1M top Alexa site, how secure are they? Join me as we explore my research into the state of web app insecurity, common issues that were found, disclosure experience and the methods used to test 1M sites plus the odd meme or two. I will also release some of the scripts built for the research, including an XSS spider to automatically crawl sites, find XSS entry points and detect vulnerabilities with no user interaction.