Seven out of every 10 websites contains a security vulnerability that could allow attackers to steal confidential information or cripple the website, according to a study by security vendor Acunetix.
"The results show clearly that the problem of unsafe web applications is being ignored completely," said Kevin Vella, a vice president with Acunetix.
The firm scanned 3,200 websites over the past year belonging to businesses or non-commercial organisations that had volunteered for a security scan.
It detected 210,000 vulnerabilities, making for an average 66 security holes per online application.
Half of all the detected vulnerabilities were so-called SQL injection flaws. Another 42 per cent was made up of Cross Site Scripting (XSS) vulnerabilities.
Attackers in a SQL injection attack use web forms to send instructions in the SQL database access language.
They could use these commands to obtain an overview of past orders including credit card information, or get an overview of the log-in names and passwords for all users, including any administrators.
This could potentially compromise log-in and password information stored in cookies or lead to other unwanted disclosures of confidential information.
The security of online applications is a hot topic in the security industry. The rise of hosted software is exposing new services to online attack.
Acunetix's findings back up claims by other vendors of code scanning tools. Spi Dynamics claimed last week that it has a 99 per cent success rate in breaching the security of its clients' online applications.
Why does Facebook store "my entire call history with my partner's mum", asks developer who requested his Facebook data
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Before Ocado could start selling the technology it had developed to other retailers, it had to tear down and rebuild its own monolithic architecture
Successful attack could result in harm to patients and financial loss, warns NHS governing body
Guccifer 2.0 claimed to be a lone Romanian hacker - until a schoolboy error gave him, her or them away