Website 'spoofing' still fools users, security study reveals
A close look at vulnerabilities in about 15,000 websites found 86 percent have at least one serious hole that hackers could exploit, and content spoofing is the most prevalent vulnerability, identified in over half of the sites, according to WhiteHat Security's annual study published last week.
Content spoofing is a way to get a website to display content from the attacker, says Jeremiah Grossman, CTO at WhiteHat, an IT security vendor. A criminal might do this to steal sensitive customer information or simply to embarrass the owners of a website. In any event, in content spoofing, the fake content is not actually on the website as it would be in a web defacement, but simply appears to be there, Grossman points out. (A variation is email spoofing, which makes an email message appear to come from a trusted correspondent; it often includes a link that sends the reader to a malicious site.)
The Open Web Application Security Project (OWASP) group says content spoofing is also sometimes referred to as content injection or virtual defacement, and its an attack made possible by an injection vulnerability in a web application that does not properly handle user-supplied data.
Feeds false information
The content spoofing attack can supply content to a web application that is reflected back to the user, who is presented with a modified page under the context of the trusted domain, according to OWASP. It's said to be similar to a cross-site scripting attack, but uses other techniques to modify the page for malicious reasons.
The annual WhiteHat Website Security Statistics Report examined vulnerabilities found during 2012 in the 15,000 websites of 650 companies and government agencies for which it provides web application vulnerability assessments. These range from financial, manufacturing, technology, entertainment, and energy sites to media and government.
The top 15 vulnerability classes for websites are said to be cross-site scripting; information leakage; content spoofing; cross-site request forgery; brute force; insufficient transport layer protection; insufficient authorization; SQL injection; session fixation; fingerprinting; URL redirector abuse; directory indexing; abuse of functionality; predictable resource location; and HTTP response splitting. Grossman says the study revealed a few unexpected findings related to how quickly organizations fixed vulnerabilities when taking into account how much they'd invested in application security training for their programmers.
Emphasis on training was correlated, with 40 percent fewer website vulnerabilities and a 59 percent faster rate of resolving them than in organizations that didn't do training. But the actual remediation rate to close all the holes related to the vulnerabilities was 12 percent less than in organizations without training. Grossman says WhiteHat's analysis indicates that the poorest rates of remediation overall are associated with organizations where their regulatory compliance requirements are the No.1 driver for resolving vulnerabilities. If the vulnerability wasn't tied to compliance, it was ignored.
When organizations website vulnerabilities go unresolved, compliance was cited as the No. 1 reason, closely followed by risk reduction, according to the WhiteHat study. The study also found the best remediation rates occurred when customers or partners demanded it.
Other findings in the website 2012 vulnerability study show:
- 85 percent of organizations use some variety of application security testing in pre-production website environments
- 55 percent have a web application firewall in some state of deployment
- In the event of of a website data or system breach, 79 percent said the Security Department would be accountable.
- 23 percent experienced a data or system breach as a result of an application-layer vulnerability.