The "Aurora" IE Exploit in Action
By Pierre Lacave on Monday, January 18 2010, 07:07
The IE exploit used in last week's attack against Google and other American companies is now in Metasploit.
Here is a video of Aurora (the code name given by McAfee to this exploit).
By Pierre Lacave on Monday, October 26 2009, 13:34
The Web Application Security Consortium has announced the statistics for 2008.
The statistics include data about 12186 web applications with 97554 detected vulnerabilities of different risk levels. The analysis shows that more than 13%* of all reviewed sites can be compromised completely automatically. About 49% of web applications contain vulnerabilities of high risk level (Urgent and Critical) detected during automatic scanning. However, detailed manual and automated assessment by the white box method detects these high risk level vulnerabilities with a probability of up to 80-96%. The probability of detecting vulnerabilities with a risk level above medium (PCI DSS compliance level) is more than 86% by any method. At the same time, detailed analysis shows that 99% of web applications are not compliant with the PCI DSS standard.
The most widespread vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection, Insufficient Transport Layer Protection, Fingerprinting and HTTP Response Splitting. As a rule, Cross-Site Scripting, SQL Injection and HTTP Response Splitting vulnerabilities are caused by design errors, while Information Leakage, Insufficient Transport Layer Protection and Fingerprinting are often caused by insufficient administration (e.g., access control).
The probability to detect vulnerabilities of different risk levels
The most widespread vulnerabilities in web applications (% Vulns ALL)
The probability to detect the most widespread vulnerabilities in web applications (% Sites ALL)
Percent of vulnerabilities out of total number of vulnerabilities (% Vulns ALL)
The probability to detect vulnerabilities depending on their origin
The probability to detect the most risky vulnerabilities in Web applications (% Sites BlackBox & WhiteBox)
Source: projects.webappsec.org