How Programs Can Behave Unexpectedly from Cenzic's SANs Contest Winner!

Dereferencing a Freed Pointer During Linked List Deletion

I've decided to discuss this block of code since deleting nodes from linked lists is a common topic in introductory programming courses and online tutorials. It is a textbook example of how programs can behave unexpectedly when there is a lack of attention to subtle details. Observe the following C code loop:

for(p = head; p != NULL; p = p->next) {

free(p);

}

The problem becomes more apparent when the for loop is converted to its equivalent while syntax. It is easier to see how the value of the pointer identified by the p variable is referenced by the assignment statement in successive loop iterations after being freed.

p = head;

while(p != NULL)

{

free(p);

p = p->next;

}

It is quite possible that no memory corruption will occur during runtime depending on the execution environment. I was able to compile and run the code on Linux and the program exited successfully instead of terminating from receipt of a memory fault signal. This is why these types of errors can go overlooked and undetected.

However, there is no guarantee that the memory will hold the same value after it has been freed. The memory address holding the pointer location could be reallocated or overwritten. At a minimum, this could cause a denial of service condition because the program will crash when it attempts to access an invalid memory address.

Reflexive Cross-Site Scripting in ASP

<html>

<body>

<p>

<b>You are browsing this site with:</b>

<%Response.Write(Request.ServerVariables("http_user_agent"))%>

</p>

<p>

<b>Your IP address is:</b>

<%Response.Write(Request.ServerVariables("remote_addr"))%>

</p>

<p>

<b>The DNS lookup of the IP address is:</b>

<%Response.Write(Request.ServerVariables("remote_host"))%>

</p>

<p>

<b>The method used to call the page:</b>

<%Response.Write(Request.ServerVariables("request_method"))%>

</p>

<p>

<b>The server's domain name:</b>

<%Response.Write(Request.ServerVariables("server_name"))%>

</p>

<p>

<b>The server's port:</b>

<%Response.Write(Request.ServerVariables("server_port"))%>

</p>

<p>

<b>The server's software:</b>

<%Response.Write(Request.ServerVariables("server_software"))%>

</p>

</body>

</html>

It’s pretty obvious that this Active Server Page is returning untrusted input data to the browser that has not been sanitized. The question immediately becomes how do we exploit it? The four server variables that a malicious party would be capable of modifying are request_method, remote_host, remote_addr, and http_user_agent. request_method is out of the question since it would invalidate the HTTP request. Perhaps remote_host or remote_addr could be modified through a spoofing attack such as DNS cache poisoning, but if the user’s network addressing scheme has already been compromised they have bigger problems.

Injecting the payload into the User-Agent HTTP header field looks like the most fruitful approach. This can be accomplished with the setRequestHeader method from the XMLHttpRequest JavaScript API or ActionScript’s addRequestHeader method. Microsoft, Mozilla, Adobe, and Apple have all been updating their client code in an attempt to prevent HTTP header injection. Regardless, attackers will continue to find ways to bypass any client-side restrictions as long as the server side programming is vulnerable--recent HTTP header injection techniques in the aforementioned API’s have involved the insertion of newline characters within header string arguments (see CVE2006-5330 and CVE2007-2401.)

- Derek Callaway, Security Consultant (Cenzic's SANS Contest Winner August 2007)

State of Application Security - Q2 Analysis

Cenzic will be releasing its Q2 Trends report on the state and trends of Web application security for Q2 on July 31st. Here's the executive summary from the report. You can download the full report from www.cenzic.com home page starting July 31st.

Facts around Web application security continue to surprise and alarm us. Fact – according to some estimates there are over 100 million Web applications facilitating transactions and collection information. Fact – less than 5% of applications have been tested for vulnerabilities. Fact – majority of companies who are doing anything about security are testing Web applications only while they are in development or Quality Assurance stage leaving 99% of the applications that are in deployed phase exposed at any given point. Fact – new vulnerabilities at the application layer continue to dominate. Fact – hackers continue to attack at the application layer because that’s where most of the vulnerabilities are. So, in spite of these glaring facts, why aren’t companies taking necessary steps to protect their critical information? We find that lack of awareness continues to be a problem when it comes to application security. Most companies still don’t grasp the concept of securing applications. To these companies, network firewalls, Intrusion Detection Systems (IDS), and anti-virus software should be enough to protect them from hackers. As cyber attacks continue to rise against the applications, many companies are still unaware of the fact that they have been hacked. For every hack that’s been published, there are hundreds of hacks that go unreported – sometimes for months. Hackers are getting smarter and know how to keep secrets.

Similar to our Q1 Trends report, we have noticed that vulnerabilities at the application layer continue to dominate the overall published vulnerabilities. In Q2, we observed that of the 1,484 published unique vulnerabilities, 72% related to Web technologies including Web applications, Web servers, and Web browsers. This reflects over 7% increase from Q1 number of 67%. This comes to about 355 new application related vulnerabilities per month. What’s frightening is that 65% of these vulnerabilities were easily exploitable. In other words, hackers don’t have to be overly sophisticated to take advantage of these vulnerabilities.

In terms of the types of published vulnerabilities, the trend continues to mirror the previous trends with Cross-Site Scripting, SQL Injection, and File Inclusion as the major vulnerabilities. We also observed that there are new vulnerabilities being discovered in the newer technologies like Ajax and Web-services as developers are still trying to come up to speed on how to do secure coding with these new technologies. For browsers, Internet Explorer continues to lead with 33% of the browser vulnerabilities, followed by Firefox with 26% and Opera with 21% of the vulnerabilities.

Additionally, the number of probes and attacks continue their strong pace. Activity in Q2 was influenced by vulnerabilities in IBM Lotus, Adobe, Quicktime, Cisco, Apache Tomcat, and various Microsoft vulnerabilities.

Data from Cenzic’s ClickToSecure managed service that tests thousands of pages of Web applications for customers remotely for vulnerabilities shows that once again Cross-Site Scripting vulnerabilities continue to dominate the most common vulnerabilities. Cross-Site Request Forgery, Information Leaks and Exposures, Session management types of vulnerabilities with session hijacking, authentication bypass, as well as various other Authorization and Authentication types of vulnerabilities also continue to play a major role.

With roughly 400 new application vulnerabilities arising every month just from the published vulnerabilities alone, we believe there are thousands more that are unpublished because no one reported them or because they were found in home grown applications. With a very small percentage of Web applications tested, most Corporations are highly exposed. Even the Corporations, including many large F1000, that have formal security testing in place, are testing a small fraction of their total applications. Most of the regulations around protection of consumers’ privacy information are vague at best and silent at worst when it comes to application security. Regulatory bodies need to start adding specific clauses in the various regulations that require securing of Web applications. Payment Card Industry (PCI) regulatory body has already taken some steps toward this and that’s helping increase the awareness and providing an impetus

for application security. Cenzic is also urging Corporations and Government entities to focus on a model of continuous testing of all applications whether they are in development or already deployed. By using virtualized environments, organizations can start testing all their applications not once a year but once a month and start taking action. Application security is no longer an issue of ad-hoc testing as a check box but more of a risk-management issue. We need to take action and start implementing initiatives which plug in the holes in our applications. Consumer confidence and the future viability of our e-commerce depend on it.

- Mandeep Khera, Cenzic Inc.

What are Google's intentions?

In contrast to most of the news regarding Google, which tends to focus on competition with Microsoft and Yahoo or anti-trust disputes, the company received some attention last week for an internal application security project code named Lemon.  Some details were provided from the Google security team’s blog:

                                 

http://googleonlinesecurity.blogspot.com/2007/07/automating-web-application-security.html.

                  

The internal initiative involves using fault injection techniques to detect cross site scripting vulnerabilities in Google applications.  The security staff discussed the need to have not only the ability to test many permutations of cross site scripting vulnerabilities, but also to reliably assess an application for injection points (spidering or crawling the application).  They noted that they had developed the capability in house because of the nature of the Google application development environment. 

                

Interestingly, one can speculate that this may be part of a broader initiative aimed at providing compliance services for corporate customers.  Google clearly envies the position that Microsoft holds with corporate customers, particularly the franchise in Microsoft Exchange.  Recent acquisitions of Postini and Green Border suggest that the company may be shaping a service aimed at providing a broad range of security compliance services, including application security.

    

Our take is that Google has chosen a viable approach in emulating the scanning, fault injection and assessment technology that we have been delivering for several years.  With a narrow focus on a specific vulnerability such as cross-site scripting and a particular development environment, it is likely that they will have success.   We applaud Google for taking an initiative to beef up security for its internal applications. Google needs to however, enhance this further by adding testing functionality from commercial risk-management solutions or services. Application security is not a trivial task and Google should take advantage of the expertise of the security vendors who do this for a living.  Some of the leading companies who have been fairly successful in securing their key applications have used a combination of internal and external resources. Google should adopt their model and leverage the expertise instead of trying to do everything with its own resources.

                                 

- John Reno

Defcon 15: Hacking the EULA

In preparation for DC15, the following domains have been registered. Thanks Marce!

reversebenchmarking.org

http://reversebenchmarking.com

I have invited two of my friends, Marce Luck and Webpriestess, to co-present with me. It is our goal to found the ORB Project, or the Open Reverse Benchmarking project, a collaborative and open source security consortium focusing on applying reverse benchmarking as a methodology to the research and study of false positives and scanner accuracy. Following Defcon I plan to submit talks on the ORB Project to security conferences around the globe. Beneath is an abstract of our talk. 

Each year thousands of work hours are lost by security practitioners as time is spent sorting through web application security reports and separating out erroneous vulnerability data. Individuals must currently work through this process in a vacuum, as there is no publicly available information that is helpful. Restrictive EULAs (End User License Agreements) prohibit examining a signature code-base for common errors or signature flaws. Due to the latter point, a chilling effect and has discouraged public research into the common types of false positives that existing commercial technologies are prone to exhibit.

Reverse Benchmarking is a new species of reverse engineering that involves running a security solution against an application designed to solicit false positives. Unlike testing scenarios that emphasize gathering valid or accurate data, Reverse Benchmarking involves exposing architectural or logical flaws within a web application scanner by employing techniques to trick simple rule-based mechanisms. Running a scanner against a Reverse Benchmark target quickly reveals faulty rules, flawed testing logic, or poorly written or implemented security testing procedures. Additionally, a Reverse Benchmarking application will expose patterns in the propensity of a scanner to report false results, making it easier to spot false positives when they occur in the future.

Reverse Benchmarking opens up new opportunities for studying and improving existing web application security technology by exposing common faults in testing logic that are often the culprit of massive false positives. In turn this facilitates research into a taxonomy of general false positive types, ideally, a schema for mapping particular security tests to a common, generic language. This can provide a framework around which public discussion, research, and documentation of such flaws can occur without violating EULA agreements. We will also discuss the formation of a open community initiative centered around the use of Reverse Benchmarking to study false positive types.

-tom

How iPhones Should Change Your Thoughts on Web Application Security

I'm sure that many of you saw the recent announcement from Apple. No, not the one about their iPhones finally being available. (I love new toys but I'm holding off on that one for now.) I'm talking instead about Safari now being available on Windows. Having a Mac at home I, of course, had to immediately download and play with it. It works about the same as the Mac version: clean resolution, quick speed, Mac feel. Unfortunately for Apple, it's not enough to pull me away from using Firefox. I won't go into all the details of why Firefox is better. Instead I'll leave that to someone else; check out the side-by-side comparison by Percy Cabello on Mozilla Links (http://mozillalinks.org/wp/2007/06/feature-by-feature-firefox-vs-safari/)

I'm also sure that those of you who saw the Safari announcement also saw the security alerts that came out shortly afterwards. (http://www.networkworld.com/news/2007/061107-safari-for-windows-released-and.html and http://www.securitytracker.com/alerts/2007/Jun/1018282.html to name two) While it is to be expected for beta software, for software from such a public profile company as Apple and for software with the claim of "designed ... to be secure from day one", it shouldn't have happened quite that fast. It goes to show that you're never as secure as you think you are.

Anyway, I digress from where I was originally trying to go. With the introduction of one more serious browser client out there, it becomes that much more apparent that web applications will need that much more work. Whether you're designing in the latest Web 2.0 functionality or simply updating a new module, you now need to be testing against one more browser. You might think that simply following HTML standards would be good enough but consider the different methods of presenting data used by Safari, Firefox, IE, and Opera. Then throw in the different Operating Systems for each. And then consider all the handheld devices which are now accessing web sites: Blackberries, Treos, iPhones. Users now have a ton of different methods to access your web application. And if you aren't prepared for all these choices, then someone is going to be able to use different devices to gather info about your web application and then use that info to find a vulnerability.

To a degree the method of access shouldn't matter. However if you are only testing your web application with IE on Windows, you might want to consider including something else.

- Mike Kazmierczak, Cenzic, Inc.

HP follows suit by gobbling up SpiDynamics

As expected, HP announced the acquisition of SpiDynamics today. Another huge validation for the Application Security space. Finally, companies are realizing that with 75% of attacks occurring at the application layer and 7 out of 10 applications vulnerable, there's a drastic need to take action. Large companies like IBM and HP realize this tremendously upward movement and want to get ahead of the curve to meet the customers needs. HP had been in conversation with Spi for the last couple of months and plans to integrate Spi's products into the Mercury quality assurance suite.

While integrating security testing with functional testing is important (note: Cenzic has already integrated with Mercury and Borland), we believe that for customers it's not a good solution if the security product loses its identity completely for a number of reasons. First, customers like best of breed products. They don't want to buy Mercury just because they want security testing. Secondly, most of the testing and buying is still taking place at the Chief Security Officer (CSO) and the InfoSec group levels. This organization is typically separate from Development/Q.A. organization. Not having a stand-alone product can severely hinder Information Security group's efforts. Finally, about 99% of the applications are already in production and until they go through new development, some one still needs to test for security and find vulnerabilities.

People are asking us if Cenzic is next in the acquisition train. Frankly, we are focused on building the business and continue significant enhancements to our risk-management solutions. We will always be open to strategic relationships with security vendors like Cisco, Juniper, Symantec, McAfee, Verisign, and CA or ALM vendors like Compuware, and Borland, that help enhance value for the customers. Our motto continues to be - Superior Solution, Superior Service. Stay tuned.

- Mandeep Khera, Cenzic Inc.

Impact of IBM Acquisition of Watchfire

As the announcement of IBM acquisition of Watchfire hit the wire on Wednesday, June 6th, there was a lot of buzz going around in the media about the impact of this acquisition. I have provided some of the links from these articles below. Many reporters and security executives have asked me about my thoughts on the topic which I would like to share here as well.

First of all, I think the acquisition is a big-time validation for the application security space. It also means that more and more companies are getting serious about application security. However, application security still has a long way to go. As far as the impact on the existing Watchfire customers, we'll have to wait and see. From all the indications so far, it looks like IBM will suck Watchfire product Appscan into its Rational suite. This can't be good for Watchfire customers because there won't be a standalone product and IBM will not focus on enhancing the security functionality in the product. It'll become just another feature or Rational quality testing suite.

We also believe that there's too much hype about integrating security testing tools into Software Development Lifecycle (SDLC). We agree that's important to test early in the development lifecycle. However, with all this people, companies are starting to focus only on the new applications as they develop. What about the remaining 99% of Web applications that are already in production?  A good analogy is the anti-virus products where anti-virus scan can be run before OS and other software are installed on the desktop but most of the testing occurs after the user starts using the desktop.

Cenzic believes that companies need to take a holistic risk-management approach. Find out how many apps you have and at what stage, find out who owns those apps, track when those apps were tested and how often, understand what's still vulnerable, and at the management level create metrics to understand the security posture of the company and monitor on an ongoing basis. This is not about ad-hoc testing of a few applications just to get a check box item crossed. This is about protecting your brand and your customers.

We are sure there'll be more consolidation in this space as various Application Lifecycle Management (ALM) vendors (HP, Compuware, Microsoft, and Borland), Security vendors (Symantec, McAfee, Verisign, and CA), and Infrastructure vendors (Cisco, Juniper, Citrix, and many others) need to add similar functionality to their portfolio. We just hope that the customers will push their vendors to offer combined solutions that are more holistic rather than a point solution as part of a development suite.

Whatever the solution, companies need to start testing applications for security vulnerabilities NOW. We have a catastrophe waiting to happen based on what we saw in Cenzic's first Quarterly Trends Report (download from http://www.cenzic.com) - 7 out of 10 applications are vulnerable, about 70% of total vulnerabilities are application related, and over 75% of attacks happening at the application layer - a recipe for a disaster for the Commercial and the Government sectors.

News stories from IBM/Watchfire deal:

http://www.computerwire.com/industries/research/?pid=53971D9D%2D84F3%2D4D7B%2DAFCF%2DB26EC2D93CAA
http://www.onstrategies.com/blog/?p=198 http://www.scmagazine.com/us/news/article/662742/ibm-keeps-mind-security-watchfire-buy
http://www.infoworld.com/article/07/06/06/IBM-to-buy-Watchfire_1.html
http://www.networkcomputing.com/showArticle.jhtml?articleID=199902344&queryText=watchfire+cenzic
http://www.internetnews.com/bus-news/article.php/3681766
http://www.computerworld.com/blogs/node/5652

Mandeep Khera, Cenzic Inc.

Reflections on our Q1 2007 Application Security Trends Report

Now that our Application Security Trends Report Q1 2007 is out the door I want to discuss some of the major challenges we faced in putting it together and also give our audience a sense of our vision for the future of the report. Our goals for the quarterly trends report were three-fold, and some of the these goals we were able to achieve better than others: to discuss major events that affected application security during Q1 time-frame, to compile relevant and accurate statistics for the period, and to give a sense of attack patterns and events in the so-called underground.  These were lofty goals to begin with, but we did our best. That being said, our first Trends Report was still our first report, and we didn't get to do everything we wanted to do. Below are a some of the areas that we hope to improve upon in the future.

1. Level of Abstraction: Its a challenge to strike a balance between an appropriate high-level overview of the vulnerability data verses a very low-level and comprehensive categorization. The more detailed your categorization system the more risk you run of confusing your audience or producing a final work that's more convoluted than informative.The  OWASP Top 10, for example has 10 categories for web application vulnerability types, whereas WASC has 6 top level threat classes with 24 subcategories. Future versions of our report will utilize a list of Web Application Risks that we think strikes the best balance between detail and breadth. In other words, we were not entirely satisfied with either of the major web application vulnerability taxonomies, so we're going to come up with our own.

2. Definition of a Web Application verses Web-enabled technology. As the web becomes more diversified and dynamic in the types of applications that interact to deliver its functionality and content, web application vulnerabilities will become more diversified. This time around we used a working definition of a web application: those server-side technologies that provide for infrastructure and functionality for delivering web content to the user, plus the web browser. While I won't go into our motivation for including browser vulnerabilities in the report, its clear that when one begins to categorize things this way you have departed from a strict definition of a web-application as a pure server-side technology that you assess or scan from a black-box perspective when doing an assessment. This can cause some confusion since its a departure from the ordinary way we think of web applications.

We're ok with this departure because it makes sense, but it also doesn't go far enough or do justice to very large amounts of vulnerability data relevant to web application security. In future reports you can expect us to broaden our definition of a web application even further, which will lengthen the report, but also pull in additional security information that is important for web users. This doesn't mean that we will treat traditional web application vulnerabilities with any less importance, it means that the definition of a traditional web application is showing signs of stress, and a broader definition will be a better overall fit for the vulnerability data. To keep things clear we will create categories for types of web application vulnerabilities that exist in non server-side technologies, and detail this broader picture as vulnerabilities disclosed in web-enabled technologies. Web Applications and Web-enabled technologies will be covered in separate sections to avoid confusion. Here are a few examples:

*A cross-site scripting vulnerability in Poodle-cart 1.0 would be categorized as a web application vulnerability.

*A cross-site scripting vulnerability in Adobe Acrobat Reader would be categorized and counted under the web-enabled technology section. (This time around we did not include or count any of these types of web-enabled technology vulnerabilities).

*A web-exploitable vulnerability in Quicktime would be categorized under the web-enabled technology section.

*A Web-exploitable vulnerability in the Super-Slurp Desktop Buddy ToolBar would be categorized under the web-enabled technology section.

*Vulnerabilities in web browsers will be categorized under the web-enabled technology section.

*Web-exploitable vulnerabilities in ActiveX controls for web applications will be categorized under the web-enabled technology section.

*Vulnerabilities in web servers, web application servers, etc., will be included among web application vulnerabilities, as a subcategory (i.e. the web application pie chart will have two slices).

By covering both traditional web application vulnerabilities as well as web-enabled technology vulnerabilities we can avoid leaving out information that will help to inform and protect our readers, while at the same time keeping a clear distinction between traditional server-side applications and client-side technologies with web-based vulnerabilities.

Why do things this way? Why all the craziness? Well, (to quell the conspiratorial types) we're not trying to pad the report for length so that we can win the my Trends Report is bigger than your Trends Report contest. We're not trying to out-Symantec Symantec. Rather, its our viewpoint that all technologies which use HTTP, and have HTTP exploitable vulnerabilities, should get coverage in our Application Security Trends Report. We want to provide this coverage while still keeping traditional web application vulnerabilities front and center.   

-Tom

 

Cooking with Security

In case you hadn't realized it quite yet, I'm big on analogies. It makes understanding things so much easier. I'm also big on drawing weird connections between things but that's a topic for another blog entry. This time I'm discussing black box testing versus white box testing.

I was making myself tacos for dinner the other night when I realized the comparison. I had pulled out the cheese, immediately saw the mold all over it and realized it wasn't good. I was essentially white box testing the ingredients for my tacos. My "source code scanner" (me) found the one bad "function" (the cheese) in what would be the "entire program" (the taco). And as would be expected with a white box test, it saved me time and effort by replacing the cheese before it ended up on the final product.

From this little bit, it sounds like a white box tester is all that would be needed, something to validate the ingredients / parts. But as everyone can tell you with food, it's the final product that matters. You need that final black box test to look at the product as it is deployed to take all the factors into account. You need to crunch into that taco and discover if too much hot sauce was deployed or if the meat was cold or if the cheese was bad. Or maybe there is an extra ingredient (like honey) that your white box testing said was not spoiled but your black box testing would reveal as not a good fit for the final product. Comparably you need to see how the web application functions in the final environment to know if it is secure. Is there a problem with how two functions are interacting? Does one page not call the right sub-procedure? Is it deployed on a faulty or insecure web server?

There are advantages to testing from both perspectives: white box testing will help save efforts of implementing a faulty component, black box testing will validate the deployed product. But if I had to choose only one method of testing, I know I would pick black box testing. Only after that crunch into the taco can you know the final result is good.

- Mike Kazmierczak, Cenzic, Inc.

Q1 2007 Application Security Trend Report

Cenzic's CIA Labs has recently finished up its Q1 2007 Application Security Trend Report. I thought I would drop a line here to give you the highlights. You can get the full report from Cenzic (you should see a link to the file from the homepage). You can also try to get it here via a direct link.

In preparing the report we drew on a number of sources including SecurityTracker, Bugtraq, Full-Disclosure, as well as various academic and private sector studies. Citing the sources we overtly used though isn't enough to give full credit where it is due though, as our work was inspired by Symantec's Internet Security Threat Report. A few remarks are in order.

I am a huge fan of Symantec's Internet Security Threat Report, currently on volume 11 (cf. ISTR Volume XI). Ever since I first got my hands on this report I've always thought of it as the very best in its class, a work of art even. Rather than a veil through which to spew forth marketing data, its a robust research product that gives accurate, informative, and useful data to the security professional. I've plugged Symantec's Threat Report in every talk/presentation I have given for the last two years. Two things have always come to my mind when reading it: I wish it were more focused on application security rather than security in general (yes, it was a selfish wish), and I always wanted more detail regarding the attack data discussed in the reports. Monthly breakdowns, more details, and a backdrop against which to correlate the data.

So you can imagine my happiness when I approached Cenzic's Management about us doing our own trend report, a report focused on application security that delved into the details I always felt were missing in the ISTR, and was given the go ahead. Off the bat we faced a major hurdle. Unlike Symantec we didn't have a global network of thousands of intrusion sensors that we could tap into as a data feed. So I turned to the SANS Internet Storm Center and Dshield as the source of raw data, and queried these organizations for their Q1 probe and attack data as it related to port 80. I am not sure if all our readers are familiar with the concept of collaborative security models, so I will discuss how this data is collected. Thousands of users submit their firewall, IDS, router, and ACL logs to these organizations and the statistics on blocked traffic are crunched daily. This information gives a picture of probing and attack activity and is very useful when looking at high-level trends and patterns. The drawback is that the data is raw and uninterpreted.

Rather than trying to build a story around every peak and curve on a graph of such data, we decided to give readers a backdrop against which to consider the observed activity. After each month's probe and attack data we provided a list of major events that occurred during the same time-frame, as well as information from US-CERT. This gives a canvas against which the reader can look at the trends and draw their own conclusions. It also serves to highlight significant application security events that occurred during the Q1 2007 period.

Next we engaged in the herculean task of hand counting and categorizing all of the application vulnerabilities disclosed during the Q1 period.  Here are some of the highlights from our work:

• Roughly 67% of the vulnerabilities affected Web servers, Web applications and Web browsers.

• Applications written in PHP comprise roughly 30% of all vulnerabilities.

• Vulnerabilities within the PHP programming language versions 4 and 5,including wrappers, extensions, and bundled components comprised 3% of total vulnerabilities.

• Roughly 63% of the Web application vulnerabilities can be accounted for by 4 vulnerability classes: file inclusion, SQL injection, cross-site scripting, and directory traversal.

• Roughly 71% of the reported vulnerabilities are classified as easily or trivially exploitable.

• Vulnerabilities in Web Server or Web Application Server technologies comprised around 7% of the total reported Web application vulnerabilities.

• Remote file inclusion vulnerabilities in PHP comprise 17% of the reported Web application vulnerabilities and were reported in roughly equal proportion to SQL injection vulnerabilities.

• 19% of all reported Web application vulnerabilities involved cross-site Scripting.

In addition to the probe and attack data we also polled data from our ClickToSecure service on the types of vulnerabilities we found to be most prevalent in the wild. Above all we hope that we have provided our readers with an informative and thought provoking trend report for the Q1 2007 period.

-Tom Stracener