Top 10 Web Application Security Risks

The top 10 web application security risks are injection flaws, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. These risks can allow attackers to compromise passwords, access unauthorized data and functionality, execute scripts to hijack sessions or redirect users, gain remote code execution capabilities, and maintain long-term presence on systems without detection.

Uploaded by: Ayaz Alam

Top 10 Web Application Security Risks

1. Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
2. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
3. Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
4. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
5. Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
6. Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
7. Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
8. Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
9. Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
10. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
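Item 1 (Injection) in working code, as an added example that is not part of the original list: a lookup that splices untrusted input into SQL text beside the same lookup with a bound parameter. The table and rows are constructed for the demonstration; the interpreter is SQLite from Python's standard library.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with three users (sample data, not from the list)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted data becomes part of the command text, so the interpreter
    # parses it as SQL instead of treating it as a value.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the query text is fixed, the value travels separately
    # and can only ever be compared as a string.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed hostile input: a quote that closes the literal plus a tautology.
HOSTILE_NAME = "x' OR '1'='1"
```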
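Item 2 (Broken Authentication) as an added example, not code from the original list: salted, iterated password hashing with a constant-time check, and server-side session tokens that are random, expire, and can be revoked. The PBKDF2 iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 210_000  # assumption: raise until hashing costs ~100 ms on your hardware


def hash_password(password: str) -> str:
    """Per-user random salt; the stored string carries algorithm, cost and salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: no early exit that leaks how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Opaque random tokens kept server-side, with expiry and explicit revocation."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expires_at)

    def create(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[token] = (user, now + self.ttl)
        return token

    def lookup(self, token: str, now: float = None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:  # expired tokens are dropped, not silently honoured
            del self._sessions[token]
            return None
        return user

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)
```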
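Item 5 (Broken Access Control) as an added example, not from the original list: a document handler that trusts whatever id arrives in the request beside one that runs a deny-by-default authorization check on every object access. Users, roles and documents are constructed sample data; the role rules are assumptions for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: frozenset = field(default_factory=frozenset)


# Constructed sample store: two documents, one shared read-only with carol.
DOCS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's report", shared_with=frozenset({"carol"})),
}


class Forbidden(Exception):
    pass


def authorize(user: User, action: str, doc: Document) -> bool:
    """Deny by default: every permitted (relationship, action) pair is listed."""
    if "admin" in user.roles and action in {"read", "delete"}:
        return True
    if user.name == doc.owner and action in {"read", "update", "delete", "share"}:
        return True
    if user.name in doc.shared_with and action == "read":
        return True
    return False


def get_doc_insecure(user: User, doc_id: int) -> Document:
    # Authenticated, but not authorized: any user can fetch any id they guess.
    return DOCS[doc_id]


def get_doc(user: User, doc_id: int) -> Document:
    doc = DOCS.get(doc_id)
    # Missing and forbidden look identical, so ids cannot be enumerated by response.
    if doc is None or not authorize(user, "read", doc):
        raise Forbidden(f"{user.name} may not read document {doc_id}")
    return doc


def update_doc(user: User, doc_id: int, body: str) -> Document:
    doc = DOCS.get(doc_id)
    if doc is None or not authorize(user, "update", doc):
        raise Forbidden(f"{user.name} may not update document {doc_id}")
    doc.body = body
    return doc


def is_denied(fn, *args) -> bool:
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```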
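Item 8 (Insecure Deserialization) as an added example, not from the original list: Python's pickle resolves arbitrary globals while loading, so the defence shown here is an Unpickler that refuses every global not on a short allowlist. Both inputs are constructed; os.getcwd is a harmless stand-in for any callable a hostile stream might name.

```python
import io
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Only allowlisted globals may be resolved; anything else aborts the load."""

    ALLOWED = {("builtins", "range"), ("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # Raising here stops the stream before any constructor or callable runs.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', object) for accepted streams or ('rejected', reason)."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed inputs: plain data that needs only allowlisted globals, and a
# stream that references a global outside the allowlist.
BENIGN_PICKLE = pickle.dumps({"ids": [1, 2, 3], "window": range(3)})
GLOBAL_PICKLE = pickle.dumps(os.getcwd)
```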
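Item 10 (Insufficient Logging & Monitoring) as an added example, not from the original list: a structured security-event writer plus detection logic run over constructed log lines, flagging a burst of failed logins from one source and a success that follows it. The field names and thresholds are assumptions.

```python
import json
import time
from collections import defaultdict, deque


def security_event(event: str, **fields) -> str:
    """One JSON line per event: identifiers and outcomes, never passwords or tokens."""
    record = {"ts": fields.pop("ts", int(time.time())), "event": event, **fields}
    return json.dumps(record, sort_keys=True)


# Constructed sample log: five failures then a success from one source,
# and two failures far apart from another.
SAMPLE_LOG = """\
{"ts": 100, "event": "login_failed", "user": "alice", "src": "203.0.113.7"}
{"ts": 101, "event": "login_failed", "user": "bob", "src": "203.0.113.7"}
{"ts": 102, "event": "login_failed", "user": "carol", "src": "203.0.113.7"}
{"ts": 103, "event": "login_failed", "user": "dave", "src": "203.0.113.7"}
{"ts": 104, "event": "login_failed", "user": "erin", "src": "203.0.113.7"}
{"ts": 105, "event": "login_ok", "user": "erin", "src": "203.0.113.7"}
{"ts": 150, "event": "login_failed", "user": "alice", "src": "198.51.100.9"}
{"ts": 900, "event": "login_failed", "user": "alice", "src": "198.51.100.9"}
"""


def detect_login_abuse(lines, threshold: int = 5, window: int = 60) -> list:
    """Sliding window per source: alert on >= threshold failures within `window`
    seconds, and on a success from that source shortly after the burst."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}                 # src -> ts of the burst alert
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "login_failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "failed_login_burst", "src": src,
                               "count": len(q), "ts": ts})
                flagged[src] = ts
                q.clear()  # one alert per burst
        elif ev["event"] == "login_ok" and src in flagged and ts - flagged[src] <= window:
            alerts.append({"rule": "success_after_burst", "src": src,
                           "user": ev["user"], "ts": ts})
    return alerts
```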
