Skip to content

Most Common Web Application Security Risks

Checklist · Chapter 11

Based on the OWASP (Open Web Application Security Project) annually-published top web application security risks. Architects on web apps should track the current list.

  • Untrusted data sent to an interpreter executes unintended commands (e.g. SQL injection / SQLi to read, alter, or delete data). Any user, internal or external, is a possible threat agent.
  • Mitigate: validate untrusted data, use parameterized SQL, apply least privilege, and layer a web application firewall (WAF) (which alone is not sufficient — it can’t catch every attack).
  • Flaws in authentication or session management.
  • Mitigate: salted password hashing, MFA, no default credentials, password-length/complexity/rotation policies, logout + short session timeouts, session IDs not in the URL and rotated after login, credentials only over secure connections. See IAM.
  • Failure to protect sensitive data (SSNs, credit cards, credentials).
  • Mitigate: identify sensitive data first; store only if necessary and discard early; encrypt at rest (including backups) and in transit with strong, current algorithms and proper key management; set browser directives/headers; disable caching of sensitive responses.
  • Against apps parsing XML: an external-entity reference processed by a misconfigured parser enables DoS, data disclosure, and SSRF. The billion laughs / XML-bomb attack expands nested entities to exhaust memory.
  • Mitigate: prefer a different format (e.g. JSON); otherwise disable DTDs, or disable external entities/entity expansion; keep XML libraries patched.
  • Missing/broken access checks let attackers act with elevated privileges.
  • Mitigate: enforce rights on the server side, not just the UI; use default deny; invalidate access tokens at logout; log failures and alert on repeated ones; test access control.
  • Insecure defaults and misconfigured components; more likely in complex apps.
  • Mitigate: configure securely before deployment; disable/remove/omit anything unnecessary (accounts, privileges, ports, services); change/disable default account passwords; don’t leak details in error messages/stack traces; keep OS, servers, DBMS, and frameworks patched.
  • Attackers execute scripts in the browser to hijack sessions, deface, or redirect. Three types: Reflected (untrusted data echoed without validation/escaping), Stored (persisted then rendered later), DOM (injected dynamically by client-side JS).
  • Mitigate: validate all user-supplied input and context-sensitively escape output before rendering.
  • Deserializing attacker-modified objects can enable remote code execution or tampered access-control data.
  • Mitigate: don’t accept serialized objects from untrusted sources; otherwise use integrity checks (e.g. digital signatures), isolate/low-privilege the deserialization code, and log deserialization exceptions.

Using components with known vulnerabilities

Section titled “Using components with known vulnerabilities”
  • Vulnerable third-party libraries/frameworks compromise the whole app.
  • Mitigate: track known vulnerabilities, patch/upgrade promptly, remove unused dependencies, obtain components from official sources over secure links, and replace or self-patch unmaintained libraries.
  • Enables many other attacks by letting them go unnoticed.
  • Mitigate: answer who/what/when (associate accounts with events, reconstruct timelines); centralize log management; automatic alerting; and secure the logs themselves against unauthorized access.
  • Attackers redirect users to malicious sites or forward to unauthorized pages.
  • Mitigate: avoid redirects/forwards where possible; if used, validate that target URLs point only to allowed destinations, review all such code, spider the site for redirects (HTTP 300–307, typically 302), and consider an interstitial “you are leaving this site” confirmation page.
  • Software Architect’s Handbook (Packt, 2018), Ch.11 “Most common web application security risks”, pp. 892-904.