Web apps still full of security holes
Written by Kay Ewbank   
Monday, 26 September 2011

Over two-thirds of Web apps still have either SQL injection or cross-site scripting security holes. Given that Web apps are probed for vulnerabilities every two minutes, it’s a miracle there’s any secure data left anywhere on the Web!

The number of Web application vulnerabilities that are reported differs significantly from the number that actually exists, according to a new report from HP.

 

sqlinject

 

In tests conducted by HP, 69% of the Web applications contained at least one SQLi flaw, while 64% had a cross-site scripting vulnerability.

If you think of this in terms of an earlier finding from Imperva, that Web apps are probed for vulnerabilities every two minutes, it’s a miracle there’s any secure data left anywhere on the Web.

SQLi vulnerabilities mean that attackers can send SQL to a database to gain unexpected access to data in ways not intended by the developers, so the underlying data could be extracted or modified.

Cross-site scripting takes advantage of a lack of input validation, and embeds malicious client-side code into a Web page that is viewed by a victim’s Web browser.

Other vulnerabilities found by HP include hardcoded passwords embedded in 30% of the applications tested, which could mean the code could be manipulated to behave differently; and path manipulation vulnerability in 63% of the apps. By changing the filenames or paths, attackers could gain access to unexpected areas on user’s systems. Command injection vulnerability, which could be used by attackers to run operating system commands on a target computer. was also found in 35% of the applications tested.

HP found that, when analyzed per application and per lines of code, 410 vulnerabilities were found on average for each of the 236 applications evaluated, equating to 4.6 vulnerabilities per 1000 lines of code. Of the three languages counted, PHP was the most vulnerable programming language, with 13.1 vulnerabilities per 1000 lines, followed by .Net at 7.7. Java was the most secure, at 4.1.

More information:

HP's 2011 Mid-Year Top Cyber Security Risks Report

Web Applications Under Attack Every Two Minutes, Imperva Finds

 

sqlinject

 

 

To be informed about new articles on I Programmer, subscribe to the RSS feed, follow us on Twitter or Facebook or sign up for our weekly newsletter.

 

Banner


Imagine Cup Winners 2014
09/08/2014

The finals of the Imagine Cup were recently held in Seattle attended by 34 teams, 125 students in all, representing 34 countries. Winners of the Imagine Cup, Team Eyenaemia will be meeting with Bill G [ ... ]



RoboCup 2014 - Are Soccer Robots Making Progress?
03/08/2014

The original goal of the annual RoboCup contest was that by 2050 a team of soccer robots should be able to beat the human world champions. Each year we have a chance to gage progress and this year we  [ ... ]


More News

Last Updated ( Tuesday, 27 September 2011 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2014 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.