New research shows that scripting languages cause web vulnerabilities
To this news, I was like... WHHHHHHHAAAAAAAAAAttt?? But it is true. New research shows that scripting languages, in general, spawn security vulnerabilities in web applications. This has got many people on the web with their panties in a twist, since millions of websites are potentially sitting on security bugs that we weren't aware of before.
Veracode, an application security firm, has recently released its State Of Security: Focus On Application Development report (the PDF is available too). The report presents the analyzed data of over 200,000 separate applications scanned from Oct 31st, 2013, to March 31st, 2015.
To prepare this report, security researchers crawled through most of the popular languages including but not limited to
- PHP,
- Java,
- JavaScript,
- Ruby,
- .NET,
- C and C++,
- Microsoft Classic ASP,
- Android,
- iOS,
- and COBOL
and, alongside them, hundreds of thousands of applications from the past 18 months.
The comparison they used for the per-language statistics is the pass rate against the OWASP (Open Web Application Security Project) Top 10: for each programming language, how many of its applications passed an OWASP Top 10 policy on first scan. In short, Classic ASP and ColdFusion are the riskiest languages, and Java and .NET are the safest of the bunch. But safe doesn't mean completely shielded. So here below are the stats for each language.
- Classic ASP – Has 1,686 flaws/MB (1,112 of them are critical)
- ColdFusion – Has 262 flaws/MB (227 of them are critical)
- PHP – Has 184 flaws/MB (47 of them are critical)
- Java – Has 51 flaws/MB (5.2 of them are critical)
- .NET – Has 32 flaws/MB (9.7 of them are critical)
- C/C++ – Has 26 flaws/MB (8.8 of them are critical)
- iOS – Has 23 flaws/MB (0.9 of them are critical)
- Android – Has 11 flaws/MB (0.4 of them are critical)
- JavaScript – Has 8 flaws/MB (0.09 of them are critical)
So the most vulnerable web apps out there are the ones written in PHP... but why, when PHP sits only in third position? The reason is that ColdFusion serves a niche audience and Classic ASP is a legacy platform that hardly anyone pays attention to anymore, while PHP powers a huge share of the live web.
A closer inspection of PHP shows the following vulnerabilities:
- Almost 86% of applications written in PHP have at least one XSS vulnerability
- 56% of apps included SQLi (SQL injection), which is easily exploitable
- 67% of apps aren't immune to directory traversal
- 61% of apps aren't immune to code injection
- 58% of apps had problems with credential management
- 73% of apps have cryptographic issues
- 50% aren't immune to information leakage
Now, we know that the OWASP Top 10 almost never changes, but new security vulnerabilities keep popping up, which keeps SQL injection and XSS (Cross Site Scripting) right at the top of the OWASP list.
Now, about how to tackle all this:
Using your scripting language wisely is your salvation. Less than a quarter of Java applications have SQL injection flaws, which is much lower than PHP. The same flaw class, a very different rate: the difference is in how the code is written, not just which language it is written in.
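To make "using it wisely" concrete, here is an added example (my own code, not from the article or the Veracode report) showing the kind of PHP that produces the SQL injection and XSS numbers above, next to its hardened form using a PDO prepared statement and output escaping. The `users` table and its columns are assumed for the demo.

```php
<?php
// Added example: the two top PHP flaw classes from the report, vulnerable vs hardened.
// Assumed schema: table `users` with columns `id`, `name`, `email`.

// --- Vulnerable: SQL built by string concatenation, result echoed raw (SQLi + XSS) ---
function findUserVulnerable(PDO $db, string $name): string
{
    // $name is spliced into the query text, so a quote character in it changes
    // the statement itself instead of being treated as data.
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    // Untrusted data dropped into HTML unescaped: any markup in name is rendered.
    return $row ? "<p>Hello, " . $row['name'] . "</p>" : "<p>No user</p>";
}

// --- Hardened: parameterised query plus context-aware escaping at output ---
function findUserHardened(PDO $db, string $name): string
{
    // The statement text is fixed; the value is bound separately and can never
    // alter the query structure, whatever characters it contains.
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return '<p>No user</p>';
    }
    // Escape for the HTML context right where the data leaves the application.
    // ENT_QUOTES covers both quote kinds so the value is also safe in attributes.
    $safe = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, {$safe}</p>";
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO users (name, email) VALUES (:n, :e)');
$ins->execute([':n' => "O'Brien <admin>", ':e' => 'obrien@example.test']);

// The hardened version looks up a name containing a quote and angle brackets
// without error, and the output is escaped: <p>Hello, O&apos;Brien &lt;admin&gt;</p>
echo findUserHardened($db, "O'Brien <admin>"), PHP_EOL;
// The vulnerable version cannot even look this user up: the quote in the name
// breaks the hand-built SQL and PDO throws a syntax error.
try {
    echo findUserVulnerable($db, "O'Brien <admin>"), PHP_EOL;
} catch (PDOException $e) {
    echo 'vulnerable query failed: ', $e->getMessage(), PHP_EOL;
}
```

The same user name that crashes the concatenated query is handled cleanly by the bound parameter, and the escaping on output is what turns the 86% XSS figure into a non-issue for this handler.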
“Knowledge is amazing but is inconsequential if there is no wisdom behind that knowledge’s usage”