Acunetix reveals statistical results based on one year of conducting web application scans
Kirkland, Washington – February 15, 2007 – It has been an interesting 24 hours for anybody keen on web application security. Network World Lab Alliance security expert Joel Snyder played down the danger of web application vulnerabilities and challenged Acunetix to hack a website.
Following Acunetix's publication of the results of its free web security survey (http://www.acunetix.com/blog/news/70-percent-websites-immediate-risk-hacked/), Network World editor Paul Mc Namara and Network World Lab Alliance stalwart Joel Snyder (http://www.networkworld.com/alliance/snyder.html) played down the dangers of web security, stating that only a minute number of commercial websites are hackable, that most websites do not hold any worthwhile data anyway (http://www.networkworld.com/community/?q=node/11477), and that cross-site scripting and SQL injection vulnerabilities are not dangerous (http://www.networkworld.com/community/?q=node/11501 and http://it.slashdot.org/comments.pl?sid=222326&cid=18010732).
Snyder mocked the data on which Acunetix based its press release. “First off, we definitely did write the press release in a way that would catch attention. But hey, what’s the point of a press release if you can’t do that?” exclaims Galea.
“The data on which we based our report was factual and correct. We offered Network World to give a trusted third party access, but they have not responded to this,” he continues. “For this, we feel compelled to publish the month-by-month data upon which this earlier press release was based.”
The initial press release stated the following facts based upon this report:
- Acunetix has scanned 3,200 sites belonging to either businesses or non-commercial entities.
- 70% of the websites scanned were found to contain high- or medium-severity vulnerabilities.
- There is an extremely high probability of these vulnerabilities being discovered and exploited by hackers to steal the sensitive data these organizations store.
- 50% of the websites with instances of high-severity vulnerabilities (an instance being one alert triggered by the automated scan, so a single site can account for several instances) were susceptible to SQL injection, while 42% of these websites were prone to cross-site scripting. Other serious vulnerabilities found include blind SQL injection, CRLF injection and HTTP response splitting, as well as script source code disclosure.
In the interest of web security, Acunetix is keen to hear feedback on these findings. The company is also ready to have the data (with the permissions/authorizations obtained) verified by a trusted third party.
The second issue is the $1000 challenge put to Acunetix: hack the audited websites and obtain confidential information from at least three of ten chosen sites. Acunetix accepted the challenge, but demanded that the subject of the hack attempt should be the Network World website.
“Clearly the subject of a challenge should be one’s own property, and furthermore the website is commercial and is certainly deemed to contain worthwhile information,” claims Kevin J Vella, VP Sales and Operations, Acunetix. “After side-stepping our counter challenge, Network World finally went mute on this topic, and seemingly its employee and associate are backing out of their claims.”
“It is disappointing to see online security taken so lightly, but it further confirms our view that the dangers of web attacks are simply not known,” remarks Vella.
In fact, leading web security expert Jeremiah Grossman posted an update yesterday on http://jeremiahgrossman.blogspot.com stating that people from sla.ckers.org have already found a few XSS issues on the Network World website.
Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of development by a team of highly experienced security developers. Acunetix is a privately held company with headquarters based in Europe (Malta) and an office in London, UK. For more information about Acunetix, visit: http://www.acunetix.com .