The list includes the following:

  • Unvalidated parameters: In this scenario, information from Web requests isn’t validated before the Web application uses it. Attackers can use these flaws to attack back-end components through a Web application.
  • Broken access control: Organizations fail to enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions.
  • Broken account and session management: Account credentials and session tokens aren’t properly protected. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.
  • Cross-site scripting (XSS) flaws: An attacker can use the Web application as a mechanism to transport an attack to a user’s browser. A successful attack can disclose the user’s session token, attack the local machine, or spoof content to fool the user.
  • Buffer overflows: Attackers can crash Web application components in some languages that don’t properly validate input and, in some cases, use those components to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.
  • Command injection flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system might execute them on behalf of the Web application.
  • Error handling problems: Some Web applications don’t properly handle error conditions that occur during normal operation. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
  • Insecure use of cryptography: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
  • Remote administration flaws: Many Web applications let administrators access the site using a Web interface. If these administrative functions aren’t carefully protected, an attacker can gain full access to all aspects of a site.
  • Web and application server misconfiguration: Having a strong server configuration standard is critical to a secure Web application. Web and application servers have many configuration options that affect security; they aren’t secure “out of the box.”
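The unvalidated-parameter and command-injection items in the list are two views of one pattern: a request parameter reaching an external command unchecked. The Python below is an added example, not code from the original post; it puts the flawed string-building next to an allow-list check plus an argv list. The lookup tool (nslookup) and the hostname-shaped parameter are assumptions chosen for illustration.

```python
import re
import subprocess

# One DNS label: starts and ends alphanumeric, hyphens only inside, max 63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check on the request parameter: only characters that can
    appear in a hostname. Shell metacharacters, spaces and a leading '-'
    (which the tool would read as an option) are all rejected."""
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def vulnerable_command(host: str) -> str:
    """The flawed pattern: the raw parameter is spliced into a shell string.
    If this string were run with shell=True, anything after a ';' or '|' in
    `host` would be executed by the shell on behalf of the Web application."""
    return "nslookup " + host


def hardened_argv(host: str):
    """Validate first, then build an argv list. Returns None when the
    parameter fails validation so the caller can answer with a 400 error.
    A list is handed straight to execve(); no shell ever parses it."""
    if not is_valid_hostname(host):
        return None
    return ["nslookup", host]


def run_lookup(host: str) -> str:
    """Run the lookup safely; the parameter can only ever be one argument."""
    argv = hardened_argv(host)
    if argv is None:
        return "rejected: invalid hostname parameter"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate hostname and a parameter carrying a
    # second command after a semicolon (the assumed tool is not executed here).
    for param in ("example.com", "example.com; id"):
        print(repr(vulnerable_command(param)), "->", hardened_argv(param))
```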

One Response to “A list of the top 10 most critical Web application security problems”