Web Application Security Statistics

According to the Web Application Security Consortium, automatic scanning detected that up to 86% of sites have one or more vulnerabilities of medium (or higher) risk level (Urgent-High). Black box and white box analysis methods increase this figure to 92% and 98%, respectively.

More than 13%* of all reviewed sites can be compromised completely automatically.

About 49% of web applications contain high-risk vulnerabilities (Urgent and Critical) detected during automatic scanning (T. 1).

Detailed analysis shows that 99% of web applications are not compliant with the PCI DSS standard (T. 6, P. 13).

The most widespread vulnerabilities are Cross-site Scripting, various types of Information Leakage, SQL Injection, and HTTP Response Splitting.

Administration issues are a 20% more frequent cause of vulnerabilities than system development errors.

Detailed white box analysis detects up to 91 vulnerabilities per web application, whereas automatic scanning detects only 3.

Compared to 2007, the number of sites with the widespread SQL Injection and Cross-site Scripting vulnerabilities fell by 13% and 20%, respectively.

The number of sites with various types of Information Leakage rose by 24% compared to 2007.

The probability of compromising a host automatically rose from 7% to 13%.