
Top 10 Web Security Threats - Part 1


The Internet and the web are becoming increasingly vulnerable as technology advances and as the skills of the people who use it for the wrong reasons grow. Compared to early hack attacks, recent attack methods are far more advanced and complex, yet some techniques introduced decades ago are still in use today. Let's have a look at the top 10 web security vulnerabilities in our list.

First - Unvalidated Input. The information that comes from the web browser is not validated by the web application. A third party can therefore alter the web request and pass incorrect or harmful information through it.
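The defence against this item is to validate every request field on the server against an allow-list of what the field may contain, before the value is used anywhere. The example below is added here and is not code from the original post; the form fields, their patterns and their length limits are constructed for illustration. It rejects unknown fields, missing required fields, non-string values, over-long values and values with characters outside the allow-list, and only then converts the cleaned values to their expected types.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


class ValidationError(ValueError):
    """Raised when a request field fails allow-list validation."""


@dataclass(frozen=True)
class Field:
    name: str
    pattern: "re.Pattern"            # allow-list regex the whole value must match
    max_len: int                     # checked before the regex runs
    convert: Callable[[str], Any] = str
    required: bool = True


# Hypothetical schema for an order form; names and limits are constructed
# for this example, not taken from any real application.
SCHEMA: List[Field] = [
    Field("username", re.compile(r"[A-Za-z0-9_.-]+"), 32),
    Field("quantity", re.compile(r"[0-9]{1,4}"), 4, int),
    Field("postcode", re.compile(r"[A-Za-z0-9 -]+"), 12),
    Field("gift_note", re.compile(r"[\w ,.!?'-]*"), 140, str, required=False),
]


def validate_request(params: Dict[str, Any], schema: List[Field] = SCHEMA) -> Dict[str, Any]:
    """Return a cleaned dict containing only schema fields, or raise ValidationError.

    Everything in `params` is treated as attacker-controlled: the browser may
    have been bypassed entirely and the request built by hand.
    """
    unknown = set(params) - {f.name for f in schema}
    if unknown:
        # Extra fields are rejected rather than ignored: a hidden "role" or
        # "price" parameter should never reach the application logic.
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")

    cleaned: Dict[str, Any] = {}
    for f in schema:
        raw = params.get(f.name)
        if raw is None:
            if f.required:
                raise ValidationError(f"missing field: {f.name}")
            continue
        if not isinstance(raw, str):
            raise ValidationError(f"{f.name}: expected a string")
        if len(raw) > f.max_len:
            raise ValidationError(f"{f.name}: longer than {f.max_len} characters")
        if not f.pattern.fullmatch(raw):
            raise ValidationError(f"{f.name}: contains disallowed characters")
        cleaned[f.name] = f.convert(raw)
    return cleaned


def is_valid(params: Dict[str, Any]) -> bool:
    """Convenience wrapper: True if the request passes validation."""
    try:
        validate_request(params)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one tampered with.
    good = {"username": "alice_01", "quantity": "3", "postcode": "SW1A 1AA"}
    tampered = {"username": "alice<b>", "quantity": "3", "postcode": "SW1A 1AA", "role": "admin"}
    print(validate_request(good))
    print("tampered request accepted:", is_valid(tampered))
```

Allow-listing (what a value may contain) is preferred over block-listing (what it may not), because the list of harmful inputs is open-ended while the set of legitimate usernames or postcodes is not.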

Second - Broken Access Control. Even though many web applications have frameworks in place for access control and role authentication, some of these rules are not applied effectively within the application itself, so a regular user may mistakenly be assigned a higher level of authority.
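One way the rules end up "not applied effectively" is that the role is taken from something the client controls, or that the role is checked but ownership of the individual record is not. The example below is added here and is not code from the original post; the users, invoices and permission table are constructed. It contrasts a handler that trusts a role parameter from the request with one that takes the role from the server-side session and checks both the role permission and the object's owner.

```python
from dataclasses import dataclass
from typing import Dict, Set


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str            # set by the server at login, never by the request


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed data store: two customers, one invoice each.
INVOICES: Dict[int, Invoice] = {
    101: Invoice(101, owner_id=1, amount=42.0),
    102: Invoice(102, owner_id=2, amount=99.5),
}

# Permissions are declared once per role and checked in one place.
# A role missing from the table gets the empty set, i.e. no access.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user":  {"invoice:read_own"},
    "admin": {"invoice:read_own", "invoice:read_any", "invoice:delete"},
}


def authorize(user: User, permission: str) -> None:
    """Central permission check; every handler goes through here."""
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"role '{user.role}' lacks '{permission}'")


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Role check plus object-level ownership check."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if invoice.owner_id == user.user_id:
        authorize(user, "invoice:read_own")
    else:
        # Reading somebody else's record needs the broader permission.
        authorize(user, "invoice:read_any")
    return invoice


def get_invoice_trusting_request(request_params: Dict[str, str], invoice_id: int) -> Invoice:
    """The defect the page describes: the role comes from the request itself.

    A client that adds role=admin to the form is treated as an administrator.
    Kept only for contrast with get_invoice above.
    """
    if request_params.get("role") != "admin":
        raise Forbidden("not an admin")
    return INVOICES[invoice_id]


def can_read(user: User, invoice_id: int) -> bool:
    """Helper: True if get_invoice would succeed for this user."""
    try:
        get_invoice(user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    alice = User(user_id=1, role="user")
    admin = User(user_id=9, role="admin")
    print("alice reads own invoice:", can_read(alice, 101))
    print("alice reads other's invoice:", can_read(alice, 102))
    print("admin reads any invoice:", can_read(admin, 102))
```

Many applications return the same "not found" response for a record that does not exist and for one the caller may not see, so that valid identifiers cannot be enumerated; the two exceptions above are kept distinct only to make the checks visible.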

Third - Broken Authentication and Session Management. As we know, when you log in to a web application, a unique session is created for you. If the details of this session are not protected correctly (by a technique such as encryption), someone can steal it and misuse it. In this way attackers can compromise passwords, keys, session cookies and so on.
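Protecting the session comes down to a few server-side decisions: the identifier must be unguessable, it must only travel over TLS and stay out of reach of page scripts, it must expire, and it must be re-issued after login so an identifier fixed before authentication is worthless. The example below is added here and is not code from the original post; the in-memory store and the 30-minute lifetime are constructed for illustration, and a real deployment would use a shared server-side store.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 30 * 60          # seconds of inactivity before a session expires (constructed)

# Server-side store keyed by the SHA-256 of the session ID, so that a leaked
# copy of the store does not hand out live identifiers.
_SESSIONS: Dict[str, Dict[str, float]] = {}


def _key(sid: str) -> str:
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()


def create_session(user_id: int, now: Optional[float] = None) -> str:
    """Issue a fresh, unguessable session ID and record who it belongs to."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
    _SESSIONS[_key(sid)] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return sid


def session_cookie_header(sid: str) -> str:
    """Value for the Set-Cookie header carrying the session ID.

    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from scripts
    (the XSS item below), SameSite limits cross-site sending, Max-Age bounds
    how long the browser keeps it.
    """
    return (f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict; "
            f"Max-Age={SESSION_TTL}")


def lookup_session(sid: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user ID for a live session, or None if unknown or expired."""
    now = time.time() if now is None else now
    record = _SESSIONS.get(_key(sid))
    if record is None:
        return None
    if now >= record["expires"]:
        del _SESSIONS[_key(sid)]                    # expired sessions are purged on touch
        return None
    record["expires"] = now + SESSION_TTL           # sliding expiry on activity
    return int(record["user_id"])


def destroy_session(sid: str) -> None:
    """Logout: the server forgets the ID, whatever the browser still holds."""
    _SESSIONS.pop(_key(sid), None)


def rotate_session(old_sid: str, now: Optional[float] = None) -> Optional[str]:
    """Re-issue the ID at a privilege change (e.g. right after login).

    An identifier the client held before authenticating never becomes an
    authenticated one, which closes session fixation.
    """
    user_id = lookup_session(old_sid, now)
    if user_id is None:
        return None
    destroy_session(old_sid)
    return create_session(user_id, now)


if __name__ == "__main__":
    sid = create_session(user_id=7)
    print("Set-Cookie:", session_cookie_header(sid))
    print("resolves to user", lookup_session(sid))
    print("after rotation old ID resolves to", lookup_session(rotate_session(sid) and sid))
```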

Fourth - Cross Site Scripting (XSS). A well-known web site that is trusted by end users can be used by an attacker to transport an attack to the end user. By clicking a link on the trusted website, the end user actually executes code written by an attacker in another web application or web site. In this way an attacker can disclose the session details, attack the end user's machine, or present incorrect content and fool the end user.
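The trusted site becomes a carrier when it echoes untrusted text into its pages without encoding it for the place it lands. The example below is added here and is not code from the original post; the comment, author name and link values are constructed. It shows the unsafe rendering beside the encoded one, and separately handles the attribute context, where escaping alone is not enough because the URL scheme itself must be restricted.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(author: str, body: str) -> str:
    """The defect: untrusted text is pasted straight into the HTML.

    Kept only for contrast; never use this form.
    """
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment(author: str, body: str) -> str:
    """Element-content context: every untrusted value is HTML-escaped.

    html.escape turns < > & " ' into entities, so the browser renders the
    text literally instead of parsing it as markup or script.
    """
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def safe_href(url: str) -> str:
    """Attribute context for a URL: restrict the scheme, then escape for the attribute.

    Escaping alone would not stop a javascript: URL, which is valid attribute
    text but executes when followed, so the scheme is allow-listed first.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url.strip(), quote=True)


def render_profile_link(display_name: str, url: str) -> str:
    """A user-supplied homepage link: scheme check plus attribute escaping."""
    return f'<a href="{safe_href(url)}" rel="noopener">{html.escape(display_name)}</a>'


# Response header that limits the damage if an encoding slip still gets
# through: scripts may only load from the site's own origin.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    # Constructed untrusted input, as a user might submit it in a comment box.
    body = "<script>alert('xss')</script>"
    print("unsafe :", render_comment_unsafe("eve", body))
    print("encoded:", render_comment("eve", body))
    print(render_profile_link("Eve", "javascript:alert(1)"))
    print(render_profile_link("Alice", "https://example.com/u/1"))
```

Escaping is context-specific: the entity encoding that is right for element content is not sufficient inside a URL, a JavaScript string or a CSS value, which is why templating engines offer a different escaper for each, and why the link helper above does a scheme check before it escapes.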

Fifth - Buffer Overflows. This is one of the most common and familiar types of attack, and it is not limited to web applications: operating systems suffer from it too. In a web application, an attacker may send a chunk of data that crashes the application and takes control of some of its processes. Some programming and scripting languages do not check whether the data stream is too large, and the excess can crash the web application (e.g. CGI programs, libraries, drivers and web application server components).
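The web-application side of the defence is to bound the size of inbound data before it reaches any component with a fixed-size buffer, without trusting the client's declared length. The example below is added here and is not code from the original post; the 64 KiB limit and the sample bodies are constructed. It reads a request body in chunks, rejects oversized bodies early, checks the read length against Content-Length, and shows a bounded copy into a preallocated buffer, the check whose absence is the classic overflow in native code.

```python
import io
from typing import BinaryIO, Optional


class PayloadTooLarge(Exception):
    """Raised when a request body exceeds what the server is prepared to hold."""


MAX_BODY_BYTES = 64 * 1024      # constructed limit for this example
CHUNK = 8192


def read_body(stream: BinaryIO, declared_length: Optional[int],
              limit: int = MAX_BODY_BYTES) -> bytes:
    """Read at most `limit` bytes from the request stream.

    Content-Length is used only for a cheap early rejection and a final
    consistency check; the actual bound is enforced on the bytes read, so a
    client that lies about the length or omits it cannot exceed the limit.
    """
    if declared_length is not None and declared_length > limit:
        raise PayloadTooLarge(f"Content-Length {declared_length} exceeds {limit}")

    buf = bytearray()
    while True:
        # Ask for one byte past the remaining allowance: if it arrives, the
        # body is over the limit and we stop without buffering the rest.
        want = min(CHUNK, limit - len(buf) + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > limit:
            raise PayloadTooLarge(f"body exceeds {limit} bytes")

    if declared_length is not None and len(buf) != declared_length:
        raise ValueError(f"read {len(buf)} bytes but Content-Length was {declared_length}")
    return bytes(buf)


def copy_into_fixed(dst: bytearray, src: bytes) -> int:
    """Bounded copy into a preallocated buffer; returns the bytes copied.

    The unchecked version of this operation (copy until the source ends,
    regardless of the destination size) is the overflow the page describes.
    """
    if len(src) > len(dst):
        raise PayloadTooLarge(f"{len(src)} bytes do not fit a {len(dst)}-byte buffer")
    dst[:len(src)] = src
    return len(src)


def body_accepted(stream: BinaryIO, declared_length: Optional[int],
                  limit: int = MAX_BODY_BYTES) -> bool:
    """Helper: True if read_body accepts the request as consistent and within limit."""
    try:
        read_body(stream, declared_length, limit)
        return True
    except (PayloadTooLarge, ValueError):
        return False


if __name__ == "__main__":
    # Constructed requests: an honest one and one whose body is far longer
    # than its header claims.
    honest = io.BytesIO(b"name=alice&qty=3")
    print(read_body(honest, 16, limit=1024))
    liar = io.BytesIO(b"A" * 200_000)
    print("oversized body accepted:", body_accepted(liar, 10, limit=1024))
    fixed = bytearray(16)
    print("copied", copy_into_fixed(fixed, b"0123456789"), "bytes into a 16-byte buffer")
```

Application servers expose this bound as a setting (a maximum request body size); the point of writing it out is to show that the check belongs on the bytes actually received, not on the header the client sent.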


Posted by sheri on Mar 28 2008. Filed under Security.
