After determining the most common vulnerabilities, experts decided to test the effectiveness of methods for their detection.
Attacks on the corporate website lead not only to disorganize the work, but they can be the first step for breaking networks of large corporations. According to Positive Technologies, the number of sites with the critical vulnerabilities has been increased significantly.
During the test, the aim of which is to determine the level of information security in 2013 and about 500 sites were tested and 61 was studied deeper. Most of the test sites were banking, because the attacks on the field of finance became very common. Furthermore, a lot of information sites (the media) were tested, because many of them were hacked and used for disinformation. Government websites, companies and television were studied as well.
As it turned out in 2013, 62% of the websites were highly vulnerable, while in 2012 the rate was significantly lower (45%). Media sites were at risk of attacks most of all, their rate was 80%. Speaking about websites that serve banks customers, none of them fully complied with the requirements of safety standard, called PCI DSS.
The Cross Site Scripting is the most popular vulnerability, because it was used on 78% of sites. This gap allows an attacker to influence the content of the page that will be displayed to the user in order to obtain information about the victim. For example, hackers can change the original authorization form into a fake, thereby obtain user‘s data and send them to their server.
Brute Force was the second problem with a score of 69% (poor protection from password guessing), due to lack or poor execution mechanism CAPTCHA. Two more dangerous vulnerabilities were in the top ten, such as "The introduction of operators SQL» (43%) and "Implementation of external entities XML» (20%).
The most unsafe were websites in PHP language: 76% of which had the highest level of exposure to attack. In turn, sites on Java (70%) and ASP.NET (55%) are more secure. One of the most dangerous vulnerabilities, called "Introduction operators SQL» was on sites in PHP language, while in other languages the range was less.
After research black and gray box showed that 60% of the sites had critical vulnerabilities white, white box showed 75%.
According to data from the study the method of white-box gives opportunity to find in 10 times more vulnerabilities than other methods. If one has access to the source code of web-applications, the testing with white-box method will be effective. However the majority of owners use this method very rare, only 13% of the sites were tested in such a way.
110 Reykjavik, Iceland