One in four business web apps has a 'high-risk' flaw

One in four business web applications has at least one high-risk security issue, according to a report.

Analysing the web applications on behalf of its public and private sector clients around the world, NTA Monitor found that 27 per cent of all those tested had a high-risk issue, compared with 17 per cent the previous year.

NTA looked at a wide range of industry sectors, and saw that the biggest change came with its charity and not-for-profit clients, where the average number of vulnerabilities for each web app more than tripled since last year to 15 per cent.

The sector with the highest number of high-risk vulnerabilities - those that could allow an attacker to gain network access - was services, which had an average of two high-risk flaws per test.

The most secure industry sectors were utilities and legal, as they were the only ones to have no high-level risks.

NTA found that the most common attacks against web application flaws were SQL injection, cross-site scripting and cross-site request forgery.

SQL injection was the only one of these that was in the top three high-risk attacks from last year's report.

Roy Hills, technical director at NTA Monitor, said that user-supplied data needed to be cleaned before it was returned to the browser or stored in the database.

"This reduces the threat of SQL injection, which is a consistently prevalent high risk throughout 2008 and 2009," he said in a statement.

"SQL injection enables attackers to modify the database queries initiated from an application so users can delete, create or update database records."
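The contrast Hills describes, as an added example that is not from the report or from NTA Monitor: a lookup that splices user input into the SQL text beside one that binds it as a parameter, run against a constructed in-memory SQLite table so the effect on the query can be seen directly.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the report): a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the input becomes part of the SQL text, so a quote
    # character in it changes the query the database runs, which is exactly
    # the "modify the database queries" behaviour the article quotes.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened form: a parameterised query. The SQL text is fixed and the
    # value travels separately, so quotes in the input are compared as data
    # rather than parsed as part of the statement.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed test input that turns the WHERE clause into an always-true
    # predicate when spliced into the SQL text.
    crafted = "' OR '1'='1"
    print(lookup_vulnerable(db, "alice"))   # one row, as intended
    print(lookup_vulnerable(db, crafted))   # every row: the predicate was rewritten
    print(lookup_safe(db, crafted))         # no rows: matched literally
```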