Browser flaws biggest software security risk

Summary: Cross-site scripting flaws are now the most common vulnerabilities according to security experts

The most common software flaws are now cross-site scripting (XSS) vulnerabilities, according to US Government organisation Mitre.

XSS flaws have accounted for 21.5 percent of the vulnerabilities found in 2006 so far, according to Mitre statistics.

XSS vulnerabilities can allow attackers to access sensitive data from a web site by using injected JavaScript to bypass the browser's security controls.

SQL injection flaws, which can occur in database-backed web applications, accounted for 14 percent of vulnerabilities seen.

PHP remote file vulnerabilities accounted for 9.5 percent of the 20,000 flaws collated by Mitre, said

PHP, a web scripting language, can be vulnerable to attack if applications written in it are not carefully coded. PHP implementations are often regarded as notoriously poorly coded, according to security vendor Sophos.
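As an added illustration of the three web-application flaw classes named above (this is not code from the article, Mitre or Sophos), the following Python snippet places each defect next to its standard fix: unencoded output for XSS, string-built queries for SQL injection, and a request-chosen include name for file inclusion. The users table and template names are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data standing in for a database-backed web application.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")

# Allow-list of page templates; a request may only name one of these.
TEMPLATES = {"home": "<h1>Home</h1>", "about": "<h1>About</h1>"}

def greet_unsafe(name):
    # XSS defect: untrusted input is placed into HTML as-is, so any markup in it is live.
    return f"<p>Hello, {name}</p>"

def greet(name):
    # Fix: output encoding turns <, >, &, ' and " into entities, so no tag can form.
    return f"<p>Hello, {html.escape(name)}</p>"

def lookup_email_unsafe(name):
    # SQL injection defect: the value is spliced into the query text, so a quote
    # in the input reaches the SQL parser and can change the statement's structure.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email(name):
    # Fix: a bound parameter is data only; it can never alter the statement.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def unsafe_query_errors(name):
    # True when the string-built query is no longer valid SQL for this input,
    # i.e. when the input has reached the parser instead of staying data.
    try:
        lookup_email_unsafe(name)
        return False
    except sqlite3.OperationalError:
        return True

def render_page(page):
    # File-inclusion defect would be include(request["page"]) with no check;
    # the fix resolves the request against the allow-list and refuses the rest.
    return TEMPLATES.get(page)

if __name__ == "__main__":
    print(greet("<b>Bob</b>"))  # markup arrives encoded, not rendered
    print(lookup_email("o'brien"), unsafe_query_errors("o'brien"))
```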

Buffer overflow vulnerabilities slipped from being the most prevalent in 2003 to accounting for 7.9 percent of holes in 2006.

However, Sophos said that it had not seen any noticeable shift in the attacks it observes, including those exploiting buffer overflow holes. Sophos questioned how the statistics had been collated and how severe the flaws really are, given the limited number of people who use the smaller web servers involved.

"There is a danger that these folks are comparing apples with oranges," said Graham Cluley, senior technology consultant with Sophos. "After all, you could find lots and lots of vulnerabilities in Fred's Internet Utility, but that wouldn't be something we would consider to be a bigger problem than just one vulnerability in a widespread technology like [Microsoft's] Internet Information Services."

Cluley said that XSS attacks are very common on less popular web servers and applications, but that the more widely used packages are less likely to have such flaws.

According to Cluley, the Mitre statistics do not indicate a shift in the type of software that attackers are targeting, merely that the proliferation of flawed applications with few users is skewing the statistics.

"The fact is that there are more small .Net, Java and PHP implementations of blogging and webhosting than there are Internet side C-based software platforms," said Cluley.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

There ARE many XSS exploits on high profile sites as this article shows. It's just that us good guys are disclosing them. The problem isn't that there are many of them, but that they can be found anywhere regardless of how much network security a server has.

Copy and paste the following line into your address bar. If it doesn't work, it may be fixed by then.