Of the first 50 websites scanned by DOSarrest's vulnerability testing service, nine out of ten failed the initial test.
Sean Power, security operations centre manager at DOSarrest, said that 90 per cent of the websites it had tested on its vulnerability testing and optimisation (VTO) service would fail an initial test. He said: "It is not the case that 90 per cent of the websites are vulnerable to a severe flaw, but it is more likely to be a remote code execution or database flaw.
"We put the mark at quite a high standard and there were only one or two instances where we couldn't make any recommendations to the website. However, findings did show that 95 per cent of the sites scanned had flaws that could cause sensitive information to be leaked, so they are not to be taken lightly."
DOSarrest, which launched the VTO last month, released the analysis data from the first 50 sites it has scanned.
Of the vulnerabilities it found, the most common were cross-site request forgery (CSRF) flaws (67 per cent), followed by XSS (28 per cent) and SQL injection (22 per cent). The VTO findings also showed that 95 per cent of the flaws could cause information leakage through outdated software versions and installed modules, while 71 per cent could allow sensitive information disclosure.
“SQLi and XSS are bigger news and well known and are potentially dangerous, but CSRF would be a type of online identity theft where you have a user session that is manipulated by an attacker using that vulnerability,” he said.
Looking at the recent report on the number of new vulnerabilities reported to the National Institute of Standards and Technology (NIST) in August, Power commented that the rise to 394 reported, including 140 rated as high severity and 83 cross-site scripting (XSS) flaws, was a higher number than usual, especially as the usual number rated as high severity was around 100.
“This is one of those things that happens and sometimes there are more critical flaws and vulnerabilities and people jump on the bandwagon,” Power said.