Common Web Application Vulnerabilities
Comprehensive Guide to OWASP Top 10 and Beyond
Introduction to Web Application Vulnerabilities
Web applications are the backbone of modern digital infrastructure, powering everything from e-commerce platforms to critical government services. However, the same technologies that make web applications powerful and accessible also introduce numerous security vulnerabilities that malicious actors constantly seek to exploit.
According to the Verizon Data Breach Investigations Report, web applications remain one of the most common attack vectors for data breaches. Understanding these vulnerabilities is not just for security professionals — developers, system administrators, and business stakeholders all benefit from security awareness.
The Open Web Application Security Project (OWASP) maintains the OWASP Top 10, which represents the most critical security risks to web applications. This list is updated periodically based on data from security organizations worldwide and serves as the foundation for web application security best practices.
Why This Guide Matters
94% of applications tested had at least one vulnerability in OWASP categories
Web application attacks account for 26% of all data breaches
The average cost of a data breach exceeds $4 million globally
Most attacks are opportunistic, targeting known vulnerabilities
OWASP Top 10 Overview
The OWASP Top 10 represents the consensus of security experts about the most critical web application security risks. Understanding each category helps organizations prioritize their security efforts and allocate resources effectively.
A03: SQL Injection Explained
SQL Injection (SQLi) remains one of the most dangerous and prevalent web vulnerabilities. It occurs when an attacker can insert malicious SQL statements into application queries, potentially gaining unauthorized access to databases, reading sensitive data, modifying database content, or even executing administrative operations.
Types of SQL Injection
Data is extracted using the same channel used to inject the SQL code. This is the most common type, where results are returned directly in the application response.
No data transfer occurs. Attackers reconstruct database structure by sending payloads and observing behavioral differences, such as query execution time or error responses.
Data is retrieved using different channels, such as DNS requests or HTTP requests. Used when in-band channels are not available.
Example Attack Scenario
# Vulnerable PHP code:
query = "SELECT * FROM users WHERE
username = '" + username + "'
AND password = '" + password + "'"
# Attacker input for username:
' OR '1'='1
# Resulting query (executed):
SELECT * FROM users WHERE username = '' OR '1'='1'
AND password = ''
# This returns the first user, granting unauthorized accessCross-Site Scripting (XSS) Types
Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Unlike SQL injection which targets the database, XSS targets the users of a web application, making it a client-side vulnerability that can steal session tokens, deface websites, or redirect users to malicious sites.
Malicious input is permanently stored on the target server (database, comment field, forum post) and served to all users who access that content.
Malicious script is reflected off a web server without being stored, typically through URL parameters, search boxes, or error messages.
Vulnerability exists in client-side code that processes user input and dynamically updates the page without proper sanitization.
XSS Payloads
# Basic script injection
<script>alert(document.cookie)</script>
# Image tag with onerror handler
<img src=x onerror=alert('XSS')>
# Inline event handler
<div onmouseover=alert('XSS')>hover me</div>
# JavaScript URI
<a href="javascript:alert('XSS')">click me</a>
# SVG element injection
<svg onload=alert('XSS')>A01: Broken Access Control
Broken Access Control (A01 in OWASP Top 2021) is the most critical security risk. It occurs when applications fail to properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to access unauthorized functionality and data, such as viewing sensitive files, modifying other users accounts, or changing access rights.
Users can perform actions they are not authorized to do, such as accessing admin functions or modifying privileged accounts.
Users can access resources belonging to other users with similar privileges, like viewing another user account details.
Exposing internal object references (database keys, file paths) without proper authorization checks.
Improperly configured Cross-Origin Resource Sharing allows unauthorized cross-origin requests.
A02: Cryptographic Failures
Previously known as Sensitive Data Exposure, Cryptographic Failures occur when applications fail to properly protect sensitive data. This includes data at rest (stored in databases) and data in transit (traveling over networks). The most common failures involve transmitting sensitive data over unencrypted channels or failing to encrypt sensitive data altogether.
Common Cryptographic Failures
- - Transmitting sensitive data over HTTP instead of HTTPS
- - Using deprecated cryptographic algorithms (MD5, SHA1)
- - Storing passwords without proper hashing
- - Using default or weak cryptographic keys
- - Missing encryption for sensitive fields in databases
- - Not enforcing encryption (not using HSTS)
- - Weak key generation or management
- - Not verifying certificates properly
Best Practices for Cryptographic Security
# GOOD: Use strong hashing for passwords bcrypt.hash(password, 12) argon2(password) scrypt(password) # GOOD: Use strong encryption for data at rest AES-256-GCM ChaCha20-Poly1305 # GOOD: Use TLS 1.3 for data in transit TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 # BAD: Never use these MD5, SHA1 (for hashing) DES, 3DES (for encryption) SSLv3, TLS 1.0, TLS 1.1
A05: Security Misconfiguration
Security Misconfiguration is one of the most common issues leading to web application breaches. It occurs when security settings are not defined, implemented, or maintained properly. Misconfigurations can exist at any level of the application stack, from the web server and database to the application framework and API.
Common Misconfigurations
- 1. Default credentials or configurations left unchanged
- 2. Unnecessary features enabled (ports, services, pages)
- 3. Error handling reveals stack traces or sensitive info
- 4. Missing security headers or weak header configurations
- 5. Cloud services with overly permissive access
Hardening Checklist
- 1. Change all default credentials immediately
- 2. Remove or disable unnecessary features and services
- 3. Implement proper error handling without stack traces
- 4. Configure all security headers (CSP, HSTS, X-Frame-Options)
- 5. Regular security configuration reviews and updates
A07: Broken Authentication
Authentication systems are responsible for verifying user identity. When these systems fail, attackers can compromise passwords, session tokens, or exploit implementation flaws to assume other users identities temporarily or permanently. Broken authentication affects applications that handle user credentials poorly.
Automated attacks using stolen username/password pairs from data breaches
Predictable, exposed, or non-expiring session identifiers
No multi-factor authentication for sensitive operations
No complexity requirements or password length limits
XML External Entities (XXE)
XXE vulnerabilities occur when XML input containing references to external entities is processed by a weakly configured XML parser. Attackers can use this to read local files on the server, perform port scanning, execute remote code (in some configurations), or cause denial of service.
XXE Attack Payload
# Basic XXE to read local file
<?xml version="1.0"?>
<!DOCTYPE doc [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<doc>&xxe;</doc>
# XXE to cause SSRF
<?xml version="1.0"?>
<!DOCTYPE doc [
<!ENTITY xxe SYSTEM
"http://internal-server:8080/admin">
]>
<doc>&xxe;</doc>
# Billion Laughs Attack (DoS)
<?xml version="1.0"?>
<!DOCTYPE doc [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<doc>&lol3;</doc>XXE Prevention
- - Disable XML external entity processing in parsers
- - Use less complex data formats like JSON where possible
- - Validate and sanitize all XML input
- - Implement Positive Input Validation
- - Ensure SAST tools detect XXE vulnerabilities
Cross-Site Request Forgery (CSRF)
CSRF tricks a logged-in users browser into sending unauthorized requests to a web application. Since browsers automatically include cookies with each request, the target application cannot distinguish between legitimate requests initiated by the user and forged requests sent via the attackers code.
CSRF Attack Flow
legitimate site
malicious page
cookie with request
unbeknownst to user
CSRF Prevention Techniques
# 1. CSRF Tokens (Synchronizer Token Pattern) # Server generates unique token per session <input type="hidden" name="csrf_token" value="abc123"> # 2. Double Submit Cookie # Cookie and header must match Cookie: csrf=abc123 Header: X-CSRF-Token: abc123 # 3. SameSite Cookies Set-Cookie: session=xyz; SameSite=Strict Set-Cookie: session=xyz; SameSite=Lax # 4. Origin/Referer Header Validation # Verify request originates from expected domain
A06: Using Components with Known Vulnerabilities
Applications today rely heavily on third-party components, libraries, and frameworks. When these components have known vulnerabilities and are used in your application, they become the weakest link in your security posture. Attackers actively scan for applications using vulnerable components.
Risk Factors
- - Outdated libraries and frameworks
- - Unpatched dependencies with known CVEs
- - Using unofficial or modified packages
- -信任第三方 code without verification
- - No dependency scanning in CI/CD
Mitigation Strategies
- - Regular dependency updates and patching
- - Use Software Composition Analysis (SCA) tools
- - Implement automated vulnerability scanning
- - Remove unused dependencies
- - Monitor CVE databases for your stack
Tools for Dependency Scanning
# Node.js - npm audit npm audit # Python - safety pip install safety safety check # Java - OWASP Dependency-Check ./dependency-check.sh --project APP --scan . # Go - govulncheck govulncheck ./... # Ruby - bundler-audit bundle-audit
A09: Insufficient Logging and Monitoring
Most successful attacks start with vulnerability probing, reconnaissance, and exploitation. Without adequate logging and monitoring, organizations cannot detect these activities in time to prevent damage. Studies show that the average time to detect a breach is over 200 days, often discovered by external parties rather than internal teams.
What Should Be Logged
- - All authentication events (success and failure)
- - Access control failures
- - All server-side input validation failures
- - High-value transactions (payments, changes)
- - Suspicious outbound traffic patterns
- - Error and warning events
- - Configuration changes
- - Session management events
Log Best Practices
- - Logs should include: who, what, when, where (IP), and outcome
- - Use structured logging format (JSON) for easier analysis
- - Centralize logs in a SIEM solution
- - Implement real-time alerting for critical events
- - Ensure log integrity (tamper-proof storage)
- - Regular log review and anomaly detection
A10: Server-Side Request Forgery (SSRF)
SSRF occurs when web applications fetch remote resources without validating the user-supplied URL. Attackers can force the application to send crafted requests to unexpected locations, even bypassing firewall restrictions or accessing internal services that should not be exposed.
- - Access internal APIs behind firewall
- - Scan internal network for open ports
- - Read local files via file:// protocol
- - Attack internal services (Redis, MongoDB)
- - Port scanning external systems
- - Validate and sanitize all user input URLs
- - Use allowlist for permitted domains/IPs
- - Disable HTTP redirections
- - Enforce URL schema allowlist (http, https)
- - Network segmentation and firewall rules
How to Prevent These Vulnerabilities
Preventing web application vulnerabilities requires a multi-layered approach combining secure development practices, automated testing, and continuous security monitoring. Here is a comprehensive strategy to protect your applications.
- + Threat modeling
- + Secure architecture review
- + Security requirements
- + Risk assessment
- + Secure coding guidelines
- + Code review process
- + SAST tools in IDE
- + Developer security training
- + DAST scanning
- + Penetration testing
- + Dependency scanning
- + Security regression tests
- + Security hardening
- + Configuration management
- + Secrets management
- + Deployment verification
- + Continuous monitoring
- + WAF deployment
- + Log aggregation
- + Incident response plan
- + Regular patching
- + Dependency updates
- + Security audits
- + Vulnerability monitoring
Security Testing Tools
Effective vulnerability identification requires both automated tools and manual testing expertise. Here are the essential tools every security professional and development team should know.
Frequently Asked Questions
What are the OWASP Top 10 vulnerabilities?
The OWASP Top 10 is a standard awareness document for developers about the most critical security risks to web applications. It includes Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software and Data Integrity Failures, Logging and Monitoring Deficiencies, and SSRF (Server-Side Request Forgery).
How can I prevent SQL injection attacks?
SQL injection can be prevented by using parameterized queries or prepared statements instead of string concatenation, implementing input validation, using ORM frameworks that handle escaping automatically, applying the principle of least privilege for database accounts, and regular security testing with tools like Burp Suite or SQLMap.
What is the difference between stored and reflected XSS?
Stored XSS (Persistent XSS) occurs when malicious input is permanently stored on the target server, such as in a database or comment field, and served to users who view that content. Reflected XSS occurs when malicious input is reflected off a web server without being stored, typically through URL parameters or error messages that include unsanitized user input.
How does broken authentication differ from weak authentication?
Broken authentication refers to flaws in the authentication mechanisms themselves that allow attackers to bypass login, compromise passwords, session IDs, or exploit implementation errors. Weak authentication refers to using easily guessable passwords, lack of multi-factor authentication, or inadequate password policies. Both are categorized under Authentication Failures in OWASP Top 10 2021.
What is XXE and why is it dangerous?
XXE (XML External Entities) is a vulnerability that allows attackers to exploit XML parsers by including malicious external entity references in XML documents. This can lead to Server-Side Request Forgery (SSRF), port scanning, remote code execution, or reading sensitive files from the server. It is particularly dangerous in applications that parse XML input without proper configuration.
How should organizations implement logging and monitoring?
Effective logging and monitoring should include logging all authentication attempts (success and failure), recording access control failures, ensuring logs contain sufficient context for forensic analysis, using centralized log management, implementing real-time alerting for suspicious activities, establishing incident response procedures, and regularly testing the monitoring system itself.
What tools can help identify web vulnerabilities?
Several tools can help identify web vulnerabilities: Burp Suite (industry standard for web testing), OWASP ZAP (open-source alternative), Nikto (web server scanner), SQLMap (SQL injection detection), XSStrike (XSS detection), Nuclei (vulnerability scanner templates), and commercial tools like Acunetix or Nessus. Manual testing with these tools provides the best coverage.
How often should security testing be performed?
Security testing should be performed at multiple stages: during development (integrated into CI/CD pipelines), before each major release, after significant code changes, and regularly throughout the year with automated scanning. For high-risk applications, quarterly penetration testing is recommended. Additionally, any deployment of new features or infrastructure changes should trigger a security review.
Master Web Application Security
Learn to identify, exploit, and prevent web application vulnerabilities in our comprehensive ethical hacking and penetration testing courses. Hands-on labs with real vulnerable applications.