Study: As many as 90% of websites vulnerable to attack

According to DOSarrest Internet Security, findings by its Vulnerability Testing and Optimisation service (VTO) of deep website scans show that a whole 90 per cent of websites are vulnerable to attack.

Further findings include that 95 per cent of the flaws could cause information leakage due to outdated software versions and installed modules, while 71 per cent could allow sensitive information disclosure. More cross-site request forgery (CSRF) flaws (67 per cent) were found in scans of websites than cross-site scripting (28 per cent) and SQL Injection vulnerabilities (22 per cent).

"SQLi and XSS tend to grab most of the headlines as they are more well known and are potentially dangerous, but CSRF is a type of online identity theft where you have a user session that is manipulated by an attacker using that vulnerability, meaning that it is potentially more dangerous to the end customer," said Sean Power, security operation centre manager at DOSarrest.

Looking at the recent report for the number of new vulnerabilities reported to the National Institute of Standards and Technology (NIST) in August, Power also commented that the rise to 394 vulnerabilities being reported, including 140 rated as high severity and 83 as cross-site scripting (XSS) flaws, was a higher number than usual, especially when the usual number was around 100 rated as high severity.

"It is not the case that 90 per cent of the websites are vulnerable to a severe flaw, but it is more likely to be an information protection or session management flaw," Power added.

"We put the mark at quite a high standard and there were only one or two instances where we couldn't make any recommendations to the website. However, findings did show that 95 per cent of the sites scanned found flaws that could cause sensitive information to be leaked, so they are not to be taken lightly."