Word is that next year Toyota will sell more vehicles than General Motors (link). This really shouldn't come as too much of a surprise; Toyota has been turning a larger profit than GM for quite a while now. Still, it will be the first time in 80 years that GM hasn't been on top, and that might give you pause. The world is a little different than it once was.
It turns out that something very similar has happened with software vulnerabilities.
Since the dawn of the Internet, the buffer overflow has been king. The Morris worm (the first worm the internet saw, link) exploited a buffer overflow in sendmail's fingerd companion, the finger daemon, as one of its methods of propagation, and buffer overflows have dominated the vulnerability landscape ever since. Well, until 2005 anyway. Steve Christey, one of the maintainers of the CVE database (link), reports that in 2005 the most reported vulnerability class was cross-site scripting (link). Not only that, but buffer overflow wasn't even #2. The lineup in 2005, as a share of CVE entries, looked like this:
#1 Cross-Site Scripting (16.0%)
#2 SQL Injection (12.9%)
#3 Buffer Overflow (9.8%)
2006 is shaping up to be even worse for the venerable buffer overflow. Looks like it will fall out of the top three entirely:
#1 Cross-Site Scripting (21.5%)
#2 SQL Injection (14.0%)
#3 PHP includes (9.5%)
The world is a little different than it once was. I think there are three things going on:
1) There's good stuff on the web. More sites, more services, and more traffic every day. You could find plenty of cross-site scripting vulnerabilities in 1998 too, but there wasn't so much to gain by exploiting them.
2) Cross-site scripting and SQL injection vulnerabilities are easy to find and easy to exploit. Web sites don't have those pesky firewalls blocking access to the good stuff (the firewall has to let HTTP through to the application, so the attacker talks to it the same way every other user does), and most web sites are quite content to let you poke at them until you find the vulnerability you're looking for. Once you've found it, in many cases it's a heck of a lot easier to develop a working exploit for a cross-site scripting hole (a crafted URL or form field) than it is to write robust shellcode to exploit a buffer overflow.
3) Especially in the case of cross-site scripting, it's really hard to write bulletproof code. Languages such as Java and C# make buffer overflow a vanishing possibility and provide all the tools you need to avoid SQL injection, but they still make cross-site scripting hard to avoid.
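To make point 3 concrete, here is an added example that is not part of the original post. It uses Python and SQLite rather than Java or C#, because the point is the same in any memory-safe language: the database API hands you parameterized queries, so SQL injection is a one-line fix, while cross-site scripting depends on where in the HTML the untrusted string lands, so a single "escape it" call is not enough. All names, the users table and the sample inputs are constructed for this illustration.

```python
import html
import sqlite3

# Constructed sample data for the example; not from the original post.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "s3cret"), ("bob", "hunter2")])


# --- SQL injection: the language gives you the fix ---------------------

def login_concat(name: str, password: str) -> list:
    """Vulnerable: the query is built by string concatenation, so a
    password of   ' OR '1'='1   rewrites the WHERE clause."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in _conn.execute(sql))


def login_param(name: str, password: str) -> list:
    """Hardened: placeholders keep user input out of the SQL grammar.
    The same payload is simply compared as a literal password."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in _conn.execute(sql, (name, password)))


# --- Cross-site scripting: escaping is context dependent ---------------

def greet_unsafe(name: str) -> str:
    """Vulnerable: untrusted text is pasted straight into element content."""
    return "<p>Hello, " + name + "</p>"


def greet_escaped(name: str) -> str:
    """Fixed for element content: html.escape() neutralises < > & and quotes."""
    return "<p>Hello, " + html.escape(name) + "</p>"


def link_unquoted_attr(url: str) -> str:
    """Still vulnerable even though the value IS escaped: the attribute is
    unquoted, so a space in the input ends the href and starts a new
    attribute. html.escape() does not touch spaces or '='."""
    return "<a href=" + html.escape(url) + ">profile</a>"


def link_quoted_attr(url: str) -> str:
    """Fixed for the attribute context: quote the attribute and escape the
    quote character, so the whole input stays inside the href value."""
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


if __name__ == "__main__":
    payload_sql = "' OR '1'='1"
    payload_xss = "x onmouseover=alert(1)"
    print("concat  :", login_concat("x", payload_sql))   # every user
    print("param   :", login_param("x", payload_sql))    # nobody
    print("element :", greet_escaped("<script>alert(1)</script>"))
    print("unquoted:", link_unquoted_attr(payload_xss))  # injected handler
    print("quoted  :", link_quoted_attr(payload_xss))    # inert
```

The SQL half needs nothing beyond what the database driver already ships. The HTML half shows why XSS keeps its top spot: `greet_escaped` is correct, `link_unquoted_attr` calls exactly the same escaping function and is still exploitable, and a `javascript:` URL would get past `link_quoted_attr` too, because that is yet another context (URL scheme) with its own rules. Every template a developer writes is a chance to pick the wrong one.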
Correction: Rob Lemos pointed out that PHP includes are in 3rd place for 2006.
Comments (1)
What would it take to get a complimentary copy contributed to various open source projects?
Posted by James | November 20, 2006 1:06 PM