In the first part of this article we looked at first five web security threats. In this part of the article, we are looking at the rest of five security threats that includes programming and server configuration and management.

Sixth - SQL Injection. All of the web applications have a back end connected to a database. All of these databases use SQL or it’s variants for data definition and manipulation. If the input fields of the web application are not validated properly, an attacker can insert some of the SQL commands that will be passed to the database and get executed in the SQL form. This way, instead of the execution of the business logic, an SQL code is executed giving the attacker the control of the web application.

Seventh - Improper Error Handling. Error conditions that are expected when operating in normal conditions are not handled properly. If an attacker can figure out the unhandled error conditions, then they can attack and gain detailed system information, service interruption or eventually crash the server.

Eighth - Insecure Storage. Usually web applications use cryptographic functions and tools to protect information when it is transported and stored. Some of these encryption mechanisms and functions may not effect properly resulting a breach of security. This maybe due to two reasons; a) Encryption mechanism being not strong so the attackers can easily break them b) Strong encryption mechanism has not been applied correctly.

Ninth - Denial of Service (DoS) Attacks. This is one form of attacked which is in use from the inception of Internet and World Wide Web. In this method, attacker will use the system resources of the web server until other legitimate users cannot use the system. This can eventually cause a web application crash.

Tenth - Insecure Configuration Management. Even though this is the last web security threat of the list, this is one of the most common and ignored security vulnerability. Each and every server that hosts web applications should be configured to be secured, as they are not fully configured for security out of the box. There can be many inbuilt and third party tools that should be installed and configured before exposing the web application to public.

The Internet and web are becoming increasingly vulnerable with the advancement of technologies and skills of the people who use it for wrong reasons. When compared to early stage hack attacks, recent methods of attacking are very much advance and complex. But there are some techniques used even today introduced some decades ago. Let’s have a look at the top 10 web security vulnerabilities in out list.

First - Unvalidated Input. The information that comes from the web browser is not validated by the web application. This way, a third party can alter the web request and pass incorrect or harmful information to the web browser.

Second - Broken Access Control. Even though lot of web applications have frameworks implemented for access control and role authentication, some of these rules are not used effectively in the web application. So mistakenly a regular user maybe assigned higher level of authority.

Third - Broken Authentication and Sessions management. As we know, if you log in to a web application, a unique session is created for you. If this sessions details are not protected correctly (by a technique such as encryption), some one can steal it and misuse. This way, attackers can compromise password, keys, session cookies etc.

Fourth - Cross Site Scripting (XSS) - A well-known web site that is trusted by end-users can be used by an attacker to transport an attack to the end user. By clicking a link of the trusted website, the end user actually executes a code written by an attacker in another web application or web site. This way, an attacker can disclose the session details, attack the end users machine and provide incorrect content and fool the end user.

Fifth - Buffer Overflows. This is one of the very common and familiar types of attack. This is not common only for web application but also for operating systems. For web applications, an attacker may send a chunk of data which crashes the web application and taken control of some of it’s processes. There are some programming and scripting languages that does not validate whether the data stream id too much and it can crash the web application (Ex: CGI, libraries, drivers and web application server components).