Report: 90% of Web Sites Vulnerable to Hackers

We all know that some Web sites suffer from security vulnerabilities — but 90 percent of them?

In a new report, security researcher Whitehat Security said it found a staggering nine out of 10 Web sites have some type of serious vulnerability that a hacker could potentially exploit.

The study, which examined more than 600 sites including those of Fortune 500 firms, found a number of different vulnerabilities common across the Internet, with Cross-Site Scripting (XSS) vulnerabilities dominating the rankings.

In fact, Whitehat claims that 70 percent of the Web sites it surveyed were at risk from some sort of XSS attack. That figure dwarfs the No. 2 culprit in the firm’s survey, SQL injection, which comprised only 4 percent of the firm’s total surveyed vulnerabilities.

XSS flaws have been reported in recent years on a number of big-name sites, including IBM and Google.

To add insult to injury, Whitehat added that it typically takes a site 92 days to fix a reported XSS vulnerability.

Chiefly, the protracted repair effort is because the issue is poorly understood and its severity often under-appreciated, Jeremiah Grossman, founder and CTO of Whitehat, told

In addition, developers who must fix the issue often don’t work for IT security and have a different set of priorities, he said.

Whitehat collected its statistics by way of its Whitehat’s Sentinel Service, which provides software-as-a-service-based Web site vulnerability management. Whitehat claims to have more than 600 sites under management, including a number of the nation’s largest companies.

The study also examined vulnerabilities by industry, with insurance sites topping the list: 84 percent of that sector’s sites contained vulnerabilities, Whitehat said.

Perhaps ironically, IT-related sites weren’t far behind, at 72 percent.

Grossman offered a simple explanation as to why IT firms were near the top of the list:

“Likely because those Web sites are not used or abused as often as the other, more trafficked Web sites,” he said. “The more battlefield-tested a Web site is, the more secure it will become over time.”

While XSS attacks currently hold the top spot in Whitehat’s rankings, a new challenger may soon move into the No. 2 spot: Cross-Site Request Forgery (CSRF) attacks, which Grossman said are growing increasingly common — often in tandem with XSS attacks.

He added that as the attacks are on the rise, effective, automated CSRF-detection techniques have yet to emerge.

Other security firms, including IBM’s Watchfire division and Cenzic have also reported an upswing in CSRF attacks.

While CSRF attacks can be coupled with XSS attacks, the two work differently. XSS attacks occur when script is injected into a Web site’s pages without the user’s (or the site’s) authorization. CSRF attacks, on the other hand, work by tricking a user’s browser into making requests to a third-party site on the user’s behalf, without the user realizing it.
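As an added illustration in Python (not code from the article or from Whitehat), the distinction in defensive terms: a constructed state-changing handler that trusts the session cookie alone, which a forged cross-site request passes, beside one that also demands a per-session synchronizer token that only a same-origin page can read back, plus output escaping for the XSS case. The session store, handler names and form fields are assumptions for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def new_session(user):
    """Log a user in and mint a per-session CSRF (synchronizer) token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def transfer_unprotected(cookie_sid, form):
    """State-changing action that trusts the session cookie alone.
    The browser attaches that cookie to a forged cross-site request too,
    so this handler cannot tell the user's own request from a forged one."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "not logged in"
    return 200, f"sent {form['amount']} to {form['to']}"

def transfer_protected(cookie_sid, form):
    """Same action, but also requires the per-session token. A page served
    by another origin cannot read it, so a forged request lacks it."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "not logged in"
    token = form.get("csrf", "")
    # Constant-time comparison; an empty or wrong token is rejected.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"sent {form['amount']} to {form['to']}"

def greet(name):
    """Reflect user input into HTML. Escaping keeps injected markup from
    being interpreted as script by the visitor's browser (the XSS case)."""
    return f"<p>Hello, {html.escape(name)}</p>"

if __name__ == "__main__":
    sid = new_session("alice")
    forged = {"amount": "1", "to": "mallory"}      # no token: cross-site request
    print(transfer_unprotected(sid, forged))       # (200, ...) accepted
    print(transfer_protected(sid, forged))         # (403, ...) rejected
    print(transfer_protected(sid, dict(forged, csrf=SESSIONS[sid]["csrf"])))
    print(greet("<script>"))                       # <p>Hello, &lt;script&gt;</p>
```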

“They are often combined during exploitation, but reported independently,” Grossman said.

Beyond CSRF, Grossman doesn’t expect much to change in terms of the threat landscape during the coming months, unless there’s a “breakthrough in CSRF detection or entirely new attack classes show up,” Grossman said.

“Things that could change over time are the time to fix,” he added. “Several factors could cause these numbers to grow as well as shrink.”

The Payment Card Interface (PCI) compliance 6.6 requirements could also play a role in highlighting widespread security vulnerabilities at sites.

“By our numbers, very few Web sites could meet compliance if testing is done in a comprehensive fashion.”
