Most Common Web Security Attack? Not SQL Injection
A new study from Whitehat finds SQL injection doesn't even make the top 10 of website security attacks.
Jeremiah Grossman, founder and CTO of Whitehat Security, has seen a lot of different types of security attacks in his time. He knows the most common types of attacks aren't necessarily the ones that have the most risk.
In its just-released Annual Website Security Statistics report, Whitehat Security provides insight into the attacks it saw across its diverse customer base in 2012. At a high level, Whitehat reports that 86 percent of all the tested websites had at least one serious vulnerability. On a positive note, the number of serious vulnerabilities per site came in at 56, down from 79 in 2011.
While Grossman expected some of the findings, there were a few surprises. One such surprise was the prevalence of SQL injection attacks.
SQL Injection Surprise
"SQL injection, for all the damage that it causes, is actually not in our top 10 when it comes to strict prevalence. It's number 14 at 7 percent of websites," Grossman told eSecurity Planet.
Grossman's data stands in contrast to multiple studies issues in recent years. The SANS Institute has consistently ranked SQL injection as the most dangerous software error. The IBM X-Force Trend at Risk Report in 2012 did show a decline in SQL injection frequency, however.
Grossman explained that Whitehat looked specifically at public-facing websites. And there is a difference between risk and prevalence of a given vulnerability, he stressed.
"So when you look across the Web across millions of websites, only 7 percent of them are vulnerable to SQL injection as best as we can tell," Grossman said. "It's still enough, though, to give some people a really bad day."
Grossman added that vulnerability prevalence does not directly correlate to exploitation.
"The bad guys get to choose what vulnerabilities they go after," Grossman said. "So if they want data, they will use SQL injection."
Most Common Website Attacks
The two most prevalent vulnerabilities identified by Whitehat during 2012 were information leakage at 55 percent and cross site scripting at 53 percent. Content spoofing came in third at 33 percent, while cross site request forgery and brute force tied for fourth place with 26 percent.
Whitehat's brute force vulnerability class is not quite the same as better known scenarios in which an attacker tries repeatedly to get access using different username/password combinations. Typically many sites today use an email address as the username, and some brute force attacks take advantage of that fact.
"When you log into a website you do it with a username/password, and some of these sites will tell you which part you got wrong," Grossman explained. "So the bad guys will use the login with the password recovery systems to mine for valid email addresses on a given system to phish and spam you."
From a remediation perspective, whatever the attack vector, Grossman said that accountability within an organization is critical.
"It is only when you have people that are accountable and empowered that you are able to affect real change in security and improve," Grossman said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.