It’s been a while since someone has talked about the vulnerability of the sea of websites out there. Why is that significant? Well, in short, "content spoofing". Content Spoofing is where someone presents their content instead of yours using your website, effectively spoofing your pages with theirs. Using your location and page as validation, they proceed to collect information from your would-be patrons, and well, you get the idea. Wasabi thought then it would be apropos to shine some light on the subject and reveal the findings of WhiteHat’s annual Website Security Statistics Report from the summer of 2012. Share and Enjoy…
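As an added illustration of what Content Spoofing looks like in code (this is not from the post or the WhiteHat report): a notice page that reflects a `msg` query parameter, HTML-escaped so it is not XSS, still lets anyone craft a link that shows their own text on your page under your domain; the hardened version only ever displays server-chosen messages. The handler names, the message table and the sample link are constructed for this example.

```python
import html
from urllib.parse import parse_qs

# Server-side message table for the hardened handler (constructed for this example).
MESSAGES = {
    "saved": "Your changes have been saved.",
    "login_required": "Please sign in to continue.",
}
DEFAULT_MESSAGE = "Your request has been processed."

def render_vulnerable(query_string: str) -> str:
    """Reflects the 'msg' parameter into the page body. html.escape() stops XSS,
    but any plain text placed in the URL is still shown on the site's own page,
    under its own domain: that is Content Spoofing, XSS without the script."""
    msg = parse_qs(query_string).get("msg", [DEFAULT_MESSAGE])[0]
    return f"<h1>Notice</h1><p>{html.escape(msg)}</p>"

def render_hardened(query_string: str) -> str:
    """Treats 'msg' as a key into MESSAGES, so the text shown is always
    server-chosen; unknown or missing keys fall back to a fixed message."""
    key = parse_qs(query_string).get("msg", [""])[0]
    return f"<h1>Notice</h1><p>{html.escape(MESSAGES.get(key, DEFAULT_MESSAGE))}</p>"

# Constructed link of the kind described above: no markup, just misleading text.
SPOOFED_QUERY = "msg=Your+account+is+locked.+Call+555-0100+to+verify+your+card."
```

Detection-wise, the tell is a page whose body text is taken from the request rather than from the application; output encoding alone does not close this class.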
WhiteHat has been publishing the Website Security Statistics Report, which highlights the top vulnerabilities, tracks vertical market trends and identifies new attack techniques, since 2006. The WhiteHat Security report presents a statistical picture of current website vulnerabilities among 7,000 websites, across hundreds of organizations, and is accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one that focuses solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites, and does so over time.
KEY FINDINGS
- The average number of serious* vulnerabilities found per website per year was 79, a significant reduction from 230 in 2010 and down from 1,111 in 2007.
- Cross-Site Scripting reclaimed its title as the most prevalent website vulnerability, identified in 55% of websites.
- Web Application Firewalls could have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified.
- There was notable improvement across all verticals, but Banking websites possessed the fewest security issues of any industry, with an average of 17 serious* vulnerabilities identified per website.
- Serious* vulnerabilities were fixed in an average of 38 days or faster, a vast improvement over the 116 days it took during 2010.
- The overall percentage of serious* vulnerabilities that were fixed was 63%, up from 53% in 2010, and a marked improvement from 2007 when it was just 35%. A rough 7% average improvement per year over each of the last four years.
- The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%.
- The average number of days a website was exposed to at least one serious* vulnerability improved slightly to 231 days in 2011, from 233 days in 2010.
EXTENDED HIGHLIGHTS AND INSIGHTS
- The favorite vulnerability class of malicious hackers, SQL Injection, remained the 8th most prevalent website vulnerability, even though it dropped by 3 points to 11% of websites.
- 55% of SQL Injection vulnerabilities were fixed (down from 56%) and to do so required an average of 53 days (down from 57 days).
- 5% of all websites had at least one SQL Injection vulnerability exposed that was exploitable without first needing to login to the website. This could help explain the ongoing problem of website infections and drive-by-downloads.
- 48% of Cross-Site Scripting vulnerabilities were fixed (down from 50%) and to do so required an average of 65 days (down from 64 days).
- About a quarter of SQL Injection and Cross-Site Scripting vulnerabilities have been reopened at 26% and 24% respectively.
- Of the total population of vulnerabilities identified, Cross-Site Scripting, Information Leakage, and Content Spoofing took the top three spots at 50%, 14%, and 9% respectively.
- Retail websites improved dramatically over the last year, yet remain the industry possessing the most security issues with an average of 121 serious* vulnerabilities identified per website.
- The industries that fixed their serious* vulnerabilities the fastest were Energy (4 days), Manufacturing (17 days), and Retail (27 days).
- The industries that fixed their serious* vulnerabilities the slowest were Non-Profit (94 days), Financial Services (80 days), and Telecommunications (50 days) websites.
- The industries that remediated the largest percentage of their serious* vulnerabilities were Banking (74%), Telecommunications (69%), and Retail (66%) websites.
- The industries that remediated the fewest percentage of their serious* vulnerabilities were Energy (40%), Education (46%), and Manufacturing (50%) websites.
- The industry with the fewest days exposed to at least one serious* vulnerability was Banking at 185 days, but was oddly way up from 74 days during 2012.
- The industry with the most days exposed to at least one serious* vulnerability was Non-Profit websites at 320 days, followed by Education websites at 261 days (up from 164) and Social Networking at 264 days (up from 159).
- 20% of vulnerabilities identified by WhiteHat Sentinel have been reopened at some point in time, often several times.
- Vulnerability classes that tend to be exploited by injecting malicious data into URL parameters tend to reopen more often than business logic flaws.
- OS Command Injection, by comparable vulnerability volume, is statistically non-existent.
WHITEHAT SECURITY TOP TEN
Now that we have an overview of the average total number of serious* vulnerabilities, Time-to-Fix, Remediation Rates, and Window of Exposure across industry verticals, we’ll look at the distribution of vulnerability classes. In Figure 3 the most prevalent vulnerability classes are calculated based upon their percentage likelihood of at least one instance being found within any given website. This approach minimizes data skewing from websites that are either highly secure or extremely risk-prone.
- In 2010, 64% of websites had an Information Leakage vulnerability, which overtook the notorious Cross-Site Scripting (XSS) as the most prevalent issue by just a few tenths of a percent. During 2011, Information Leakage and XSS switched top spots again and both vulnerability classes saw a notable reduction. In 2011, XSS regained its title as the most prevalent website vulnerability, being found in 55% of websites. In second place on the WhiteHat Top Ten was Information Leakage, identified in 53% of websites.
- Information Leakage is a catchall term that describes a vulnerability in which a website reveals sensitive data, such as technical details of the Web application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the system, its hosting network, or users. Common examples are a failure to scrub out HTML/JavaScript comments containing sensitive information (database passwords), improper application or server configurations, or differences in page responses for valid versus invalid data.
- Also on a downward trend, but remaining at #3, is Content Spoofing at 36% of websites (43% in 2010). Content Spoofing is a very similar vulnerability to Cross-Site Scripting, only without the “script” (HTML, JavaScript). This vulnerability class is most often used to force a website to display something unauthorized to another user. As such, Content Spoofing is useful in performing phishing scams and other malicious brand attacks.
- Unexpectedly, Cross-Site Request Forgery (CSRF) slid down a spot to #5 in 2011, overtaken by Insufficient Authorization (21% of websites). CSRF also fell five percentage points to 19% of websites. This is odd because CSRF is widely considered to be the sleeping giant of Web security, with the industry consensus asserting that nearly every website has at least one vulnerability. Therefore, we predicted the numbers to go up, and for years they did. To reiterate from our last report, this has nothing to do with websites somehow becoming more vulnerable to CSRF: only a few years back, CSRF was widely disregarded as not a “real vulnerability” and considered an artifact of “the way the Web was designed to work.” Over time, malicious hacker activity leveraging CSRF has forcibly changed this perception and more website owners are asking for them to be reported so they may be fixed. Instead, a steady improvement in WhiteHat Sentinel identification combined with customer demand to report those accounts for the rise.
- Taking fifth as well, CSRF attacks involve forcing a victim’s Web browser, typically while authenticated, to send an HTTP request to a target website without their knowledge, performing an unintended action as the victim. This action could be a bank wire transfer, sending email spam, adding a friend, and so on. Practically speaking, just about every feature on every website has the potential of being vulnerable to CSRF unless very specific safeguards are put in place.
- Brute Force slipped a spot down to 6th place and dropped only a single percentage point from last year to 16% of websites. The bulk of these Brute Force vulnerabilities occur because a website login field reveals which entry of the username/password combination is incorrect. Due to spammers mining for valid email addresses, which double as usernames on a variety of websites, enterprises have an increased awareness and appreciation for the problem. In these cases we adjust the severity of the Brute Force vulnerability accordingly.
- The best explanation for the reduction in CSRF vulnerabilities is the particular WhiteHat Sentinel Service selected by our customers. There is an increased representation of customer websites in the sample covered by Sentinel Baseline and Standard Edition, which are either configured/performed in an unauthenticated fashion and/or do not comprehensively check for CSRF vulnerabilities. With these observations, the reduction in CSRF could have been foreseen. Scanning for CSRF in a purely automated fashion is well known to be extremely difficult and false-positive prone, which is why we recommend expert testing, as provided with Premium Edition, to identify the vulnerability. For these reasons we maintain that CSRF is probably the most prevalent website vulnerability, or a close second, in real terms.
- Predictable Resource Location (PRL), which covers URLs containing sensitive information that may be unlinked but whose location can be guessed, held firm in 7th place while still managing to be reduced by 2% in 2011.
- If XSS is the most prevalent website vulnerability, SQL Injection is likely the most exploited. Still, SQL Injection remains fixed in 8th place on the WhiteHat Top Ten and has even dropped 3 points down to 11% of websites — several times less prevalent than XSS. This should be a reminder that vulnerability prevalence does not automatically correlate to vulnerability exploitation.
- Rounding out the Top Ten are two vulnerability classes that impact website session management, Session Fixation and Insufficient Session Expiration respectively. The former is when a website’s session credential, such as a cookie, can be forcibly pre-set to a value that the bad guy knows, which then becomes valid after the user successfully authenticates.
- Insufficient Session Expiration is when a system does not invalidate and/or delete a session credential when a user logs out of the system, and its validity persists. At 10% of websites apiece, both of these are neither rare nor strangers to the Top Ten.
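An added example, not code from the post or from WhiteHat, of a toy Python app that handles four of the Top Ten classes described above in the way the report's findings point to: a uniform login failure message so the form does not say which half of the credential was wrong (Brute Force), a fresh session id issued at login so a pre-set cookie value never becomes an authenticated session (Session Fixation), a per-session token checked on the state-changing request (CSRF), and server-side deletion at logout (Insufficient Session Expiration). The user table, the fixed salt and the request shapes are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user table; a fixed salt keeps the demo short (use per-user salts in practice).
SALT = b"constructed-demo-salt"
def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)
USERS = {"alice": hash_password("correct horse")}
GENERIC_FAILURE = "Invalid username or password."

class App:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, presented_sid, username, password):
        """Returns (session id, message). The failure text is identical whether
        the username or the password was wrong, so the login form cannot be used
        to tell valid accounts from invalid ones (Brute Force). On success the
        pre-login id, which an attacker may have planted, is dropped and a fresh
        id plus a fresh CSRF token are issued (Session Fixation)."""
        stored = USERS.get(username)
        candidate = hash_password(password)  # always hash, so timing gives no hint either
        if stored is None or not hmac.compare_digest(candidate, stored):
            return presented_sid, GENERIC_FAILURE
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid, "ok"

    def csrf_token(self, sid):
        """The server embeds this in its own forms; a cross-site page cannot read it."""
        return self.sessions[sid]["csrf"]

    def transfer(self, cookie_sid, form):
        """State-changing endpoint. The browser attaches the cookie by itself, so
        the cookie alone does not prove intent; the form token does (CSRF)."""
        session = self.sessions.get(cookie_sid)
        if session is None:
            return 401, "not authenticated"
        submitted = form.get("csrf_token", "").encode()
        if not hmac.compare_digest(submitted, session["csrf"].encode()):
            return 403, "missing or invalid CSRF token"
        return 200, f"{session['user']} transferred {form['amount']}"

    def logout(self, sid):
        """Deletes the session server-side so the old cookie value stops working
        (Insufficient Session Expiration)."""
        self.sessions.pop(sid, None)
```

A forged cross-site form submission carries the victim's cookie but not the token, so it lands on the 403 branch; a replayed cookie after logout lands on the 401 branch.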
Source(s):
So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 21 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085