Feature

SIDEBAR: Cross-site Request Forgery's Star is Rising

Sara Peters

As Web site vulnerabilities go, cross-site scripting (XSS) is undeniably the big star; but two recent reports suggest that the rise of Web 2.0 will cause the name of cross-site request forgery (CSRF) to splash across the headlines.

On April 19, WhiteHat Security released its Web Application Security Risk Report, and the Open Web Application Security Project (OWASP) recently posted the first release candidate of its Ten Most Critical Web Application Security Vulnerabilities report.



Both WhiteHat and OWASP acknowledge that hard data about Web vulnerabilities is limited, making assessments like these a challenge.

Though OWASP named its top ten independently, the group's decisions were based in large part on the statistics disclosed by MITRE in its Vulnerability Trends for 2006 report, released in October. MITRE's statistics are drawn from the Common Vulnerabilities and Exposures (CVE) database, a catalogue of publicly disclosed vulnerabilities across many products. WhiteHat's stats are aggregated from the Web sites monitored by the company's WhiteHat Sentinel vulnerability assessment product, sites which, according to WhiteHat, are "more likely to represent the most 'important' and 'secure' Web sites found on the Web, conducting high-volume transactions or managing sensitive information."

Both reports show that cross-site scripting is the most prevalent Web vulnerability, but the most interesting takeaway is how each addressed cross-site request forgery, a vulnerability that is at the root of the JavaScript hijacking attack described recently by Fortify Software and by Jeremiah Grossman of WhiteHat.

Breaking away from MITRE's numbers, OWASP ranked CSRF fifth, above information leakage, broken authentication, insecure cryptographic storage, and insecure communications. From the report:

    "Cross site request forgery (CSRF) is the major new addition to this edition of the OWASP Top 10. Although raw data [from MITRE] ranks it at #36, we feel that it is important enough that applications should start protection efforts today, particularly for high-value applications and applications that deal with sensitive data."

CSRF did not make WhiteHat's top ten, but it is the only vulnerability class to which the company devoted a separate discussion. From the report:

    "The challenging part about defending against this is that it's a valid request from the authenticated user. There is no 'hack,' so to speak. Most experts agree that the majority of features on the average Web site are not protected against this attack and that current scanning capability is extremely limited at CSRF detection."
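The WhiteHat quote above describes the defender's problem: a forged request carries the victim's real session cookie, so at the server it looks identical to one the user meant to send. The following Python simulation is an added example, not code from the article or from WhiteHat or OWASP. Its Session and Request classes, the transfer handler, the user names and the amounts are all hypothetical. It puts the same state-changing handler side by side with and without a per-session secret token (the synchronizer-token defense commonly used against CSRF) and shows why only the second one can reject the forged request.

```python
"""
Added example (not from the article, WhiteHat or OWASP): a minimal
simulation of a CSRF attack against a cookie-authenticated handler and of
the per-session token that lets the server tell a forged request from a
genuine one. All names, endpoints and amounts are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    balance: int
    # Secret per-session token, rendered into the site's own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    # The browser attaches the site's cookies to any request for that site,
    # whether the page that triggered it belongs to the site or to an
    # attacker. That is what makes the forged request "valid".
    cookies: dict
    form: dict
    origin_page: str  # which page issued the request (narration only)


SESSIONS = {}  # session id -> Session (constructed in-memory store)


def login(user, balance):
    sid = secrets.token_hex(8)
    SESSIONS[sid] = Session(user, balance)
    return sid


def transfer_vulnerable(req):
    """State change authorised by the session cookie alone.
    Nothing here distinguishes a genuine submission from a forged one."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    amount = int(req.form["amount"])
    sess.balance -= amount
    return 200, f"sent {amount} to {req.form['to']}"


def transfer_protected(req):
    """Same handler, but the form must carry the session's secret token.
    An attacker's page cannot read the victim's token (the browser's
    same-origin policy keeps the bank's page contents from other origins),
    so it cannot build a request that passes this check."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess.csrf_token):
        return 403, "missing or wrong CSRF token"
    amount = int(req.form["amount"])
    sess.balance -= amount
    return 200, f"sent {amount} to {req.form['to']}"


def demo():
    """Run one genuine and one forged request through both handlers."""
    sid = login("alice", 1000)
    token = SESSIONS[sid].csrf_token
    # Genuine request: the bank's own transfer page rendered the token.
    genuine = Request({"sid": sid},
                      {"to": "bob", "amount": "100", "csrf_token": token},
                      "bank.example/transfer")
    # Forged request: an auto-submitting form on attacker.example. The
    # browser still sends the sid cookie; the attacker cannot fill the token.
    forged = Request({"sid": sid},
                     {"to": "mallory", "amount": "500"},
                     "attacker.example/")
    results = {
        "vulnerable_genuine": transfer_vulnerable(genuine)[0],
        "vulnerable_forged": transfer_vulnerable(forged)[0],
        "balance_after_vulnerable": SESSIONS[sid].balance,
    }
    SESSIONS[sid].balance = 1000  # reset before the protected run
    results["protected_genuine"] = transfer_protected(genuine)[0]
    results["protected_forged"] = transfer_protected(forged)[0]
    results["balance_after_protected"] = SESSIONS[sid].balance
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable handler both requests succeed and the balance drops by 600, which is also why a scanner has little to key on: the forged request is well-formed and authenticated. The protected handler still accepts the genuine request but answers the forged one with 403, because the only thing the attacker's page cannot supply is the token.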

BACK TO MAIN STORY: "AJAX AND HIJACKS: Web 2.0 is growing up. And we're not ready."
