Two-thirds of web apps at risk of hacking

Friday, 03 February, 2012

Two-thirds of web applications tested by security consultants at Context Information Security in 2011 were found to be at risk from cross-site scripting, the consultancy firm announced today.

On top of that, nearly one in five web applications risked attacks by experienced SQL injections.

The findings come from penetration tests carried out on almost 600 hundred custom-built web apps. In total, Context discovered around 8,000 vulnerabilities, reflecting an increase in the average number of different security issues affecting each application from 12.5 to 13.5 between 2010 and 2011.

The report places these issues into the categories of server misconfiguration, information leakage, authentication, session management, authorisation weaknesses and encryption, all of which increased from 2010 to 2011.

The only exception to the upward trend was input validation weaknesses. According to the company, this is most likely due to the increased use of frameworks that offer built-in input validation security features.

Michael Jordon, Research and Development Manager at Context, said: “While the number of vulnerabilities identified in applications from 2010 and 2011 has not increased greatly, it does indicate that developers are continuing to make the same mistakes and are still not addressing web app security sufficiently.”

These findings are contained in the company’s new Context Web Application Vulnerability report, which also states that web apps developed for government, financial services and law and insurance sectors had the greatest increase in vulnerabilities.

“While some of the vulnerability categories such as server configuration and information leakage saw bigger rises, more serious cross-scripting and SQL injections present the biggest and potentially most damaging threats to web applications,” Jordon said.

“It is certainly clear that penetration testing before letting a web application go live is more relevant and essential than ever.”

The full report is available at the Context website.

Related News

CrowdStrike to buy Adaptive Shield

CrowdStrike is augmenting its SaaS security capabilities through the acquisition of Israeli-based...

LockBit named nastiest malware of 2024

LockBit, a ransomware malware known to have been used to attack Australian targets, has been...

Extreme Networks launches ZTNA solution

Extreme Networks' new ExtremeCloud Universal ZTNA solution combines cloud network access...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd