Websites Largely Contain SQL Injection Or XSS Vulnerabilities
ScanAlert, a provider of web security certification, announced the results of its recent report on February 7, 2007. The report relates to the security of software programs that hackers use, and it depicts a gloomy picture of the security of this software. According to the report, 50% of all websites are potentially vulnerable to database attacks. It estimated that nearly 45% of Web sites contained serious flaws such as SQL Injection, and that 50% of Web sites had cross-site scripting (XSS) security flaws.
An SQL Injection vulnerability allows hackers to break into databases and steal secret information that they then use for fraud and identity theft. In recent years, SQL Injection flaws have provided the opportunity for most of the destructive website attacks. It is also possible that this security hole enabled the T.J. Maxx theft, in which fraudsters stole millions of credit and debit card numbers.
Further results of the report showed that Web sites running Microsoft's IIS Web server software were twice as likely to contain serious database vulnerabilities as those running Apache's open-source Web server software. Apache sites, however, were slightly more likely to contain XSS vulnerabilities than sites using IIS. Moreover, the firm predicted that hackers would increasingly target PHP following security researchers' discovery of critical security holes in ordinary PHP programs.
According to Brett Oliphant, ScanAlert's VP of online products and services, when the firm's research results are applied to the innumerable websites selling goods and services online, the impact can get very scary. The research found that sites with big names are just as likely to have these security gaps as the small 'Mom and Pop Shop' sites.
XSS vulnerabilities are another emerging threat. Hackers frequently use them in combination with e-mail and phishing links to attack web users. The technique tricks users into visiting hacker-owned websites, where they unwarily enter sensitive information such as credit card or bank account numbers.
Although exploitation of XSS vulnerabilities has yet to reach the same degree as that of database holes, they will pose increasing risk as hackers improve their skills at getting consumers to open links, Oliphant said.
» SPAMfighter News - 15-02-2007