The top 10 web vulnerabilities… and what to do about them

A handy primer on the most common web vulnerabilities


The Open Web Application Security Project (OWASP) Foundation, the not-for-profit organisation focused on improving software security, has a list of the top Web application vulnerabilities and what to do about them. Here are 10 of the most common.

1. Unvalidated inputs

Definition: Not checking whether text a user types into a field on a website is appropriate for that field.

Problem: Hackers use these fields to type commands that allow them to scan for vulnerabilities and gain access.

What you can do: Validate that each field accepts only those characters that are common for that field (such as numbers for a post code field) and that the input is an appropriate length. Run the inputs against a small library of post codes and addresses to confirm that the information is valid.
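As an added illustration of the advice above (example code written for this primer, not from OWASP), the following Python implements per-field allowlist validation: each field gets a pattern of permitted characters and a length range, and a post code is also checked against a reference list. The field names, rules and the `KNOWN_POSTCODES` set are constructed stand-ins, not real data.

```python
import re

# Constructed reference data standing in for the "small library of post codes"
# the text mentions; these values are made up for the example.
KNOWN_POSTCODES = {"2000", "3000", "4000"}

# Allowlist rules per field: (pattern of permitted characters, min length, max length).
# Rejecting anything outside the allowlist is safer than trying to spot "bad" input.
FIELD_RULES = {
    "postcode": (re.compile(r"[0-9]+"), 4, 4),          # digits only, exactly four
    "name": (re.compile(r"[A-Za-z' \-]+"), 1, 60),      # letters, apostrophe, space, hyphen
    "quantity": (re.compile(r"[0-9]+"), 1, 4),          # digits only, at most four
}


def validate_field(field, value):
    """Return None if value is acceptable for field, otherwise a reason string."""
    if field not in FIELD_RULES:
        # Unknown fields are rejected rather than silently accepted.
        return f"unknown field {field!r}"
    pattern, min_len, max_len = FIELD_RULES[field]
    if not isinstance(value, str):
        return "value must be a string"
    if not (min_len <= len(value) <= max_len):
        return f"length must be between {min_len} and {max_len}"
    # fullmatch requires the whole value to consist of permitted characters.
    if pattern.fullmatch(value) is None:
        return "contains characters not permitted for this field"
    if field == "postcode" and value not in KNOWN_POSTCODES:
        return "postcode not found in reference list"
    return None


def validate_form(form):
    """Validate every submitted field; return a {field: reason} dict of failures."""
    errors = {}
    for field, value in form.items():
        reason = validate_field(field, value)
        if reason is not None:
            errors[field] = reason
    return errors


if __name__ == "__main__":
    # Constructed submission: one good field, one over-long field, one with markup.
    sample = {"postcode": "2000", "quantity": "12345", "name": "<b>Bob</b>"}
    print(validate_form(sample))
```

The checks run server-side on every request; client-side checks are a convenience for the user, not a control, because the browser is under the sender's control.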

2. Broken access control

Definition: Access controls determine what a user can access after logging in to his personal account and block access to other accounts.

Problem: About half of all websites have serious access problems because of poor testing during development.

What you can do: Test all possible permutations of what a user may do to try to access information that is not his own.
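As an added example (not from OWASP or the article), here is the kind of object-level check that is usually missing, alongside the permutation test the text recommends. The `ACCOUNTS` table, user names and the `ADMINS` role are constructed sample data; `get_account_unchecked` shows the broken handler, `get_account` the fixed one, and `audit_access` runs every (user, account) pair through a handler and reports the pairs a non-owner could read.

```python
# Constructed sample data for the example.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 120},
    "acct-1002": {"owner": "bob", "balance": 75},
    "acct-1003": {"owner": "alice", "balance": 9},
}
ADMINS = {"carol"}  # hypothetical support role allowed to read any account


class Forbidden(Exception):
    """Raised when the logged-in user may not read the requested account."""


def get_account_unchecked(session_user, account_id):
    """Broken handler: trusts the account identifier supplied in the request."""
    return ACCOUNTS[account_id]


def get_account(session_user, account_id):
    """Fixed handler: authorises against the logged-in user, not the request."""
    record = ACCOUNTS.get(account_id)
    # Missing and forbidden look the same to the caller, so the response does
    # not reveal which account identifiers exist.
    if record is None:
        raise Forbidden(account_id)
    if record["owner"] != session_user and session_user not in ADMINS:
        raise Forbidden(account_id)
    return record


def audit_access(handler):
    """Try every (user, account) permutation against handler.

    Returns the list of (user, account_id) pairs where a user who is neither
    the owner nor an admin was able to read the record.
    """
    users = {rec["owner"] for rec in ACCOUNTS.values()} | {"mallory"}
    leaks = []
    for user in sorted(users):
        for account_id in sorted(ACCOUNTS):
            try:
                handler(user, account_id)
            except (Forbidden, KeyError):
                continue
            allowed = ACCOUNTS[account_id]["owner"] == user or user in ADMINS
            if not allowed:
                leaks.append((user, account_id))
    return leaks


if __name__ == "__main__":
    print("unchecked handler leaks:", audit_access(get_account_unchecked))
    print("checked handler leaks:  ", audit_access(get_account))
```

The audit is the automated form of "test all possible permutations": it is cheap to run in the test suite for every handler that takes an identifier from the request, and any non-empty result is a finding.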

3. Broken authentication and session management

Definition: After logging into a website with a user name and password, you receive a cookie that works like a hand stamp at a night club, authenticating your identity as you go through the site.

Problem: Sometimes companies will customize authentication, inadvertently allowing hackers to infiltrate sessions and use the ID cookie to access the legitimate user's account.

What you can do: Rely on the built-in authentication schemes in the application; use Secure Sockets Layer (SSL) to encrypt the session.
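As an added example of what a sound session "hand stamp" looks like (written for this primer; not OWASP's or any framework's code), the Python below stores sessions server-side, issues identifiers from the operating system's cryptographic random source, expires them, and sets the cookie with the `Secure` and `HttpOnly` flags so it travels only over SSL/TLS and is not readable by page scripts. `weak_session_id` shows the kind of home-made scheme the text warns about: a counter that any observer can predict. The cookie name `sessionid`, the 15-minute lifetime and the user names are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 15 * 60          # assumed idle lifetime
_sessions = {}                         # session id -> {"user": ..., "expires": ...}
_weak_counter = 0                      # only used by the deliberately weak scheme


def weak_session_id():
    """The customised scheme to avoid: sequential ids are trivially predictable."""
    global _weak_counter
    _weak_counter += 1
    return str(_weak_counter)


def create_session(user, now=None):
    """Create a server-side session and return its unguessable identifier."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
    return sid


def user_for_session(sid, now=None):
    """Return the user bound to sid, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _sessions[sid]             # expired stamps are discarded, not honoured
        return None
    return entry["user"]


def logout(sid):
    """Invalidate the session on the server; clearing the cookie alone is not enough."""
    _sessions.pop(sid, None)


def session_cookie_header(sid):
    """Build the Set-Cookie header for sid with the protective attributes set."""
    cookie = SimpleCookie()
    cookie["sessionid"] = sid
    cookie["sessionid"]["secure"] = True       # only sent over SSL/TLS
    cookie["sessionid"]["httponly"] = True     # not exposed to document.cookie
    cookie["sessionid"]["samesite"] = "Strict" # not sent on cross-site requests
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    print("weak ids:", weak_session_id(), weak_session_id())
```

Every mainstream web framework already does this; the point of the example is to show what "rely on the built-in scheme" buys you, so that a custom replacement is judged against it.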

4. Cross-site scripting

Definition: When a hacker sends commands embedded in queries to a website.

Problem: A hacker types JavaScript into any text field, such as a change-of-address field. When a legitimate user types information into that field, the JavaScript is activated, which allows the hacker to take control of the session and grants him all the user's session rights, enabling him to move money or steal credit card numbers.

What you can do: Make sure every text field will accept only those characters and length of characters that are suitable for that field; for example, five numbers in a ZIP code field and five numbers only.
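As an added example (not from OWASP or the article), the Python below pairs the field rule from the text, a ZIP code that is exactly five digits, with the complementary control for free-text fields such as an address, where script cannot be excluded by character rules alone: the stored value is HTML-escaped at the point where it is written into the page, so any markup it contains is shown as text rather than run. The profile record and the constructed script-tag sample are made up for the example; `render_profile_unsafe` is the broken rendering and `render_profile` the corrected one.

```python
import html
import re

ZIP_RE = re.compile(r"[0-9]{5}")


def accept_zip(value):
    """Accept exactly five ASCII digits, as the text recommends for a ZIP field."""
    return isinstance(value, str) and ZIP_RE.fullmatch(value) is not None


def render_profile_unsafe(profile):
    """Broken rendering: the stored address is pasted into the HTML as-is."""
    return f"<p>Address: {profile['address']}</p>"


def render_profile(profile):
    """Fixed rendering: escape the value for HTML element content."""
    address = html.escape(profile["address"], quote=True)
    return f"<p>Address: {address}</p>"


def render_address_input(profile):
    """Fixed rendering for an attribute value: quotes must be escaped too."""
    address = html.escape(profile["address"], quote=True)
    return f'<input name="address" value="{address}">'


if __name__ == "__main__":
    # Constructed stored value containing markup, as a change-of-address field
    # might hold after an unvalidated submission.
    profile = {"zip": "90210", "address": "<script>alert(1)</script>"}
    print("zip ok:", accept_zip(profile["zip"]))
    print(render_profile_unsafe(profile))   # script tag reaches the browser intact
    print(render_profile(profile))          # shown as harmless text
```

Escape for the context the value lands in (element text, attribute, URL, script) rather than once on input; the validation rule stops bad values from being stored, and the escaping stops anything that gets stored from being executed.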

5. Buffer overflow

Definition: Allows an attacker to input more information than the buffer can manage.

Problem: Attacker can take control of application server, gaining access to all the data that the server manages.

What you can do: Move away from the C++ programming language, which is the most vulnerable, to Java or .NET languages. If you must use C++, use static analysis tools to find overflow vulnerabilities.
