Study: The Year's Top-10 Web Application Vulnerabilities
Web applications, by far, dominate the list of application security vulnerabilities
facing IT organizations. While 29 percent of vulnerabilities are attributable
to network and infrastructure weaknesses, a full 71 percent are attributable
to both open source and commercial Web applications, according to a report
released recently by security firm Cenzic Inc., "Application Security Trend
Report for Q4 2007."
On the whole, according to the report, Web application vulnerabilities increased
three percent in the fourth quarter of 2007 compared with the third quarter. And
actual attacks and probes increased from 1.3 million in October 2007 to 1.7
million in December 2007.
The highest percentage of incidents came in the form of probes, attempted access
and scans, accounting for 59 percent of incidents in the fourth quarter. Others
included investigation (16 percent), "improper usage" (10.3 percent),
unauthorized access (7.6 percent), malicious code (6.9 percent) and denial of
service (0.2 percent).
Web 2.0 Issues
In addition to general Web application vulnerabilities, the report highlights
several vulnerabilities in technologies used in the development of Web 2.0 applications,
adding to a growing list of reports targeting
Web 2.0. These technologies and protocols, spotlighted in the report, include:
- XML (eXtensible markup language)
- SOAP (Service-Oriented Architecture Protocol or Simple Object Access Protocol)
- REST (Representational State Transfer)
- Adobe Flash and Flex
- Active X controls
- Microsoft Silverlight
- RSS, RDF and Atom
For the second half of 2007, these technologies combined represented some 178
identifiable vulnerabilities, with Active X by far the largest culprit at 111
individual vulnerabilities. (Flash came in second with 23, RSS in third with
14 and AJAX in fourth with 10.)
Said the report, "These technologies are often combined to enable rich-media
Internet applications, enhanced user interactivity, and syndication, all core
elements of the application design principles that are associated with Web 2.0.
The vulnerability count includes vulnerabilities in any application that implements
one or more of the listed technologies. Research into the vulnerability types
above showed general declines in all areas with the exception of flash technology,
which increased from one disclosed vulnerability during the first half of 2007,
to more than 20 vulnerabilities disclosed in the second half of 2007."
The numbers, however, are not all-inclusive.
Mandeep Khera, Cenzic's vice president of marketing, told us, "The numbers
are low because these are known, reported and published vulnerabilities. There
are potentially a lot more in the internal applications using Web 2.0 applications.
Also, there are probably a lot more in commercial apps that haven't been found
or reported due to limited expertise in skills, tools and knowledge around these
The Top Open Source and Commercial Application Vulnerabilities
The report did not focus primarily on Web 2.0. Instead, it looked at vulnerabilities
across the whole spectrum of commercial and open source applications. Of these,
the most severe in the fourth quarter of 2007 included (in order):
- Open SSL Off-By-One Overflow
- Java Web Start Bugs
- Adobe Acrobat URI Handling Bug
- IBM Lotus Notes Buffer Overflow
- RealPlayer Input Validation Flaw
- IBM WebSphere Application Server Input Validation Hole
- IBM WebSphere Input Validation Hole
- PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
- Apache Input Validation Hole
- Adobe Flash Player Bugs
Further information about each of these can be found in the report, available
in PDF form here.
Cenzic said that, of the applications studied, 70 percent "engaged in insecure
communication practices that could potentially lead to the exposure of sensitive
or confidential user information during transactions." And 60 percent were
affected by the most common injection flaw, cross-site scripting.
There are, of course, implications for home-grown Web applications as well.
"These findings do not take into account the thousands of vulnerabilities
that are created while programming in-house or proprietary applications,"
the company said. This can be a significant problem for some IT shops, such
as those that serve educational
institutions, that develop Web applications in-house.
"A vast majority of applications are proprietary and created in-house
or outsourced to India, Russia, China, and former [Soviet Bloc] countries,"
Cenzic's Khera told us. "There are a lot more vulnerabilities in those
applications including back-doors that very few companies are checking for. The
best advice we can give is that corporations and government agencies need to
assess all their applications on a continuous basis so they can find these vulnerabilities
and either fix them right away or find another way to block hackers. Companies
can also start with a remotely managed assessment service if they are not ready
to install a software solution in house."
Web Browser Vulnerabilities: IE Safest?
The report also highlighted vulnerabilities in Web browsers themselves. It cited
Microsoft Internet Explorer as having the fewest "reported vulnerabilities"
during the final quarter of 2007, beating out Safari, Opera and Firefox for
the first time. Khera said he believes that Microsoft is "putting the most
resources in fixing their vulnerabilities."
The Opera browser was responsible for the highest percentage of reported vulnerabilities
by major type, at 38 percent, followed by Firefox at 32 percent. Safari had
15 percent, followed by IE at 10 percent.
Information for the browser vulnerability portion of the study was compiled
from information reported by developers, users, researchers and browser vendors.
Further information about the study and a downloadable version of the study
itself can be found at Cenzic's
Dave Nagel is the executive editor for 1105 Media's educational technology online publications and electronic newsletters.