Purpose
The Web Application Security Consortium (WASC) is pleased to announce the launch of the WASC Web Application Security Statistics Project. This initiative is an open and collaborative effort among industry leaders to pool sanitized data from professional services engagements in order to better understand the web application vulnerability landscape. Current data, such as statistics derived from the Mitre CVE project, provide good insight into the types of vulnerabilities being discovered in open source and commercial applications of all flavors. We do not, however, have adequate insight into the types of vulnerabilities being found exclusively in deployed web applications, and this is especially true for custom web applications. The WASC Web Application Security Statistics Project seeks to change this.
This initial round of statistics was compiled from data provided by four vendors - Whitehat Security, SPI Dynamics, Positive Technologies and Cenzic. We would like to thank all of the initial contributors for their participation. Our goal is to have the project grow over time with data from an increasing number of sources as this will improve the overall quality of the data. Statistical biases will be lessened as more entities contribute to the initiative so we would encourage those vendors engaged in web application scanning work to contact us if they are interested in participating in the project.
Methodology
Statistics have been compiled from past web application security engagements using automated scanning technologies. Various scanning tools have been used including WhiteHat Sentinel, SPI Dynamics WebInspect, Positive Technologies MaxPatrol and Cenzic Hailstorm. Identified vulnerabilities for all scanning technologies have been aggregated using the Web Security Threat Classification as a baseline.
The scans include a combination of raw scan results and results that have been manually validated to remove false positives. The statistics do not include the results of any purely manual security audits (aka human assessments). With reference to the 'Vulnerability Stack' shown below, the focus of the automated scanning engagements from which the data is derived is primarily to uncover vulnerabilities in the 'Custom Web Applications' layer. However, the scanning tools used for these engagements will also identify vulnerabilities at the 'Third-Party Web Applications' and 'Web Server' layers. Therefore, these statistics reflect vulnerabilities in the top three layers of the Vulnerability Stack.
Vulnerability Stack
2006 Statistics (January 1 - December 31)
Total Sites Tested - 31,373
| Threat Classification | No. of Vulns | Vuln. % | No. of Sites | % of Vuln. Sites |
| --- | --- | --- | --- | --- |
| Brute Force | 66 | 0.04% | 66 | 0.21% |
| Content Spoofing | 663 | 0.45% | 218 | 0.69% |
| Cross Site Scripting | 100,059 | 67.59% | 26,531 | 84.57% |
| Directory Indexing | 292 | 0.20% | 168 | 0.54% |
| HTTP Response Splitting | 4,487 | 3.03% | 3,062 | 9.76% |
| Information Leakage | 20,518 | 13.86% | 4,924 | 15.70% |
| Insufficient Authentication | 84 | 0.06% | 1 | 0.00% |
| Insufficient Authorization | 23 | 0.02% | 4 | 0.01% |
| Insufficient Session Expiration | 46 | 0.03% | 1 | 0.00% |
| OS Commanding | 143 | 0.10% | 44 | 0.14% |
| Path Traversal | 426 | 0.29% | 374 | 1.19% |
| Predictable Resource Location | 651 | 0.44% | 173 | 0.55% |
| SQL Injection | 19,607 | 13.25% | 8,277 | 26.38% |
| SSI Injection | 950 | 0.64% | 298 | 0.95% |
| XPath Injection | 14 | 0.01% | 6 | 0.02% |
| Total | 148,029 | 100.00% | 44,147 | |
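To make the table's columns reproducible, here is an added Python example (not part of the WASC project's own tooling) that aggregates constructed scan findings the way the methodology describes: findings rejected by manual validation are dropped, "Vuln. %" is each class's share of all remaining findings, "No. of Sites" is the number of distinct sites with at least one finding of that class, and "% of Vuln. Sites" uses the total number of sites tested as its denominator. The finding format, the `false_positive` flag and the sample data are assumptions made for the illustration.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed figure for the example; the 2006 round tested 31,373 sites.
TOTAL_SITES_TESTED = 10


class Finding(NamedTuple):
    site: str
    threat_class: str    # WASC Threat Classification name
    false_positive: bool  # True when manual validation rejected the finding


# Constructed sample findings, not real engagement results.
FINDINGS = [
    Finding("site-01", "Cross Site Scripting", False),
    Finding("site-01", "Cross Site Scripting", False),
    Finding("site-01", "SQL Injection", False),
    Finding("site-02", "Cross Site Scripting", False),
    Finding("site-02", "Information Leakage", True),
    Finding("site-03", "SQL Injection", False),
    Finding("site-03", "Information Leakage", False),
]


def aggregate(findings, total_sites_tested):
    """Return ({class: (n_vulns, vuln_pct, n_sites, vuln_sites_pct)}, totals)."""
    valid = [f for f in findings if not f.false_positive]
    vulns = defaultdict(int)       # finding count per class
    sites = defaultdict(set)       # distinct sites per class
    for f in valid:
        vulns[f.threat_class] += 1
        sites[f.threat_class].add(f.site)
    total_vulns = sum(vulns.values())
    rows = {}
    for cls in sorted(vulns):
        n_sites = len(sites[cls])
        rows[cls] = (vulns[cls],
                     round(100 * vulns[cls] / total_vulns, 2),
                     n_sites,
                     round(100 * n_sites / total_sites_tested, 2))
    # A site with several classes is counted once per class, so the site
    # column can exceed the number of sites tested (44,147 > 31,373 in 2006).
    totals = (total_vulns, 100.0, sum(len(s) for s in sites.values()))
    return rows, totals


def render_table(rows, totals):
    """Format the aggregate as rows in the same layout as the table above."""
    lines = ["| Threat Classification | No. of Vulns | Vuln. % | No. of Sites | % of Vuln. Sites |"]
    for cls, (nv, vp, ns, sp) in rows.items():
        lines.append(f"| {cls} | {nv:,} | {vp:.2f}% | {ns:,} | {sp:.2f}% |")
    lines.append(f"| Total | {totals[0]:,} | {totals[1]:.2f}% | {totals[2]:,} | |")
    return lines
```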
Graphs
Contributors
WASC would like to thank the following organizations for making this initiative possible. Each organization contributed sanitized data from automated web application scanning, which was then combined to produce the aggregated statistics.
Participation
If you represent an organization which conducts automated web application security scans and would like to participate in the WASC Statistics Project, please contact Sergey Gordeychik.
Statistics will be collected twice annually, one week after June 30 and December 31.