Page last updated at 10:24 GMT, Monday, 14 April 2008 11:24 UK

Hackers exploit poor website code

Web search for porn, BBC
Visiting some parts of the web can be a risky business

Web designers making very old mistakes are letting malicious hackers hijack visitors to their sites, say experts.

Many of the loopholes left in the code created for websites have been known about for almost a decade say the security researchers.

The poor practices are proving very attractive to hi-tech criminals looking for a ready source of victims.

According to Symantec the number of sites vulnerable in this way almost doubled during the last half of 2007.

Wholly vulnerable

Kevin Hogan, director of security operations at Symantec, said the bug-ridden web code was putting visitors to many entirely innocent sites at risk.

"It overturns the whole notion that if you stay away from gambling and porn sites you are okay," he said.

The attack that a malicious hacker can carry out via these web code vulnerabilities is known as cross-site scripting (abbreviated as XSS).

Typically these involve lax control of the data being swapped between a web server and the browser program someone is using to interact with it.

An XSS vulnerability could, for instance, allow attackers to steal the login credentials of a visitor to a site.

It's such a target rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities
Chris Wysopal, Veracode

Mr Hogan said more and more attackers were looking for websites that were vulnerable to these scripting attacks because they required little work to mount.

By contrast, said Mr Hogan, a phishing attack required the creation of tempting e-mails, fake servers and dead-drops to gather data.

In its most recent Internet Security Threat Report Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007. Six months earlier the count stood at 6,961.

Symantec said there were likely many more that had not reported vulnerabilities.

Drawing its data from XSSED which gathers data on these vulnerabilities, Symantec said only 473 of these loopholes had so far been fixed.

Website administrators had a poor record of closing loopholes, it said.

"Attackers..., can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all," said the report.

"There are a lot more websites out there that are prone to this," said Mr Hogan. "It's a much bigger proposition to make a safe website than it is to patch a browser."

Chris Wysopal, co-founder and chief technology officer at Veracode which produces online tools that scan code for security flaws, said the problem was getting worse.

"I do not see trends slowing this down," he said.

XSS attacks were becoming more popular because more and more websites were writing their own snippets of code so visitors could get more out of a site, he said.

Unfortunately, he added, the same mistakes were being made in this custom code years after they were first discovered.

"The problem was identified eight years ago or so," he said. "Over time attackers have figured out better and more interesting things to do with cross-site scripting."

He added: "It's such a target rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities."

Automated web tools were available that can scan custom web code and highlight vulnerabilities but few web designers used them, said Mr Wysopal.

"The awareness is not there that if you write code you need to test it before you put it out there," he said.

Computer viruses hit one million
10 Apr 08 |  Technology
Poisoned websites attack visitors
17 Jan 08 |  Technology
PC stripper helps spam to spread
30 Oct 07 |  Technology
Hi-tech crime: A glossary
05 Oct 06 |  UK
Malicious programs hit new high
08 Feb 08 |  Technology
FBI tries to fight zombie hordes
14 Jun 07 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific