1. https://appdevelopermagazine.com/html5
  2. https://appdevelopermagazine.com/86-percent-of-php-based-applications-contain-at-least-one-crosssite-scripting-vulnerability/
12/8/2015 8:07:10 AM
86 Percent of PHP Based Applications Contain at Least One CrossSite Scripting Vulnerability
/PHP-Cross-Site-Scripting-App-Developer-Magazine_85xc5y8g.jpg
App Developer Magazine

HTML5

86 Percent of PHP Based Applications Contain at Least One CrossSite Scripting Vulnerability


Tuesday, December 8, 2015

Stuart Parkerson Stuart Parkerson


Veracode is reporting that its analytics show 86 percent of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability and 56 percent have at least one SQL injection (SQLi) when initially assessed by Veracode. The analysis is part of a supplement to Veracode’s “2015 State of Software Security: Focus on Application Development”, which is a report based on benchmarking analytics from its cloud-based platform. 

The report also indicates that four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode failed at least one of the OWASP Top 10 (an industry-standard security benchmark).

Veracode reports that these application vulnerability trends have also been seen across a wider family of web scripting languages, as applications written in Classic ASP and ColdFusion have are twice as likely to contain these flaws compared to more modern languages such as .NET and Java.

The 2015 report captures data collected over the past 18 months from more than 200,000 automated assessments performed for Veracode’s customers across a range of industries and geographies. Other findings provided in the report include 

- Design of the language matters for security: Some languages are designed to avoid certain vulnerability classes. For example, by removing the need for developers to directly allocate memory, Java and .NET eliminate almost entirely those vulnerabilities dealing with memory allocation (such as buffer overflows). Another example is the default behaviors of some ASP.NET controls, which avoid common issues related to Cross-Site Scripting.

- Operating environment of the language matters for security: Some vulnerabilities are only relevant in certain execution environments. For example, some categories of information leakage are more severe for mobile, which combines large volumes of personal data with a number of always-on networking capabilities.

- Mobile development project teams need to focus on encryption: Eighty-seven percent of Android apps and 80 percent of iOS apps contained cryptographic issues according to the report. Veracode suggests this indicates that, while mobile app developers may be aware of the need for cryptography to protect sensitive data and thus use it in their applications, few of them know how to implement it correctly. 
86 Percent of PHP Based Applications Contain at Least One CrossSite Scripting Vulnerability




Read more: https://info.veracode.com/state-of-software-securi...




Subscribe to App Developer Magazine

Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.

MEMBERS GET ACCESS TO

  • - Exclusive content from leaders in the industry
  • - Q&A articles from industry leaders
  • - Tips and tricks from the most successful developers weekly
  • - Monthly issues, including all 90+ back-issues since 2012
  • - Event discounts and early-bird signups
  • - Gain insight from top achievers in the app store
  • - Learn what tools to use, what SDK's to use, and more

    Subscribe here



Stay Updated

Sign up for our newsletter for the headlines delivered to you

SuccessFull SignUp

Featured Stories


AI Executive Order aims to balance security and innovation
AI Executive Order aims to balance security and innovation Monday, June 29, 2026


Top manufacturing trends for 2026
Top manufacturing trends for 2026 Tuesday, June 23, 2026




API scoring tool shows if your API is ready for AI
API scoring tool shows if your API is ready for AI Monday, June 22, 2026


Agentic AI Reality Check: The Million-Dollar Mistake Hiding Inside ERP
Agentic AI Reality Check: The Million-Dollar Mistake Hiding Inside ERP Friday, June 19, 2026


Influencer Debate AI Anthropic IPO Reveals Industry Concerns
Influencer Debate AI Anthropic IPO Reveals Industry Concerns Wednesday, June 17, 2026


Subscription apps are losing users faster than ever
Subscription apps are losing users faster than ever Tuesday, June 16, 2026


DomainTools announces real time threat feeds
DomainTools announces real time threat feeds Monday, June 15, 2026


Take It Down Act results in warning letters from FTC
Take It Down Act results in warning letters from FTC Friday, June 12, 2026


Nvidia valuation fears grow
Nvidia valuation fears grow Friday, June 12, 2026


Anthropic launches Claude Design
Anthropic launches Claude Design Wednesday, June 10, 2026


Get More App News