Netsparker: 2/3 of web applications are flawed

Internal code imperfections have led to cross-site scripting (XSS) and SQL injection flaws, with 68 percent of the web apps surveyed found vulnerable, according to application security company Netsparker.

A great deal of web apps are vulnerable to SQL injection attacks according to Netsparker

It is flaws at the software code level that give rise to so many security vulnerabilities in online web applications. This is the accusation levied by web-centric application security firm Netsparker as a result of its latest state-of-the-web-app-nation assessment.

The firm scanned a total of 396 web applications and reported finding 269 security vulnerabilities across 114 web applications, so roughly 68 percent. The majority of the vulnerabilities detected were blamed on cross-site scripting (XSS) and SQL injection (SQLi) flaws. File Inclusion vulnerabilities, including both remote and local file inclusions, were also to blame.

Netsparker describes itself as the only false positive free web application automated security scanner that scans and identifies vulnerabilities in HTML5 web applications.

How do these flaws play out?

Cross-site scripting (XSS) techniques allow hackers to inject client-side (i.e. browser-side) script into the web pages served by web applications, potentially altering their data and behaviour. SQL injection likewise relies on code injection, where a 'payload' of malicious SQL statements is fed through the web application to its database server.
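To make the SQL injection mechanism described above concrete, here is an added example (not code from the article or from Netsparker) that builds a constructed in-memory SQLite table and runs the same lookup two ways: once with the untrusted value concatenated into the SQL text, and once as a parameterised query. The table contents and the sample inputs are constructed for the demonstration; Python is used here because it runs without any server set-up.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the report).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the statement text, so the database
    # engine cannot distinguish data from code: the input becomes SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the statement is fixed and the driver binds the
    # value separately, so the input is only ever compared as a string.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Returns how many rows each variant yields for a normal value and for
    # a textbook tautology-style value, so the difference is measurable.
    conn = make_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed SQLi-style input
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_injected": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_injected": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the tautology input because the quote in the value closes the string literal and the rest is parsed as SQL; the parameterised lookup returns nothing, because no user is literally named `x' OR '1'='1`. The fix is not escaping the quote by hand but keeping data and statement text separate, which is what the placeholder achieves.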

As Acunetix points out, “since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.”

So is Netsparker scaremongering, or providing a timely wake-up call to users who now more than ever turn to online 'cloud' web applications? The team says that among the 269 vulnerabilities discovered there were multiple zero-day bugs, leading Netsparker's team to publish 114 public advisories.

An XSS smörgåsbord

Vulnerabilities here included reflected XSS, stored XSS, DOM-based XSS and XSS via RFI (Remote File Inclusion). Other vulnerabilities identified include Cross-Site Request Forgery (CSRF) flaws, Remote Command Execution (RCE), Command Injection, Open Redirection, HTTP Header Injection and Frame Injection.

So why are online web applications throwing up so many reported vulnerabilities today?

According to Softpedia writer Catalin Cimpanu, “a diversified software development landscape doesn't help web security. This diversification of the software development landscape may also play a role in the high number of security flaws since developers must be fluent and apt to safely code applications in multiple languages and technologies.”

Cimpanu underlines this point by detailing that when breaking down the open source apps per programming language, most of them were coded in PHP (326) and ASP/ASP.NET (31). Another “39 apps were built using a combination of more than 10 different technologies,” he said.

Netsparker itself says that even though these statistics are based on a small sample of the total number of web applications being used on the Internet, it does give us an indication of how vulnerable to malicious hacker attacks many websites are.

“Today's complex web applications are not making the developers' job any easier”, said Robert Abela, security professional, technical writer and IT consultant. “Developers have to understand all the different contexts of the XSS attacks to write code that is not susceptible to XSS vulnerabilities. Unless they do understand it and write or use a library that can protect the application against XSS attacks in all output contexts (HTML, attribute, JavaScript, client-side template etc.), we will keep on seeing the same trend; expect less SQL Injection and more cross-site scripting vulnerabilities in web applications.”
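Abela's point about output contexts is easiest to see in code. The following is an added example, not code from the article or from Netsparker, with one encoder per context (HTML text, quoted HTML attribute, JavaScript string literal) and a small template rendered both without and with them. The template, the function names and the sample inputs are constructed for this illustration; the encoders use only the Python standard library.

```python
import html
import json


def encode_html_text(value: str) -> str:
    # HTML body context: neutralise the characters that can start markup.
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    # Attribute context: escape quotes AND always emit the surrounding
    # quotes, so an unquoted attribute cannot be extended with a space.
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    # JavaScript string-literal context: JSON handles quotes, backslashes and
    # non-ASCII; additionally escape < > & so a closing </script> tag can never
    # appear inside an inline script (the HTML parser would end the script
    # before the JavaScript engine ever saw the string).
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_vulnerable(name: str) -> str:
    # Constructed page fragment: the same value reaches three contexts raw.
    return (
        f"<p>Hello {name}</p>"
        f"<input value={name}>"
        f"<script>var n = '{name}';</script>"
    )


def render_safe(name: str) -> str:
    # Same fragment, each insertion point encoded for its own context.
    return (
        "<p>Hello " + encode_html_text(name) + "</p>"
        "<input value=" + encode_html_attr(name) + ">"
        "<script>var n = " + encode_js_string(name) + ";</script>"
    )


def script_tag_count(rendered: str) -> int:
    # The template contains exactly one <script> of its own; any extra
    # occurrence came from untrusted data and means the encoding failed.
    return rendered.count("<script")


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print(script_tag_count(render_vulnerable(sample)))  # 4: template + 3 injections
    print(script_tag_count(render_safe(sample)))        # 1: only the template's own
```

A single "escape HTML" call is not enough: the attribute context needs the quoting rule and the JavaScript context needs a different escaping scheme entirely, which is why a library that knows the output context, rather than ad-hoc string replacement, is the practical route Abela recommends.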

Netsparker's guiding takeaway is that developers often feel intimidated by how much is going on in web application security, and so feel they can never really write secure code. The firm says that if software professionals focus on the core and basic task at hand (i.e. writing code that is not vulnerable to SQL injection and cross-site scripting), then the state of web security will improve.

Netsparker has also published an infographic detailing the high points of this research.