86% of PHP-based apps contain at least one XSS vulnerability

HITBSecConf2019 - The 10the annual HITB Security Conference in The Netherlands - Trainings, Conference track and Haxpo exhibition. Register now.

Four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode failed at least one of the OWASP Top 10. Given the volume of PHP applications developed for the top three content management systems – WordPress, Drupal and Joomla, which represent more than 70 percent of all CMSs in use today – these findings raise concern over potential security vulnerabilities in millions of websites.


Analytics show that 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) when initially assessed by Veracode. These vulnerability trends are also seen across the wider family of web scripting languages, where applications written in Classic ASP and ColdFusion are nearly twice as likely to contain these flaws compared to more modern languages such as .NET and Java.

As enterprises shift to continuous delivery and other DevOps innovations, the pressure is mounting to produce more secure software faster. Yet, according to SANS, less than 26 percent of organisations have mandated, ongoing secure coding education programs.

Design of the language matters for security. Some languages are designed from the ground up to avoid certain vulnerability classes. For example, by removing the need for developers to directly allocate memory, Java and .NET eliminate almost entirely vulnerabilities dealing with memory allocation (such as buffer overflows). Similarly, the default behaviours of some ASP.NET controls avoid common issues related to XSS.

Operating environment of the language matters for security. Some vulnerabilities are only relevant in certain execution environments. For instance, some categories of information leakage are most acute in the mobile environment, which combines large volumes of personal data with a plethora of always-on networking capabilities.

Mobile development project teams need to focus on encryption. Eighty-seven percent of Android apps and 80 percent of iOS apps contained cryptographic issues. This suggests that while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly. Given the rapid adoption of mobile applications in the healthcare industry, this is particularly concerning.

“When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them,” said Chris Wysopal, Veracode CISO and CTO.

Analytics also show a 28 percent higher fix rate for vulnerabilities found by ‘white box’ or static analysis (SAST) compared to those found by ‘black box’ or dynamic analysis (DAST). While no single assessment technology is sufficient to secure an application, understanding the each assessment technology’s strengths and weaknesses is important when it comes to fixing – not just finding – software vulnerabilities.

Veracode has now assessed more than a trillion lines of code for critical vulnerabilities that can lead to large-scale breaches. Their latest report captures data collected over the past 18 months from more than 200,000 automated assessments performed for customers across a range of industries and geographies.