09 Feb 11

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor.

Data from 118 web application tests showed that more than a quarter (27%) of threats identified as high risk were categorised as SQL injection, while 21% of medium risk issues were classified as XSS.

Other frequently occurring threats to information security included a lack of patching (16%), Denial of Service (DoS) vulnerabilities affecting Apache web servers (13%), cross-site request forgery (CSRF) (4%), no, or poor, encryption (4%) and issues around password management (4%).

Roy Hills, technical director and NTA Monitor founder, said: "SQL injection and cross-site scripting continue to remain persistent and serious security flaws in web applications.

"Both issues are relatively easy to avoid but poor web development practices, specifically around input validation, are causing SQL and XSS to remain prevalent."

Results also highlighted a marked jump in the average number of vulnerabilities found per web application - up from 14 in 2009 to 15.6 in 2010.

The total number of flaws identified per test has substantially increased too. In 2010, 70% of tests had more than 11 flaws compared with just 47% in 2009.

Analysis of the test results has shown a slight drop in the overall occurrence of high risk issues (those that allow an attacker to access the system and easily exploit a known vulnerability) in web application tests - down from 28% in 2009 to 25% in 2010 - but a significant rise in medium risk threats (those that allow an attacker to disrupt services and possibly gain access to the system) - up from 62% in 2009 to 79% in 2010.

On average, each web application test, which NTA Monitor carried out on a wide range of blue chip businesses and public sector organisations, contained 0.4 high risks, 3.5 medium risks, 8.7 low risks and 2.9 informational risks.

Evaluating the test results by industry sector, IT & Telecoms was found to be the least secure with above average high and medium risks (0.6 and 4.1 respectively), and slightly above average total number of vulnerabilities at 16.7 per test.

Central and local government organisations, however, have seen a marked improvement in information security from 2009. Although local government had above average high risk vulnerabilities at 0.6 per test, the average total number of vulnerabilities per test was just 12.2 compared with 19.3 in 2009. And risks classified as a medium threat were well below average too.

No high risks were identified in web applications being run by central government departments, but average total numbers of vulnerabilities per test were running at well above sector average at 19.9.

The sector seen to be the most secure according to test data was finance, which had below average high (0.1), medium (2.5) and total number of risks (13.7) per web application test.

Roy Hills added: "Although it appears from our test results organisations may be starting to tackle threats identified as high risk, the number of vulnerabilities discovered per application rose significantly last year, with medium risk issues seeing a substantial growth too.

"Analysing the data, it seems to be the same old problems as last year, which means that people are not getting on top of the underlying causes of these issues. With fines now being handed out to organisations for data loss, it's vital security managers ensure they have robust security measures in place for web applications, and that they follow them diligently if they are to avoid large-scale information security breaches and the subsequent financial fall-out."

For further information and tips and advice on tackling the top security flaws visit the security tips section. Or to request a full copy of the web application test results telephone 01634 721855 or email NTA Monitor.

Here is the list of the top ten security risks found by NTA Monitor during 2010.

Top five high

1. SQL injection (27%)

2. Patch management (16%)

3. XSS (6%)

4. CSRF (4%)

5. Password issues (4%)

Top five medium

1. XSS (21%)

2. DoS (Apache) (13%)

3. No account lockout mechanism (10%)

4. Static session ID is used before and after authentication (5%)

5. No encryption (4%)

(Risk description and information available from NTA Monitor)
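As an added illustration, not code from NTA Monitor or from the test report, the following Python shows the defect beside the fix for three of the listed findings: a SQL query built by string concatenation next to a parameterised one, an HTML fragment that inserts user text unchanged next to one that encodes it, and a session store that keeps the pre-authentication session ID across login next to one that issues a fresh ID at that point. The table, account names, probe string and function names are constructed for the example; it uses only the Python standard library with an in-memory SQLite database.

```python
"""Added example, not NTA Monitor's code: the vulnerable pattern beside the
fix for three findings in the list above (SQL injection, XSS, and a static
session ID used before and after authentication). Standard library only;
all data is constructed for the demonstration."""
import html
import secrets
import sqlite3
from typing import Dict, List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two user accounts in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Defect: user input is spliced into the SQL text, so it can change the
    WHERE clause instead of being compared as a value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Fix: a bound parameter is always handled as data by the driver,
    whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_vulnerable(name: str) -> str:
    """Defect: untrusted text is written into HTML unchanged (reflected XSS)."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Fix: encode for the HTML text context so markup characters are inert."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


class SessionStore:
    """Minimal server-side session table keyed by a random session ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        """Anonymous session handed out before the user authenticates."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_static(self, sid: str, user: str) -> str:
        """Defect (list item 4): the pre-authentication ID stays valid and is
        simply upgraded to an authenticated one."""
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerating(self, sid: str, user: str) -> str:
        """Fix: retire the old ID at the privilege boundary and issue a new one,
        so an ID learned before login carries no authenticated state afterwards."""
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        """Who the session belongs to, or None for unknown/anonymous IDs."""
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that changes the concatenated query
    print("concatenated:", find_user_vulnerable(db, probe))  # returns every row
    print("parameterised:", find_user_safe(db, probe))       # returns no rows
    print(greeting_safe("<script>alert(1)</script>"))
    store = SessionStore()
    before = store.new_session()
    after = store.login_regenerating(before, "alice")
    print("old ID still authenticated?", store.user_for(before) is not None)
    print("new ID authenticated?", store.user_for(after) is not None)
```

The three fixes are the ones the report's findings point at: the query structure is fixed by the developer and only values are bound; output is encoded for the context it lands in rather than relying on input validation alone; and the session identifier is rotated whenever the privilege level of the session changes.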

This article was first released on: 1st March 2011
