A scan of 396 Web applications has yielded 269 security vulnerabilities, of which the most popular were cross-site scripting (XSS) and SQL injection (SQLi) flaws.

The study was conducted by Web application security firm Netsparker, who used their automated security scanning tools, available for desktop and cloud environments.

Of the total 269 vulnerabilities discovered, there were multiple zero-day bugs, for which the Netsparker's team had to publish 114 public advisories. 32 of these reports also contained more than one security flaw.

XSS and SQLi accounted for 87% of all vulnerabilities discovered

Broken down per category, the researchers found 180 XSS vulnerabilities such as reflected XSS, stored XSS, DOM-based XSS and XSS via RFI (Remote File Inclusion). XSS flaws accounted for 67% of all security flaws discovered in the scan.

Second on the list were SQL injections that made up 20% of the grand total. This means 55 SQLi vulnerabilities, such as boolean and time-based (blind) SQL injections.

Third on the list were Remote and Local File Inclusion vulnerabilities, of which Netsparker discovered 16. Other vulnerabilities identified in the scan, but in lower numbers, include flaws such as Cross-Site Request Forgery (CSRF), Remote Command Execution (RCE), Command Injection, Open Redirection, HTTP Header Injection and Frame Injection.

A diversified software development landscape doesn't help Web security

Breaking down the open source apps per programming language, most of them were coded in PHP (326) and ASP/ASP.NET (31). Other 39 apps were built using a combination of more than 10 different technologies.

This diversification of the software development landscape may also play a role in the high number of security flaws since developers must be fluent and apt to safely code applications in multiple languages and technologies.

When it came to the databases used to store data, researchers found that MySQL was the most popular, being used in 337 apps, followed by MSSQL (29), and SQLite (5). Surprisingly, NoSQL databases were not that popular.

Things didn't evolve that much compared to two years ago

This research is a continuation of a previous study carried out in 2014. Back then, the same Netsparker researchers scanned 235 Web applications and discovered 127 vulnerable apps and 181 vulnerabilities.

Just like now, XSS led the pack with 117 vulnerabilities, followed by SQLi with 39. Below is an infographic for this year's results courtesy of Netsparker.