
SANS ISC InfoSec Handlers Diary Blog



WASC 2008 Statistics

Published: 2009-10-20
Last Updated: 2009-10-20 19:46:38 UTC
by Raul Siles (Version: 1)

The Web Application Security Consortium (WASC) released its 2008 statistics last Friday, compiling website vulnerability data from more than 12,000 sites and detecting nearly 100,000 vulnerabilities. As in previous years, Cross-Site Scripting (XSS), information leakage, and SQL injection are at the top of the list, but with a few significant variations:

Compared to 2007, the number of sites with widespread SQL Injection and Cross-Site Scripting vulnerabilities fell by 13% and 20%, respectively; however, the number of sites with different types of Information Leakage rose by 24%. On the other hand, the probability of compromising a host automatically rose from 7% to 13%.

The statistics are mainly collected through automated (black-box and white-box) testing. Therefore, once again and IMHO, one of the most frequent vulnerabilities, Cross-Site Request Forgery (CSRF or XSRF), is not properly reflected in the report. All the details are available on the WASC Web Application Security Statistics (WASS) project website, in both HTML and PDF format.

Definitely, if you plan to take action to improve the security of your web apps (and you should!), start by focusing on these four vulnerabilities: XSS, information leakage, SQLi and CSRF!
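To make the CSRF point concrete, here is an added example (mine, not code from the diary or from the WASC report) of why a scanner that only replays requests and inspects responses has a hard time with it. Both handlers below perform the same state-changing action; the only difference is whether a per-session synchronizer token is required. A forged cross-site POST carries the victim's cookie (the browser attaches it automatically) but cannot carry the token, because the attacking page cannot read the victim's form. The session store, request shape and sample requests are all constructed for the example.

```python
"""Added example: a state-changing handler with and without a CSRF synchronizer token.
The in-memory session store, the dict-shaped requests and all names are constructed here."""
import hmac
import secrets

# Constructed stand-in for a real session store: session id -> session data.
SESSIONS = {
    "sess-victim": {"user": "alice", "email": "alice@example.com"},
}


def issue_csrf_token(session_id: str) -> str:
    """Generate an unpredictable per-session token and bind it to the session.
    The same-origin page embeds it in its form; a cross-site page cannot read it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def _session_for(request: dict):
    # The browser sends the session cookie on any POST to this site, cross-site or not.
    return SESSIONS.get(request.get("cookies", {}).get("sid"))


def change_email_vulnerable(request: dict) -> int:
    """Authenticates via the session cookie alone. Returns an HTTP-style status code."""
    session = _session_for(request)
    if session is None:
        return 401
    session["email"] = request["form"]["email"]
    return 200


def change_email_hardened(request: dict) -> int:
    """Same action, but the request must also prove it came from a same-origin page."""
    session = _session_for(request)
    if session is None:
        return 401
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison; a missing or stale token is rejected before any state change.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    session["email"] = request["form"]["email"]
    return 200


def forged_request(new_email: str) -> dict:
    """What an auto-submitting form on attacker.example produces (constructed):
    the victim's cookie rides along, but there is no token to include."""
    return {"cookies": {"sid": "sess-victim"}, "form": {"email": new_email}}


def legitimate_request(new_email: str) -> dict:
    """What the site's own page produces: cookie plus the token it was rendered with."""
    token = SESSIONS["sess-victim"].get("csrf_token") or issue_csrf_token("sess-victim")
    return {"cookies": {"sid": "sess-victim"}, "form": {"email": new_email, "csrf_token": token}}


def run_scenario() -> dict:
    """Replay the forged and legitimate requests against both handlers and
    report the status codes and the resulting state of the victim's session."""
    SESSIONS["sess-victim"]["email"] = "alice@example.com"
    issue_csrf_token("sess-victim")
    results = {}

    results["vulnerable_forged"] = change_email_vulnerable(forged_request("attacker@evil.example"))
    results["email_after_vulnerable"] = SESSIONS["sess-victim"]["email"]

    SESSIONS["sess-victim"]["email"] = "alice@example.com"
    results["hardened_forged"] = change_email_hardened(forged_request("attacker@evil.example"))
    results["email_after_hardened_forged"] = SESSIONS["sess-victim"]["email"]

    results["hardened_legit"] = change_email_hardened(legitimate_request("alice2@example.com"))
    results["email_after_hardened_legit"] = SESSIONS["sess-victim"]["email"]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Note what an automated scanner observes here: against either handler, a crawled request that already carries the token gets a 200, and the forged request is something the scanner has to construct on its own, which first requires deciding that this endpoint changes state and is worth forging. That judgement about intent, not a signature in a response, is what makes CSRF under-counted when results come mostly from automated black-box and white-box runs.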

--
Raul Siles
www.raulsiles.com
