Seven out of every ten websites contain a security vulnerability that allows attackers to steal confidential information or cripple the website, according to a study by security vendor
Acunetix.
"The results show clearly that the problem of unsafe web applications is being ignored completely," said Kevin Vella, a vice president with Acunetix.
The firm over the past year scanned 3,200 websites belonging to businesses or non-commercial organisations that had volunteered for a security scan. It detected a total of 210,000 vulnerabilities, making for an average 66 security holes per online application.
Half of all the detected vulnerabilities were so-called SQL injection flaws. Another 42 per cent was made up of Cross Site Scripting vulnerabilities.
Attackers in a SQL injection attack use web forms to send instructions in the SQL database access language. They could use these commands to obtain an overview of past orders including credit card information, or they could get an overview of the login names and passwords for all users, including any administrators.
In an XSS attack, hackers submit JavaScript or other code to a website such as Gmail, MySpace or Digg. The code is then executed on the computer of each individual who visits the site. This could potentially compromise login and password information that is stored in cookies or lead to other unwanted disclosures of confidential information.
Security of online applications is a hot top in the security industry. The rise of hosted software is causing new services to get exposed to web where online criminals can attack them.
Acunetix' findings back up claims by other vendors of code scanning tools.
Spi Dynamics last week claimed that it has a 99 per cent success rate in breaching the security of its clients' online applications.