Top 5 Most Common Security Vulnerabilities on Web Applications

Security vulnerabilities can result from software bugs, weak passwords, or software that has already been compromised by a virus or by injected script code. Such vulnerabilities require patches, or fixes, to prevent hackers or malware from compromising the integrity of the system.

Below are the top 5 most common security vulnerabilities.

1. Cross Site Scripting

Cross-site scripting (XSS) targets an application’s users by injecting code, usually a client-side script such as JavaScript, into a web application’s output. The idea behind XSS is to manipulate the client-side scripts of a web application so that they execute in the manner the attacker wants. XSS allows attackers to execute scripts in the victim’s browser, where they can hijack user sessions, deface websites, or redirect the user to malicious sites.

It is characterized by a forged request coming from another site: the attack occurs when a malicious website, email, or program causes a user’s browser to perform an unwanted action on a trusted site.

Vulnerable Objects: User Profile page, User account forms, and Business transaction page.

2. SQL Injection

This is a security vulnerability that allows an attacker to alter backend SQL statements by manipulating user-supplied data. It usually occurs when user input is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands and giving access to unauthorized data. The injected SQL, when executed by the web application, can also expose the back-end database. As a result, an attacker can inject malicious content through the vulnerable fields.

Sensitive data such as user names and passwords can be read from the database, database contents can be modified, and administrative operations can be executed on the database.

Vulnerable Objects: Input Fields and URLs interacting with the database.

3. Insecure Direct Object References

Insecure Direct Object References occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, in a URL or as a form parameter. An attacker can use this information to access other objects and stage further attacks to reach unauthorized data. In this way the attacker gains access to unauthorized internal objects and can also modify data or compromise the application.

Vulnerable Objects: In the URL.

4. Security Misconfiguration

A good security configuration must be defined and deployed for the application, frameworks, server, and platform. If these are not properly configured, an attacker can gain unauthorized access to sensitive data or functionality, and such flaws may result in complete system compromise. By exploiting this vulnerability, the attacker can enumerate the underlying technology, the application server version, database information, and other details about the application in order to mount further attacks.

Vulnerable objects: URL, Form Fields, Input fields

5. Insecure Cryptographic Storage

Insecure cryptographic storage exists when sensitive data is not stored securely. User credentials, profile information, health details, and credit card information are examples of sensitive data held by a website. This data is stored in the application database, and when it is not protected with encryption or hashing it is vulnerable to attackers.

Hashing is the transformation of a string of characters into a shorter string of fixed length, or a key. To decrypt the string, the algorithm used to form the key must be available.

As a result, an attacker can steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

Vulnerable objects: Application database
All of these security vulnerabilities are important to know, especially for developers, designers, managers, architects, and organizations. Being aware of them lets you stay vigilant about every piece of information you give online. Responsible handling of important information should be a priority for every company, so that they do not lose customers and investors.