Monday, February 19, 2007

One Fun Bit on Acunetix vs NetworkWorld

One thing that nobody picked up on in the whole Acunetix vs NetworkWorld web hacking statistic debate is this: the security world seems split into two camps which hardly talk to each other.

1. 70% of web sites being exploitable is waaaay too low. All but a very few are in fact "hackable".

2. The number is waaay too high. Maybe that many are vulnerable, but surely not exploitable.

So, what's your take on this split?
Anonymous said...

80 percent seems reasonable overall. I think RSnake would agree

Check out this comparison:

However, his analysis is a bit off on the Java side, IMO.

I would say if they run the latest and greatest of Anti-XSS and are really good coders in .NET - 10% chance. Otherwise - average of 40%. I hate doing VA work on .NET

Java - 50-70% (not 20% like he claims). However - my friends that code with Java: 10% - so maybe it evens out because there are a lot of good J2EE programmers vs. .NET

PHP out-of-the-box or specialchar - 100%, PHP with htmlentities or better - 90%, PHP6 - I have no idea, ColdFusion - 100%, Perl without Apache::TaintRequest - 90%, Perl with Apache::TaintRequest - 70%, RoR - 90%, Python - 70%, Python with CherryPy - still 70%, Python with Django - 60%

If you have a WAF, subtract 1-20% at most, but it may do nothing. If you allow someone to upload anything to your website, make it 100% even with the WAF.

If you have really good programmers who have gone through a few assessments with external third-parties drop it down to at least 10%

Rory McCune said...

The short answer is that it depends very much on what you count as exploitable. They're probably actually both right

If Acunetix (and RSnake and Jeremiah Grossman) seem to be including items like XSS and allowing for vectors like mailing users of the site with a link which exploits the site (via XSS or XSRF), then yeah, I'd go for 70+% (if only 'cause RSnake and Jeremiah Grossman really know what they're talking about and they say so!)

I think that the Network World people are thinking of "old-school" hacking along the lines of exploiting web servers or SQL injection. Now on their terms I'd probably agree that 70% is too high...

Anonymous said...

Matasano Chargen and Jeremiah Grossman picked up on this last week.

PaulM said...

I think if you read the stuff that Joel Snyder wrote both in Paul McNamara's column and later on Slashdot, it is clear that he doesn't have a deep understanding of web app vulns. Nonetheless, his point that scanner results don't translate to personal data disclosure at a 1:1 ratio is valid.

The statistic of 70% that Acunetix published is flawed because of the data it is based on, not because it's an unbelievable number. So this is really much ado about a piece of marketing material from Acunetix. The fact that we're all still talking about it a week later only proves to Acunetix that they were right to publish it.

Either way, the disconnect this highlights is an old one in the infosec biz. How to define a vulnerability is complicated, and how to determine the potential impact of that vulnerability is even more complicated. It's no surprise there's little agreement here.

Dr Anton Chuvakin