In the first part of this article we looked at first five web security threats. In this part of the article, we are looking at the rest of five security threats that includes programming and server configuration and management.

Sixth - SQL Injection. All of the web applications have a back end connected to a database. All of these databases use SQL or it’s variants for data definition and manipulation. If the input fields of the web application are not validated properly, an attacker can insert some of the SQL commands that will be passed to the database and get executed in the SQL form. This way, instead of the execution of the business logic, an SQL code is executed giving the attacker the control of the web application.

Seventh - Improper Error Handling. Error conditions that are expected when operating in normal conditions are not handled properly. If an attacker can figure out the unhandled error conditions, then they can attack and gain detailed system information, service interruption or eventually crash the server.

Eighth - Insecure Storage. Usually web applications use cryptographic functions and tools to protect information when it is transported and stored. Some of these encryption mechanisms and functions may not effect properly resulting a breach of security. This maybe due to two reasons; a) Encryption mechanism being not strong so the attackers can easily break them b) Strong encryption mechanism has not been applied correctly.

Ninth - Denial of Service (DoS) Attacks. This is one form of attacked which is in use from the inception of Internet and World Wide Web. In this method, attacker will use the system resources of the web server until other legitimate users cannot use the system. This can eventually cause a web application crash.

Tenth - Insecure Configuration Management. Even though this is the last web security threat of the list, this is one of the most common and ignored security vulnerability. Each and every server that hosts web applications should be configured to be secured, as they are not fully configured for security out of the box. There can be many inbuilt and third party tools that should be installed and configured before exposing the web application to public.