Study: The Year's Top-10 Web Application Vulnerabilities
Web applications, by far, dominate the list of application security vulnerabilities
facing IT organizations. While 29 percent of vulnerabilities are attributable
to network and infrastructure weaknesses, a full 71 percent are attributable
to both open source and commercial Web applications, according to a report
released recently by security firm Cenzic Inc., "Application Security Trend
Report for Q4 2007."
On the whole, according to the report, Web application vulnerabilities increased
three percent in the fourth quarter of 2007 compared with the third quarter. And
actual attacks and probes increased from 1.3 million in October 2007 to 1.7
million in December 2007.
The highest percentage of incidents came in the form of probes, attempted access
and scans, accounting for 59 percent of incidents in the fourth quarter. Others
included investigation (16 percent), "improper usage" (10.3 percent),
unauthorized access (7.6 percent), malicious code (6.9 percent) and denial of
service (0.2 percent).
Web 2.0 Issues
In addition to general Web application vulnerabilities, the report highlights
several vulnerabilities in technologies used in the development of Web 2.0 applications,
adding to a growing list of reports targeting
Web 2.0. These technologies and protocols, spotlighted in the report, include:
- XML (eXtensible markup language)
- SOAP (Service-Oriented Architecture Protocol or Simple Object Access Protocol)
- REST (Representational State Transfer)
- Adobe Flash and Flex
- Active X controls
- Microsoft Silverlight
- RSS, RDF and Atom
For the second half of 2007, these technologies combined represented some 178
identifiable vulnerabilities, with Active X by far the largest culprit at 111
individual vulnerabilities. (Flash came in second with 23, RSS in third with
14 and AJAX in fourth with 10.)
Said the report, "These technologies are often combined to enable rich-media
Internet applications, enhanced user interactivity, and syndication, all core
elements of the application design principles that are associated with Web 2.0.
The vulnerability count includes vulnerabilities in any application that implements
one or more of the listed technologies. Research into the vulnerability types
above showed general declines in all areas with the exception of flash technology,
which increased from one disclosed vulnerability during the first half of 2007,
to more than 20 vulnerabilities disclosed in the second half of 2007."
The numbers, however, are not all-inclusive.
Mandeep Khera, Cenzic's vice president of marketing, told us, "The numbers
are low because these are known, reported and published vulnerabilities. There
are potentially a lot more in the internal applications using Web 2.0 applications.
Also, there are probably a lot more in commercial apps that haven't been found
or reported due to limited expertise in skills, tools and knowledge around these
The Top Open Source and Commercial Application Vulnerabilities
The report did not focus primarily on Web 2.0. Instead, it looked at vulnerabilities
across the whole spectrum of commercial and open source applications. Of these,
the most severe in the fourth quarter of 2007 included (in order):
- Open SSL Off-By-One Overflow
- Java Web Start Bugs
- Adobe Acrobat URI Handling Bug
- IBM Lotus Notes Buffer Overflow
- RealPlayer Input Validation Flaw
- IBM WebSphere Application Server Input Validation Hole
- IBM WebSphere Input Validation Hole
- PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
- Apache Input Validation Hole
- Adobe Flash Player Bugs
Further information about each of these can be found in the report, available
in PDF form here.
Cenzic said of the applications studied, 70 percent "engaged in insecure
communication practices that could potentially lead to the exposure of sensitive
or confidential user information during transactions." And 60 percent were
affected by the most common injection flaw, cross-site scripting.
There are, of course, implications for home-grown Web applications as well.
"These findings, do not take into account the thousands of vulnerabilities
that are created while programming in-house or proprietary applications,"
the company said. This can be a significant problem for some IT shops, such
as those that serve educational
institutions, that develop Web applications in-house.
"A vast majority of applications are proprietary and created in-house
or outsourced to India, Russia, China, and former [Soviet Bloc] countries,"
Cenzic's Khera told us. "There are a lot more vulnerabilities in those
applications including back-doors that very companies are checking for. The
best advice we can give is that corporations and government agencies need to
assess all their applications on a continuous basis so they can find these vulnerabilities
and either fix them right away or find another way to block hackers. Companies
can also start with a remotely managed assessment service if they are not ready
to install a software solution in house."
Web Browser Vulnerabilities: IE Safest?
The report also highlighted vulnerabilities in Web browsers themselves. It cited
Microsoft Internet Explorer as having the fewest "reported vulnerabilities"
during the final quarter of 2007, beating out Safari, Opera and Firefox for
the first time. Khera said he believes that Microsoft is "putting the most
resources in fixing their vulnerabilities."
The Opera browser was responsible for the highest percentage of reported vulnerabilities
by major type, at 38 percent, followed by Firefox at 32 percent. Safari had
15 percent, followed by IE at 10 percent.
Information for the browser vulnerability portion of the study was compiled
from information reported by developers, users, researchers and browser vendors
Further information about the study and a downloadable version of the study
itself can be found at Cenzic's