Acunetix, a vendor of web application security solutions, has found that 70 per cent of web sites are at serious and immediate risk of being hacked. Businesses and non-commercial entities have much to consider when it comes to securing their web applications and the data they keep on customers and patrons.
Since January 2006, Acunetix has been offering a free automated web scan for qualifying websites. Out of a total of 10,000 applications, Acunetix has scanned 3,200 sites belonging to either businesses or non-commercial entities.
Seventy per cent of the websites scanned were found to contain high- or medium-severity vulnerabilities. There is an extremely high probability of these vulnerabilities being discovered and exploited by attackers to steal the sensitive data these organizations store.
On average, 91 per cent of these websites contained some form of vulnerability, ranging from the more serious, such as SQL Injection and Cross Site Scripting, to more minor ones, such as local path disclosure or directory listing. Approximately 66 vulnerabilities per website were found, for a total of 210,000 vulnerabilities across the scanned population.
Fifty per cent of the websites with instances of high vulnerabilities were susceptible to SQL Injection while 42 per cent of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.
[These results are completely unsurprising to security specialists. They should send shivers down the spines of CEOs. The report unfortunately doesn't say anything about the size of the companies involved, but it appears reasonable to assume that companies requesting free web site scans are small. Directors in small companies have neither the time nor the expertise to implement security architectures, including in-depth risk analyses, and they cannot be expected to have staff with security expertise. This is a really vicious circle - the IT guy doesn't tell the boss that he can't do the job, and the boss has no idea which questions to ask --Ed].
Related links:
www.acunetix.com
www.acunetix.de