SOURCE: Cenzic

November 12, 2007 08:10 ET

As Holiday Shopping Season Approaches Online Buyers Beware -- Cenzic Study Estimates Approximately 90 Percent of Web Applications Are Vulnerable

Cenzic's Q3 Trend Report Highlights Continuous Dominance of Web Application Vulnerabilities

SANTA CLARA, CA--(Marketwire - November 12, 2007) - Cenzic Inc., the innovative leader of application vulnerability assessment and risk management solutions, today released its Application Security Trends Report for Q3, 2007. The report highlights an alarming trend among thousands of corporations and government agencies -- the majority of them have yet to initiate any action to protect their Web applications, while application vulnerabilities continue to run rampant.

The report is a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings, and emphasizes the top 10 vulnerabilities from published reports in Q3 2007. Based on trends, published data, data from its managed services business unit, and various other sources, Cenzic believes that of the estimated 100 to 150 million Web applications, approximately 90 percent are still likely vulnerable.

"With each quarter, new application vulnerabilities are building up and organizations are falling behind in protecting their Web applications," said Mandeep Khera, VP of marketing for Cenzic. "We continue to be surprised by the inaction or insufficient action of thousands of corporations and government agencies toward securing their Web applications. We are not talking about being 100% secure at the application layer. We are simply talking about initiating some action, making it at least somewhat difficult for the cybercriminals to gain access."

Khera further stated, "The holiday season is around the corner and security should be a major concern for consumers and they should definitely take precautions with online holiday shopping."

What can you do as a consumer? Ask your provider specifically what they are doing about securing the Web applications that sit underneath the Web sites. Not just SSL, not network firewalls, but the Web applications themselves. How secure are they? What are the processes to secure them? What happens if hackers get the information? If nothing else, this will force the companies to start thinking about it. At the very minimum, make sure you do business with well-known and reputable companies. In some cases, you can also tell the quality of these companies by their Web site design and the questions they ask. For more tips on online shopping, visit the Privacy Rights Clearing House's online shopping tips at

What can you do as an online provider? Do a thorough test of your Web applications and find the vulnerabilities. Automated solutions are available, both as software and as Software as a Service (SaaS), that can quickly point to the major security holes. Once you find them, prioritize based on their criticality and help your developers get the right resources to start fixing them as soon as possible. It's never too late to start.

Cenzic Application Security Trend Report - Q3

In the Q3 Trend Report, Cenzic identified 1,471 unique published vulnerabilities in the third quarter of 2007, with cross-site scripting (XSS) and SQL injection as the most frequent vulnerabilities reported. Of the vulnerabilities that were published, 68 percent were related to Web technologies, a slight decrease from Q2 2007 but still forming a significant portion of total vulnerabilities. Once again, 70 percent of these reported vulnerabilities are classified as easily exploitable. Cenzic also evaluated several emerging trends that signal the effects of Web 2.0 programming practices and architectures within the reported vulnerability information. To download the Cenzic Application Security Trends Report Q3 2007, visit

Top 10 Vulnerabilities in Commercial and Open Source Web Applications from Q3 2007:

--  Bugzilla Webservice - A remote user can create a user account in
    Bugzilla using the Web service, even if account creation has been
    disabled by the administrator, allowing unauthorized users to gain
    access to data by creating the new account.
--  Sun Java System Access Manager - Sun Java System Access Manager 7.1,
    when installed in a Sun Java System Application Server 9.1 container, does
    not demand authentication after a container restart, allowing remote
    attackers to perform administrative tasks.
--  Rational ClearQuest - The login page does not properly validate user-
    supplied input in the username field, allowing a remote user to supply a
    specially crafted parameter value that executes SQL commands on the
    underlying database, which can be exploited to bypass authentication.
--  Tomcat Host Manager - Cross-site scripting (XSS) vulnerability in the
    Host Manager Servlet for versions of Apache Tomcat allows remote attackers
    to inject arbitrary HTML and Web script via crafted requests.
--  Apache mod_proxy - The date handling code in Apache 2.3.0, when using
    a threaded MPM, allows remote origin servers to cause a denial of service.
--  Java Runtime Environment - A vulnerability found in Java Runtime
    Environment 5.0 Update 9 and prior allows a remote user to cause arbitrary
    code to be executed on a target user's system, allowing remote applets to
    gain elevated privileges.
--  Apache Tomcat - Versions of Apache Tomcat do not properly handle the
    backslash and single-quote character sequence in a cookie value, which
    might cause sensitive information such as session IDs to be leaked to
    remote attackers and enable session hijacking attacks.
--  Sun Java System Web Server - Versions of Sun Java System Web Server
    have a CRLF injection vulnerability in the redirect feature, allowing
    remote attackers to inject arbitrary HTTP headers and conduct HTTP response
    splitting attacks.
--  IBM WebSphere Application Server - Multiple unspecified
    vulnerabilities in versions of IBM WebSphere Application Server have
    unknown impact and attack vectors.
--  Java Web Start JNLP - A remote user can create a specially crafted
    JNLP file that, when loaded by the target user, will trigger a stack
    overflow and execute arbitrary code on the target system, which can be
    exploited automatically via a maliciously crafted Web page.

As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure, its leading-edge security assessment and penetration testing service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings include:

--  Seven of 10 analyzed Web applications engaged in insecure
    communication practices that could potentially lead to the exposure of
    sensitive or confidential user information during transactions.
--  Cross-site scripting continued to be the most common injection flaw
    type, affecting six out of 10 Web applications.
--  Two out of 10 Web applications were found to be vulnerable to types of
    SQL injection attacks that could result in a direct compromise of the
    application's back-end user by an attacker.
--  Four in 10 applications failed to properly implement structured
    exception handling, allowing an attacker to generate SQL error messages or
    application errors that revealed information useful in planning further
    attacks against the application.
--  Information leaks and exposures, cross-site scripting and
    authorization and authentication flaws were among the most prevalent

About Cenzic

Cenzic is the innovative leader of next-generation application security assessment and risk management solutions that quickly and accurately find more "real" application vulnerabilities in both legacy Web 1.0 and Web 2.0 applications. The Cenzic suite of application security solutions fits any company's needs, from a remote Software as a Service offering (ClickToSecure®) for testing one or more applications to a full enterprise-wide solution (Cenzic Hailstorm® Enterprise ARC) for effectively managing application security risks across an enterprise. Cenzic solutions, targeted at the financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.

Contact Information

  • Contact:
    Tami Casey
    Kulesa PR for Cenzic
    (650) 340-1984