Web Security Stats Show XSS & Outdated Software Are Major Problems


Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.

Web Security Stats Show XSS & Outdated Software Are Major Problems

Data-based stats like these, which are not based on surveys, can be pretty useful – at least to get a broad overview of what is going on. These statistics also serve a solid purpose – they help all developers, security professionals and anyone who works with web applications better understand what might be going wrong.

XSS is way more common than SQL Injection

SQL Injection has been the most critical web application vulnerability in the last decade according to the OWASP Top 10 list of most critical web application security flaws (yeah come-on guys, we are still waiting for the new version!). Though the Netsparker statistics show us that it is the other way round, at least in terms of volume.

26% of the identified vulnerabilities, 40,908 to be exact, were a mix of reflected and DOM Cross-site scripting (XSS) vulnerabilities. Only 2% of the identified vulnerabilities were SQL Injections.

That is a big discrepancy, though this is not a surprise according to the authors. They said:

Developers have a lot of resources to write code that is not vulnerable to SQL Injections, such as prepared statements. New frameworks by default protects against SQL Injection and makes it quite hard to write insecure SQL code. On the other hand XSS vulnerabilities are much more complex to address and even when the framework has built-in protection, it’s very easy to make mistakes

Outdated & vulnerable software is still a major web application security risk

Update your apps, your server, your software – Apple, Google, Microsoft are constantly harping on this topic but it doesn’t seem to help that much.

It’s one of the easiest best practices to follow, especially in modern times with automated updates and patch management software easily available.

Insecure software versions are a problem

It seems not to be the case that people are following it with 5% of the identified issues related to outdated software.

If Equifax and Mossack Fonseca had their software up to date, last year we wouldn’t have had two of the biggest data breaches on the internet.

Accuracy is key to more secure web applications

There are several other statistics from which we can learn something from, an interesting one for me was the fact that Netsparker automatically verified around 80% of the identified vulnerabilities.

False positives are a big problem in automated vulnerability and security scanning as someone has to manually spend hours verifying the results and weeding out the false positives. With Netsparker automatically doing this, a smaller team can do more effective work and a larger team can be more productive doing less manual verification.

Read The Netsparker Scan Web Security Stats Report

The report is much more detailed and has much more statistics, so please read the Netsparker scan statistics report for all the numbers and common security issues that make web applications vulnerable to malicious hacker attacks and can save you from some embarrassment.

Posted in: Countermeasures


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


Comments are closed.