Web applications wide open to hackers

The vast majority of web applications are wide open to attacks by hackers, a four-year testing programme has revealed.

According to vulnerability assessments conducted by the Application Defense Center of security firm WebCohort, at least 92 per cent of web applications are vulnerable to some form of hacker attack.

The testing examined more than 250 web applications running on e-commerce, online banking, enterprise collaboration and supply chain management websites.

The most common vulnerabilities were found to be cross-site scripting (80 per cent), SQL injection (62 per cent) and parameter tampering (60 per cent).

Despite the fact that these types of hacking attacks are common and well documented, the study revealed that most enterprises have not adequately secured their websites, applications and servers against them.

Although firewalls and intrusion detection or prevention systems were widely deployed, they were found to offer limited defence.

Hackers could still access valuable proprietary and customer data, shut down websites and servers and introduce serious legal liability without being stopped or, in many cases, even detected, WebCohort warned.

WebCohort chief executive Shlomo Kramer said in a statement: "More robust network security has driven hackers to view web applications as easier targets. Four years of our Application Defense Center's experience have proven this is an accurate assessment.

"We are only beginning to see the risks to businesses and consumers these vulnerabilities introduce."

The most common vulnerabilities as compiled by WebCohort's Application Defense Centre are as follows:

Type of attack and vulnerability

Cross-site scripting (80 per cent)
SQL injection (62 per cent)
Parameter tampering (60 per cent)
Cookie poisoning (37 per cent)
Database server (33 per cent)
Web server (23 per cent)
Buffer overflow (19 per cent)