SOURCE: ScanAlert

February 06, 2007 09:45 ET

Half of Websites Vulnerable to Hackers According to New Study of 27,000 Online Retailers

SQL Injection and Cross Site Scripting Dangers Widespread for Online Retailers

NAPA, CA -- (MARKET WIRE) -- February 6, 2007 -- Half of all websites are likely vulnerable to database attacks according to a new report that paints a gloomy picture of the security of software applications used by online retailers. ScanAlert, an Internet security company well known for its HACKER SAFE website certification service, analyzed vulnerability scans of 27,000 websites to produce The Ecommerce Applications Security Trends report. This is the largest sampling of websites ever conducted, covering all types and sizes of online merchants.

Forty-five percent of websites had a serious database vulnerability such as SQL Injection, and fifty percent had Cross Site Scripting vulnerabilities, before the company assisted sites in closing these security holes. Categorized as critical by security experts, SQL Injection is a class of software vulnerability in which untrusted input (a form field, a URL parameter, a cookie) is pasted into the text of a database query, letting an attacker change the query itself and read or modify data the application never intended to expose, including the confidential information needed for fraud and identity theft. SQL Injection holes have been the entry point for many of the most devastating website attacks in recent years, and they may also have been used in the recent TJ Maxx theft in which millions of credit card numbers were stolen.
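The following is an added example, not code from the ScanAlert report or from any shopping-cart product it surveyed. It shows the kind of database hole the report counts: a store's order-lookup query that pastes the customer's e-mail address into the SQL text, next to the same query with the value bound as a parameter. The in-memory SQLite schema, the sample rows, the `admins` table and every function name are constructed assumptions for illustration.

```python
"""SQL Injection in a store's order lookup: vulnerable and parameterized forms.

Constructed example. The schema, rows, payloads and names are assumptions,
not code from any real ecommerce application.
"""
import sqlite3


def make_store_db():
    """Build an in-memory store database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, "
        "card_last4 TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (email, card_last4, total) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "1111", 49.99),
            ("bob@example.com", "2222", 120.00),
            ("carol@example.com", "3333", 7.50),
        ],
    )
    # A second table the lookup page was never meant to touch (constructed).
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'constructed-hash')")
    return conn


def lookup_orders_vulnerable(conn, email):
    """The classic bug: the caller's string becomes part of the SQL text.

    A customer typing their own address sees only their rows, but an attacker
    now controls the query's syntax, not just a value inside it.
    """
    sql = f"SELECT email, card_last4, total FROM orders WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, email):
    """Same query with a bound parameter: the driver passes the value to the
    engine separately, so it can never alter the statement's structure."""
    sql = "SELECT email, card_last4, total FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Payload 1: close the string literal and append an always-true clause, which
# turns "show my orders" into "show every order, card digits included".
TAUTOLOGY = "nobody@example.com' OR '1'='1"

# Payload 2: close the literal and UNION in rows from another table; the
# trailing '--' comments out the quote the application appends.
UNION_DUMP = "' UNION SELECT username, password_hash, 0 FROM admins --"


def demo():
    """Run both lookups against both payloads and return the rows each saw."""
    conn = make_store_db()
    return {
        "normal": lookup_orders_vulnerable(conn, "alice@example.com"),
        "tautology_vulnerable": lookup_orders_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_orders_safe(conn, TAUTOLOGY),
        "union_vulnerable": lookup_orders_vulnerable(conn, UNION_DUMP),
        "union_safe": lookup_orders_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized version does not "filter" the quote characters; it simply never lets them reach the query parser as syntax, which is why input validation alone is a weaker fix than binding every value. The same discipline applies to any other place user input meets a query builder, including ORDER BY clauses and table names, which cannot be bound and need an allow-list instead.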

"When you apply the results of our research to the millions of websites that sell products and services online, it gets very scary very quickly," said ScanAlert's VP of Security Services Brett Oliphant. "Surprisingly, we've found that these holes are just as likely to exist on sites run by big name retailers as on small 'Mom and Pop Shop' sites."

Sites Running on Microsoft Twice as Vulnerable

Microsoft, whose Internet Explorer web browser is a favorite target for hackers, was again in the crosshairs. The report revealed that websites using Microsoft's IIS web server software were twice as likely to have serious database vulnerabilities as those using the popular Apache open-source web server software. SQL Injection is a defect in the application code that builds the query, not in the web server that delivers the page, so the gap says more about the application platforms commonly deployed behind each server than about IIS itself.

Cross Site Scripting: A Growing Threat in 2007

Cross Site Scripting vulnerabilities, a growing threat that lets an attacker run script of their own choosing in a visitor's browser under the identity of a trusted site, are even more prevalent than database vulnerabilities. The most visible abuse is the phishing attack Oliphant describes below, although the same hole can expose session cookies and let an attacker act as the logged-in customer. Sites on Apache were slightly more likely to have Cross Site Scripting vulnerabilities than sites running IIS.

"Hackers can combine Cross Site Scripting holes with email and phishing links to trick unsuspecting people into visiting hacker-owned sites where they will unknowingly provide personal info like credit cards," Oliphant added. "Although we have yet to see Cross Site Scripting vulnerabilities exploited to the same degree as database holes, they do carry risks which will only increase as hackers become more devious at getting consumers to click on links."
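The following is an added example, not code from the ScanAlert report or from any product it surveyed, showing the phishing scenario above in concrete terms: a store's search page reflects the `q` parameter into its HTML, so a mailed link to the real store carries a script that sends the victim to an attacker-owned login page. The page template, the parameter name, the hostnames and the payloads are constructed assumptions.

```python
"""Reflected Cross Site Scripting in a store's search page: raw interpolation
next to proper HTML escaping.

Constructed example. The template, parameter name, URLs and payloads are
assumptions, not code from any real ecommerce application.
"""
import html
from urllib.parse import parse_qs, urlsplit

# The search-results page: the term appears in the body and inside an
# attribute, two different HTML contexts that both need escaping.
TEMPLATE = (
    "<h1>Results for: {q}</h1>\n"
    '<a href="/search?q={q}">Search again</a>'
)


def search_param(url):
    """Extract the 'q' query-string value from a request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q):
    """Interpolates the raw parameter: whatever the link carried becomes part
    of the page's markup and executes as the store's own script."""
    return TEMPLATE.format(q=q)


def render_safe(q):
    """Escape before interpolating. quote=True also rewrites '"' and "'", which
    is what keeps a value from breaking out of the href attribute."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def contains_live_script(page):
    """Crude check used by the demo: is there an unescaped <script> tag?"""
    return "<script" in page.lower()


# A phishing link as it would be mailed out: the host is the real store, but
# the 'q' value injects a redirect to an attacker-controlled login page.
PHISHING_URL = (
    "https://shop.example/search?q=shoes%3Cscript%3E"
    "location%3D%27https%3A%2F%2Fattacker.example%2Flogin%27%3C%2Fscript%3E"
)

# A second payload aimed at the attribute context: it closes the href value
# and adds an event handler without needing a <script> tag at all.
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def demo():
    """Render both payloads through both versions of the page."""
    q = search_param(PHISHING_URL)
    return {
        "parameter": q,
        "vulnerable_page": render_vulnerable(q),
        "safe_page": render_safe(q),
        "attr_vulnerable": render_vulnerable(ATTR_PAYLOAD),
        "attr_safe": render_safe(ATTR_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"--- {name} ---\n{value}")
```

Escaping is context-specific: `html.escape` is correct for text and quoted attribute values, but a value placed inside a `<script>` block or a `javascript:` URL needs a different encoder, and the safest course is not to put user input in those positions at all.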

PHP Seen as a Popular Hacker Target

Looking at other ecommerce security trends for 2007, the report also expects the wildly popular PHP programming language to continue to provide a bounty of opportunities for hackers. PHP was invented more than a decade ago and has been used to create every type of software program needed to operate an online store, including shopping carts, payment systems, CRM, and newsletter applications. Unfortunately, PHP developers to date have all too frequently emphasized functionality over security. This was clearly demonstrated by ScanAlert's own HACKER SAFE Labs this week when it announced that its security researchers had uncovered critical security flaws in several PHP programs.

Credit Card Industry Ready to Enforce Security

Although ecommerce websites will continue to be a target for hackers in 2007, Visa, MasterCard and American Express may have the greatest role in forcing change. The payment card industry, which introduced a strict security compliance program three years ago, is finally showing that it is serious about enforcing the standard.

The Payment Card Industry Data Security Standard, which applies to almost every merchant that accepts credit card payments, sets out a baseline of security controls intended to make it far harder for hackers to steal credit card numbers from an online store; it does not make theft impossible, and compliance has to be maintained rather than achieved once. With the TJ Maxx theft fresh in the minds of the American consumer, the payment industry will likely turn up the heat on banks to force retailers to become certified to the standard. One of the required steps, for example, is regular external vulnerability scanning of the website by companies like ScanAlert. If retailers fail to implement these types of security practices, the alternative could be a wave of new federal and state legislation.

State and federal lawmakers, tired of waiting for the payment card and online retailing industries to take security seriously enough, have readied dozens of data protection and consumer data breach notification proposals. With the threat of this legislation casting a shadow over online stores, the payment card industry might be the catalyst in 2007 of a greater industry-wide emphasis on security.

Availability of Report

Anyone wishing to read The Ecommerce Applications Security Trends report in its entirety can visit

About ScanAlert

Founded in 2001 and headquartered in Napa, CA, ScanAlert secures organizations of all sizes against threats to their network infrastructure and then certifies them to the HACKER SAFE standard -- the world's Internet security benchmark. Offered as a Software as a Service (SaaS) solution, HACKER SAFE certification is used by more than 75,000 organizations, including ESPN, The American Red Cross, Toshiba, Warner Brothers, and well over half of the 500 largest online retailers in the USA. ScanAlert also operates HACKER SAFE Labs, the industry's only research group focused on ecommerce application security. More information is available at

Contact Information

  • ScanAlert Contact:

    Nigel Ravenhill
    Dir of Marketing Communications
    Tel: 707-738-5434
    Email: pr at