Cross-site scripting was the most prevalent threat, accounting for 55 percent of serious vulnerabilities. Cross-site scripting occurs when an attacker injects malicious scripts into a Web page; those scripts can bypass a browser's security mechanism to gain access to a visiting user's computer.
Information leakage was the second most prevalent vulnerability. The flaw was found in 53 percent of the sites, down from 64 percent in 2010, when the vulnerability was number one. In general, WhiteHat found that Web application firewalls would have helped mitigate slightly more than 70 percent of custom Web application vulnerabilities.
SQL injection vulnerabilities, a favorite hacker target, were the eighth most prevalent flaw. Fully 5 percent of sites had at least one such vulnerability that could be exploited without logging in to the site.
SQL injection is a popular way to attack databases through a website. SQL statements are entered into a field on a web form in an attempt to get the website to pass the command to the database. A typical request is for the database to deliver its content to the attacker.
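To make the mechanism concrete, here is an added example (not from the article or the WhiteHat report) that puts a query built by pasting a form field into the SQL text beside the parameterized form of the same lookup; the `users` table and its rows are constructed for the demonstration, and the hostile value is the textbook always-true condition.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample database; values are illustrative only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return conn

def lookup_vulnerable(conn, name):
    # The form field is spliced into the statement text, so whatever the
    # user typed is parsed by the database as SQL rather than as data.
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The statement structure is fixed; the form value is bound as a
    # parameter and can only ever be compared as a string value.
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# A form value that closes the quoted string and appends an always-true
# condition: the classic way a single-row lookup is turned into a request
# for the table's entire contents.
HOSTILE_INPUT = "x' OR '1'='1"

def demo():
    # Returns (rows leaked by the vulnerable query, rows from the
    # parameterized query with the same input, rows for a normal lookup).
    conn = make_db()
    leaked = lookup_vulnerable(conn, HOSTILE_INPUT)
    safe = lookup_parameterized(conn, HOSTILE_INPUT)
    normal = lookup_parameterized(conn, "bob")
    return len(leaked), len(safe), len(normal)

if __name__ == "__main__":
    print(demo())  # (3, 0, 1)
```

The vulnerable lookup hands back every row, while the parameterized one treats the same input as a literal name that matches nothing, which is why prepared statements are the standard remediation.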
Such vulnerabilities have been around for years, and the fact that they persist speaks to the difficulty in building a defense. "It just shows us how far we still have yet to go in terms of dealing with them and how difficult it can be to remediate some of these exposures," Enterprise Management Associates' Crawford said.