Automated source code analysis of 33 web applications has found that 94 per cent of them have at least one high-severity vulnerability, according to security biz Positive Technologies.

"Web applications practically have a target painted on their back," said Leigh-Anne Galloway, cyber security resilience lead at the company in a statement today. "A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network."

These results from a survey of web apps in 2017 represent a worse showing than 2016, when a mere 58 per cent of applications tested had at least one high-severity flaw.

Of the 33 apps tests – Positive Technologies declined to name them – about half (46 per cent) were finance and banking web apps and every one of these had at least one high-severity flaw.

About 18 per cent of the web apps serve government sites. Every single one of these had a vulnerability that could be used to attack users. The remaining apps came from e-commerce (12 per cent), media (6 per cent), and IT (6 per cent) and other industries (12 per cent).

High-severity flaws include: arbitrary file reading (52 per cent), arbitrary file modification (48 per cent), SQL injection, XXE injection, and arbitrary file creation (each occurring in 42 per cent of the sample).

The most common problem identified was vulnerability to cross-site scripting (82 per cent), though this is not considered high-risk.

After that comes HTTP Response Splitting (58 per cent), a vulnerability by which a web app can be made to send a double HTTP response to a browser, with the header and field contents subject to partial control by the attacker. This is also not considered serious.

You can find out more about these vulnerability types, and how to mitigate them, on OWASP.org.

Galloway argues that the prevalence of web app bugs demonstrates the need for application source code scans. That may be but the flaws found also argue for greater developer diligence.

For example, the firm's analysis of a banking app found that the modules in the \filebrowser directory included a demo version of the application which could execute file management functions in the \root directory. The privilege problems also allowed copying and renaming of files, which could allow an attacker to fill of up available storage to cause a denial of service attack. ®