WASC Web Application Security Statistics Project

On Tuesday this week, the Web Application Security Consortium (WASC) released a new project, which they call the “Web Application Security Statistics Project”. The goal of this project is to better understand the web application vulnerability landscape, which I think is a very good goal, because even after years most “normal” people and even security specialists haven’t accepted web applications as a potentially dangerous area. From my point of view this is because they can’t see what’s going on there and where they should focus to start. For this problem, this project is exactly what we need, and people who are already in this field of security can now show much more easily why a company should care about webappsec.

The data in the project are based on automated vulnerability scans in combination with manual verification, to avoid false positives. The tools used were:

All four of these web application vulnerability scanners use the Web Security Threat Classification as a baseline, and from my point of view the WASC TC is one of, or perhaps the, most important project(s) out there on the topic of web application security.

To also say some negative words: even if I think it’s a very good idea to have such a project, I’m not sure how useful the data coming out of it are. Just as an example: the current statistics tell us that 15.70% of all web applications have some Information Leakage, but what exactly is this? When we have a look at the first sentence in the description by the WASC we can read “Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.” For me this also means, for example, that if the web server gives me its banner, then we have an information leakage, and this behaviour we can find in nearly 100% of all tests (in my experience). Now you can say that the statistics only talk about vulnerabilities in the application itself and not the ones in the web server, but if that’s true, then we have to, for example, kick out Directory Indexing, HTTP Response Splitting and also OS Commanding, which makes no sense at all.

I think that the statistics have to become more specific on each threat class, because the point “Cross Site Scripting” (84.57% of all web applications are vulnerable to this kind of attack if we believe the project’s data) is also not very meaningful: it’s a huge difference whether an application is, for example, vulnerable to temporary XSS or whether you can inject your script code permanently. Or think about SQL Injection (26.38% of all web applications are vulnerable to this according to the statistics): there it’s very important to know if we can “just” get some data out of the database, or if we can also read local files, or even worse, delete the whole database (of course I know that most of the time getting the data out of the database has a bigger impact than deleting all the data ;) ).

So my conclusion on this project is that it’s not perfect, but it points in the right direction, and many people out there, including me, have been waiting for such a project for a long time. Keep up the good work guys :)