A new Cenzic report reveals widespread Web application vulnerabilities, with 2,155 discovered – a third of which have both no known solution and an exploit code publicly available.
The report also revealed aggressive campaigns by Web browser makers including Google, Microsoft, and Mozilla to improve the security of their Web navigation products.
Among the published Web vulnerabilities in Commercial Off The Shelf (COTS) software, Cross Site Scripting (XSS) and SQL injection dominated, accounting for 54 percent of the total number of Web vulnerabilities in the second half of 2010.
“With all the publicity, education, and known attacks that have exploited XSS and SQL vulnerabilities, it is astounding that companies still haven’t plugged these threats,” said Mandeep Khera, CMO at Cenzic.
“Cybercriminals are well aware of these weaknesses, and worse still, with the amount of exploit codes publicly available, even a hacker with modicum of talent has ability to cause tremendous damage. With an average security breach costing companies millions of dollars, lack of precaution is a daily risk that must be taken seriously. But, to give credit where it’s due, all browser companies have done a great job in taking proactive steps toward better security. However, companies need to upgrade their Web applications to the latest version to ensure security for their customers,” he added.
Cenzic also analyzed vulnerabilities in various Web browsers, detecting many security vulnerabilities yet aggressive campaigns by manufacturers to improve their safety. Google’s Chrome browser had the most vulnerabilities detected – 89 – due to its aggressive campaign to offer cash rewards for any discovered. In the end, the company fixed 88 of these vulnerabilities quickly and efficiently.
Similarly, Mozilla Firefox had 65 vulnerabilities detected and fixed 61 in a timely manner. Apple’s Safari fixed 39 of 41, Internet Explorer fixed 26 of 32, and Opera 27 of 29 vulnerabilities.
The second half of 2010 gave rise to many high profile Web application related attacks on corporations, universities, and government agencies as well, including a data breach at Ohio State University which affected 760,000 people, Anonymous Hackers’ Wikileaks Infowar against credit card companies, the Iranian Cyber Army’s web attacks against popular satellite channel Farsil and technology blog Techcrunch, and more.