Two-thirds of web apps vulnerable to hackers

More than two-thirds of web apps are vulnerable to hacking exploits, according to new research by HP that reveals web exploit toolkits - ready-made hacking resources that can used to launch attacks against online systems - are the worrying new trend to watch out for in 2011.

HP's 2010 Top Cyber Security Risks Report highlights a dramatic increase in the use of web exploit toolkits. These 'packaged' attack frameworks are traded online, enabling attackers to access enterprise IT systems and steal sensitive data. According to the research, the toolkits are rapidly growing into the weapon of choice for attackers due to ease of use and high success rate.

Although more attacks were recorded in 2010 than during the previous year, the number of discovered vulnerabilities, although high, remained relatively stable. According to the report, the majority of attacks are carried out using known and patched security vulnerabilities - making it doubly important that users keep their security measures up to date by implementing fixes as soon as they're released.

Insecurities in web apps represent half of all security vulnerabilities, with the leading method of attack being cross-site scripting (XSS). XSS vulnerabilities caused embarrassment at security vendor McAfee last week, after ethical hacking group YGN revealed the company's website was prone to this method of attack.

A survey by HP's HP Application Security Center revealed that a whopping 71 per cent of customer web applications suffered from a command execution, SQL injection or XSS vulnerability.

The report identifies third-party plug-ins for content management systems as a leading cause of web application vulnerabilities. Blog-hosting and online discussion forum applications, such as Wordpress, Joomla and Drupal, are among the most frequently attacked systems, the report notes.

"We've discovered that rather than investing resources to uncover new exploits, attackers are focused on current, unpatched vulnerabilities in web applications, social networking sites and Web 2.0 interfaces," said Mike Dausin, manager, Advanced Security Intelligence, HP DVLabs.