December 3, 2015

Millions of sites at risk from XSS vulnerabilities

News: Old scripting languages make popular CMSs a target.

By Charlotte Henry

Vast numbers of applications written in web scripting languages do not meet an industry standard benchmark, with millions of websites potentially vulnerable as a result.

In a new report from Veracode, the firm says that four out of five applications written in PHP, Classic ASP and ColdFusion failed to meet the OWASP Top 10 standard.

The firm found that 86% of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability, while 56% have at least one SQL injection (SQLi).

Of particular concern is that the top 3 CMSs, WordPress, Joomla and Drupal, have large numbers of PHP applications developed for them. Those platforms combined make up 70% of all the CMSs in use, potentially leaving millions of websites vulnerable.

The recent mega breach of Paysafe was thought to involve exploiting a Joomla vulnerability.

Furthermore, applications written in Classic ASP and ColdFusion are nearly twice as likely to contain an XSS or SQLi flaw as those written in .NET and Java.

"When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them," said Chris Wysopal, Veracode CISO and CTO.
