
Archive for March, 2006

The Internet Vacuum Cleaners

Thursday, March 23rd, 2006

If you took a look at the statistics page, you probably saw that in 2005 the number of reported incidents grew rapidly. This is probably at least partially because we started collecting information in 2005. But I believe that there is an additional reason: many more people are concerned with web application security and are inspecting online services searching for vulnerabilities.

When analyzing the 2005 incidents we can see that the bulk of them are disclosure incidents, and in many cases they share two attributes: they were discovered in major sites such as Google and Yahoo, and a large part of them are XSS vulnerabilities. The reason for that is simple: researchers naturally focus on larger sites, and XSS is the easiest vulnerability to find, since the vulnerable code is delivered to the client machine and is therefore available to the researcher.

These findings highlight two phenomena. The first is the ever-increasing interest in, and knowledge of, web application security among more and more people. To understand how strong this phenomenon is, one has to look at the work of Aliaksandr Hartsuyeu from eVuln.com, who has made a point of inspecting every open source application under the sun and releasing a new vulnerability report daily. He started his endeavor around Christmas and has already released more than 120 advisories.

The second phenomenon is the iceberg phenomenon. The number of vulnerabilities found in major sites that invest in security gives an indication of the much larger number of vulnerabilities yet to be discovered in less popular or less exposed sites. The large number of XSS vulnerabilities indicates that vulnerabilities which are harder to find in a black-box inspection, such as SQL injection, are just as common, since SQL injection vulnerabilities are usually found more often than XSS vulnerabilities in source code inspections.
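The two observations above (XSS is visible from the client side, SQL injection mostly is not, so the second tends to surface only in source code review) can be made concrete with a small self-check. The following is an added example, not code from the original post or from OWASP: a hypothetical search handler in two versions, one with both defects and one with both fixed, a black-box check that only inspects the HTML response, and a white-box check that only inspects the handler's source. The table, the handler names and the regular expression are all constructed for the example.

```python
import html
import inspect
import re
import sqlite3

# Constructed in-memory table so the example runs offline (not data from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [("apple",), ("apricot",), ("banana",)])
    return conn

def search_unsafe(conn, term):
    # Hypothetical handler with both defects: the query is built by string
    # formatting, and the search term is echoed into the HTML without encoding.
    rows = conn.execute(f"SELECT name FROM items WHERE name LIKE '%{term}%'").fetchall()
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return f"<p>Results for {term}:</p><ul>{items}</ul>"

def search_safe(conn, term):
    # The same handler with both defects fixed: parameterized query, encoded output.
    rows = conn.execute("SELECT name FROM items WHERE name LIKE ?", (f"%{term}%",)).fetchall()
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return f"<p>Results for {html.escape(term)}:</p><ul>{items}</ul>"

# Benign marker containing characters that correct output encoding must change.
MARKER = "<b>probe</b>"

def reflected_unencoded(response_html, marker=MARKER):
    """Black-box view: the marker comes back byte-for-byte, i.e. it was not encoded."""
    return marker in response_html

def echoes_request_to_client(handler, conn):
    # Output-encoding defects (the XSS class) are observable from the response alone;
    # nothing in the response tells us how the SQL query was built.
    return reflected_unencoded(handler(conn, MARKER))

# White-box view: an execute() whose SQL is an f-string, a concatenation or a % format.
SQL_CONCAT = re.compile(r"""execute\(\s*(f["']|["'][^"']*["']\s*[+%])""")

def builds_sql_by_string(handler):
    """Flag string-built SQL by reading the handler's source, which the client never sees."""
    return bool(SQL_CONCAT.search(inspect.getsource(handler)))

if __name__ == "__main__":
    db = make_db()
    for h in (search_unsafe, search_safe):
        print(h.__name__, "reflects unencoded:", echoes_request_to_client(h, db),
              "| string-built SQL:", builds_sql_by_string(h))
```

Run against the unsafe handler, the black-box check reports the unencoded reflection and the white-box check reports the string-built query; against the fixed handler both report nothing. The point of the contrast is that the first check needs only a response, while the second needs the source, which is why a purely black-box survey of public sites will be skewed toward XSS.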