September 20, 2006; 05:39 AM
In recent years, buffer overflows topped the list as the most commonly reported vulnerability class used by attackers to compromise systems and websites. However, the latest report from Mitre Corp., a US government-funded research organization, indicates that attackers are moving away from acts of vandalism towards the more lucrative business of data theft. Cross-site scripting and SQL injection are now the most frequently reported vulnerabilities, and they are attractive to attackers because they can expose data such as credit card details.
Mitre's Common Vulnerabilities and Exposures (CVE) project reported that, of the 4375 security issues catalogued in the first nine months of 2006, web-related flaws took the top three spots: 21.5 percent of the CVEs were cross-site scripting (XSS) vulnerabilities, 14 percent SQL injection and 9.5 percent PHP file inclusion ("includes") flaws. Buffer overflows came fourth, at 7.9 percent.
The rise of XSS and SQL injection indicates that attackers are concentrating on the web application layer, which is typically written in languages such as Java, .NET and PHP; these are input-handling flaws and occur in any of those languages. Buffer overflows, on the other hand, are memory-safety flaws in native executables written in languages such as C.
Assessing the security of a website
This increase in web-based flaws stems directly from the simplicity of exploiting vulnerabilities such as XSS and from the enormous number of web applications freely available. In general, websites running shopping carts, forms, login pages and other dynamic content are a prime target for attack, because such applications need direct access to backend databases to function. Every request parameter the application passes into a query or renders back into a page is part of that attack surface. If improperly coded, these common applications become easy gateways to social security numbers, credit card details and even medical records.
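The following is an added illustration of the point above; it is example code written for this page, not code from the original press release or from any Acunetix product. It shows a login check that builds its SQL query by string concatenation, beside the parameterised version, both run against a constructed in-memory SQLite table. The table, the accounts and the attacker inputs are all made up for the example.

```python
"""Added example: SQL injection in a login check, and the parameterised fix.

Not from the original page. The users table and its contents are constructed
for this demonstration only.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a constructed sample table with two accounts.

    Passwords are stored in plaintext here only so the injection behaviour is
    easy to see; a real system stores password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login check with user input spliced straight into the SQL text.

    A quote character in the input ends the string literal and the rest of
    the input is parsed as SQL, so the attacker controls the WHERE clause.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Login check using bound parameters.

    The query structure is fixed before the values are seen; the driver passes
    the values separately, so they can never change the SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed attacker inputs. The first closes the password literal and adds
# an always-true OR; the second closes the username literal and comments out
# the rest of the query with the SQL line comment "--".
PASSWORD_PAYLOAD = "' OR '1'='1"
USERNAME_PAYLOAD = "x' OR 1=1 --"


def demo() -> dict:
    """Run both login checks against legitimate and malicious input."""
    conn = setup_db()
    return {
        # Correct credentials work in both versions.
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        # Wrong password is rejected by both versions.
        "safe_wrong": login_safe(conn, "alice", "wrong"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        # A non-existent user with an injected password logs in as the first
        # row of the table (the admin) through the vulnerable query ...
        "vuln_pw_payload": login_vulnerable(conn, "nobody", PASSWORD_PAYLOAD),
        # ... and so does an injected username with any password.
        "vuln_user_payload": login_vulnerable(conn, USERNAME_PAYLOAD, "anything"),
        # The same inputs are treated as literal strings by the safe query.
        "safe_pw_payload": login_safe(conn, "nobody", PASSWORD_PAYLOAD),
        "safe_user_payload": login_safe(conn, USERNAME_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The vulnerable query accepts two different payloads because `AND` binds more tightly than `OR`, so `password = '' OR '1'='1'` is true for every row and the login resolves to whichever row the database returns first. Parameterisation is the fix the scanner mentioned below is looking for the absence of; it is not a matter of stripping quote characters, which attackers routinely bypass.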
About Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner checks website security by automatically testing for SQL injection, cross-site scripting and other vulnerabilities. Its JavaScript Analyzer also checks for JavaScript malware embedded in a web page, which allows AJAX applications to be scanned as well. Acunetix WVS checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. When a scan completes, the software produces detailed reports that pinpoint where vulnerabilities exist.
Acunetix provides free audit to help companies determine the security of their websites
Enterprises that would like to have their website security checked can register for a free audit at www.acunetix.com/security-audit. Participating enterprises will receive a summary audit report indicating whether their website is secure. Summary reports will be delivered within five business days of submission.
About Acunetix
Acunetix was founded to combat the alarming rise in web attacks.
Its flagship product, Acunetix Web Vulnerability Scanner, is the result
of several years of development by a team of highly experienced
security developers. Acunetix is a privately held company with
headquarters based in Europe (Malta), a US office in Seattle,
Washington and an office in London, UK.
For more information:
Tamara Borg: tamara@acunetix.com
Acunetix Ltd: Tel: (+44) 0845 6126712, Fax: (+44) 0845 6126716
URL: http://www.acunetix.com.