Careful Coding Remains the Key to Web App Security


WhiteHat Security this week released its fifth survey of Web site vulnerabilities. While the eWeek report on the study suggests the situation is marginally improved, the reality is that the risk is unchanged since the last report, which was in March.


The firm found that 82 percent of 687 sites it looked at had at least one vulnerability, compared to 90 percent in March -- hence the assessment that some improvement has occurred. WhiteHat said 66 percent of flaws have been remediated and that 72 percent of the flaws are critical. Cross-site scripting (XSS) remains the biggest problem. A new entrant to the top 10 list of vulnerabilities is cross-site request forgery (CSRF), in which a victim's browser is forced to make a request.


Security firm Cenzic also released a study on Web application security. The firm identified 1,200 published vulnerabilities in the second quarter. Among other conclusions, Cenzic found that 70 percent of Web applications used insecure communications practices, that XSS affected 70 percent of Web applications, and that about 20 percent of Web apps are vulnerable to structured query language (SQL) injection attacks that could result in a direct compromise.


CSRF could create significant problems. Twitter, for instance, acknowledges that it is a victim of a CSRF attack in which crackers force victims to "follow" them. This posting at ZDNet says the social network service promised a fix within 24 hours. The end of the post is a bit disconcerting, however: Twitter reportedly is fixing a bug that could result in malicious spam. More than one XSS flaw has been found and fixed. The list of site vulnerabilities -- which probably is incomplete -- suggests that the platform is vulnerable and reinforces the idea that applications are sometimes rushed out before security is fully addressed.


IT Jungle describes the dynamics of SQL injection in a manner that non-engineers can understand. The piece says the exploit, which targets Microsoft Active Server Pages and ASP.NET, emerged in late 2005 and resulted in high-profile site defacements. Microsoft's initial response was to lay the blame on poor programming practices. That didn't fly, of course. Microsoft recently released UrlScan 3.0, which filters requests made to Internet Information Services (IIS) version 6 servers in real time to weed out SQL injection attacks. The writer, in the one technical passage in the piece, describes why earlier versions of UrlScan fell short.


MessageLabs says SQL injection attacks increased significantly in July. No smoking gun was found, according to the report at Microsoft Certified Professional Magazine. An observer suggested that new variations on existing lines of attack may be responsible. In any case, the best preventative is for developers to use care in writing code. This doesn't always happen, however, because security is often sacrificed in favor of making the software available on schedule.
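The "careful coding" the article calls for, in the SQL injection case, comes down to keeping user input out of the SQL text. The example below is added here and is not from the article or any of the studies it cites; it uses Python's built-in sqlite3 module with a constructed two-row table, and shows why a request filter such as UrlScan is only a stopgap while a parameterized query removes the defect itself.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the input is pasted into the statement text,
    # so the input can change the structure of the query itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened pattern: the driver binds the value separately from the
    # statement; whatever the input contains is compared as one string.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return row counts for a normal name and for an input carrying a quote."""
    conn = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # constructed input that alters the concatenated query
    return {
        "concat_benign": len(lookup_concat(conn, benign)),
        "concat_crafted": len(lookup_concat(conn, crafted)),  # every row leaks
        "param_benign": len(lookup_param(conn, benign)),
        "param_crafted": len(lookup_param(conn, crafted)),  # no such name, 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the concatenated query returning both rows for the crafted input, while the parameterized query returns none, because the quote character never reaches the SQL parser.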