
Press Releases by JavaScriptSearch

Cenzic Study Finds Continued Alarming Rise in Web Application Vulnerabilities

Application Security Trends Report Highlights Top Web Application Vulnerabilities for Q2 2007

July 31, 2007; 06:07 AM
Cenzic Inc., the innovative leader of application vulnerability assessment and risk management solutions, today released its Application Security Trends Report -- Q2 2007, proving once again that organizations are failing to optimize their Web application security methods. While this report highlights the Top 10 vulnerabilities from published reports in Q2 2007, Cenzic estimates there are thousands of vulnerabilities that remain unpublished due to the lack of reports and the vast number of home-grown applications. It is estimated that there are more than 100 million Web applications that facilitate transactions and collect information, yet less than five percent of applications are tested for vulnerabilities. The report provides a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings.

"We are at a critical stage when it comes to securing Web applications. With less than one percent of applications tested, millions of applications are vulnerable and ripe for hackers," said Mandeep Khera, VP of marketing for Cenzic. "Even the organizations that do test are still focused on testing only the applications in the development or Quality Assurance stage. With 99 percent of the applications in the production stage at any given point, these corporations are extremely exposed and vulnerable. They will get hacked. It's not a question of if but when."

"Our analysis for Q2 illustrates a very high percentage of published vulnerabilities in Web technologies, similar to the Q1 findings. This is a clear indication that network security is maturing, while application security is in its early stages," said Tom Stracener, senior security analyst at Cenzic. "While our analysis shows top vulnerabilities in Java, Apache, Apple and PHP applications, these reflect only the published vulnerabilities. There still remain thousands of vulnerabilities that are not published or reported."

In this study, Cenzic identified 1,484 unique published vulnerabilities in the second quarter of 2007, including some of the most common threats such as file inclusion, SQL injection and cross-site scripting. Of the vulnerabilities published, 72 percent were related to Web technologies, a seven percent increase from the Q1 findings, with attacks at the application layer continuing to dominate. The majority of vulnerabilities affected Web technologies such as Web applications, Web servers and Web browsers, with Cenzic classifying the bulk as easily exploitable. To download the Cenzic Application Security Trends Report, visit http://www.cenzic.com.

Top Ten Vulnerabilities in Commercial and Open Source Web Applications from Q2 2007:

--  Java Web Start Applet - A vulnerability in Sun JRE 5.0 and Sun Java
    Web Start allows an attacker to create an applet that can execute arbitrary
    code on any system running an affected version of the JDK/JRE software.
--  Apache HTTPD Mod_Cache - If caching is enabled, an attacker can crash
    the Apache HTTP Server.
--  Tomcat Input Validation Holes - Insecure example files included with
    the Tomcat server and improper filtering of user-supplied input in the
    Tomcat Manager and Host manager allow for cross-site scripting attacks.
--  Apache Mod_Status Input Validation Holes - Apache server is vulnerable
    to cross-site scripting when running mod_status with ExtendedStatus and a
    publicly available status page.
--  Apple QuickTime Java Remote Code Execution - A remote attacker can
    create a specially crafted HTML page that when loaded will execute
    arbitrary code via the toQTPointer() function.
--  Apple QuickTime Integer and Heap Overflows - Multiple code execution
    vulnerabilities were found in Apple QuickTime.
--  PHP mail() Function - Versions of PHP 4 and PHP 5 allow a remote
    attacker to inject email headers in the "To" and "Subject" parameters.
--  PHP Libxmlrpc Buffer Overflow - A buffer overflow in versions of PHP
    4 and PHP 5 allows a remote attacker to execute arbitrary code via a heap
    overflow in the XMLRPC extension.
--  PHP Buffer Overflow - A buffer overflow in versions of PHP 5 allows a
    remote attacker to execute arbitrary code via a remote redirect request.
--  PHP CRLF Injection Bug - Input validation vulnerability in versions of
    PHP 4 and PHP 5 allows a remote attacker to execute arbitrary FTP commands
    and gain unauthorized access to the server.
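The PHP mail() item and the PHP CRLF injection item above share one mechanism: a carriage return or line feed inside a user-controlled field terminates the current protocol line (an email header, an FTP command) and lets the attacker start a line of their own. The following is an added example, not from Cenzic's report and not PHP code; it reproduces the header-injection case in Python with a constructed mailer, shows what a receiving MTA would parse out of the naively built header block, and places the hardened version (reject CR, LF and NUL in every header field) beside it. The function names, the addresses and the malicious input are all constructed for illustration.

```python
"""Email header injection via CRLF in a user-supplied "To" field.

Added example, not from the Cenzic report. The naive mailer concatenates
user input straight into header lines; the hardened one validates each
field first so that one header value can never become two header lines.
"""
import re

CRLF = "\r\n"


def build_headers_naive(to, subject, sender="noreply@example.test"):
    """Vulnerable: user input is pasted directly into the header block."""
    return (
        f"From: {sender}{CRLF}"
        f"To: {to}{CRLF}"
        f"Subject: {subject}{CRLF}"
    )


def parse_header_block(block):
    """Parse a header block into (name, value) pairs, roughly as a receiving
    MTA would. Folded continuation lines (leading whitespace) are joined onto
    the previous header."""
    headers = []
    for line in block.split(CRLF):
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


class HeaderInjection(ValueError):
    """Raised when a header field contains a line-terminating control character."""


# CR, LF and NUL each end or corrupt a header line; a bare LF is enough on
# many Unix mailers, so CR and LF are rejected independently, not only as a pair.
_BAD_CHARS = re.compile(r"[\r\n\x00]")


def sanitize_header_value(value):
    """Hardened: refuse the value outright rather than trying to strip it."""
    if _BAD_CHARS.search(value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_headers_safe(to, subject, sender="noreply@example.test"):
    """Same layout as the naive builder, but every field is validated first."""
    return build_headers_naive(
        sanitize_header_value(to),
        sanitize_header_value(subject),
        sanitize_header_value(sender),
    )


# Constructed attacker input: a plausible recipient, then a CRLF and an
# injected Bcc header (the classic spam-relay abuse of a contact form).
MALICIOUS_TO = "victim@example.test\r\nBcc: spamlist@example.test"


def demo():
    """Return (header names the MTA sees from the naive builder,
    whether the hardened builder rejected the same input)."""
    seen = [name for name, _ in parse_header_block(build_headers_naive(MALICIOUS_TO, "hello"))]
    try:
        build_headers_safe(MALICIOUS_TO, "hello")
        blocked = False
    except HeaderInjection:
        blocked = True
    return seen, blocked


if __name__ == "__main__":
    names, blocked = demo()
    print("headers seen by the MTA (naive builder):", names)   # includes 'Bcc'
    print("hardened builder rejected the input:", blocked)     # True
```

Rejecting the input, rather than silently deleting the control characters, is deliberate: a stripped value still reaches the mail queue under an address the user never typed, whereas a rejection surfaces the probe to the application's logs, which is where the attack statistics in this report come from.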

As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure®, its leading-edge security assessment and penetration testing service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings include:

--  More than seven of 10 analyzed Web applications engaged in insecure
    communication practices that could potentially lead to the exposure of
    sensitive or confidential user information during transactions.
--  Architectural flaws, design flaws and insecure application
    configurations are still common culprits in the exposure of sensitive user
--  Cross-site scripting was the most common injection flaw, with six out
    of 10 Web applications vulnerable to this type of attack.
--  Roughly two in every 10 applications were found to be vulnerable to
    SQL injection attacks.
--  Approximately 50 percent of all applications failed to properly
    implement structured exception handling.
--  Cross-site scripting was the most prevalent vulnerability: more than 60
    percent of all Web forms analyzed were vulnerable to it, followed by
    information leaks at 46 percent and authorization and authentication flaws
    at 45 percent.

About Cenzic Inc.

Cenzic is the innovative leader of next-generation application security assessment and risk management solutions that quickly and accurately find more "real" application vulnerabilities in both legacy Web 1.0 and Web 2.0 applications. The Cenzic suite of application security solutions fits any company's needs, from a remote Software as a Service offering (ClickToSecure®) for testing one or more applications, to a full enterprise-wide solution (Cenzic Hailstorm® Enterprise ARC) for effectively managing application security risks across an enterprise. Cenzic's latest ARC release provides a superset of all other application security solutions, including Spi Dynamics, Watchfire, Fortify, Ounce Labs, and manual pen testing solutions. Cenzic solutions, targeted at the financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive, and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.
