SOURCE: Cenzic

May 22, 2007 08:15 ET

Cenzic Study Finds Seven Out of 10 Web Applications Vulnerable

Application Security Trends Report Highlights Top Web Application Vulnerabilities for Q1 2007

SANTA CLARA, CA -- (MARKET WIRE) -- May 22, 2007 -- Cenzic Inc., the innovative leader of application vulnerability assessment and risk management solutions, today released its Application Security Trends Report - Q1 2007 with some alarming findings. The report provides a thorough analysis of reported vulnerabilities, including the most threatening, Web application probes, attack statistics and key findings. While this report highlights the Top 10 vulnerabilities in commercial and open source applications, Cenzic believes that the problem is much worse if you factor in proprietary home-grown applications, as these typically contain a large number of vulnerabilities.

"Application security attacks are increasing at an astounding rate, and unfortunately, prevention efforts among organizations have barely scratched the surface. This is no longer a 'cry wolf' situation," said Mandeep Khera, vice president of marketing at Cenzic. "More often than not, these attacks are successful, not due to negligence, but due to lack of software security education and awareness. It's difficult for organizations to devote time to stay ahead of new vulnerabilities, and establish a continuous testing process in their organizations. Cenzic's Application Security Trends Report is a resource that organizations can use to educate their employees, and create processes to stop cyber attacks against their Web applications."

In this study, Cenzic identified 1,561 unique vulnerabilities during the first quarter of 2007. Of the reported vulnerabilities, file inclusion, SQL injection, cross-site scripting and directory traversal were the most prevalent, totaling 63 percent. The majority of vulnerabilities affected Web servers, Web applications and Web browsers, with Cenzic classifying the bulk as easily exploitable. To download the Cenzic Application Security Trends Report, visit

Top Ten Vulnerabilities in Commercial and Open Source Web Applications from Q1 2007:

--  Adobe Acrobat Reader Cross-Site Scripting and Code Execution --
    Several vulnerabilities were reported, including the ability for a remote
    user to cause arbitrary code to execute on the target user's system as well
    as conduct cross-site scripting attacks.
--  Google Desktop Cross-Site Scripting -- Multiple vulnerabilities were
    discovered in Google Desktop that permit a remote attacker to conduct cross-
    site scripting attacks, allowing access to data on the user's system.
--  IBM WebSphere HTTP Response Splitting -- Versions of IBM WebSphere are
    vulnerable to HTTP response splitting attacks, leaving open the possibility
    of poisoning Web caches, spoofing content or conducting cross-site scripting
--  Lotus Domino Web Access Cross-Site Scripting -- The Active Content
    Filter feature failed to properly filter script code from user-supplied
    input within e-mail messages prior to displaying those messages to the
    user. As a result, a remote attacker could cause arbitrary script code to
    execute in a victim's browser by sending a maliciously crafted e-mail
--  PHP Nested Array Denial of Service -- In PHP, a recursion bug when
    processing deeply nested arrays can allow a remote attacker to conduct a
    denial of service attack against PHP installations, which could lead to a server
--  PHP Multiple Buffer Overflows and Denial of Service -- Multiple
    vulnerabilities included several severe vulnerabilities that could allow a
    remote attacker to execute arbitrary code on affected servers.
--  IBM Rational ClearQuest Cross-Site Scripting -- A cross-site scripting
    vulnerability in IBM Rational ClearQuest Web allows remote
    attackers to inject arbitrary script code via an attachment to defect log
--  Sun Java Access Manager Multiple Vulnerabilities -- Multiple cross-
    site scripting vulnerabilities were reported in the Sun Java Access Manager
    allowing remote hackers the ability to inject HTML as well as other forms
    of script code and perform privilege escalation via session cookie theft as
    well as various content spoofing and other browser-based attacks.
--  Apache Tomcat Buffer Overflow -- A buffer overflow in the Apache
    Tomcat JK Web Server Connector allows a remote attacker to execute code on
    any server running a vulnerable version of Apache Tomcat.
--  BEA WebLogic Buffer Overflow and Multiple Vulnerabilities -- Multiple
    vulnerabilities were discovered, ranging from remote code execution via
    buffer overflows through various denial of service and information
    disclosure attacks.

As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure®, its leading-edge security assessment and penetration testing service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings include:

--  More than seven of 10 analyzed Web applications engaged in insecure
    communication practices that could potentially lead to the exposure of
    sensitive or confidential user information during transactions.
--  Architectural flaws, design flaws and insecure application
    configurations are still common culprits in the exposure of sensitive user
--  Cross-site scripting was the most common injection flaw, with seven
    out of 10 Web applications vulnerable to this type of attack.
--  Roughly two in every 10 applications were found to be vulnerable to
    SQL injection attacks.
--  Approximately 50 percent of all applications failed to properly
    implement structured exception handling.
--  More than 70 percent of all Web forms analyzed were vulnerable to
    cross-frame scripting attacks.

About Cenzic Inc.

Cenzic is the innovative leader of next-generation application security assessment and risk management solutions that quickly and accurately find more "real" application vulnerabilities in both legacy Web 1.0 and Web 2.0 applications. The Cenzic suite of application security solutions fits any company's needs, from a remote Software as a Service offering (ClickToSecure®) for testing one or more applications, to a full enterprise-wide solution (Cenzic Hailstorm® Enterprise ARC) for effectively managing application security risks across an enterprise. Cenzic solutions, targeted at the financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive, and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.

Contact Information

  • Contact:
    Tami Casey
    Kulesa PR for Cenzic
    (650) 340-1984