Topic: Hackers Exploit Poor Website Code (Read 8767 times)
CREATIVE Options
Hackers Exploit Poor Website Code
« on: April 14, 2008, 18:22:54 »
Web designers making very old mistakes are letting malicious hackers hijack visitors to their sites, say experts.
Many of the loopholes left in the code created for websites have been known about for almost a decade, say the security researchers.
The poor practices are proving very attractive to hi-tech criminals looking for a ready source of victims.
According to Symantec the number of sites vulnerable in this way almost doubled during the last half of 2007.
Wholly vulnerable
Kevin Hogan, director of security operations at Symantec, said the bug-ridden web code was putting visitors to many entirely innocent sites at risk.
"It overturns the whole notion that if you stay away from gambling and porn sites you are okay," he said.
The attack that a malicious hacker can carry out via these web code vulnerabilities is known as cross-site scripting (abbreviated as XSS).
Typically these involve lax control of the data being swapped between a web server and the browser program someone is using to interact with it.
An XSS vulnerability could, for instance, allow attackers to steal the login credentials of a visitor to a site.
Mr Hogan said more and more attackers were looking for websites that were vulnerable to these scripting attacks because they required little work to mount.
By contrast, said Mr Hogan, a phishing attack required the creation of tempting e-mails, fake servers and dead-drops to gather data.
In its most recent Internet Security Threat Report Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007. Six months earlier the count stood at 6,961.
Symantec said there were likely many more that had not reported vulnerabilities.
Drawing its data from XSSED which gathers data on these vulnerabilities, Symantec said only 473 of these loopholes had so far been fixed.
Website administrators had a poor record of closing loopholes, it said.
"Attackers..., can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all," said the report.
"There are a lot more websites out there that are prone to this," said Mr Hogan. "It's a much bigger proposition to make a safe website than it is to patch a browser."
Chris Wysopal, co-founder and chief technology officer at Veracode which produces online tools that scan code for security flaws, said the problem was getting worse.
"I do not see trends slowing this down," he said.
XSS attacks were becoming more popular because more and more websites were writing their own snippets of code so visitors could get more out of a site, he said.
Unfortunately, he added, the same mistakes were being made in this custom code years after they were first discovered.
"The problem was identified eight years ago or so," he said. "Over time attackers have figured out better and more interesting things to do with cross-site scripting."
He added: "It's such a target rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities."
Automated web tools were available that can scan custom web code and highlight vulnerabilities but few web designers used them, said Mr Wysopal.
"The awareness is not there that if you write code you need to test it before you put it out there," he said.
Source: news.bbc.co.uk
Warlock768
Re: Hackers Exploit Poor Website Code
« Reply #1 on: May 03, 2009, 08:11:05 »
Is it only Web designers you got mistakes? If it is, what is your proof?
_________________
Indianapolis SEO
xmanhattan
Re: Hackers Exploit Poor Website Code
« Reply #2 on: May 03, 2009, 12:10:04 »
Regarding Elxis security, I thought that you might like to look at these two listings.
The first lists everything for Elxis, the second for Joomla.
http://www.vupen.com/english/searchengine.php
http://www.vupen.com/english/searchengine.php
Bournias.net