Two Thirds of Websites Vulnerable to Exploitation
About seven out of every ten websites contain security vulnerabilities that attackers can exploit to access confidential information or take the site offline, according to a study published by security vendor Acunetix on February 13, 2007.
Since January 2006, Acunetix has offered a free automated web scan to eligible websites. Of the 10,000 websites that applied, Acunetix scanned 3,200, covering both commercial and non-commercial sites.
Of the websites scanned, 70% were found to have high- or medium-severity flaws, leaving them at serious risk from attackers targeting their sensitive data.
According to the company's analysts, there is an "extremely high probability" that hackers will find and exploit these vulnerabilities to steal protected data. Acunetix identified 210,000 security flaws in total, an average of 66 for every online application.
The study also found that an average of 91% of the websites scanned had some form of hole. These ranged from severe issues such as SQL Injection and Cross Site Scripting (XSS) to lighter ones such as local path disclosure or directory listing.
Among the high-severity vulnerabilities, 50% of the websites were susceptible to SQL Injection and 42% to XSS. Other extremely risky vulnerabilities found were Blind SQL Injection, CRLF Injection, HTTP response splitting, and script source code disclosure.
Attackers exploiting SQL Injection use web forms to submit commands written in SQL, the database access language. With such commands they can retrieve an overview of earlier orders, credit card details, or the login names and passwords of users, including administrators.
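As an added illustration (not from the article or from Acunetix), the following Python snippet builds a login query two ways against a constructed in-memory SQLite table: once by pasting form values straight into the SQL text, the pattern behind the flaws counted in the study, and once with bound parameters, which keeps form input from being interpreted as SQL. The table, the user row and the form inputs are all invented for the demo.

```python
import sqlite3


def setup_db():
    """Constructed sample database: one user table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 1)")
    return conn


def login_vulnerable(conn, username, password):
    # Form values are concatenated into the SQL text, so a quote character in
    # the input changes the structure of the statement the database sees.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    # The statement text is fixed; the driver binds the form values as data,
    # so a quote in the input is only ever compared against the stored value.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def compare(username, password):
    """Run the same form input through both versions and return the rows each yields."""
    conn = setup_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    # A wrong password that also contains a quote: the concatenated query now
    # matches a row, while the parameterized query correctly rejects it.
    print(compare("alice", "x' OR '1'='1"))
```

Running the block prints a row for the concatenated version and `None` for the bound-parameter version; only the second behaviour is a correct password check.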
The study results clearly indicate that there is little or no consideration for the issue of unsafe web applications, said Kevin Vella, a VP at Acunetix, in a written statement that Information Week published on February 13, 2007.
Acunetix's findings support claims by other suppliers of code scanning tools. For example, SPI Dynamics claimed in February 2007 that it had a 99% success rate in breaking the security of its customers' online applications.
SPAMfighter News - 27-02-2007