Web security still outstandingly mediocre, experts report

Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests. In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security …

  1. Chris Miller

    Since the main cause of XSS is failure to validate/sanitise input, it's not too surprising that such sites would also have a tendency to more SQL injection vulnerabilities.

  2. Alister

    By contrast there has been no move away from the ageing TLS 1.0 protocol: 96.1 per cent of web servers still support it, compared with 97 per cent in June 2016. Maintaining compliance with the credit card industry’s PCI DSS standard means those who handle credit card data need to drop support for TLS 1.0 from June 2018.

    Very few publicly facing web sites will be prepared to remove TLS 1.0 support whilst a substantial number of visits come from client browsers or operating systems which require it.

    We investigated it last month, as a PCI audit highlighted that we still supported it on some of our servers, but an analysis of the client's site traffic showed that nearly 30% of visitors still used browsers which required TLS 1.0 to connect.

    I can't see any company whose primary income stream is web based cutting off 30% of their customer base just to be PCI compliant.
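The kind of traffic analysis described in the comment above, as an added example that is not part of the original thread: it measures how many clients only ever negotiate TLS 1.0, by request and by distinct client. The nginx log format (combined plus `$ssl_protocol`), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed nginx log_format (not from the thread): "combined" with $ssl_protocol
# appended as the last field. The server must also offer TLS 1.1/1.2, otherwise
# a negotiated TLSv1 says nothing about what the client could have used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<proto>\S+)$'
)

# Constructed sample lines (documentation IP ranges, illustrative user agents).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1
203.0.113.5 - - [01/Nov/2017:10:00:02 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1
198.51.100.7 - - [01/Nov/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/62.0" TLSv1.2
198.51.100.8 - - [01/Nov/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/56.0" TLSv1.2
198.51.100.9 - - [01/Nov/2017:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.3) AppleWebKit/534.30" TLSv1
192.0.2.44 - - [01/Nov/2017:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/62.0" TLSv1.2
192.0.2.44 - - [01/Nov/2017:10:00:07 +0000] "GET /b HTTP/1.1" 200 64 "-" "Mozilla/5.0 Chrome/62.0" TLSv1
192.0.2.60 - - [01/Nov/2017:10:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Safari/604.1" TLSv1.2
192.0.2.61 - - [01/Nov/2017:10:00:09 +0000] "GET / HTTP/1.1" 301 0 "-" "Mozilla/5.0 Chrome/62.0" -
not a log line
"""

def legacy_tls_report(lines, legacy="TLSv1"):
    """Return (request_pct, client_pct, user_agents) for `legacy`-only clients."""
    seen = {}             # (ip, user agent) -> set of protocols it negotiated
    requests = Counter()  # protocol -> number of TLS requests
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":  # malformed line or plain-HTTP request
            continue
        requests[m["proto"]] += 1
        seen.setdefault((m["ip"], m["ua"]), set()).add(m["proto"])
    if not seen:
        return 0.0, 0.0, Counter()
    # A client that also managed a newer version is not blocked by dropping TLS 1.0.
    stuck = [client for client, protos in seen.items() if protos == {legacy}]
    request_pct = round(100.0 * requests[legacy] / sum(requests.values()), 1)
    client_pct = round(100.0 * len(stuck) / len(seen), 1)
    return request_pct, client_pct, Counter(ua for _, ua in stuck)

if __name__ == "__main__":
    req, cli, agents = legacy_tls_report(SAMPLE_LOG.splitlines())
    print(f"TLS 1.0 requests: {req}%  TLS 1.0-only clients: {cli}%")
    print(agents.most_common(5))
```

On the constructed sample the request share and the client share differ, which is why the figure that matters for a cut-off decision is the share of distinct clients, broken down by user agent.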

    1. Nate Amsden

      Which is one reason why the deadline keeps being extended.

      For my org we've been unable to go beyond 1.0 due to a blocking Citrix NetScaler bug I was working with them for 18 months on (unrelated to TLS, but blocked upgrading). Now they have a fix which is due in early December for public use. Which means immediate deploy to test envs then production hopefully in late January. Assuming no further blocking bugs discovered.

      Not vulnerable to the major TLS attacks according to SSL Labs though. (Qualys does regular scans to validate we are PCI compliant.)

  3. Ian 55

    How do they know?

    "More than 72 per cent of WordPress installs assessed by High-Tech Bridge had default admin panel location and at least one brute-force crackable login/password pair"

    Duh, the number that have it at anywhere other than /wp-admin is very low. If you have one WP site, you probably don't know you can change it, while if you have loads, the tool you use to manage them probably assumes /wp-admin.

    But it'd be very interesting to know how they know about the crackable login-password pair. Are they just saying 'there's at least one login and all passwords are ultimately brute-forceable given enough millennia' or have they actually cracked them?

    1. Nate Amsden

      Re: How do they know?

      I no longer actively blog but that is where my WP admin is at too. Someone cracked into it earlier in the year somehow (I've never run the vulnerable plug-ins, maybe compromised one of the admin accounts).

      Ended up locking it down by limiting access to the admin to my private VPN. Also deleted all other accounts (been 3 years since anyone other than me wrote articles), no issues since fortunately.

      1. Ian 55

        Re: How do they know?

        It turns out that the xmlrpc.php unit has the 'feature' of allowing attackers to test many hundreds of username / password combos in a single call. Obviously, there is no legit use for this, but it's been kept because it's part of the spec. I suspect that's how they got into one of mine.

        The only real uses for the unit are the Android/ithing clients and the bloatware that's Automattic's Jetpack plugin. If you need the latter, there's a plugin that allows access to it only from their IP addresses, otherwise block access to it.

    2. PrivateCitizen

      Re: How do they know?

      "But it'd be very interesting to know how they know about the crackable login-password pair."

      Normally it means they have actually cracked them. Generally this is because someone either left the defaults in place or used an easily guessable password (admin, password, pa55w0rd etc). It's unlikely that the theoretical attack would be noted here.

      1. Ian 55

        Re: How do they know?

        "Normally it means they have actually cracked them."

        Very naughty.

  4. William 3

    Even if their websites are secure

    They only ruin it by using advertisements, tracking, and all the other shit that makes it insecure for the users of said website.

    This is what happens when you let the unwashed masses onto the Internet.

    Wish they'd all fuck off back to watching telly and texting their mates about what's happening in Corrie.
