According to DOSarrest Internet Security, deep website scans run by its Vulnerability Testing and Optimisation (VTO) service found that ninety percent of websites are vulnerable to attack.
Further findings include that 95 per cent of the flaws could cause information leakage because of outdated software versions and installed modules, while 71 per cent could allow sensitive information disclosure. The scans found cross-site request forgery (CSRF) flaws on more websites (67 per cent) than cross-site scripting (28 per cent) or SQL injection vulnerabilities (22 per cent).
“SQLi and XSS tend to grab most of the headlines as they are more well known and are potentially dangerous, but CSRF is a type of online identity theft where you have a user session that is manipulated by an attacker using that vulnerability, meaning that it is potentially more dangerous to the end customer,” said Sean Power, security operation center manager at DOSarrest.
CSRF is a form of attack that forces a victim to execute unwanted actions on a website: the attacker inherits the identity and privileges of the victim and performs an undesired function on the victim’s behalf. A SQL injection attack, by contrast, inserts a SQL query to gain database access and privileges, while cross-site scripting (XSS) attacks occur when an attacker injects malicious scripts into benign and trusted websites.
A CSRF attack is equally dangerous and significant, as it can compromise end-user data; if the targeted end user holds the administrator account, it can compromise the entire web application.
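The server-side check that blocks the CSRF scenario described above, as an added example (this is illustrative Python, not DOSarrest's or the VTO service's code): a synchronizer token derived per session and verified on every state-changing POST, with an Origin check as a second line of defence. SITE_HOST, the session identifier and the sample requests are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Per-process server secret (constructed here; a real deployment keeps one persistent secret).
SECRET_KEY = secrets.token_bytes(32)
SITE_HOST = "example.com"  # hypothetical protected site


def issue_csrf_token(session_id: str) -> str:
    """Derive the synchronizer token for a session; the server embeds it in each form."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Secondary check: the request must come from a page served by the site itself."""
    source = headers.get("Origin") or headers.get("Referer")
    return source is not None and urlparse(source).hostname == SITE_HOST


def accept_state_change(request: dict) -> bool:
    """Accept a state-changing POST only with a valid session token and trusted origin.

    The browser attaches the session cookie to a cross-site form post as well, so
    the cookie alone proves nothing about the user's intent; the token, which a
    page on another site cannot read, is what separates a real submission from a
    forged one.
    """
    session_id = request.get("cookies", {}).get("session")
    if request.get("method") != "POST" or not session_id:
        return False
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return False  # missing, stale or guessed token: reject before acting
    return origin_is_trusted(request.get("headers", {}))


def build_request(session_id: str, token: str, origin: str) -> dict:
    """Constructed sample of a password-change POST as the server would see it."""
    return {"method": "POST", "cookies": {"session": session_id},
            "form": {"csrf_token": token, "new_password": "x"},
            "headers": {"Origin": origin}}


# Constructed scenario: the victim's own form submission versus a post forged from another site.
VICTIM_SESSION = "sess-4f2a"  # constructed session identifier
LEGIT_REQUEST = build_request(VICTIM_SESSION, issue_csrf_token(VICTIM_SESSION), "https://example.com")
FORGED_REQUEST = build_request(VICTIM_SESSION, "", "https://attacker.invalid")
```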
Looking at the recent report on the number of new vulnerabilities reported to the National Institute of Standards and Technology (NIST) in August, Power also commented that the rise to 394 reported vulnerabilities, including 140 rated as high severity and 83 cross-site scripting (XSS) flaws, was higher than usual, especially as the usual number rated as high severity is around 100.
“This is one of those things that happens where sometimes there are more critical flaws and vulnerabilities and people jump on the bandwagon,” Power said.
“It is not the case that 90 per cent of the websites are vulnerable to a severe flaw, but it is more likely to be an information protection or session management flaw,” said Sean Power, security operation center manager at DOSarrest. “We put the mark at quite a high standard and there were only one or two instances where we couldn’t make any recommendations to the website. However, findings did show that 95 per cent of the sites scanned found flaws that could cause sensitive information to be leaked, so they are not to be taken lightly.”
DOSarrest Internet Security has launched its website Vulnerability Testing and Optimisation service (VTO) that will intelligently crawl a website and find any vulnerabilities in the site’s coding, as well as analyse the structure of the website to see what can be optimised for better performance, all for a safer and better web experience.
DOSarrest only tests websites that have asked to be tested. For these results, 50 websites were tested; further details are available on request. For more information or to request a VTO scan, please visit: http://www.dosarrest.com/solutions/vulnerability-testing