Web Flaws Among the Top Three Common Vulnerabilities
This year, Web flaws have been reported as the top security threat in the CVE (Common Vulnerabilities & Exposures) list. Around 4,375 such cases have been recorded so far, and the number is fast approaching 4,538. Web flaws now occupy the top three ranks of the 'top common vulnerabilities' list, displacing buffer overflow vulnerabilities.
Steven Christey of Common Vulnerabilities & Exposures states that while researchers have been paying close attention to Web vulnerabilities, companies also need to pay attention to these flaws if they do not want to get caught out by them.
Because many websites have loopholes, and a large number of web-based applications have problems removing XSS (cross-site scripting) flaws, they become easy targets for exploitation. The difficulty is compounded because independent researchers avoid looking for flaws on other people's websites, since doing so could violate computer intrusion laws. The programming languages used to write malicious code are generally simple; therefore people with little or no experience can also develop such code to exploit existing vulnerabilities.
While web-friendly languages like PHP lower the hurdles to creating a useful application, they also lower the hurdles for anyone to find flaws in that application.
In 2006 so far, XSS flaws have accounted for 21.5% of all web flaws. XSS flaws are of a 'less than hackerly' nature, and amateur hackers and phishers use them to carry out malicious tasks on personal computers. XSS enables a malicious site to install code by pretending to come from a legitimate website, thereby duping users.
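To make the mechanism concrete, here is an added Python example that is not part of the SPAMfighter article: a constructed page template that reflects a request parameter back to the user. The vulnerable version inserts the raw value into the page, so markup supplied by a third party becomes part of the legitimate site's own page, which is the reflected XSS pattern the article describes; the hardened version HTML-encodes the value first. A small parser-based check then reports any element the template itself did not place, the kind of assertion a test suite can run against rendered output. All names, the template and the sample input are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed example template: a greeting page that echoes a query parameter.
# Vulnerable version: the untrusted value is concatenated straight into the
# markup, so any tags in the value are rendered by the browser as part of the
# legitimate site's page.
def render_greeting_vulnerable(name: str) -> str:
    return f"<h1>Hello, {name}!</h1>"


# Hardened version: HTML-encode the untrusted value so the browser shows it as
# text. quote=True also encodes " and ', which matters when a value lands inside
# a quoted attribute rather than in element text.
def render_greeting_safe(name: str) -> str:
    return f"<h1>Hello, {html.escape(name, quote=True)}!</h1>"


class _TagCollector(HTMLParser):
    """Collects the start tags the browser would see in a rendered page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


# Defender-side check: which elements appear in the rendered page that the
# template did not put there? For this template only <h1> is expected.
def foreign_tags(page: str, allowed=frozenset({"h1"})) -> list[str]:
    collector = _TagCollector()
    collector.feed(page)
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    # Constructed sample input containing a harmless tag; enough to show that
    # markup in the parameter is interpreted, not displayed, by the vulnerable path.
    sample = "<b>Bob</b>"
    for render in (render_greeting_vulnerable, render_greeting_safe):
        page = render(sample)
        print(render.__name__, "->", page, "| unexpected tags:", foreign_tags(page))
```

Encoding is context-specific: html.escape is the right tool for element text and quoted attribute values, but a value placed inside a script block, a URL or a style rule needs the encoding rules of that context instead.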
It is hard to write good code to exploit flaws using cross-site scripting, says Brian Chess, Fortify Software's chief scientist. Although this is reminiscent of buffer overflows, it may change. The potential impact of cross-site scripting on security incidents is yet to be explored; in this connection, one can imagine the sort of damage the "MySpace" worm could do in the hands of miscreants.
With technologies such as Web 2.0 promising greater inter-connectivity, network administrators can expect exactly the kind of threats posed by Web flaws to grow in the future. Security experts will therefore have to pay greater attention to countering such threats.
» SPAMfighter News - 21-09-2006