Positive Technologies: 82 Percent of Web Application Vulnerabilities are in the Source Code

Positive Technologies has released its report Web Application Vulnerabilities and Threats: Statistics for 2019 1, which found that 9 times out of 10, hackers can attack site visitors. Experts also found that 16 percent of applications contain vulnerabilities that allow attackers to take full control of the system, and on 8 percent of systems, full control of the web application server allowed attacking the local network. With full access to the web server, hackers can also place their own content on the attacked site (deface it) or even attack site visitors - for example, by infecting their computers with malware.

Web applications of financial institutions had the best security in 2019, with no systems in this industry receiving a “poor” or “extremely poor” security rating. Web applications of state institutions are the least secure. All of them contained high-risk vulnerabilities, and their security was rated as “poor” or “below average”  2.

High-Risk Vulnerabilities Fall but Source Code Security Needs to Improve

The percentage of web applications containing high-risk vulnerabilities in 2019 fell significantly, by 17 percentage points compared to the prior year. The average number of severe vulnerabilities per web application also fell, by almost 1.5 times. Nevertheless, the overall web application security level remains poor.

Positive Technologies experts reported that half of web sites in production had high-risk vulnerabilities. Moreover, 82 percent of vulnerabilities were located in application code. The high percentage of errors in the source code suggests that source code is not being checked for vulnerabilities during development, signaling that developers give short thrift to security, instead focusing on app functionality.

Authentication Attacks

Broken authentication was found in 45 percent of web applications. Many vulnerabilities in this category are classified as critical.

"Password-only authentication is a contributing factor in most authentication attacks," says Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies. "Lack of two factor authentication makes attacks very easy. Users tend to use weak passwords, which makes matters even worse. Bypassing access restrictions usually leads to unauthorized disclosure, modification, or destruction of data."

Attacks Against Users

According to the experts, 90 percent of web applications are vulnerable to attacks on clients. Cross-Site Scripting (XSS) remains a significant vulnerability, as in previous years. Attacks against users include infection of computers with malware (percentage of this type of attacks on individuals went up to 62% in the third quarter of 2019, versus 50% in the second quarter), phishing attacks aimed at obtaining credentials or other important data, and posing as a legitimate user via clickjacking to drive up likes and views.

Get a full copy of the report, Web Application Vulnerabilities and Threats: Statistics for 2019 here: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/


  1. The experts analyzed 38 fully functional web applications of financial organizations (26% of the total number of analyzed apps), state institutions (8%), IT companies (29%), telecom (21%), and industry (16%).
  2. Web application security level is measured by Positive Technologies experts in the course of testing and assessment. The level they assign depends on the potential impact on the particular system in question, in the context of the type of information processed on that system.