Web applications are the Achilles heel of most corporate networks. In a given penetration test, it is almost always the proprietary web applications that show the most critical vulnerabilities. We were interested in which types of web application flaws we actually find and exploit most often and with the highest impact – the “top worst security flaws” found in typical web applications.

Our analysis shows that some of the most published flaws, such as cross site scripting and remote file inclusion, are not necessarily the most relevant ones in practice.

Our data source is a random sample of 50 web applications tested during the last two years. This includes penetration tests and source code reviews of all different kinds of web technologies. To determine the “winning” vulnerabilities, we plotted a chart that factors in both the frequency and the average security risk of the vulnerabilities occurring in the sample. The Y-axis shows the average risk (composed of exploit likelihood and impact) caused by the flaw. The X-axis reflects how often the vulnerability occurred in the sample.

Occurrence rate: Percentage of web applications tested where at least one vulnerability of this type was found
Risk: Average risk score (calculated as exploit likelihood x impact) of all vulnerabilities of this type within the sample
The category “others” includes some of the more exotic flaws that occurred only once in the sample, such as forgotten backdoors, SWF file inclusion and LDAP injection.
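To make the two chart axes concrete, here is an added example (not code from the original post) that computes the occurrence rate and average risk per flaw type from a set of findings, and then picks the “most common” and “most critical” awards the way the post does. The findings, the four-application sample size and the 1–5 likelihood/impact scale are all constructed assumptions; the post does not give its raw data or its scale.

```python
from collections import defaultdict

# Constructed sample findings: (application id, flaw type, exploit likelihood, impact).
# Likelihood and impact use an assumed 1-5 scale; risk = likelihood x impact as in the post.
FINDINGS = [
    ("app01", "SQL injection", 4, 4),
    ("app01", "Information disclosure", 3, 1),
    ("app02", "SQL injection", 3, 4),
    ("app02", "Information disclosure", 2, 1),
    ("app02", "Cross-site scripting", 4, 1),
    ("app03", "Information disclosure", 2, 2),
    ("app03", "Cross-site scripting", 3, 2),
    ("app03", "Command injection", 3, 5),
    ("app04", "Information disclosure", 3, 1),
    ("app04", "Cross-site scripting", 4, 1),
]
TOTAL_APPS = 4  # constructed sample size (the post used 50 applications)


def chart_points(findings, total_apps):
    """Return {flaw type: (occurrence rate in percent, average risk)}.

    Occurrence rate counts each application at most once per flaw type, so
    an app with three SQL injection findings still contributes one "hit".
    Average risk is taken over every individual finding of that type.
    """
    apps_by_type = defaultdict(set)
    risks_by_type = defaultdict(list)
    for app, flaw, likelihood, impact in findings:
        apps_by_type[flaw].add(app)
        risks_by_type[flaw].append(likelihood * impact)
    points = {}
    for flaw, apps in apps_by_type.items():
        rate = 100.0 * len(apps) / total_apps
        avg_risk = sum(risks_by_type[flaw]) / len(risks_by_type[flaw])
        points[flaw] = (rate, avg_risk)
    return points


def ranked(points):
    """Order flaw types by rate x average risk (upper-right of the chart first)."""
    return sorted(points, key=lambda f: points[f][0] * points[f][1], reverse=True)


def awards(points):
    """Return (most common flaw type, most critical flaw type)."""
    most_common = max(points, key=lambda f: points[f][0])
    most_critical = max(points, key=lambda f: points[f][1])
    return most_common, most_critical


if __name__ == "__main__":
    pts = chart_points(FINDINGS, TOTAL_APPS)
    for flaw in ranked(pts):
        print(f"{flaw:24s} rate={pts[flaw][0]:5.1f}%  avg_risk={pts[flaw][1]:.2f}")
    print("most common / most critical:", awards(pts))
```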


1. SQL Injection

This is still found in a lot of web applications. Possible exploit scenarios include theft of sensitive information or compromise of the web application. SQL injection is the clear winner of the web application flaw contest.

2. Weak passwords

Inadequate password policies are a very common issue. They usually lead to compromise of legitimate user accounts or administrative accounts, sometimes allowing an attacker to compromise the web application itself.

3. Authorisation problems

A common issue, especially in the more complex “Enterprise” applications. Usually slightly more difficult to exploit than weak passwords, with similar impact.

4. Award for most critical flaw: Command or code injection

Command / code injection is the most critical vulnerability. It almost always allows an attacker to compromise the server. Unchecked file uploads are a close second.

5. Award for most common flaw: Information Disclosure

Almost all web applications have some information disclosure issues. Cross site scripting is also very common, with around 70% of web applications having one or several cross site scripting flaws.

The chart allows for a few other observations. Firstly, cross-site scripting issues, while easy to find and very common, are usually not very serious. The reason is that XSS attack scenarios are often very contrived and require a lot of user interaction. The exception is stored XSS, which sometimes allows for quite effective attacks. Personally I think that cross site scripting is overhyped. The same goes for CSRF – an attack vector that works practically everywhere, but is nearly impossible to exploit in any realistic way (for this reason I didn’t include “failure to protect against CSRF” in the analysis – if you want, you can imagine it as another data point in the lower right corner).

It is also interesting to note that typical PHP application security issues, such as local and remote file inclusion, don’t occur all that frequently. This has several reasons. For one, companies don’t use PHP that much to build more complex applications. They also don’t use “PHP picture gallery 0.1” or similar products that are the source of 90% of web application security advisories. Secondly, it has become very common to activate PHP security features that thwart at least some attacks. And maybe there is also growing awareness of PHP security threats.

We can also see that password-policy-related issues and logic problems (e.g. authorisation) are just as prevalent and critical as injection-type flaws. This is not really news to security experts, but companies have to account for these kinds of flaws to achieve comprehensive security for their web applications.