web application security lab

70% of Websites Under Immediate Risk of Being Hacked

The NYT posted an article today reporting some results from an Acunetix scan that says that 70% of websites are vulnerable. To quote the article, “On average 91% of these websites, contained some form of website vulnerability, ranging from the more serious such as SQL Injection and Cross Site Scripting to more minor ones such as local path disclosure or directory listing.” Glad to see that XSS is being tossed a bone in the article (it’s the little vulnerability that could!).

But for some reason these numbers seem WAY low to me, given that Jeremiah has found about 70% of sites to be vulnerable to XSS alone, and I’ve found closer to 80% of them to be vulnerable in the one thousand or so sites I’ve manually looked at. And that’s not all of them either, that’s just what I found! I’d love to get a list of sites they say aren’t vulnerable and re-test a segment of them.

I have a feeling these numbers are understating the real problem. Just because you can’t find the problem doesn’t mean it’s not there. Still 70% is a scary enough number that most people can’t really comprehend anyway. Telling them that 80% or 90% or more is vulnerable wouldn’t change their perception much, I’d imagine. Even worse it could make them give up hope, “Well if everyone else is getting it wrong, what hope do I have?” Scary stuff.

18 Responses to “70% of Websites Under Immediate Risk of Being Hacked”

  1. B10m Says:

    “[…] or directory listing”

    Since when did that change from “feature” to “vulnerability”?

    Please do keep in mind that this “investigation” was done by a company that -hey, what a coincidence!- profits from security audits. It’s like Microsoft telling the world how messed up Open Source is…

  2. RSnake Says:

    Hahah… I’ve seen some reports that list that the SSL key was about to expire. Some of those reports aren’t worth the PDF’s they’re written in.

    Yah, but don’t you think they’d profit more by finding more vulns than less?

  3. B10m Says:

    If the results were released by anyone else, while consulting them, I’d find it more attractive. For now I see it as a classic example of FUD.

  4. Wladimir Palant Says:

    And sure enough, the NYT itself holds a proud place as one of those 70%: http://sla.ckers.org/forum/read.php?3,44,page=39#msg-6805. And yes, there are more XSS vulnerabilities there but it is ironical that the vulnerability is in just that article…

  5. RSnake Says:

    Hahah, very cute, Wladimir!

  6. zeno Says:

    When I wrote the XSS FAQ everybody called me lame for focusing on XSS. Well XSS is lame, but starting to get more interesting! It’s nice not being as lame as I used to be though ;p

    Speaking of which expect XSS FAQ v2 to be out in the upcoming month or so.

    - zeno
    http://www.cgisecurity.com/

  7. beNi Says:

    haha, from my experiences about (roughly) 100 percent of the homepages have XSS.
    Believe me or not ;-)

    http://mybeNi.rootzilla.de/mybeNi/xss/

    –beNi

  8. Mephisto Says:

    Based on netcraft’s estimation of 108,810,358 sites, that means roughly 77,000,000 sites have issues…. We have our work cut out for us! I agree if they could provide a random sample of sites they didn’t find issues with, those sites could be manually tested and I bet that 70% number would jump to 80% or more.

  9. nEUrOO Says:

    | “[…] or directory listing”
    | Since when did that change from “feature” to “vulnerability”?

    It’s a vulnerability such as path traversal because it allows you to retrieve some information that you shouldn’t have.

  10. Jungsonn Says:

    Slow down your heartbeat, it’s not as bad as it seems. Remember who is making these claims, not the NYT but Acunetix.

  11. nEUrOO Says:

    Of course it’s not as bad as they can say… but still, it is (and btw, these tools should report this as a ‘warning’ and not a real vulnerability…)

  12. Jake Reynolds Says:

    Joel Snyder put up $1000.00 that says they can’t get personal data from 7 or 10 randomly selected sites. Acunetix responded, and even referenced this blog entry.

    http://www.networkworld.com/community/?q=node/11477

  13. John @ NIST.org Says:

    I think Joel Snyder misses the point. With XSS the server isn’t at risk, it’s the people visiting it. So some people might fall for a XSS message or link and some won’t. That doesn’t mean the server isn’t vulnerable. I think the Acunetix report wasn’t worded really well. It tended to indicate that the server’s file store was at risk from these vulnerabilities. Yet it lumped XSS into that 70% figure.

    As far as the number being low, wasn’t Acunetix one of the sites that was reported on Sla.ckers.org as having a XSS vulnerability? I can see why the number would be low :-)

  14. Nick Says:

    These results aren’t surprising. A lot of sites have issues with security if you define security as any non-intended function. Now actual flaws that could compromise servers or personal data, I’d have to agree with Joel Snyder. Prove it! Pointing a vulnerability scanner at a website and getting a hit doesn’t mean the site is even vulnerable. False positives are common and a vulnerability in a sandbox is a waste of time (from the hacker’s point of view) so also not notable. It’s like taking Yahoo who uses PHP and you may find vulnerabilities but yahoo runs the PHP in a sandbox, so you may break a couple dynamic pages on your browser but you’re wasting time. You can’t have a company that profits from auditing claim 70% of websites are vulnerable. Sounds like more of a sales pitch than an actual report.

  15. RSnake Says:

    Nick, do you have $1000 to pony up? I’ll happily prove it. :) Who else wants to bet I can’t steal information from people on 30% of sites?

    What we are talking about isn’t necessarily server penetration, what we are talking about is malicious misuse of the website for the purpose of gaining unauthorized access to consumer information (which could be something as simple as phishing or as complex as completely owning the machine). If you don’t believe that’s possible you probably should go re-read all the old posts on this blog.

  16. MustLive Says:

    Interesting information.

  17. MustLive Says:

    Oh, yes, at last :-).

    It is good that my comment came through your filters, RSnake (as I told you, my comments were not saving before). It was the 2nd time that it happened. And it is because I changed my ISP some days ago (as I see, it is the single explanation).

    The previous post was just a test.

  18. MustLive Says:

    Interesting information ;-). I already wrote about this PR article about Acunetix scan results (http://websecurity.com.ua/701/) a month ago.

    So what about the result of 70%? As RSnake and other guys told, it is a low value. You all feel that. And as I can tell you from my own statistics of my social security audit (which I do every day), there are more vulnerable websites out there than 70%. From my experience there are about 90% of sites which are vulnerable to XSS (and it is my own experience, so it is possibly more).

    And I need to tell you that the Acunetix web site is among these 70% of vulnerable web sites (if we use their value) ;-). As I wrote at my site http://websecurity.com.ua/549/, there are many holes at their site: Cross-Site Scripting, Full path disclosure, SQL Injection, File Inclusion, Directory Traversal, Script Source Disclosure and Information Leakage. So you can see that Acunetix are well-known security guys and they know how to make different types of holes.