1. Injection.
It's not uncommon for web applications to have injection flaws,
especially SQL injection flaws. A hacker who finds one will send
malicious data as part of a command or query. The attacker's input
tricks the app into changing data or executing a command it was not
designed to obey.
2. Cross-site Scripting.
Cross-site Scripting flaws occur whenever an application sends
user-supplied data to a web browser without validating or encoding it first. Hackers
use these flaws to hijack users away from the site or deface it,
thereby costing the site owner in lost business.
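An added example, not from the original article, of the output-encoding step that prevents user text from becoming markup. The comment string and the tiny template are constructed; `introduces_tags` is a hypothetical check that counts how many tags the rendered fragment has beyond the two the template itself contributes.

```python
import html

TEMPLATE_TAG_COUNT = 2  # the template below contributes <li> and </li>


def render_vulnerable(comment: str) -> str:
    # User text is concatenated straight into the document; a '<' in it
    # opens a tag and the browser runs whatever the tag says.
    return '<li class="comment">' + comment + '</li>'


def render_safe(comment: str) -> str:
    # Output encoding for HTML element content: '<', '>', '&', '"' and
    # "'" become entities, so the text is displayed rather than parsed.
    return '<li class="comment">' + html.escape(comment, quote=True) + '</li>'


def introduces_tags(rendered: str) -> bool:
    # Hypothetical detection check: any '<' beyond the template's own tags
    # means user input was interpreted as markup.
    return rendered.count("<") > TEMPLATE_TAG_COUNT


CONSTRUCTED_COMMENT = "<script>alert(1)</script>"  # constructed sample input

if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_COMMENT))
    print(render_safe(CONSTRUCTED_COMMENT))
```

Encoding must match the context the data lands in: `html.escape` is right for element content and quoted attribute values, but text placed inside a `<script>` block, a URL, or a CSS property needs that context's own encoding.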
3. Insecure Direct Object References.
Applications that lack checks to verify a user is authorized to view
particular content can be manipulated to access private data.
4. Broken Authentication.
When account credentials and session tokens aren't properly protected, hackers can assume users' identities online.
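An added example, not from the original article, of the session-handling habits that keep tokens from being guessed or reused: tokens come from the OS random generator, the identifier is rotated when the user logs in, and idle sessions expire. The store, the 15-minute idle policy and the injectable clock are constructed for the demonstration.

```python
import secrets
import time

SESSION_IDLE_SECONDS = 15 * 60  # constructed policy: 15 minutes of inactivity


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be exercised offline

    def create(self, user_id):
        # 256 bits from the CSPRNG; never derived from the user id or the time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "last_seen": self._clock()}
        return token

    def login(self, old_token, user_id):
        # Rotate the identifier at the privilege change so a token planted
        # before login is useless afterwards (session fixation defence).
        self._sessions.pop(old_token, None)
        return self.create(user_id)

    def resolve(self, token):
        # Returns the user for a live session, or None if unknown or expired.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create(None)
    signed_in = store.login(anon, "alice")
    print(store.resolve(anon), store.resolve(signed_in))
```

The token should travel in a cookie marked `Secure` and `HttpOnly` so it is neither sent in clear text nor readable by page scripts; the store above only covers the server side.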
5. Cross-site Request Forgery (CSRF).
A CSRF attack tricks unknowing site visitors into submitting forged
HTTP requests via image tags, XSS, or other techniques. If the user is
logged in, the attack succeeds.
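An added example, not from the original article, of the synchronizer-token check that distinguishes a request the user meant to send from one a third-party page forged. The server secret, the form dictionaries and the transfer handler are constructed; the token is an HMAC over the session identifier so it cannot be lifted from one session and replayed in another.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed per-deployment secret


def csrf_token(session_id: str) -> str:
    # Bound to the session: a forged page on another origin cannot read
    # this value, and a token from a different session will not match.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id: str, form: dict) -> str:
    # Trusts any request that arrives with the session cookie, which the
    # browser attaches automatically even to requests a third party forged.
    return "transferred " + form["amount"]


def transfer_safe(session_id: str, form: dict) -> str:
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return "rejected"
    return "transferred " + form["amount"]


if __name__ == "__main__":
    sid = "session-abc"                                   # constructed session id
    forged = {"amount": "10"}                             # what a forged request carries
    genuine = {"amount": "10", "csrf_token": csrf_token(sid)}  # what the real form carries
    print(transfer_vulnerable(sid, forged), "|", transfer_safe(sid, forged), "|", transfer_safe(sid, genuine))
```

Setting the session cookie's `SameSite` attribute adds a second, browser-enforced layer, but the token check is the one the server controls.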
6. Security Misconfiguration.
Security misconfiguration flaws give hackers unauthorized access to
system data via default accounts, unused pages, unpatched flaws,
unprotected files and directories.
7. Insecure Cryptographic Storage.
Many web applications don't do enough to protect sensitive data such
as credit card numbers, Social Security numbers and login credentials.
Thieves may use this data for identity theft, credit card fraud or other
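An added example, not from the original article, contrasting an unsalted single-pass hash with a salted, iterated password hash. It uses `hashlib.pbkdf2_hmac`, which the standard library provides; the iteration count of 600,000 is an assumption taken from current guidance for PBKDF2-HMAC-SHA256, and the storage format `algorithm$iterations$salt$digest` is a constructed convention.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def store_vulnerable(password: str) -> str:
    # Unsalted, single pass: identical passwords share a digest and
    # precomputed tables recover common ones almost instantly.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    # Fresh random salt per password, many iterations to slow guessing.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    # Parameters are read back from the stored record, so the work factor
    # can be raised later without breaking existing hashes.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

Credit card and Social Security numbers are a different case from passwords: they must be recoverable, so they call for encryption under a key kept outside the database rather than hashing.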
8. Failure to Restrict URL Access.
Often an app will protect sensitive interactions by not showing links
or URLs to unauthorized users. Attackers use this weakness to access
those URLs directly in order to carry out unauthorized actions.
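An added example, not from the original article, covering both of the authorization failures above (insecure direct object references and unrestricted URL access) with one server-side check each. The invoice table, the users, the route-to-role map and the `denied` helper are constructed; the point is that the object's owner and the route's allowed roles are checked on every request, regardless of which links the page showed.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str


# Constructed data: invoice id -> record, and route -> roles allowed on it.
INVOICES = {101: {"owner": 1, "total": 40}, 102: {"owner": 2, "total": 75}}
ROUTE_ROLES = {"/admin/users": {"admin"}, "/invoices": {"user", "admin"}}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # Looks up whatever id the client supplied; any logged-in user can
    # read any invoice just by changing the number in the URL.
    return INVOICES[invoice_id]


def get_invoice_safe(user: User, invoice_id: int) -> dict:
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user.id:
        # Same response whether the record is missing or belongs to
        # someone else, so ids cannot be enumerated by the error shape.
        raise Forbidden
    return inv


def authorize_route(user: User, path: str) -> bool:
    # Enforced for every request; hiding the link is not a control.
    allowed = ROUTE_ROLES.get(path)
    if allowed is None or user.role not in allowed:
        raise Forbidden
    return True


def denied(handler, *args) -> bool:
    # Hypothetical helper so callers can ask "was this refused?" directly.
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = User(1, "user")
    print(get_invoice_vulnerable(alice, 102)["total"])   # someone else's invoice
    print(denied(get_invoice_safe, alice, 102))          # True
    print(denied(authorize_route, alice, "/admin/users"))  # True
```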
9. Insufficient Transport Layer Protection.
Applications often fail to authenticate, encrypt and protect the
confidentiality of network traffic. Some use weak algorithms, expired or
invalid certificates, or use them incorrectly. This allows hackers to
"eavesdrop" on online exchanges. A correctly deployed SSL/TLS certificate typically
neutralizes this threat.
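An added example, not from the original article, using Python's `ssl` module to show what "use them incorrectly" looks like in client code and how to detect it. `hardened_client_context` keeps certificate verification and hostname checking on and pins the minimum protocol to TLS 1.2; `weakened_client_context` is the shortcut that silences a certificate error by switching both checks off; `audit_context` is a hypothetical check that reports those weaknesses.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    # create_default_context() already requires a valid chain and a
    # matching hostname; the minimum version is set explicitly on top.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    # The change people make when a certificate error appears: it keeps
    # the encryption but removes the authentication, so any party that
    # can intercept the connection can present its own certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    # Hypothetical configuration check; returns a list of findings.
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weakened:", audit_context(weakened_client_context()))
```

The same three properties (chain validated, hostname matched, old protocol versions refused) are what to verify on the server side as well.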
10. Unvalidated Redirects & Forwards.
Web applications often redirect or forward legitimate users to other
pages and websites, using insecure data to determine the destination.
Attackers use this weakness to redirect victims to phishing or malware
sites, or use forwards to open private pages.
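An added example, not from the original article, of validating a redirect destination against an allowlist instead of trusting a `next` parameter as given. The allowed hosts are constructed; the function accepts only a same-site path or an absolute URL whose host is on the list and otherwise falls back to a fixed default.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    # Returns a destination that is safe to redirect to, or the default.
    if not next_param:
        return default
    parsed = urlparse(next_param)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path. Reject protocol-relative forms ("//host") and
        # backslashes, which some browsers normalize into "//host".
        if (next_param.startswith("/") and not next_param.startswith("//")
                and "\\" not in next_param):
            return next_param
        return default
    # Absolute URL: only http(s) to a host on the allowlist. Using
    # parsed.hostname (not netloc) means "user@host" tricks resolve to the
    # real host that would be contacted.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_param
    return default


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/x", "https://www.example.com/cart",
                      "https://evil.example/", "javascript:alert(1)",
                      "http://example.com@evil.example/"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Server-side forwards deserve the same treatment: the target page name should be mapped through a fixed table rather than taken from the request, and the forwarded-to page must still run its own authorization check.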