Report: Websites Getting Safer, Yet XSS Bugs Persist

The number of vulnerabilities in the average Web site is actually decreasing, one of the more surprising findings in an annual study done by WhiteHat Security.

The number of vulnerabilities in the average Web site is actually decreasing, one of the more surprising findings in an annual study done by WhiteHat Security.

The 30-page report is the culmination of a project in which the firm combed through approximately 7,000 websites and discovered 79 serious vulnerabilities per site on average over the last year. The statistic is a significant drop from 230 in 2010 and 1,111 in 2007, according to the firm’s 12th Website Security Statistics Report (.PDF), issued Wednesday.

Despite an influx in scams centered on banks and their websites, WhiteHat found banking sites contained the fewest number of annual average vulnerabilities: 17. Retail sites carried the highest number of vulnerabilities, 121, while insurance sites contained the second highest, 92.

WhiteHat’s findings also show that cross-site scripting (XSS) bugs reclaimed the title of the most prevalent website vulnerability. The firm’s studies showed there’s a 55 percent chance at least one XSS vulnerability will appear on any given website looked at in the study.

In 2010, information leakage vulnerabilities were the most prevalent, yet came in a close second this year. There’s a 53 percent chance an information leakage vulnerability could appear on a site, while there was a 64 percent chance in 2011. The term information leakage is a catch-all the company uses to define vulnerabilities like improper application and server configurations or spotty HTML/Javascript commenting modules.

The report, published annually by the Santa Clara-based company, relies on a collection of information culled from 7,000 websites across 500 organizations, all monitored by its Sentinel security service.

For the full rundown from WhiteHat, their report can be accessed in PDF format here.

Suggested articles