March 2008 — News
Print this articleClick here to receive your FREE subscription to T.H.E. Journal
Study: The Year's Top-10 Web Application Vulnerabilities
Said the report, "These technologies are often combined to enable rich-media Internet applications, enhanced user interactivity, and syndication, all core elements of the application design principles that are associated with Web 2.0. The vulnerability count includes vulnerabilities in any application that implements one or more of the listed technologies. Research into the vulnerability types above showed general declines in all areas with the exception of flash technology, which increased from one disclosed vulnerability during the first half of 2007, to more than 20 vulnerabilities disclosed in the second half of 2007."
The numbers, however, are not all-inclusive.
Mandeep Khera, Cenzic's vice president of marketing, told us, "The numbers are low because these are known, reported, and published vulnerabilities. There are potentially a lot more in the internal applications using Web 2.0 applications. Also, there are probably a lot more in commercial apps that haven't been found or reported due to limited expertise in skills, tools, and knowledge around these technologies."
The Top Open Source and Commercial Application Vulnerabilities
The report did not focus primarily on Web 2.0. Instead, it looked at vulnerabilities across the whole spectrum of commercial and open source applications. Of these, the most severe in the fourth quarter of 2007 included (in order):
- Open SSL Off-By-One Overflow
- Java Web Start Bugs
- Adobe Acrobat URI Handling Bug
- IBM Lotus Notes Buffer Overflow
- RealPlayer Input Validation Flaw
- IBM WebSphere Application Server Input Validation Hole
- IBM WebSphere Input Validation Hole
- PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
- Apache Input Validation Hole
- Adobe Flash Player Bugs
Further information about each of these can be found in the report, available in PDF form here.
Cenzic said of the applications studied, 70 percent "engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions." And 60 percent were affected by the most common injection flaw, cross-site scripting.
There are, of course, implications for home-grown Web applications as well.
"...These findings, do not take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications," the company said.
"A vast majority of applications are proprietary and created in-house or outsourced to India, Russia, China, and former [Soviet Bloc] countries," Cenzic's Khera told us. "There are a lot more vulnerabilities in those applications including back-doors that very companies are checking for. The best advice we can give is that corporations and government agencies need to assess all their applications on a continuous basis so they can find these vulnerabilities and either fix them right away or find another way to block hackers. Companies can also start with a remotely managed assessment service if they are not ready to install a software solution in house."
