Cross site scripting, weak authentication and TLS still head up critical threats

Cross Site Scripting, Weak Authentication and TLS (Transport Layer Security) configuration still account for over 60% of high and critical vulnerabilities in web applications, according to new findings by Context Information Security published today.

The research is based on 14,000 vulnerabilities identified and qualified from around 1,300 manually guided penetration tests. Thirteen percent - some 1,700 – of the findings were rated as high or critical impact, likely to result in unauthorised access or a compromise of user data or application functionality that could lead to financial or legal impact.

"These threats have been around for years, but it appears that the message is still not getting through," said Andrew Scott, Assurance Regional Lead - Scotland at Context Information Security. "If an organisation were to focus on educating developers and their supply chain to prevent cross site scripting and authentication problems, while creating robust deployment processes for TLS, a large proportion of these problems could be avoided."

The study also looked at the ratio of critical/high findings to total findings for each category. For example, while over 400 session management problems were identified, only 2% of these led to a direct route to compromise. This compares with cross site scripting, which was found around 300 times, but half of them were critical or high. This shows that interventions around addressing these areas at source can have a greater impact on the risk profile of an application or organisation.

The largest number of high or critical finding were around weak authentication, covering everything from password strength, storage and reset processes through to how cookies are created and handled. Context also fund close to 1,000 issues related to the communication channel, suggesting that use of TLS and its additional security controls are still not well understood or applied.

"TLS issues often need addressing at the infrastructure layer and may not be under the control of developers," said Andrew Scott. "Much like cross site scripting in the application space however, a very formulaic approach can be developed for each environment and can help address these problems."