
Report: 9 of 10 Sites Are Sitting Ducks

Some 70 percent of sites suffer from XSS vulnerabilities, while two out of five are leaking sensitive data.

Nine out of 10 public Web sites are vulnerable to attack, according to a new report from WhiteHat Security, a Web site security services vendor in Santa Clara, Calif.

According to the report, released on March 24, nine out of 10 Web sites have serious vulnerabilities, with an average of seven vulnerabilities per Web site. These issues leave Web sites vulnerable to attack, which can result in loss of business, system outages, incident handling costs, brand damage, legal liability, regulatory sanctions and fines.


The report cited XSS (Cross-Site Scripting) as the top vulnerability, appearing in about 70 percent of Web sites. XSS occurs when a Web application gathers malicious data from a user, usually via a hyperlink that contains malicious content, and renders that data back into a page without encoding it, so visitors' browsers treat it as script.
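
The encoding step that keeps reflected input from being treated as script, shown as an added Python example that is not part of the article or of the WhiteHat report. The sample input, the function names and the page template are constructed for illustration; the vulnerable form is beside the hardened one so the difference is visible.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a "name" parameter lifted from a crafted link, the usual XSS delivery path.
SAMPLE_INPUT = '<script>alert("xss")</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input is spliced straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened pattern: encode for the HTML-body context, so tags arrive as inert text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def safe_href(url: str) -> str:
    """Hardened pattern for the href context: allow only absolute http(s) URLs and encode the result."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"  # refuse javascript:, data: and scheme-relative values
    return html.escape(url, quote=True)


if __name__ == "__main__":
    print("unsafe:", render_greeting_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_greeting_safe(SAMPLE_INPUT))
    print("href:  ", safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

Encoding is context-specific: `html.escape` is right for text nodes and quoted attributes, while a URL, a JavaScript string or a CSS value each needs its own treatment, which is why `safe_href` adds a scheme allowlist rather than relying on escaping alone.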

The next most reported vulnerability is information leakage, occurring in two out of five Web sites. Information leakage occurs when a Web site knowingly or unknowingly reveals sensitive information such as developer comments, user information, internal IP addresses, source code, software version numbers, error messages or error codes, the report explained.
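
A self-audit for the leakage categories the report lists (version headers, developer comments, internal IP addresses, verbose error text, server file paths), as an added Python example that is not from the article or the report. The HTTP responses below are constructed stand-ins for pages fetched from one's own site; the check names and patterns are illustrative and catch common forms only.

```python
import re
from typing import Dict, List

# Constructed sample responses (status line, headers, blank line, body) for three paths on a site.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/": (
        "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\nX-Powered-By: PHP/5.2.4\r\n\r\n"
        "<html><!-- TODO: remove legacy export endpoint before launch --><body>ok</body></html>"
    ),
    "/account": (
        "HTTP/1.1 500 Internal Server Error\r\nServer: nginx\r\n\r\n"
        "Fatal error: Uncaught PDOException in /var/www/app/db.php:42 (host 10.0.3.17)"
    ),
    "/about": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html><body>About us</body></html>",
}

# (finding name, pattern, which part of the response to search)
LEAK_CHECKS = [
    ("version-in-header",
     re.compile(r"^(?:Server|X-Powered-By|X-AspNet-Version):\s*[^\r\n]*?\d+\.\d+", re.I | re.M), "headers"),
    ("html-comment", re.compile(r"<!--.*?-->", re.S), "body"),
    ("internal-ip",
     re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"), "body"),
    ("error-detail",
     re.compile(r"(?:Fatal error|Uncaught|Traceback|Stack trace|ORA-\d{5}|SQLSTATE)", re.I), "body"),
    ("filesystem-path", re.compile(r"(?:/var/www|/home/\w+|/srv/|[A-Za-z]:\\inetpub)\S*"), "body"),
]


def find_leaks(raw_response: str) -> List[str]:
    """Return the names of the leakage checks that fire on one raw HTTP response."""
    headers, _, body = raw_response.partition("\r\n\r\n")
    found = []
    for name, pattern, where in LEAK_CHECKS:
        target = headers if where == "headers" else body
        if pattern.search(target):
            found.append(name)
    return found


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run every check over every captured response, keyed by request path."""
    return {path: find_leaks(raw) for path, raw in responses.items()}


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(findings) or 'clean'}")
```

The 500 response is the instructive case: a generic error page to the client with the exception, path and host written only to the server log would clear three findings at once.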

Next is content spoofing, occurring in one in four Web sites. Content spoofing, which is often used in phishing scams, causes an Internet user to unwittingly access spoofed content through e-mail, chat rooms or bulletin boards.


Rounding out the top five are predictable resource allocation—the automated scanning of forgotten Web pages that might contain sensitive information, found on one in six sites—and SQL injection, a method of inserting malicious SQL statements into applications that confuse the back-end SQL database into giving up information and potentially leading to identity theft, among other compromises.

The rest of the top 10 are, in order: insufficient authentication; insufficient authorization; abuse of functionality; HTTP response splitting; and directory indexing.

Bubbling under the top 10 is the fast-rising CSRF (Cross-Site Request Forgery), which exploits the trust that a site has for a user. CSRF can force a user's Web browser to send unintended HTTP requests, such as fraudulent wire transfers or requests to change passwords or to download illegal content.

CSRF will break the top 10 soon, predicts WhiteHat Security Chief Technology Officer Jeremiah Grossman. The company expects CSRF eventually to land in the No. 2 spot, right behind XSS.
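
A server-side check that defeats the forged request described above, as an added Python example that is not part of the article or the report. It combines a session-bound token with an Origin/Referer comparison; the secret, the session identifiers, the site origin `https://bank.example` and the form fields are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed per-process key; a real deployment keeps this in its secret store.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"  # constructed origin of the protected site

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session so a token captured in one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(header_value: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Compare scheme and host exactly; a prefix test would accept look-alike hosts."""
    got, want = urlsplit(header_value), urlsplit(site_origin)
    return bool(got.scheme) and (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


def is_request_allowed(method: str, headers: Dict[str, str], form: Dict[str, str], session_id: str) -> bool:
    """Allow a state-changing request only with a valid session token and a first-party Origin/Referer."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so no token is demanded of them
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(session_id), supplied):
        return False
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return same_origin(origin)  # fail closed when neither header is present


if __name__ == "__main__":
    token = issue_csrf_token("sess-42")
    good = {"csrf_token": token, "to_account": "12345", "amount": "500"}
    print("legitimate transfer:", is_request_allowed("POST", {"Origin": SITE_ORIGIN}, good, "sess-42"))
    print("forged transfer:    ", is_request_allowed("POST", {"Origin": "https://evil.example"},
                                                     {"to_account": "12345", "amount": "500"}, "sess-42"))
```

Embedding the token in the page served to the logged-in user is what a cross-site page cannot do: it can make the browser send the session cookie, but it cannot read the token to include it, and its Origin header names the wrong site.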

The report also ranked various verticals in terms of how well they executed Web site security. Retail came out on top, while the worst verticals were insurance, IT, health care and financial services.

With Web site attacks showing no signs of slowing down, WhiteHat Security recommends taking action as quickly as possible.

That means: finding and prioritizing all Web site properties by designating their importance to the business and a party responsible for their security; finding and fixing Web site vulnerabilities by assessing them for weaknesses with each code change; remediating vulnerabilities on a schedule based on severity; implementing a secure software development process using an organizational standard development framework; and implementing an in-depth Web site vulnerability management strategy.

By Karen D. Schwartz