Websites wide open to attack

Seven out of every 10 websites contains a security vulnerability that could allow attackers to steal confidential information or cripple the website, according to a study by security vendor Acunetix.

"The results show clearly that the problem of unsafe web applications is being ignored completely," said Kevin Vella, a vice president with Acunetix.

The firm scanned 3,200 websites over the past year belonging to businesses or non-commercial organisations that had volunteered for a security scan.

It detected 210,000 vulnerabilities, making for an average 66 security holes per online application.

Half of all the detected vulnerabilities were so-called SQL injection flaws. Another 42 per cent was made up of Cross Site Scripting (XSS) vulnerabilities.

Attackers in a SQL injection attack use web forms to send instructions in the SQL database access language.

They could use these commands to obtain an overview of past orders including credit card information, or get an overview of the log-in names and passwords for all users, including any administrators.

In an XSS attack, hackers submit JavaScript or other code to a website such as Gmail, MySpace or Digg. The code is then executed on the computer of each individual who visits the site.

This could potentially compromise log-in and password information stored in cookies or lead to other unwanted disclosures of confidential information.

The security of online applications is a hot topic in the security industry. The rise of hosted software is exposing new services to online attack.

Acunetix's findings back up claims by other vendors of code scanning tools. Spi Dynamics claimed last week that it has a 99 per cent success rate in breaching the security of its clients' online applications.