Vulnerabilities Found in Many Fortune 500 Websites

Tuesday, January 11, 2011


IBM researchers have found Document Object Model (DOM) vulnerabilities in the websites of some of the biggest corporations in the world.

In a survey of the websites belonging to all Fortune 500 listed companies and an additional selection of 175 other businesses, researchers found that nearly fifteen percent contained serious security flaws.

The vulnerabilities leave the sites open to cross-site scripting (XSS) and open redirect exploitations, both favorites of criminal hacking networks.

The researchers applied a JavaScript Security Analyzer (JSA) to randomly selected webpages from the surveyed websites in a controlled environment to determine the presence of the vulnerabilities.

DOM-based XSS is considered difficult to detect, since it arises from weaknesses in the site's own client-side JavaScript code rather than in the server-side scripts that parse form input, as with the more common forms of XSS.
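As an added illustration of the two client-side flaw classes the article names (DOM-based XSS and open redirect), the following is example code written for this page, not code from the IBM study or the surveyed sites. It simulates the browser sinks with plain string functions so it runs in Node; the fragment and query values are constructed inputs, and `siteOrigin` is an assumed parameter.

```javascript
// Constructed example: each vulnerable pattern is shown beside its hardened form.
// DOM sinks (innerHTML, location.assign) are simulated by returning the value
// that would have been written to them.

// Vulnerable: the URL fragment flows unchanged into an HTML sink.
function renderNameUnsafe(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ""));
  return "<p>Hello, " + name + "</p>"; // would be assigned to element.innerHTML
}

// Hardened: HTML-encode before any markup sink (or use textContent instead).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderNameSafe(fragment) {
  let name;
  try {
    name = decodeURIComponent(fragment.replace(/^#/, ""));
  } catch {
    name = ""; // malformed percent-encoding: render nothing rather than throw
  }
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Vulnerable: a "next" query parameter is used as-is for location.assign().
function redirectTargetUnsafe(search) {
  return new URLSearchParams(search).get("next") || "/";
}

// Hardened: resolve against the site's own origin and require the result to
// stay there; this rejects other hosts, protocol-relative URLs and javascript: URLs.
function redirectTargetSafe(search, siteOrigin) {
  const next = new URLSearchParams(search).get("next") || "/";
  let resolved;
  try {
    resolved = new URL(next, siteOrigin);
  } catch {
    return "/"; // unparseable target: fall back to the site root
  }
  if (resolved.origin !== siteOrigin) return "/";
  return resolved.pathname + resolved.search + resolved.hash;
}
```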

More than one third of the vulnerabilities were due to the presence of third-party code, such as externally sourced JavaScript libraries.

The researchers concluded that, "based on the dataset that we analyzed, we may extrapolate that the likelihood that a random page on the internet contains a client-side JavaScript vulnerability is approximately one in 55."

The vulnerabilities leave visitors to the websites open to session hijacking, social engineering attempts, and drive-by malware exposure.

Source: http://news.softpedia.com/news/Serious-DOM-Vulnerabilities-Found-in-Many-Well-Funded-Websites-177178.shtml

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
