Apparently 8/10 High Traffic or ‘Big’ Websites are Vulnerable

It seems, after a brief scan, that about 80% of sites contain common flaws that allow them to be compromised in some way, most often to create phishing sites, steal data and hijack information about clients.

An amazing 30% contain a serious vulnerability.

Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today.

WhiteHat Security regularly scans hundreds of “very popular, very high-traffic sites” for its online business customers, says Jeremiah Grossman, the company’s founder. “More than likely, you have shopped there, or bank there,” he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says.

Two out of three scanned sites have one or more cross-site scripting (XSS) flaws, which take advantage of problems with sites’ programming and are increasingly used in phishing attacks. A recent eBay scam used a now-fixed XSS hole on the auction site to direct anyone who clicked on a phony car auction to a phishing site.

I guess this should be a stern lesson for anyone shopping online or using online facilities from any companies/banks or financial institutions.

About a third of scanned sites are at risk for some sort of information leakage, which often means the providing of programming data about the site that can facilitate an attack. And about one out of four sites allows content spoofing, another potential phishing risk, according to WhiteHat’s vulnerability report.

A type of database vulnerability that allows SQL injection attacks — “one of the nastier issues out there” — is becoming less common, Grossman says. Fewer than one out of five sites contain this type of vulnerability, but a successful incident can give a sophisticated attacker access to everything in a company’s database, he says.

The irony is that those geeky sites which hold the least important information about people are usually the most secure, whereas the big sites built by important companies often have the most vulnerabilities and are leaking the most important data.

Source: Computer World

5 Responses to Apparently 8/10 High Traffic or ‘Big’ Websites are Vulnerable

  1. Bogwitch July 6, 2007 at 5:32 pm #

    It comes as no surprise that WhiteHat Security is reporting such a high figure – it is in their interest to.

    “About a third of scanned sites are at risk for some sort of information leakage, which often means the providing of programming data about the site that can facilitate an attack.” – Isn’t that condoning security through obscurity??

    Fewer than one in five of the high traffic websites are vulnerable to SQL injection attacks? That’s still an incredibly high rate.

    Bogwitch.

  2. CK76 July 6, 2007 at 6:30 pm #

    Most information on the internet isn’t secure. SURPRISE!

  3. gyaresu July 7, 2007 at 4:40 am #

    Yeah. It’s like credit card companies paying millions in compensation for scams because the system is essentially flawed and scams still only account for a minor portion of total transactions.
    Where is the incentive to secure your site? I never seem to hear of any repercussions when thousands of users’ data is ‘lost’/stolen etc.

    Just look at the American FBI for how not to spend a stupid amount of money on a computer system.

    There’s really no accountability for high security practices and even then vulnerabilities will always exist.

    It’d be funny if it didn’t potentially affect me.

    /me crosses fingers to avoid identity theft.

  4. Patrick Ogenstad July 7, 2007 at 9:40 am #

    It reminds me of the time when we had all those directory traversal issues in IIS. I once took a phone directory and went through the alphabet for companies offering computer services. Of the companies running IIS, more than 80% were vulnerable; of course, those were other times. :)

  5. SN July 9, 2007 at 8:01 pm #

    no way … that much traffic.