Browser flaws biggest software security risk

Cross-site scripting flaws are now the most common vulnerabilities according to security experts
Written by Tom Espiner, Contributor

The most common software flaws are now cross-site scripting (XSS) vulnerabilities, according to US Government organisation Mitre.

XSS flaws have accounted for 21.5 percent of the vulnerabilities found so far in 2006, according to Mitre statistics.

XSS vulnerabilities can allow attackers to access sensitive data from a web site by using injected JavaScript to bypass security controls in the browser.

SQL injection flaws, which can occur in database-backed web applications, accounted for 14 percent of vulnerabilities seen.

PHP remote file vulnerabilities accounted for 9.5 percent of the 20,000 flaws collated by Mitre, said DarkReading.com.

PHP, a web scripting language, can be vulnerable to attack if applications created using it are not carefully written. PHP implementations are often considered notoriously poorly coded, according to security vendor Sophos.

Buffer overflow vulnerabilities slipped from being the most prevalent in 2003 to accounting for 7.9 percent of holes in 2006.

Sophos, however, said it had not seen any noticeable shift in attacks exploiting these flaws, buffer overflow holes included. It also questioned how the statistics had been collated and how severe the flaws really were, given the limited number of people who use the smaller web servers involved.

"There is a danger that these folks are comparing apples with oranges," said Graham Cluley, senior technology consultant with Sophos. "After all, you could find lots and lots of vulnerabilities in Fred's Internet Utility, but that wouldn't be something we would consider to be a bigger problem than just one vulnerability in a widespread technology like [Microsoft's] Internet Information Services."

Cluley said that XSS attacks are very common on less popular web servers and applications, but that the more widely used packages are less likely to have such flaws.

According to Cluley, the Mitre statistics do not indicate a shift in the type of software that attackers are targeting, merely that the proliferation of flawed applications with few users is skewing the statistics.

"The fact is that there are more small .Net, Java and PHP implementations of blogging and webhosting than there are Internet side C-based software platforms," said Cluley.
