Nearly half (46%) of websites contain a ‘high security’ vulnerability such as cross-site scripting (XSS) or SQL injection, new research has revealed.
The study was performed on over 1.9 million files across 15,000 websites belonging to 5,500 companies. Eighty-seven percent of the websites were affected by at least a ‘medium security’ vulnerability.
Many of the scans also found that the headline bugs of 2014 had still not been remediated, notably POODLE, a flaw in SSL 3.0 itself that is closed by disabling SSLv3 on the server rather than by applying a patch.
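Because POODLE is a design flaw in SSL 3.0 rather than an implementation bug, a server is exposed only if it will still complete an SSL 3.0 handshake with a CBC cipher suite. The probe below is an added example, not code from the article or from the Acunetix scanner: it hand-builds an SSLv3 ClientHello (modern Python `ssl` modules no longer speak SSLv3), then classifies the first record the server returns. The `probe()` function does live network I/O; the sample ServerHello and alert records are constructed here so the classifier can be exercised offline.

```python
"""
Minimal SSL 3.0 probe for POODLE exposure (added example).

The server is POODLE-exposed if it answers an SSLv3 ClientHello that offers
only CBC suites with a ServerHello whose server_version is 3.0 and whose
chosen suite is one of those CBC suites.
"""
import os
import socket
import struct

SSL3 = (3, 0)
CT_ALERT, CT_HANDSHAKE = 21, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
# CBC suites an SSL 3.0 server may pick; CBC padding is what POODLE abuses.
CBC_SUITES = [0x000A, 0x002F, 0x0035]  # 3DES-SHA, AES128-SHA, AES256-SHA


def build_sslv3_client_hello(client_random=None) -> bytes:
    """Return one record (version 3.0) carrying a ClientHello offering CBC suites only."""
    random_bytes = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (
        struct.pack("!BB", *SSL3)                      # client_version = 3.0
        + random_bytes                                  # 32-byte client random
        + b"\x00"                                       # empty session id
        + struct.pack("!H", len(suites)) + suites       # cipher suite list
        + b"\x01\x00"                                   # one compression method: null
    )
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CT_HANDSHAKE, *SSL3, len(handshake)) + handshake


def parse_record_header(data: bytes):
    """Split a 5-byte record header into (content_type, (major, minor), length)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back after our SSLv3 ClientHello.

    'sslv3_accepted' - ServerHello with version 3.0 and a CBC suite: POODLE-exposed.
    'refused'        - an alert record (typically protocol_version or handshake_failure).
    'other'          - anything else, e.g. a non-TLS service or a ServerHello
                       carrying a higher version than we offered.
    """
    ctype, _version, length = parse_record_header(data)
    payload = data[5:5 + length]
    if ctype == CT_ALERT:
        return "refused"
    if ctype == CT_HANDSHAKE and len(payload) >= 41 and payload[0] == HS_SERVER_HELLO:
        server_version = (payload[4], payload[5])   # after 1-byte type + 3-byte length
        sid_len = payload[38]                       # 4 + 2 (version) + 32 (random)
        if len(payload) >= 41 + sid_len:
            suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
            if server_version == SSL3 and suite in CBC_SUITES:
                return "sslv3_accepted"
    return "other"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3 ClientHello to a live host and classify its reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        header = sock.recv(5)
        if len(header) < 5:
            return "other"
        _, _, length = parse_record_header(header)
        body = b""
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        return classify_response(header + body)


# ---- constructed sample responses for offline use (not captured traffic) ----

def sample_server_hello(version=SSL3, suite: int = 0x000A) -> bytes:
    """Constructed ServerHello: version 3.0 + 3DES-CBC models an SSLv3-capable server."""
    body = struct.pack("!BB", *version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = struct.pack("!B", HS_SERVER_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CT_HANDSHAKE, *version, len(hs)) + hs


def sample_alert_protocol_version() -> bytes:
    """Constructed fatal protocol_version alert (70) from a server with SSLv3 disabled."""
    return struct.pack("!BBBH", CT_ALERT, *SSL3, 2) + bytes([2, 70])


if __name__ == "__main__":
    for name, rec in [("sslv3 server", sample_server_hello()),
                      ("tls1.2 server", sample_server_hello(version=(3, 3))),
                      ("hardened server", sample_alert_protocol_version())]:
        print(f"{name}: {classify_response(rec)}")
```

A result of `sslv3_accepted` against a live host means the server still runs the protocol POODLE targets and SSLv3 should be disabled in its TLS configuration; `refused` is the expected answer from a remediated host. The probe only inspects the ServerHello, so it never completes a handshake or sends application data.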
The research, which saw security vendor Acunetix collect data over a period of one year ending March 2015, shows that the high-profile data breaches reported in the media are not the unlucky few – most companies are leaving themselves vulnerable to attacks.
The company defined ‘high security vulnerability’ as something an attacker can easily exploit to compromise the integrity and availability of the target application, gain access to backend systems and databases, deface the target site and trick users into phishing attacks.
Web apps carrying a high security vulnerability would fail the payment card industry’s PCI Data Security Standard (PCI DSS).
Hackers continue to concentrate their efforts on web-based applications since they often have direct access to back-end data such as customer databases.
The nature of cyber-attacks is also diversifying as criminals target not only financial data but personal data for use in identity theft and confidential intelligence to carry out cyber espionage.
When it comes to network vulnerabilities, administrators are performing better, but the figures are still not reassuring.
Ten percent of the servers scanned were found to be vulnerable to high security risks, and 50% had a medium security vulnerability.
Since most of the scanned servers are perimeter servers, a network vulnerability on these internet-facing hosts could spell disaster: it can readily lead to compromise of the server itself and from there to other servers on the network.
“These are worrying stats, showing businesses are failing in some basic web security areas,” said Nick Galea, CEO at Acunetix. “It’s just like leaving your wallet or unlocked phone lying around in a public place. It’s more a question of how long it takes, rather than if at all, before you are compromised.”