Nine out of ten websites have serious vulnerabilities

The third WhiteHat Website Security Statistics Report highlights the top 10 vulnerabilities currently affecting organizations. Attacks on websites are on the rise, placing intellectual property, customer data, and brand integrity at risk.

Based on more than a year of data, this is the industry’s only report focused solely on previously unknown vulnerabilities on publicly facing websites.

The report shows that nine out of ten websites have serious vulnerabilities that make them targets for malicious online attacks. Cross-site Scripting (XSS) remains the top vulnerability class, appearing in approximately three quarters of websites, while Information Leakage is the top vulnerability class of the overall population. New attack techniques such as XSS-phishing, Intranet hacking and Web worms may force enterprises to re-evaluate the criticality of XSS on a case-by-case basis.

The report statistics were gathered through an outsourced service providing website vulnerability assessments on an ongoing basis. With more than six hundred sites under management, including many of the Fortune 500, WhiteHat has access to an unparalleled amount of security data, which allows them to accurately identify which issues are the most prevalent.

Since the last report in April 2007, there has been a noticeable increase in several technical vulnerabilities including XSS, Information Leakage, SQL Injection and HTTP Response Splitting, which can be directly attributed to the discovery of new attack techniques and the improvement in vulnerability identification technology. The report revealed that HTTP Response Splitting has proven to be a hugely misunderstood and underestimated issue, evading most scanning technology since its discovery several years ago. The overall results are startling both in the prevalence and potential consequences of HTTP Response Splitting exploits.

WhiteHat Security also examined the ways in which website vulnerabilities are plaguing various vertical markets, finding that while website security remains generally weak, the retail sector has been performing better than other markets. XSS tops the list of vulnerability classes by vertical, followed closely by Information Leakage. WhiteHat found that while the security posture of some industries is stronger than others, the difference is insignificant when it comes to a website being compromised since hackers only need to exploit a single vulnerability to cause damage.

WhiteHat plans to issue continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers.