Hackers exploit poor website code

April 14, 2008 – 8:59 AM

Many of the loopholes left in the code created for websites have been known about for almost a decade, say security researchers.

The poor practices are proving very attractive to hi-tech criminals looking for a ready source of victims.

According to Symantec, the number of sites vulnerable in this way almost doubled during the last half of 2007.

Wholly vulnerable

Kevin Hogan, director of security operations at Symantec, said the bug-ridden web code was putting visitors to many entirely innocent sites at risk.

“It overturns the whole notion that if you stay away from gambling and porn sites you are okay,” he said.

The attack that a malicious hacker can carry out via these web code vulnerabilities is known as cross-site scripting (abbreviated as XSS).

Typically such attacks involve lax control of the data being swapped between a web server and the browser program someone is using to interact with it.

An XSS vulnerability could, for instance, allow attackers to steal the login credentials of a visitor to a site.

Mr Hogan said more and more attackers were looking for websites that were vulnerable to these scripting attacks because they required little work to mount.

By contrast, said Mr Hogan, a phishing attack required the creation of tempting e-mails, fake servers and dead-drops to gather data.

In its most recent Internet Security Threat Report, Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007. Six months earlier the count stood at 6,961.

Symantec said there were likely many more that had not reported vulnerabilities.

Drawing its data from XSSED, which gathers data on these vulnerabilities, Symantec said only 473 of these loopholes had so far been fixed.

Website administrators had a poor record of closing loopholes, it said.

“Attackers…, can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all,” said the report.

“There are a lot more websites out there that are prone to this,” said Mr Hogan. “It’s a much bigger proposition to make a safe website than it is to patch a browser.”

Chris Wysopal, co-founder and chief technology officer at Veracode, which produces online tools that scan code for security flaws, said the problem was getting worse.

“I do not see trends slowing this down,” he said.

XSS attacks were becoming more popular because more and more websites were writing their own snippets of code so visitors could get more out of a site, he said.

Unfortunately, he added, the same mistakes were being made in this custom code years after they were first discovered.

“The problem was identified eight years ago or so,” he said. “Over time attackers have figured out better and more interesting things to do with cross-site scripting.”

He added: “It’s such a target-rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities.”

Automated web tools were available that could scan custom web code and highlight vulnerabilities, but few web designers used them, said Mr Wysopal.

“The awareness is not there that if you write code you need to test it before you put it out there,” he said.

Source: BBC News
