NOW READ THIS
("Security Advisory")

Submitted by: Bill Hickey
NCVA List Master

NRT-0494 Web Designers Make Well-Known Security Mistakes:

Web designers are consistently making well-known mistakes that leave trusted web sites open to being hijacked for attacks that compromise the computers of the sites' visitors, according to experts cited in an online press article. Many of the loopholes left in web site code - in particular cross-site scripting (XSS) vulnerabilities - have been known for almost a decade, researchers say. Yet, according to Symantec, the number of sites vulnerable in this way almost doubled during the second half of 2007.

"It overturns the whole notion that if you stay away from gambling and porn sites you are okay," said Kevin Hogan of Symantec. Hogan said more and more attackers were looking for web sites that were vulnerable to these scripting attacks because they required little work to exploit. By contrast, he said, a phishing attack required the creation of tempting emails, fake servers, and dead-drops to gather data.

In its most recent Internet Security Threat Report, Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007, up from 6,961 six months earlier. Of those, Symantec said only 473 had so far been fixed. "Attackers ... can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all," said the report.

Automated tools are available that can scan custom code and highlight vulnerabilities, but few web designers use them, said Chris Wysopal of Veracode. "The awareness is not there that if you write code you need to test it before you put it out there," he said.
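As an added illustration of the kind of mistake the article describes (this code is not part of the advisory or of any site it mentions), the snippet below shows a page that echoes a request parameter straight into HTML beside the same page with output encoding applied, plus the check an automated scanner or unit test performs to catch the difference before the code is deployed. The search page, its parameter and the probe string are all constructed for the example.

```javascript
// Added example, not from the advisory: the coding mistake behind a reflected
// XSS flaw, the output-encoding fix, and the test that tells them apart.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable (constructed): the query string is concatenated into the page
// body unchanged, so any markup the visitor's request carried is rendered.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened (constructed): identical page, but the untrusted value is
// HTML-encoded at the point where it is written into the document.
function renderSearchPageSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// The check a scanner or a pre-release unit test would run: send a harmless
// marker tag and see whether the response reflects it back as raw markup.
// Returns true when the page is vulnerable.
function reflectsRawMarkup(render, probe = '<script>probe()</script>') {
  return render(probe).includes(probe);
}

// Stand-alone demonstration.
console.log('vulnerable page reflects markup:', reflectsRawMarkup(renderSearchPageVulnerable));
console.log('hardened page reflects markup:  ', reflectsRawMarkup(renderSearchPageSafe));
console.log(renderSearchPageSafe('<b>shoes</b> & "boots"'));
```

The encoding function is the minimal text-node/attribute escape; a value written into a JavaScript block, a URL or a CSS context needs the encoding for that context instead, which is why frameworks that auto-escape per context are preferable to hand-rolled string building.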

(news.bbc.co.uk 14APR08)

Last Modified: Saturday, 02-Aug-2008 21:57:05 EDT