Top 10 Common Web Application Vulnerabilities

Introduction

Web applications are a primary target for attackers. According to the OWASP Top 10, these are the most critical security risks facing web apps today. Understanding them is the first step toward building secure software. Below, we list the top 10 common vulnerabilities, with explanations and examples.

1. SQL Injection (SQLi)

SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query. Attackers can trick the application into executing unintended SQL commands.

// Vulnerable code
String query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
// If username = admin' -- , the query becomes:
SELECT * FROM users WHERE username = 'admin' -- ' AND password = ''

Mitigation: Use parameterized queries (prepared statements) or stored procedures, and validate input.

2. Cross-Site Scripting (XSS)

XSS allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, defacement, or redirects to malicious sites.

// Reflected XSS example
// URL: https://example.com/search?q=<script>alert('XSS')</script>
// The page outputs the search term without encoding.

Mitigation: Escape output, use Content Security Policy (CSP), and validate input.

3. Cross-Site Request Forgery (CSRF)

CSRF tricks an authenticated user into executing unwanted actions on a web application. For example, an attacker could forge a request to change the user’s email address.

<!-- Malicious site image that triggers a POST request -->
<img src="https://bank.com/transfer?amount=1000&to=attacker" />

Mitigation: Use anti‑CSRF tokens, SameSite cookies, and require re‑authentication for sensitive actions.

4. Broken Authentication

Weak authentication mechanisms allow attackers to compromise passwords, session tokens, or credentials. Examples: weak password policies, unencrypted credentials, session fixation.

Mitigation: Enforce strong password policies, implement multi‑factor authentication (MFA), and use secure session management.

5. Sensitive Data Exposure

Applications that don’t properly protect sensitive data (credit cards, PII, credentials) leave it vulnerable to theft. This includes transmitting data in clear text or using weak cryptography.

Mitigation: Encrypt data in transit (TLS) and at rest, avoid storing unnecessary sensitive data, and use strong, modern algorithms.

6. XML External Entities (XXE)

XXE attacks occur when XML input containing references to external entities is processed by a weakly configured XML parser. Attackers can read local files, perform SSRF, or cause denial of service.

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

Mitigation: Disable XML external entity processing, use less complex data formats (e.g., JSON), and patch XML parsers.

7. Broken Access Control

Users can act outside of their intended permissions. For example, a standard user might access admin functionality by changing a parameter.

Mitigation: Enforce access controls server‑side, deny by default, and use centralized access control mechanisms.

8. Security Misconfiguration

Default configurations, verbose error messages, unnecessary features, or outdated software can open doors for attackers.

Mitigation: Harden your environment, remove unnecessary features, and keep software updated.

9. Insecure Deserialization

Flaws in deserialization of untrusted data can lead to remote code execution, replay attacks, or privilege escalation.

Mitigation: Avoid accepting serialized objects from untrusted sources; use integrity checks (e.g., digital signatures) on serialized data.

10. Insufficient Logging & Monitoring

Without proper logging and monitoring, breaches can go undetected for months, allowing attackers to persist and cause more damage.

Mitigation: Implement centralized logging, monitor for suspicious activities, and establish incident response procedures.

Stay Vigilant

These ten vulnerabilities represent the most common entry points for attackers. By understanding and mitigating them, you can dramatically reduce your application’s risk. Regular security testing, including vulnerability assessments and penetration tests, is key to staying ahead.