Of all the possible services on the Internet, DNS, e-mail and the World Wide Web are by far the most pervasive. (In fact, in July 2002, the monthly Netcraft Web site survey reported that 37,235,470 active Web servers were connected to the Internet.) Of these, Web services are the most complex and the most frequently abused.
Originally a simple text-based information service, the Web has developed into a highly functional interactive application development platform that is being used for almost every possible application on both the Internet and intranets. Major vendors have recognized the power of the Web and have made significant investments in Web development platforms. These include Sun (Java), Microsoft (Active Server Pages, Site Server and Commerce Server), the open source community (PHP) and others (ColdFusion). Such platforms make it very easy for ordinary administrators to develop complex applications. A simple wave of the Web development wand and suddenly everybody's a programmer, even me! Web applications are often developed by under-qualified, inexperienced developers. Unknowingly, many programmers make errors that provide potential intruders with precisely the vector they need to penetrate the private network. Because these applications are built on standard platforms, they tend to look similar and tend to share similar security weaknesses.
The link for this article located at SecurityFocus is no longer available.