RealTime IT News

Surprise! Web Vulnerabilities on the Rise

With the Black Hat security conference under way in Las Vegas, the pace and volume of security-related news is just warming up. To help get it started, security analysis vendor Cenzic today issued its second-quarter Application Security Trends report claiming that, once again, vulnerabilities are on the rise.

But is Cenzic just fear mongering with its recent report? Mandeep Khera, vice president of marketing at Cenzic, doesn't think so at all.

"In fact, if anything, we believe that companies need to be more scared," Khera said. "Corporations need to wake up and realize that they are being hacked all the time through their Web applications. Growing Web vulnerabilities is just a symptom. We have a long way to go in protecting our infrastructure when it comes to Web applications. We better start right now or we'll never catch up."

The Cenzic study identified 1,484 unique published vulnerabilities in the second quarter of 2007. Seventy-two percent of the vulnerabilities were found in Web technologies, a 7 percent increase from the previous quarter. Perhaps more alarmingly, Cenzic has classified the bulk of the Web vulnerabilities as being easily exploitable.

Or are they?

Cenzic's studies noted a number of vulnerabilities in both PHP and the Apache HTTP Web Server. But Cenzic didn't discover the vulnerabilities. Instead, Khera admitted, the firm only analyzed the published vulnerabilities.

In the case of the Apache HTTP and PHP issues, patches for the vulnerabilities listed by Cenzic have been issued by their respective developers. Khera noted that the question to ask is how many companies have actually applied those patches.

However, even if users have patched their software, Khera admitted that Cenzic hasn't tested to see whether the patches work.

The real danger that the Cenzic report highlights is the risk from unpublished vulnerabilities. Cenzic claims that there are thousands of them and that they are usually in homegrown applications, but that's not always the case.

"In the past, we have found vulnerabilities in Oracle and Yahoo but Cenzic believes in following a responsible vulnerability disclosure policy," Khera said. "We inform the vendors and give them up to 45 days to fix the vulnerability and let their customers know before we release to the public."

Not all security researchers are as ethical as Cenzic claims to be. Khera alleged that there are many ethical hackers and even app security vendors who do not follow a responsible disclosure policy. To add further insult to injury, Khera alleged that some ethical hackers and app security vendors even attack other companies' sites to prove that those sites have vulnerabilities.

"These guys then post messages on various message boards claiming that they found vulnerabilities on those sites," Khera stated. "We believe that this approach is not only amateurish and irresponsible but also illegal, since they are attacking without authorization."

Cenzic expects that attacks on Web applications will continue to grow, and Khera expects that compliance issues and disclosure policies will force companies to make more attacks public.

The types of attacks that are expected in the future are the same that Cenzic sees today -- namely cross-site scripting (XSS), cross-site request forgery and session management vulnerabilities. The Q2 Cenzic report alleges that 60 percent of Web applications are vulnerable to XSS. In contrast, Cenzic reported that only 20 percent of Web applications were vulnerable to SQL injection attacks.

Khera alleged that because most developers are under time pressure, they may not code with XSS in mind.

"On the positive side, we think a lot more companies will start using some kind of solution to test their applications as the awareness is growing rapidly," Khera said.