Every year, Acunetix brings you an analysis of the most common web security vulnerabilities and network perimeter vulnerabilities. Our annual Web Application Vulnerability Report is based on real data taken from Acunetix Online. We randomly select websites and web applications protected using our software, anonymize them, and perform statistical analysis. Here are the findings for this year.

The State of Web Application Security

The 2020 report is optimistic but the state of web security is still far from perfect. Most high and medium severity vulnerabilities are less common in 2020 than in 2019. However, there are high severity vulnerabilities that may lead to the loss of sensitive information and that have become much more common this year.

What worries us most is that new websites and web applications (those that were not scanned before 2019) have more web vulnerabilities. This means that security is still a major problem in software development. Developers don’t know how to write secure code, they make common mistakes, they trust user input including form fields too much, and their work environments don’t help them maintain application code security.

Vulnerabilities at a Glance

Our report focuses on common vulnerabilities and security misconfigurations – those that you also find in the Open Web Application Security Project – OWASP Top 10 list. We found fewer SQL Injections, Cross-site Scripting (XSS) issues, vulnerable JavaScript libraries, potential CSRF attacks, and WordPress vulnerabilities. However, we noticed more issues related to remote code execution (RCE) and directory traversal (path traversal), which is very worrying.

The report also contains data on other software security issues including buffer overflow, host header injection flaws, denial-of-service and DDoS vulnerabilities, issues related to access control and broken authentication such as weak passwords, web server misconfigurations, and more.

Interestingly enough, when analyzing the data in our report we also noticed that PHP security keeps improving. However, this may be caused by the relative stability of the WordPress core, which is written using PHP.

Beware of the Consequences

In conclusion, the 2020 Web Application Vulnerability Report emphasizes the importance of web vulnerability scanning. Issues discovered by scanners such as Acunetix can have serious consequences and lead to server-side sensitive data exposure including user account compromise, credit card information theft, security breaches of back-end databases, as well as client-side attacks on user’s browsers.


Tomasz Andrzej Nidecki
Technical Content Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.