One in four web applications susceptible to high risk security flaws
NTA Monitor has reported a 10% increase in the total number of web applications found to have at least one high-risk security issue. 27% of all applications tested by NTA contained at least one high risk issue compared to 17% in the previous year. This represents a significant increase in the security exposure of the 'average' web application.
These findings form part of NTA's 2009 Annual Web Application Security Report, which analysed data gathered from web application security tests performed for a wide range of industry sectors across a 12-month period.
When looking at specific sectors, the most dramatic change was seen within NTA's charity and not-for-profit clients, where the average number of vulnerabilities more than tripled from 2008 to 2009. Those clients in the services sector, despite seeing a decrease in the average number of threats, from 2008 to 2009, had the highest number of high risks per test compared to all other sectors.
The utilities and legal sectors had the best performance against the average, as no high-risk vulnerabilities were found, compared to an average of one per test across all sectors.
The presence of any high level vulnerability can allow unauthourised external users to obtain system access and these flaws are often widely known and exploited by attackers.
NTA found the three most common high risks to be:
- A SQL injection attack, which enables attackers to modify the database queries initiated from an application.
- A cross-site scripting attack, which enables a hostile website to cause potentially malicious code to be executed in a users browser.
- A cross-request forgery attack, which enables a hostile Web site to make arbitrary HTTP requests to applications.
The SQL injection attack is the only risk to also appear in the top three high risks of the 2008 report. Roy Hills, Technical Director at NTA Monitor, says: "All user-supplied data should be properly sanitised before returning it to the browser or storing it in a database. This reduces the threat of SQL injection, which is a consistently prevalent high risk throughout 2008 and 2009. SQL injection enables attackers to modify the database queries initiated from an application so users can delete, create or update database records."
Due to the findings in this report NTA recommends three key procedures that organisations can follow to reduce their risk:
- Make sure all user-supplied data is properly sanitised before returning it to the browser or storing it in a database.
- Organisations should switch from a persistent authentication method to a transient authentication method to help prevent cross-request forgery attacks.
- An account lockout mechanism should be in place, to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute force user accounts.
The full report contains further recommendations and not only looks at the different types of vulnerabilities found in organisations, but also examines how all sectors fair against the average findings. It is available from NTA by emailing marketing@nta-monitor.com
This article was first released on: 7th September 2009