Oct 06 2010

Top Overall Threats to Web Applications

AnnexCore

There are increasingly more threats that web developers face when protecting their software. With vigilant individuals (OWASP) highlighting the sneaky tactics of would be exploiters, majority of the vulnerabilities can be shielded against through proactive effort. In this document, we hope to briefly list out some of the top security risks faced by web applications.

1. SQL, LDAP, XPath, and OS Commands Injection – Attacker will exploit the syntax of the targeted interpreter through basic text. Nearly any source of data can be exploited as an injection vector.
2. Cross-Site Scripting(XSS) – Attacker will exploit interpreter through a text based script, similar to Injections it can be used on nearly any sort of data.
3. Insecure Direct Object References – An authorized system user changes a parameter value to a system object to an unauthorized object the user isn’t granted access to.
4. Broken Authentication & Session Management – Any flaws in the authentication or session management functions to fake identity of users.
5. Security Misconfiguration – Unauthorized access is gained through unused pages, unpatched flaws, or unprotected files and default accounts.
6. Cross-Site Request Forgery – Forged HTTP requests are tricked into giving image tags, XSS, or various others .
7. Failure to Restrict URL Access – Changing the URL to a privileged page giving the user access to private pages which aren’t protected.
8. Insecure Cryptographic Storage – When attackers gain access indirectly to crypto systems through finding keys, channels that already decrypt, or even find cleartext copies of data.
9. Insufficient Transport Layer Protection – When SSL isn’t used thoroughly or incorrect this often happens when an attacker monitors traffic to find vulnerabilities.

This post may contain affiliate links for which we receive commission if you visit a link and purchase something based off our recommendation. By making a purchase through an affiliate link, you won't be charged anything extra. We only recommend products and services we've thoroughly tested ourselves and trust.