Quick Analysis of the 2007 Web Application Security Statistics
The Web Application Security Consortium (WASC) has published the WASC Web Application Security Statistics Project 2007. This is one of the main references about Web-based vulnerabilities and attacks, together with the OWASP Top 10 project (I hope OWASP also updates it soon with data from 2007, as it currently covers 2006 although it's called 2007 ;) ).
The main advantage of the WASC statistics is that it focuses on vulnerabilities discovered in custom Web applications, instead of collecting data from the Mitre CVE project and linked to open source and commercial Web applications. At first sight, this year the number of contributtors feeding data to the project has notably increased from previous years.
Looking at the details, on the one hand, I'm surprised as only 7% of the applications analyzed can be automatically compromissed. Based on all the incidents we see associated to automated tools, such as the so many times mentioned automated SQL injection attacks, I'd have said this is a bigger number. On the other hand, after performing manual analysis and testing (including white and black box), almost 97% of the analyzed applications present a high severity vulnerability. This roughly matches the numbers I see on penetrations testing engagements. Overall, this also means to me that although the automated tools have improved a lot over the last few years, a lot of detailed and manual testing is still required.
Once again, Cross Site Scripting (XSS) and SQL injection (the big two players) are in the top of the list, together with information leakage. Looking at the numbers, I thought SQL injection would have a bigger presence in the number of vulnerabilities and vulnerable sites. Although the statistics seem to show the number is decreasing from previous years, do not stop fighting this class of attack, and all types of injection in general!! From a threat classification perspective, client-based attacks and information disclosure (again) are the most prevalent ones.
In my opinion, the missing vulnerability is Cross-Site Request Forgery (CSRF), as most Web sites are vulnerable to it. It does not appear in the diagrams, although reading carefully through the project notes, it says (literaly):
The most prevalent vulnerability Cross-Site Request Forgery in this statistics is not on top because it is difficult to detect in automatically and because a lot of experts take its existence for granted.
I suggest you to read the details, get your own conclusions from the numbers (as they are just numbers), but definitely continue monitoring, auditing, and improving the security of your Web applications!
--
Raul Siles
www.raulsiles.com
Raul teaches the SANS "Web Application Penetration Testing In-Depth" course in London on December!
Comments