Top 10 Web app security gotchas
- Unvalidated input
Information from Web requests is not validated. Attackers can use these flaws to attack back-end components.
- Broken access control
Restrictions on what authenticated users may do are not enforced properly. Attackers can exploit these flaws to access other users' accounts and view sensitive files.
- Broken authentication and session management
Account credentials and session tokens are not protected properly. Attackers can compromise passwords, keys and session cookies and assume other users' identities.
- Cross-site scripting flaws
The Web application can be used to transport an attack to a user's browser.
- Buffer overflows
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process.
- Injection flaws
Web applications pass parameters when they access external systems. If an attacker can embed malicious commands in these parameters, the external system may execute those commands, letting the attacker spoof the Web site.
- Improper error handling
If attackers can cause errors to occur that the Web application does not handle, they can gain detailed system information and deny service.
- Insecure storage
Cryptographic functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
- Denial of service
Attackers can consume so many Web application resources that other legitimate users can no longer access or use the application.
- Insecure configuration management
Lacking a strong server configuration standard, a site can have breaches from a variety of problems, such as unpatched security flaws in server software, default accounts with default passwords and misconfigured Secure Sockets Layer certificates.
Source: The Open Web Application Security Project
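The "unvalidated input" and "injection flaws" items above both come down to the same defect: a request parameter reaches a back-end command unchanged. The following is an added illustration, not code from the OWASP list or this page; it assumes a constructed in-memory SQLite table standing in for the external system, and shows a lookup that splices the parameter into the query beside one that validates the value against an allow-list and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample data standing in for the back-end "external system".
SAMPLE_USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]

# Allow-list for the request parameter: short, lowercase account names only.
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_name(name):
    """Input validation: reject anything outside the expected shape."""
    return bool(NAME_RE.match(name))


def lookup_vulnerable(conn, name):
    # The request parameter is spliced straight into the command sent to
    # the database, so quote characters in it become part of the command.
    query = f"SELECT name, secret FROM users WHERE name = '{name}' ORDER BY name"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    # Validate first, then bind the value; the driver sends it separately
    # from the statement, so it can never change what the command does.
    if not is_valid_name(name):
        return []
    query = "SELECT name, secret FROM users WHERE name = ? ORDER BY name"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups on an ordinary value and on a value carrying a quote."""
    conn = make_db()
    quoted = "x' OR '1'='1"  # constructed: a name that breaks out of the quotes
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_quoted": lookup_vulnerable(conn, quoted),  # returns every row
        "hardened_normal": lookup_hardened(conn, "alice"),
        "hardened_quoted": lookup_hardened(conn, quoted),      # returns []
    }
```

The vulnerable lookup leaks every row when the parameter carries a quote; the hardened one rejects the value at validation and, even if validation were skipped, the bound parameter would match no row.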