More than 27% of applications tested contain a web
vulnerability.
NTA Monitor has
reported a 10% increase in the total number of web applications
found to have at least one high-risk security issue in its 2009
Annual Web Application Security Report.
The three most common vulnerability classes were SQL injection,
cross-site scripting (XSS) and cross-site request forgery (CSRF). A SQL
injection attack lets an attacker alter the database queries an
application issues, by supplying input that the application splices
into the query text. A cross-site scripting attack lets an attacker
inject script into a page so that it runs in other users' browsers with
that site's privileges. In a cross-site request forgery attack, a
hostile website causes a victim's browser to send requests to an
application the victim is logged in to; the browser attaches the
victim's session credentials, so the application treats the forged
requests as the victim's own.
Roy Hills, technical director at NTA Monitor, said, "All
user-supplied data should be properly sanitised before returning it
to the browser or storing it in a database."
NTA Monitor urged organisations to switch from persistent
authentication, where a long-lived cookie keeps the user logged in
across browser sessions, to transient authentication that expires when
the browser session ends, which narrows the window in which a forged
request would carry valid credentials.
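The three vulnerability classes described above, Hills's advice on handling user-supplied data, and the CSRF defence are easiest to see side by side in code. The following is an added example written for this page, not code from NTA Monitor or the report; it uses a constructed in-memory SQLite user table, and the function names, the session dictionary and the form dictionary are assumptions standing in for whatever framework the application uses.

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed sample user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


# --- SQL injection: string-built query versus parameterised query ---
def find_user_vulnerable(conn, name):
    # Attacker-controlled text is spliced into the statement, so it can
    # change the meaning of the query (e.g. name = "' OR '1'='1").
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Placeholder binding: the value travels separately from the statement
    # and is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting: reflecting user input into an HTML page ---
def greet_vulnerable(name):
    # Raw interpolation: "<script>" in the name becomes markup the browser runs.
    return f"<p>Hello, {name}</p>"


def greet_safe(name):
    # Escape at the point of output, for the context the value lands in
    # (here an HTML text node), rather than trusting earlier "cleaning".
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- CSRF: a per-session secret that a hostile site cannot read or guess ---
def issue_csrf_token(session):
    # Assumed: `session` is the server-side session for the logged-in user;
    # the token is embedded in the application's own forms as a hidden field.
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def transfer_is_allowed(session, form):
    # A forged request arrives with the victim's cookies but without this
    # token, so the check fails. Constant-time comparison avoids leaking
    # the token through timing.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)
```

The CSRF token only works if it is bound to the session and the application refuses state-changing requests that lack it; a transient, session-only cookie (one issued without Expires or Max-Age) limits how long a forged request would even carry valid credentials, but it does not replace the token check.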
Hills also recommended that businesses put in place an account lockout
mechanism, locking accounts temporarily or permanently after repeated
failed logins, to help prevent brute-force attacks from cracking user
passwords.
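One way to implement the temporary-then-permanent lockout Hills describes, as an added example that is not NTA Monitor's own code: the thresholds, the lock duration, the in-memory counters and the password-check callback are all assumptions, and the clock is injectable so the policy can be exercised without waiting.

```python
import time
from collections import defaultdict


class LockoutPolicy:
    """Tracks consecutive failed logins per account.

    Locks the account for `temp_lock_seconds` each time the failure count
    reaches a multiple of `temp_threshold`, and permanently once it reaches
    `perm_threshold`. All numbers are assumed defaults, not the report's.
    """

    def __init__(self, temp_threshold=5, temp_lock_seconds=900,
                 perm_threshold=20, clock=time.monotonic):
        self.temp_threshold = temp_threshold
        self.temp_lock_seconds = temp_lock_seconds
        self.perm_threshold = perm_threshold
        self.clock = clock
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> monotonic unlock time
        self.permanently_locked = set()

    def is_locked(self, account):
        if account in self.permanently_locked:
            return True
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        self.failures[account] += 1
        n = self.failures[account]
        if n >= self.perm_threshold:
            self.permanently_locked.add(account)
        elif n % self.temp_threshold == 0:
            self.locked_until[account] = self.clock() + self.temp_lock_seconds

    def record_success(self, account):
        # A successful login resets the counter and any temporary lock.
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(policy, check_password, account, password):
    """Returns "ok", "denied" or "locked".

    The lock is checked before the password so that a locked account gives
    the same answer to right and wrong guesses, revealing nothing.
    """
    if policy.is_locked(account):
        return "locked"
    if check_password(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "locked" if policy.is_locked(account) else "denied"
```

Permanent lockout stops a brute-force attack outright, but it also lets an attacker deny service to any account whose name they know; temporary lockout with a rising delay is the usual compromise, and either way lockout events belong in the audit log.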