web sites had an Urgent vulnerability -- WhiteHat Security's most serious classification for security bugs. Another 71 percent had Critical flaws, while 64 percent had vulnerabilities rated High, the lowest of the three severity rankings that WhiteHat included in their report.


Posted by: Robert Lemos
Copyright 2009, SecurityFocus