10 Most Common Web Application Attacks1. SQL Injection
As the all-time favorite category of application attacks, injections let attackers modify a back-end statement of command through unsanitized user input. With several SQL injections can ends up making the application spit out the entire user table, including passwords.
2. Broken Authentication and Session Management
Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Several types of programming flaws that allow attackers to bypass the authentication methods that are used by an application.
3. Cross-Site Scripting
4. Insecure Direct Object References
Applications don't always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. This type of insecure direct object reference allows attackers to obtain data from the server by manipulating file names.
5. Security Misconfiguration
Security Misconfiguration arises when Security settings are defined, implemented, and maintained as defaults. Good security requires a secure configuration defined and deployed for the application, web server, database server, and platform.
6. Sensitive Data Exposure
Sensitive Data Exposure deals with a lack of data encryption in transport and at rest. If your Web applications do not properly protect sensitive data, such as credit cards or authentication credentials, attackers can steal or modify the data to conduct credit card fraud, identity theft or other crimes.
7. Missing Function Level Access Control
It covers situations in which higher-privilege functionality is hidden from a lower-privilege or unauthenticated user rather than being enforced through access controls, let hackers easily demonstrates an attack in which a lower-privilege user gains access to the administration interface or a Web application.
8. Cross-Site Request Forgery
Cross-Site Request Forgery type of attack is used in conjunction with social engineering. It allows attackers to trick users into performing actions without their knowledge. An attacker can steal money from a victim’s banking account by leveraging social media by this.
9. Using Components With Known Vulnerabilities
Attackers can easily exploit old third-party components because their vulnerabilities have been publicized, and tools and proof of concepts often allow cyber criminals to take advantage of these flaws with ease. Any script kiddie can conduct an exploit.
10. Unvalidated Redirects and Forwards
Unvalidated Redirects and Forwards category of vulnerabilities is used in phishing attacks in which the victim is tricked into navigating to a malicious site. Attackers can manipulate the URLs of a trusted site to redirect to an unwanted location.
Best defense against these attacks is to develop secure applications. Developers must be aware of how application attacks work and build software defenses right into their applications. Educating and informing developers about application vulnerabilities is the goal of the Open Web Application Security Project (OWASP).