Almost two-thirds of web applications have been found to be at risk from cross-site scripting (XSS).
According to the Web Application Vulnerability report by security consultancy Context Information Security, web applications developed for government, financial services and law and insurance sectors had the greatest increase in vulnerabilities.
The findings come from penetration tests carried out on almost 600 custom-built web applications. Web applications built for government were found to contain the highest number of vulnerabilities in 2011, and while the financial services sector had one of the lowest counts in 2010, this changed in 2011 with an average increase of roughly 1.5 vulnerabilities per web application tested.
The law and insurance sector also produced similar results, with an average increase of roughly 2.5 vulnerabilities per web application penetration test.
Michael Jordon, research and development manager at Context, said: “While the number of vulnerabilities identified in applications from 2010 and 2011 has not increased greatly, it does indicate that developers are continuing to make the same mistakes and are still not addressing web application security sufficiently.
“While some of the vulnerability categories such as server configuration and information leakage had bigger rises, more serious cross-site scripting and SQL injections present the biggest and potentially most damaging threats to web applications.
“It is certainly clear that penetration testing before allowing a web application to go live is more relevant and essential than ever.”