Infographic: Statistics About the Security Scans of 396 Open Source Web Applications

Every so often we publish advisories about vulnerabilities we identify in open source web applications while testing the Netsparker security scanning engine.

For example this year we have already published an advisory about a cross-site scripting vulnerability in MailPoet, a popular WordPress plugin that is installed on more than 300,000 websites, and an advisory about a HTTP header injection in LiteSpeed web server, which powers 2% of the websites on the internet. We got pretty excited about the LiteSpeed vulnerability, because it is a vulnerability in the web server software and not in a web application.

All Vulnerabilities Are Identified Automatically

Both of the above vulnerabilities, and all those documented in the advisories we published throughout the years were identified automatically with our scanning engine, that is used in both our web application security scanners Netsparker Desktop and Netsparker Enterprise.

Crunching the Numbers After Scanning 396 Open Source Web Applications

Since 2011 we scanned 396 open source web applications. The scanners identified 269 vulnerabilities and we published 114 advisories about the 0-day ones. 32 of the advisories include details about multiple vulnerabilities. According to the statistics above, around 30% of the open source web applications we scanned had some sort of direct impact vulnerability.

Even though these statistics are based on a small sample of web applications that are being used on the internet, it does give us an indication of how vulnerable to malicious hacker attacks many websites are. Actually, when you think about it, 30% is a very low number. The majority of reports that researchers and web security organizations published throughout the years state that a very high percentage of the web applications tested were vulnerable. Typically these high percentages vary between 60% and 80%.

Top 3 Most Popular Web Application Vulnerability Types

Out of the 269 vulnerabilities the Netsparker web vulnerability scanners identified:

180 were Cross-site Scripting vulnerabilities. These include reflected XSS, stored XSS, DOM Based XSS and XSS via RFI.

55 were SQL injection vulnerabilities. These also include the Boolean and Blind SQL Injections.

16 were File Inclusion vulnerabilities, including both remote file inclusions and local file inclusions.

 The rest of the vulnerability types are cross-site request forgery (CSRF), remote code execution, OS command injection, open redirection, HTTP header injection (web server software issue) and frame injection.

XSS and SQL Injection Lead the Way… Again!

Cross-site scripting vulnerabilities amount to 67% of all the identified vulnerabilities. SQL injection vulnerabilities amount to 20% of the vulnerabilities. Together, these two vulnerability types amount to 87% of all the identified vulnerabilities.

Cross-site scripting and SQL injection vulnerabilities have been included in the OWASP Top 10 since the project started, mainly because they are very easy to find and also very easy to exploit. And yet, even after years of raising awareness about these vulnerabilities, the majority of the web applications we use are vulnerable to these type of vulnerabilities.

Why Cross-site Scripting Vulnerabilities are by Far the Most Common Vulnerabilities in Web Applications?

When dealing with databases, with the help of parameterized queries it is very easy to make all the common CRUD (create, read, update and delete) operations safe against SQL injection attacks.

Though XSS is a different animal, and today’s complex web applications are not making the developers’ job any easier. Developers have to understand all the different contexts of the XSS attacks to write code that is not susceptible to XSS vulnerabilities. Unless they do understand it and write or use a library that can protect the application against XSS attacks in all output contexts (HTML, attribute, JavaScript, client-side template etc), we will keep on seeing the same trend; expect less SQL injection and more cross-site scripting vulnerabilities in web applications. And contrary to popular beliefs, cross-site scripting vulnerabilities can get as dangerous as SQL injection vulnerabilities.

Most Popular Languages Used to Built Scanned Web Applications

326 of the open source web applications we have scanned were built with PHP and 31 were built with ASP / ASP.NET. The remaining 39 applications were built with a variety of 10+ languages, including Java, Ruby on Rails and Python.

This in no way means that PHP is a more vulnerable language. We mostly scan open source web applications, and since the majority of them are written in PHP, this is expected. PHP has its own problems, like any other development language, but that’s a discussion for another blog post.

Building More Secure Web Applications

Back in 2013 we published an infographic and statistics about the vulnerabilities we identified back then, in which XSS and SQL injection vulnerabilities were the most popular. Three years down the line and things are roughly still the same.

Unfortunately many developers are intimidated by the fact that there is so much going on in web application security, hence they feel they can never really write secure code. Though most probably if they focus on addressing the basic, writing code that is not vulnerable to SQL Injection and cross-site scripting vulnerabilities, the statistics of 2018 will be a bit different. Let’s hope for the better.

Free Netsparker Enterprise Scans, No Strings Attached

We are happy to do our share to help open source developers write more secure code. We are offering free Netsparker Enterprise scans to all open source projects, no strings attached, no marketing bull.

If you are involved in an open source web application project, grab this opportunity and get in touch with us so we can get you started. After all, the more secure your web application is the better you can sleep at night!