The Open Web Application Security Project (OWASP) Foundation, the not-for-profit organisation focused on improving software security, publishes a list of the top web application vulnerabilities and what to do about them. Here are 10 of the most common.
1. Unvalidated inputs
Definition: Not checking, on the server, whether the text a user submits in a field is appropriate for that field before the application acts on it.
Problem: Attackers use these fields to submit crafted input (command fragments, query syntax, oversized values) that probes for vulnerabilities and, where the input reaches an interpreter or a fixed-size buffer unchecked, gains access.
What you can do: Validate every field against an allowlist of what is legitimate for it (for example, digits only and exactly the expected length for a post code field) and reject everything else. Do this on the server, because any check done in the browser can be bypassed. Where a reference set exists, such as post codes and addresses, check the input against it to confirm the information is real.
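The allowlist approach described above, as an added example in Python (not code from the OWASP page): each field has a whole-value pattern and a length cap, the length is checked before the pattern so oversized input is cheap to reject, and a field with no rule is refused rather than passed through. The field names and rules are assumptions for the example.

```python
import re

# Allowlist rules per field (assumed for this example). "pattern" must match the
# whole value; "max_len" is checked first; "upper" normalises case before matching.
FIELD_RULES = {
    "zip":         {"pattern": r"[0-9]{5}", "max_len": 5, "upper": False},
    "uk_postcode": {"pattern": r"[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}",
                    "max_len": 8, "upper": True},
    "quantity":    {"pattern": r"[1-9][0-9]{0,3}", "max_len": 4, "upper": False},
}


def validate_field(name, raw):
    """Return (ok, cleaned_value_or_reason). Anything outside the allowlist fails."""
    rule = FIELD_RULES.get(name)
    if rule is None:
        return False, "unknown field"          # deny by default
    if not isinstance(raw, str):
        return False, "not a string"
    value = raw.strip()
    if rule["upper"]:
        value = value.upper()
    if len(value) > rule["max_len"]:
        return False, "too long"
    # re.fullmatch, not re.match or a trailing "$": "$" still accepts a trailing
    # newline, and match() only anchors the start.
    if not re.fullmatch(rule["pattern"], value):
        return False, "contains characters not allowed for this field"
    return True, value


def validate_form(form):
    """Validate every submitted field; return (cleaned, errors) dicts."""
    cleaned, errors = {}, {}
    for name, raw in form.items():
        ok, result = validate_field(name, raw)
        (cleaned if ok else errors)[name] = result
    return cleaned, errors


if __name__ == "__main__":
    # Constructed sample submission: one good value, one injection attempt.
    print(validate_form({"zip": "90210", "quantity": "1; DROP TABLE orders"}))
```

Free-text fields (names, comments) cannot be locked down this tightly; for those, the length cap still applies, and the defence moves to encoding the value wherever it is later used.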
2. Broken access control
Definition: Access controls determine what a logged-in user is allowed to see and do within their own account, and block access to other users' accounts and data.
Problem: About half of all websites have serious access control flaws, largely because authorisation is not tested properly during development: the application checks that the user is logged in but not that the record being requested belongs to them.
What you can do: Enforce the ownership check on the server for every request, deny by default, and test it: log in as one user, then try every route to another user's data (changing IDs in URLs and form fields, calling administrative functions directly) and confirm that each attempt is refused.
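The flaw and the fix side by side, as an added Python example that is not from the OWASP page: the vulnerable lookup trusts the order ID in the request, the hardened one refuses any record the caller does not own (with the same response for "not yours" and "does not exist", so IDs cannot be enumerated), and a test sweep walks a range of IDs as one user the way the paragraph above recommends. The order data is constructed for the example.

```python
# Constructed sample data: orders owned by two different users.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob",   "total": 99.50},
    1003: {"owner": "alice", "total": 7.25},
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for something that is not theirs."""


def get_order_vulnerable(user, order_id):
    """Authentication happened; authorisation did not. Any logged-in user can read
    any order simply by changing the id in the URL."""
    return ORDERS[order_id]


def get_order(user, order_id):
    """Deny by default: an unknown id and another user's id get the same refusal."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        raise Forbidden(f"{user} may not read order {order_id}")
    return order


def leaked_orders(fetch, user, id_range):
    """Test helper: walk every id as `user` and list the ones that came back
    belonging to someone else. Run this in testing, never ship it as a feature."""
    leaks = []
    for oid in id_range:
        try:
            order = fetch(user, oid)
        except (Forbidden, KeyError):
            continue
        if order["owner"] != user:
            leaks.append(oid)
    return leaks


if __name__ == "__main__":
    print("vulnerable:", leaked_orders(get_order_vulnerable, "alice", range(1000, 1010)))
    print("hardened:  ", leaked_orders(get_order, "alice", range(1000, 1010)))
```

The same check has to exist on every path to the data (API endpoints, export jobs, admin screens), which is why it belongs in the data access layer rather than in each page handler.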
3. Broken authentication and session management
Definition: After logging in to a website with a user name and password, you receive a session cookie that works like a hand stamp at a night club: it identifies you on every subsequent request so you are not asked to log in again.
Problem: Companies sometimes write their own authentication or session handling and get it subtly wrong (predictable session IDs, an ID that stays the same across login, cookies sent over plain HTTP), which lets an attacker guess or steal the session ID and use it to act as the legitimate user.
What you can do: Use the authentication and session mechanisms built into your application framework rather than inventing your own; serve the whole site over TLS (the successor to SSL) so session cookies cannot be read in transit; mark the cookie Secure and HttpOnly; issue a new session ID at login; and expire sessions after a period of inactivity.
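A minimal session store that follows the advice above, as an added Python example (not code from the OWASP page or any framework): IDs come from the operating system's CSPRNG, a fresh ID is issued at login and the pre-login one is destroyed so a planted ID cannot be reused, sessions expire, and the Set-Cookie value carries the Secure, HttpOnly and SameSite attributes. The cookie name, time-to-live and the in-memory dictionary are assumptions for the example; a real deployment would use the framework's own session support.

```python
import secrets
import time

SESSION_TTL = 30 * 60      # idle lifetime in seconds (assumed value for this example)
COOKIE_NAME = "sid"        # assumed cookie name


class SessionStore:
    def __init__(self):
        self._sessions = {}    # token -> {"user": str | None, "expires": float}

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not random()

    def create(self, now=None):
        """Anonymous pre-login session (for example, a shopping basket)."""
        now = time.time() if now is None else now
        token = self._new_token()
        self._sessions[token] = {"user": None, "expires": now + SESSION_TTL}
        return token

    def login(self, old_token, user, now=None):
        """Caller has already verified the password. Issue a fresh ID and destroy
        the old one so an ID set before login (session fixation) is useless."""
        now = time.time() if now is None else now
        self._sessions.pop(old_token, None)
        token = self._new_token()
        self._sessions[token] = {"user": user, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        """Return the session record, or None if unknown or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None or session["expires"] < now:
            self._sessions.pop(token, None)
            return None
        session["expires"] = now + SESSION_TTL     # sliding idle timeout
        return session

    def user_for(self, token, now=None):
        session = self.lookup(token, now)
        return None if session is None else session["user"]

    def logout(self, token):
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value: only over TLS (Secure), unreadable by page script (HttpOnly),
    not sent on cross-site requests (SameSite), and no Expires so it dies with the browser."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    tok = store.login(anon, "alice")
    print(session_cookie(tok))
```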
4. Cross-site scripting
Definition: When an attacker gets script or HTML into a page that the site then serves to other users, for example through a comment field or a search term echoed back in the results page, so that the script runs in the victims' browsers with their session.
Problem: The injected script can read the victim's session cookie, perform actions as the victim, or rewrite the page to capture credentials.
What you can do: Encode every piece of user-supplied data at the point it is written into a page, using the encoding for the context it lands in (HTML body, attribute, URL, script), so it is displayed as text rather than interpreted as markup. Input validation helps as a second line of defence: make sure every text field accepts only the characters and length suitable for that field (five digits, and five digits only, in a ZIP code field), but fields that must accept free text cannot be restricted that way, so validation alone does not stop cross-site scripting.
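Context-aware output encoding from the paragraph above, as an added Python example (not from the OWASP page): the same untrusted comment is placed in an element body, an attribute, a URL and an inline script block, each with the treatment that context needs, beside the raw concatenation the page warns about. The page layout and field names are assumptions for the example; the sample comment is constructed.

```python
import html
import json


def render_comment(author, text, profile_url):
    """Untrusted values in four HTML contexts, each encoded for where it lands."""
    # 1. Element body: & < > " ' become entities, so no tag can start.
    body = html.escape(text)
    # 2. Attribute value: same escape, and always written inside double quotes,
    #    so a value such as  " onmouseover="...  cannot break out of the attribute.
    title = html.escape(author, quote=True)
    # 3. URL attribute: escaping does not neutralise javascript: URLs, so the
    #    scheme is allowlisted first and anything else is replaced.
    if profile_url.lower().startswith(("http://", "https://")):
        href = html.escape(profile_url, quote=True)
    else:
        href = "#"
    # 4. Data inside an inline script: serialise as JSON, then escape "<" so a
    #    "</script>" inside the string cannot close the script element early.
    data = json.dumps({"author": author, "text": text}).replace("<", "\\u003c")
    return (
        f'<div class="comment" title="{title}">'
        f'<a href="{href}">{title}</a>: {body}</div>\n'
        f"<script>var comment = {data};</script>"
    )


def render_comment_vulnerable(author, text, profile_url):
    """Raw concatenation: whatever the user typed becomes markup."""
    return f'<div title="{author}"><a href="{profile_url}">{author}</a>: {text}</div>'


if __name__ == "__main__":
    # Constructed hostile comment.
    print(render_comment("eve", "<script>alert(1)</script>", "javascript:alert(1)"))
```

A template engine that escapes by default does step 1 and 2 for you; steps 3 and 4 still need deliberate handling, which is where most escaping-based defences fail.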
5. Buffer overflow
Definition: A flaw in which the application copies more data into a fixed-size memory buffer than it can hold, so the excess overwrites adjacent memory.
Problem: By controlling what gets overwritten, an attacker can crash the application or run code of their choosing on the application server, gaining access to all the data that the server manages.
What you can do: Move away from C and C++, where bounds checking is left to the programmer and is the usual source of these bugs, to memory-safe languages such as Java or the .NET languages, which check array bounds at runtime. If you must use C or C++, use length-bounded library calls, enable the compiler's stack protection and other overflow mitigations, and run static analysis tools to find overflow vulnerabilities before release.