Top 10 Web app security gotchas

  1. Unvalidated input

    Information from Web requests is not validated. Attackers can use these flaws to attack back-end components.

  2. Broken access control

    Restrictions on what authenticated users may do are not enforced properly. Attackers can exploit these flaws to access other users' accounts and view sensitive files.

  3. Broken authentication and session management

    Account credentials and session tokens are not protected properly. Attackers can compromise passwords, keys and session cookies and assume other users' identities.

  4. Cross-site scripting flaws

    The Web application can be used to transport an attack to a user's browser.

  5. Buffer overflows

    Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process.

  6. Injection flaws

    Web applications pass parameters when they access external systems. If an attacker can embed malicious commands in these parameters, the external system may execute those commands, letting the attacker spoof the Web site.

  7. Improper error handling

    If attackers can cause errors to occur that the Web application does not handle, they can gain detailed system information and deny service.

  8. Insecure storage

    Cryptographic functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

  9. Denial of service

    Attackers can consume so many Web application resources that other legitimate users can no longer access or use the application.

  10. Insecure configuration management

    Without a strong server configuration standard, a site can be breached through a variety of problems, such as unpatched security flaws in server software, default accounts with default passwords and misconfigured Secure Sockets Layer certificates.

Source: The Open Web Application Security Project
