Thursday, September 19, 2024

Web App Vulnerabilities Over Buffer Overflows

This should be an eye-opener for many. In September MITRE reported that web application vulnerabilities are claiming the top three spots on its CVE request list, beating out buffer overflows.

1. Cross Site Scripting (21.5%)

2. SQL Injection (14%)

3. PHP includes (9.5%)

4. Buffer overflows (7.9%)

Mike Sutton wanted to know just how prevalent SQL Injection vulnerabilities are, so he ran a little test and found that 11.3% of the 1000 web sites he checked were vulnerable!

I also heard this from Mike Andrews in his How to Break Web Software talk. He says that the number of buffer overflow vulnerabilities has been going down over the years as more people become aware of them and as more automated tools for finding them become available. The number of web application vulnerabilities, on the other hand, has been skyrocketing.

Buffer overflows were first talked about in the 1970s by the NSA, and they are still somewhat of a problem. Do you think we will still be talking about Cross Site Scripting and SQL Injection in 30 years?


Related Entries

How to Break Web Software – April 21, 2006

Top 20 Internet Security Vulnerabilities of 2005 – November 23, 2005

MySpace Hacked with CSRF and XSS – October 13, 2005

Detecting SQL Injection with ScriptProtect – May 18, 2005

ScriptProtect in ColdFusion MX 7 not a catch all – May 17, 2005

*Originally published at Pete Freitag’s Homepage.

Pete Freitag ( is a software engineer and web developer located in central New York. Pete specializes in the HTTP protocol, web services, XML, Java, and ColdFusion. In 2003 Pete published the ColdFusion MX Developer's Cookbook with SAMS Publishing.

Pete owns a firm called Foundeo ( that specializes in web consulting and products for web developers.
