The top two vulnerabilities identified by Whitehat during 2012 by prevalence were Information Leakage at 55 percent and Cross-Site Scripting at 53 percent. Content Spoofing came in third at 33 percent, and Cross-Site Request Forgery fourth at 26 percent, tied with Brute Force.
Whitehat’s Brute Force vulnerability class is not quite the same as the classic Brute Force definition, where an attacker repeatedly tries different username/password combinations to gain access. Many sites today use an email address as the username.
“When you log into a website you do it with a username/password and some of these sites will tell you which part you got wrong,” Jeremiah Grossman, founder of Whitehat explained. “So the bad guys will use the login with the password recovery systems to mine for valid email addresses on a given system to phish and spam you.”
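The enumeration pattern Grossman describes comes from login and recovery responses that differ depending on whether the account exists. The following is an added illustration, not code from the article or from Whitehat: a leaky login handler beside a hardened one that returns the same message and does the same hashing work for unknown and known accounts, plus a recovery endpoint that answers identically either way. The user store, salt and `send_mail` stand-in are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample user store: email -> (salt, PBKDF2 hash). Not real data.
def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _hash(b"correct horse", _SALT))}

# Hash of a throwaway password: unknown accounts get the same work as known ones,
# so response time does not reveal whether the email is registered.
_DUMMY = _hash(b"dummy", _SALT)

def login_leaky(email: str, password: str):
    """'Before' form: the error text tells the caller which part was wrong,
    so a list of candidate emails can be sifted into valid and invalid ones."""
    rec = USERS.get(email)
    if rec is None:
        return (False, "No account with that email address")
    salt, stored = rec
    if not hmac.compare_digest(_hash(password.encode(), salt), stored):
        return (False, "Incorrect password")
    return (True, "OK")

def login_uniform(email: str, password: str):
    """Hardened form: one message for every failure, and the password hash is
    always computed (against the dummy when the email is unknown)."""
    salt, stored = USERS.get(email, (_SALT, _DUMMY))
    matched = hmac.compare_digest(_hash(password.encode(), salt), stored)
    ok = matched and email in USERS  # a guessed 'dummy' password must never pass
    return (ok, "OK" if ok else "Invalid email or password")

SENT = []  # records outbound mail for the example

def send_mail(email: str) -> None:  # stand-in for a real mailer
    SENT.append(email)

def password_reset_uniform(email: str) -> str:
    """Recovery flow: reply identically whether or not the address is registered;
    only the side effect (the email) depends on existence, and that is not
    visible to the requester."""
    if email in USERS:
        send_mail(email)
    return "If an account exists for that address, a reset link has been sent."
```

A quick regression check for this class of leak is to submit an unknown and a known email with a wrong password and diff the two responses (status, body and redirect); any difference is an enumeration oracle.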
From a remediation perspective, whatever the attack vector, Grossman said that accountability within an organization is critical.
“It is only when you have people that are accountable and empowered that you are able to affect real change in security and improve,” Grossman said.