
Vulnerabilities of five thousand sites

Vulnerabilities of five hundred sites.
The Agency for Information Security (SHALB) (http://shalb.com), as part of a global study of the security of Internet resources, analyzed 500 sites. The studied sites are the most popular sites in their subject area for their region, along with the sites of large corporations, financial institutions, and government agencies.

In total, 7,683 vulnerabilities of varying degrees of risk were found.
Of these, 2,318 were critical.

The studies were conducted by highly qualified web site security experts. To automate data collection, software from the world's leading companies in this field and their open-source competitors was used. On the basis of the collected data and logical reasoning, further vulnerabilities that were not found in automatic mode were searched for, and possible attack scenarios were built. Each company that ordered a site security audit from us received a detailed report with recommendations on how to fix the vulnerabilities found. As part of the testing, only an inventory of the found vulnerabilities was made, without any attempt to use them for personal gain or to harm the studied resource. To maintain confidentiality, the detailed technical vulnerability information obtained during the research has been removed.

Relying on its own research of web applications, on the research of other companies, and on white-hat hackers, SHALB summarizes the current state of Internet project security as follows:

90% of sites are dangerous for users and pose a threat to business.
XSS vulnerabilities were found on a great many sites. Depending on the circumstances (the type of XSS, the attacker's skill, other technical and social nuances), an attacker who exploits one can execute arbitrary JavaScript on the client side, plant malware that damages the user's finances, or steal the cookies of any user, including the site administrator. Having reached the administration panel, the attacker can go further... the script can be developed all the way to #rm -rf / on the server. Not every XSS guarantees the worst-case outcome, but the probability exists, and it is higher than on sites without XSS. A vulnerability of this type requires action by the victim of the attack: as a rule, the victim has to follow a specially prepared link. Therefore, you should be especially careful with links sent to you via email, ICQ, social networks and other means of communication.
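The mechanism behind the XSS scenario above, and the two server-side measures that blunt it, as an added example that is not part of the original article or of SHALB's study: the first function echoes untrusted input straight into HTML (the vulnerable pattern), the second HTML-encodes it first, and the third issues the session cookie with the HttpOnly and Secure attributes so that even a script that does run cannot read it from document.cookie. The greeting page, the cookie name and the sample input are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample of untrusted input: a value from a URL parameter that the
# page echoes back. This is the classic probe string, not a real payload.
SAMPLE_INPUT = '<script>alert("xss")</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated directly into HTML,
    so any markup in `name` becomes part of the page and is executed."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Fix: HTML-encode the value before placing it in an HTML text context.
    '<' becomes '&lt;', '"' becomes '&quot;', so the browser shows it as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for the session (cookie name is hypothetical).
    HttpOnly keeps the cookie out of reach of document.cookie, Secure restricts
    it to HTTPS, SameSite=Lax limits cross-site sending. Requires Python 3.8+
    for the samesite attribute."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


def markup_survives(rendered: str) -> bool:
    """True if a raw <script> tag is still present in the rendered page."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_greeting_unsafe(SAMPLE_INPUT))  # script tag reaches the browser
    print(render_greeting_safe(SAMPLE_INPUT))    # shown as harmless text
    print(session_cookie_header("constructed-session-id"))
```

Output encoding has to match the context the value lands in (HTML body, attribute, JavaScript, URL); html.escape covers the text and attribute cases shown here, and a template engine with auto-escaping enabled does the same job systematically.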

43% of sites cannot safely store confidential information in the database.
SQL injection is one of the most serious vulnerabilities a site can have. Using it, an attacker can run arbitrary queries against the site's database, which can lead to leakage of confidential information, loss of the database, and execution of arbitrary code on the server. But again, it all depends on how seriously the programmers take their share of responsibility for security and how interested the attacker is. The vulnerability is harder to detect if the output of errors from the site's code is suppressed. It is also recommended to use separate database accounts for different projects, so that SQL injection in one does not affect the others. SQL injection arises from incorrect handling of incoming data that is used in SQL queries.
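The "incorrect handling of incoming data" that the paragraph names, shown side by side with the fix, as an added example that is not part of the original article or of SHALB's study: the vulnerable lookup formats the user-supplied login into the SQL text, so a crafted value changes the query's logic; the safe lookup passes the value as a bound parameter, so the database only ever sees it as data. The in-memory SQLite table, the column names and the sample rows are constructed for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """Vulnerable pattern: the login is spliced into the SQL statement text.
    A value containing a quote ends the string literal early and the rest of
    the input is parsed as SQL, so the WHERE clause no longer means what the
    programmer intended."""
    sql = f"SELECT email FROM users WHERE login = '{login}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, login: str) -> list:
    """Fix: the statement text is fixed and the login is bound as a parameter.
    Whatever the value contains, it is compared as a string, never parsed."""
    sql = "SELECT email FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]


# Constructed test value of the kind a scanner sends: it is a normal string to
# the safe query and a logic change to the vulnerable one.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(find_email_safe(db, "alice"))            # ['alice@example.test']
    print(find_email_vulnerable(db, PROBE))        # every row in the table
    print(find_email_safe(db, PROBE))              # [] - no such login
```

Parameter binding is the fix that removes the class of bug; the separate, least-privilege database account per project that the paragraph recommends is the second layer, limiting what a query that does slip through can reach. Suppressing error output, as the paragraph notes, hides the symptom from scanners but does not remove the defect.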

80% of webmasters do not update open-source products on time.
Webmasters not only fail to update the versions of forums, blogs, CMSs, phpMyAdmin, cPanel and all other third-party products they use; many do not even try to hide the versions of these systems. Vulnerabilities of varying degrees of risk are periodically found in such products, and ready-made exploits are written for them. Exploiting these vulnerabilities is often the easiest route. And if any part of your project is under threat, the whole project is under threat.
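A check for the version disclosure the paragraph describes, as an added example that is not part of the original article or of SHALB's study: it inspects the Server and X-Powered-By response headers of a site and reports every product/version pair they reveal, which is exactly the information an attacker matches against published exploits. The sample header sets are constructed; the product and version strings in them are illustrative, not results from the study.

```python
import re

# Constructed sample response headers from three hypothetical sites.
# The first discloses both web server and language versions, the second
# discloses nothing, the third hides the Apache version but not PHP's.
SAMPLE_HEADERS = [
    {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.2.6"},
    {"Server": "nginx"},
    {"Server": "Apache", "X-Powered-By": "PHP/7.4.3"},
]

# Matches "Product/1.2.3" tokens; only multi-part numeric versions count.
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

# Headers that commonly carry product banners (header names are case-insensitive).
BANNER_HEADERS = ("server", "x-powered-by")


def disclosed_versions(headers: dict) -> list:
    """Return (header, product, version) for every banner that reveals a version."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in BANNER_HEADERS:
        value = lowered.get(name)
        if not value:
            continue
        for product, version in VERSION_RE.findall(value):
            found.append((name, product, version))
    return found


def sites_disclosing(header_sets: list) -> int:
    """Count how many of the sampled sites disclose at least one version."""
    return sum(1 for h in header_sets if disclosed_versions(h))


if __name__ == "__main__":
    for headers in SAMPLE_HEADERS:
        print(headers, "->", disclosed_versions(headers))
    print(f"{sites_disclosing(SAMPLE_HEADERS)} of {len(SAMPLE_HEADERS)} sites disclose a version")
```

Hiding the banner is not a substitute for updating: the server-side settings that remove it (ServerTokens Prod and ServerSignature Off in the Apache configuration, expose_php = Off in php.ini) only take away the free fingerprint, while the vulnerable code stays in place until the product is upgraded.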

99.9% of sites that have one vulnerability have several more.
This is not surprising; it is a proven fact. In our practice there have been no sites with only one vulnerability or only one type of vulnerability.

48% of servers have vulnerabilities at the level of the operating system and applications.
In addition to the site security research, we conducted an automated black-box security audit of 2,208 servers at one of the Ukrainian data centers.
60% of these vulnerabilities can help an attacker carry out a DoS attack by overflowing buffers in the affected software.
The most common problems are out-of-date Apache and PHP, which, depending on the version, have particular vulnerabilities of varying degrees of risk.
But there were also databases with root access open without a password, and SSH where the root user's password was "root". No password brute-forcing as such was carried out; only a minimal dictionary of 100 standard passwords was used.

Results:
The situation regarding the security of sites is more than critical, first of all because the question is not given its due weight in the development process and over the life of the project. Very often security is everyone's responsibility within their own area: programmers for the security of the code, administrators for the security of systems and environments, the IT director overall. But because the staff's main working hours are taken up by their direct duties, security incidents happen anyway. The employee who allowed the incident will certainly be identified and may even be punished, but that only amounts to nursing the bump on his forehead, when it would be better not to get one at all. Most Internet companies do not have full-time specialists whose core activity is computer security. In addition, CIOs do not use third-party services to maintain the security of Internet projects.
To date, the most secure sites are those of payment systems, which, striving to meet international standards, periodically conduct security audits and fix the vulnerabilities found.

Source: https://habr.com/ru/post/72172/
