Four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode failed at least one of the OWASP Top 10. Given the volume of PHP applications developed for the top three content management systems – WordPress, Drupal and Joomla, which represent more than 70 percent of all CMSs in use today – these findings raise concern over potential security vulnerabilities in millions of websites. Analytics show that 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) vulnerability when initially assessed by Veracode. These vulnerability trends are also seen across the wider family of web scripting languages, where applications written in Classic ASP and ColdFusion are nearly twice as likely to contain these flaws as those written in more modern languages such as .NET and Java.
ORIGINAL SOURCE: Help Net Security