Professional Documents
Culture Documents
Top 100 Web Vulnerabilities: S.No Vulnerability Root Cause Impact Mitigation Injection Vulnerabilities
Top 100 Web Vulnerabilities: S.No Vulnerability Root Cause Impact Mitigation Injection Vulnerabilities
A vulnerability that allows Session hijacking, phishing Implement strict input validation, sanitize user
Lack of proper input
Cross-Site attackers to inject malicious attacks, cookie theft, input, and use output encoding to prevent XSS
2 validation and output
Scripting (XSS) scripts into web pages defacement of web pages, or attacks. Use Content Security Policy (CSP)
encoding in web applications.
viewed by other users. malware distribution. headers to restrict the execution of scripts.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
A vulnerability that allows
Lack of proper input Implement strict input validation, use secure
attackers to manipulate XML Information disclosure, data
validation and inadequate XML parsing libraries, sanitize user input, and
6 XML Injection input to exploit weaknesses manipulation, denial of service,
XML parsing techniques in apply appropriate access controls to mitigate
in XML processing or execution of arbitrary code.
applications. XML Injection attacks.
functionality.
A vulnerability that allows
attackers to manipulate Inadequate input validation Unauthorized access to
Implement strict input validation, use
LDAP (Lightweight Directory and improper use of sensitive data, user account
7 LDAP Injection parameterized LDAP queries, and sanitize user
Access Protocol) queries unfiltered user input in LDAP compromise, or denial of
input to prevent LDAP Injection.
used for authentication and queries. service.
authorization.
A vulnerability that allows
Lack of proper input Unauthorized access to
attackers to manipulate Implement strict input validation, use
validation and inadequate sensitive data, XML data
8 XPath Injection XPath queries used for XML parameterized XPath queries, and sanitize
handling of user-controlled manipulation, or denial of
data selection and user input to prevent XPath Injection.
input in XPath queries. service.
manipulation.
A vulnerability that allows Defacement of web pages,
Inadequate input validation Implement strict input validation, sanitize user
attackers to inject malicious phishing attacks, session
9 HTML Injection and improper output input, and use output encoding to prevent
HTML code into web pages hijacking, or the execution of
encoding in web applications. HTML Injection.
viewed by other users. malicious scripts.
A vulnerability that allows
attackers to execute Inadequate input validation Unauthorized access to Implement strict input validation, use secure
Server-Side
malicious code or scripts on and improper use of sensitive data, server SSI configuration settings, and avoid using
10 Includes (SSI)
a web server by injecting unfiltered user input in SSI compromise, or the execution user-controlled input in SSI statements to
Injection
commands into Server-Side statements. of arbitrary code. prevent SSI Injection.
Include (SSI) statements.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
A vulnerability that allows Implement strict input validation, use
Lack of input validation and Unauthorized access to system
attackers to execute parameterized system commands, sanitize
OS Command improper handling of user- resources, data leakage, system
11 arbitrary operating system user input, and avoid executing system
Injection controlled input in operating compromise, or execution of
commands on a target commands with user-controlled input to
system commands. arbitrary commands.
system. mitigate OS Command Injection.
A variant of SQL Injection
Inadequate input validation Implement time-based or boolean-based SQL
where attackers can infer Information leakage, data
Blind SQL and improper use of Injection detection techniques, perform
12 information from the manipulation, or unauthorized
Injection unfiltered user input in SQL regular security audits, and use parameterized
database without directly access to sensitive data.
queries. queries to prevent Blind SQL Injection.
viewing it.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
A cyberattack where an Insecure transmission of
Implement secure session management, use
attacker gains unauthorized session tokens, session Unauthorized access to user
Session HTTPS, enforce the use of secure cookies, and
16 access to a user's session by fixation vulnerabilities, or accounts, data theft, privilege
Hijacking regularly rotate session IDs to prevent Session
stealing or guessing their weak session management escalation, or impersonation.
Hijacking attacks.
session ID. practices.
Weak or predictable Implement strong password policies, use
A technique used to uncover
passwords, inadequate password hashing algorithms with salting,
passwords by systematically Account compromise, data
Password password policies, or enforce regular password changes, and
17 trying all possible theft, unauthorized access, or
Cracking insufficient encryption educate users about creating strong and
combinations until the privilege escalation.
techniques to protect stored unique passwords to prevent Password
correct one is found.
passwords. Cracking attacks.
A vulnerability that arises Implement strong encryption methods such as
Lack of encryption,
when passwords are stored Account compromise, data bcrypt or Argon2 for password hashing,
Weak Password inadequate hashing
18 in an insecure manner, such breach, unauthorized access, or enforce the use of salt, and securely store
Storage algorithms, or improper
as plaintext or with weak identity theft. passwords in hashed form to prevent Weak
storage practices.
encryption methods. Password Storage vulnerabilities.
Implement multi-factor authentication, use
A vulnerability that occurs Lack of multi-factor
strong encryption for authentication data,
when authentication authentication, weak Account compromise,
Insecure enforce secure authentication protocols (such
19 mechanisms are not authentication protocols, or unauthorized access, data
Authentication as OAuth), and regularly audit authentication
properly implemented or improper session breaches, or identity theft.
mechanisms to prevent Insecure
enforced. management.
Authentication vulnerabilities.
A cyberattack where an Insecure transmission of
Implement secure cookie handling practices,
attacker steals a user's cookies, session fixation Unauthorized access to user
use HTTPS, enforce HttpOnly and Secure flags
20 Cookie Theft cookies, often through vulnerabilities, or XSS accounts, session hijacking, data
for cookies, and regularly rotate session IDs to
techniques like session vulnerabilities in web theft, or impersonation.
prevent Cookie Theft attacks.
hijacking or XSS attacks. applications.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
A vulnerability that arises Poor password management Educate users about the risks of credential
Account compromise, data
when users reuse the same practices, lack of awareness reuse, enforce strong password policies,
Credential breaches, identity theft, or
21 username and password about the risks of credential encourage the use of password managers, and
Reuse unauthorized access to multiple
across multiple accounts or reuse, or inadequate security implement multi-factor authentication to
accounts.
services. education. mitigate Credential Reuse vulnerabilities.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Implement encryption for data at rest (e.g.,
using full-disk encryption, database
A vulnerability that arises Failure to implement Unauthorized access to
encryption), enforce encryption policies, use
when data is stored without encryption mechanisms, lack sensitive data, data breaches,
Unencrypted secure key management practices, regularly
25 encryption, making it of awareness about data exposure of confidential
Data Storage assess data storage systems, and educate
susceptible to unauthorized security best practices, or information, or regulatory non-
personnel on the importance of data
access or theft. inadequate security controls. compliance.
encryption to mitigate Unencrypted Data
Storage vulnerabilities.
Implement appropriate security headers in
A vulnerability where critical Inadequate configuration of
web server configurations, use automated
security headers, such as web servers, lack of Increased risk of XSS attacks,
tools to scan for missing headers, configure
Missing Security Content-Security-Policy awareness about security clickjacking, data breaches, or
26 web application firewalls (WAFs) to enforce
Headers (CSP) or X-Frame-Options, headers, or failure to unauthorized access to sensitive
security policies, and regularly audit web
are absent from web implement security best information.
applications to identify and address Missing
responses. practices.
Security Headers vulnerabilities.
Security Misconfiguration
Implement strong password policies, enforce
A vulnerability where Failure to change default password complexity requirements, use
Unauthorized access, data
default or weak passwords passwords, lack of password password managers, regularly rotate
Default breaches, privilege escalation,
28 are used for authentication, complexity requirements, or passwords, educate users on password
Passwords or compromise of sensitive
making systems susceptible inadequate password security best practices, and conduct regular
information.
to unauthorized access. management practices. audits to identify and change default or weak
passwords.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Implement strong authentication
mechanisms, enforce least privilege access,
A vulnerability arising from Lack of proper authentication Unauthorized access to
use role-based access control (RBAC),
inadequate access controls, mechanisms, insufficient sensitive data, data breaches,
Improper regularly review and update access control
32 allowing unauthorized users authorization checks, or privilege escalation, or
Access Controls policies, conduct access control audits, and
to gain access to sensitive misconfigured access control compromise of system
employ security testing techniques to identify
resources or data. lists (ACLs). integrity.
and remediate Improper Access Controls
vulnerabilities.
Implement data encryption, enforce strict
A vulnerability that occurs Inadequate data protection access controls, use data anonymization
Breach of privacy, loss of
when sensitive information measures, weak access techniques, conduct regular data audits,
Information sensitive information, financial
33 is inadvertently disclosed or controls, or improper provide security awareness training, and
Disclosure damage, reputation loss, or
exposed to unauthorized handling of sensitive establish incident response procedures to
regulatory penalties.
users. information. prevent and mitigate Information Disclosure
vulnerabilities.
Implement a robust patch management
Neglecting patch program, prioritize critical security patches,
A vulnerability resulting Exploitation of known
management processes, lack automate patch deployment where possible,
from failure to apply security vulnerabilities, malware
Unpatched of awareness about available conduct vulnerability assessments and patch
34 patches or updates, leaving infections, data breaches, or
Software patches, or operational compliance checks, monitor vendor
systems vulnerable to compromise of system
constraints preventing advisories, and establish procedures to quickly
known exploits. integrity.
patching. remediate Unpatched Software
vulnerabilities.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
XML-Related Vulnerabilities
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Missing Function-Level Inadequate access control Unauthorized access to Implement granular access controls, enforce
Access Control (MFAC) mechanisms, insufficient sensitive functionalities or proper authorization checks for each function
Missing
occurs when an application validation of user operations, manipulation of or operation, use role-based access controls
44 Function-Level
fails to properly enforce permissions, or improper critical system functionalities, (RBAC), conduct thorough security
Access Control
access controls on specific configuration of authorization or exposure of confidential assessments, perform code reviews to identify
functions or operations. policies. data. and remediate MFAC vulnerabilities.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Insecure Deserialization
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
API Security Issues
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Implement rigorous input validation and
sanitization routines, validate input data
Inadequate Input Validation Lack of input validation against predefined criteria and whitelists, use
Injection attacks (e.g., SQL
occurs when input data checks, accepting and parameterized queries for database
Inadequate injection, XSS), data corruption,
51 received by an API is not processing user-supplied data interactions, escape or encode output data,
Input Validation security vulnerabilities, or
properly validated for without validation, trusting employ web application firewalls (WAFs) and
unexpected behavior.
correctness or security. input from untrusted sources. intrusion detection/prevention systems
(IDS/IPS), educate developers on secure
coding practices.
Insecure Communication
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Configure SSL/TLS settings securely, use
Insecure SSL/TLS
Weak cipher suites, improper strong cipher suites with perfect forward
Configuration refers to Exposure of sensitive data to
SSL/TLS protocol versions, secrecy (PFS), enable HSTS and secure
Insecure improperly configured interception, man-in-the-
lack of forward secrecy, renegotiation, ensure proper certificate
54 SSL/TLS SSL/TLS settings, leaving the middle attacks, decryption of
incomplete certificate chain, management and validation, enable OCSP
Configuration communication channel encrypted traffic, or
weak or self-signed stapling, implement TLS termination at load
vulnerable to attacks or compromise of server integrity.
certificates. balancers or reverse proxies, conduct regular
exploitation.
security assessments and audits.
Insecure Communication Use secure communication protocols (e.g.,
Use of outdated or insecure
Protocols involve the use of Exposure of sensitive data to HTTPS, SSH, SFTP), enforce encryption and
protocols (e.g., HTTP, Telnet),
Insecure protocols that lack proper interception, sniffing attacks, authentication, implement strong session
lack of encryption or
55 Communication security mechanisms, eavesdropping, session management controls, disable insecure
authentication mechanisms,
Protocols making communication hijacking, unauthorized access, protocols, employ VPNs or encrypted tunnels
inadequate session
susceptible to interception or manipulation of data. for remote access, conduct regular security
management.
or manipulation. assessments and vulnerability scans.
Client-Side Vulnerabilities
DOM-based Cross-Site
Scripting (XSS) occurs when
an attacker injects malicious Implement proper input validation and output
Improper handling of user Theft of session cookies, user
scripts into a web encoding, utilize Content Security Policy (CSP),
input, lack of output credentials, sensitive data
56 DOM-based XSS application's Document sanitize user input, avoid client-side rendering
encoding, client-side exposure, unauthorized actions
Object Model (DOM), of untrusted data, use security libraries and
processing of untrusted data. on behalf of the user.
leading to the execution of frameworks for input validation and encoding.
unauthorized code in the
victim's browser.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Insecure Cross-Origin
Communication occurs Lack of proper Cross-Origin
Implement strict CORS policies, use CSRF
when web applications allow Resource Sharing (CORS) Unauthorized access to
tokens and anti-CSRF mechanisms, enforce
Insecure Cross- communication between configuration, relaxed Same- sensitive data, leakage of
proper authentication and authorization
57 Origin different origins (domains) Origin Policy (SOP), confidential information, cross-
controls, validate and sanitize data from cross-
Communication without proper security insufficient authentication site request forgery (CSRF), or
origin sources, minimize the exposure of
controls, leading to data and authorization manipulation of user sessions.
sensitive APIs.
leakage or unauthorized mechanisms.
access.
Browser Cache Poisoning
occurs when attackers Lack of cache validation Implement proper cache validation and cache-
Delivery of malicious content,
manipulate or poison the mechanisms, improper cache- control headers, use secure and updated
Browser Cache injection of unauthorized scripts
58 cache of a web browser, control headers, reliance on caching mechanisms, enforce HTTPS,
Poisoning or code, exploitation of user
leading to the serving of outdated or vulnerable implement strict Content Security Policy (CSP),
trust in cached resources.
malicious or unauthorized caching mechanisms. regularly monitor and audit cache behavior.
content to users.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Inadequate Session Timeout
refers to the failure to
Configure appropriate session timeout values
terminate user sessions Unauthorized access to user
based on application requirements, enforce
after a period of inactivity, Lack of session management accounts or data, session
Inadequate session expiration mechanisms, implement
leaving sensitive session controls, insufficient session hijacking, privilege escalation,
72 Session session invalidation on user logout or browser
data exposed to timeout settings, insecure exposure of sensitive
Timeout close, use secure session tokens and cookies,
unauthorized access or session token handling. information, compromised user
conduct regular security audits and
hijacking attacks, privacy.
monitoring.
compromising user privacy
and security.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Business Logic
Vulnerabilities stem from
flaws or weaknesses in the
Financial losses, fraudulent Perform comprehensive threat modeling and
design, implementation, or Insecure business logic
transactions, unauthorized data risk assessment, validate and enforce business
configuration of business design, lack of input
Business Logic access or manipulation, logic rules, implement proper input validation
74 logic processes within web validation or enforcement,
Vulnerabilities disruption of business and authorization checks, conduct security
applications, enabling improper authorization or
operations, reputational testing and code reviews, monitor and audit
attackers to manipulate access controls.
damage. business processes and transactions.
business workflows or
transactions for malicious
purposes.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Mobile Web Vulnerabilities
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Mobile app reverse
Apply code obfuscation techniques to make
engineering involves the
reverse engineering difficult, use binary
process of decompiling,
Lack of obfuscation, weak Exposure of proprietary protection tools, implement runtime
analyzing, and
Mobile App code protection, insecure algorithms or intellectual application self-protection (RASP), avoid
understanding the inner
79 Reverse storage of sensitive data or property, theft of sensitive data hardcoding sensitive information, encrypt
workings of a mobile
Engineering credentials, reliance on client- or credentials, unauthorized sensitive data, use secure authentication and
application to uncover
side security controls. app modifications. authorization, conduct security testing and
vulnerabilities, extract
code reviews, monitor app behavior for
sensitive information, or
suspicious activities.
modify its behavior.
IoT Web Vulnerabilities
Insecure IoT device
management refers to
Poorly implemented Implement secure management interfaces
vulnerabilities in the Unauthorized access to IoT
management interfaces, lack with strong authentication (e.g., multi-factor
Insecure IoT management interfaces or devices, compromise of device
of secure authentication authentication), enforce access controls, use
80 Device protocols of IoT devices, functionality, data breaches,
mechanisms, inadequate secure communication protocols (e.g., TLS),
Management allowing unauthorized unauthorized data collection or
access controls, insecure regularly update device firmware, conduct
access, manipulation, or manipulation.
communication protocols. security assessments and penetration testing.
control of the devices and
associated data.
Weak authentication on IoT
devices refers to Use strong, unique passwords for device
Default or hardcoded
vulnerabilities in the Unauthorized access to IoT authentication, enforce password complexity
credentials, lack of password
Weak authentication mechanisms devices, unauthorized control and expiration policies, implement multi-
policies, absence of multi-
81 Authentication used by IoT devices, making or manipulation of device factor authentication, disable default accounts
factor authentication,
on IoT Devices it easier for attackers to functionality, data breaches, and passwords, encrypt authentication
inadequate session
bypass or brute-force privacy violations. credentials, periodically review and update
management.
authentication and gain authentication mechanisms.
unauthorized access.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Authentication Bypass
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Server-Side Request Forgery (SSRF)
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Content Spoofing
X-Content-Type-Options
bypass refers to
vulnerabilities that allow Improper configuration of the Ensure the X-Content-Type-Options header is
attackers to bypass the X- X-Content-Type-Options Potential security risks such as properly configured with the "nosniff"
X-Content-Type- Content-Type-Options header, allowing attackers to MIME sniffing, content directive, use strong content-type validation
90
Options Bypass header, which is intended to manipulate or circumvent the spoofing, XSS attacks, and data on the server side, and employ additional
prevent MIME type sniffing protection provided by the leakage. security mechanisms such as Content Security
and force the browser to header. Policy (CSP).
respect the declared content
type.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Business Logic Flaws
Inconsistent validation
Implement consistent validation mechanisms
vulnerabilities occur when Inadequate implementation Potential security risks such as
across all input points, use centralized
input data is not consistently of validation logic, failure to injection attacks, data
Inconsistent validation libraries or functions, enforce strict
92 validated across different enforce consistent validation tampering, privilege escalation,
Validation input validation rules, and conduct thorough
parts of an application, standards across all input and unauthorized access to
security testing to identify and address
leading to varying levels of points. sensitive data.
inconsistencies.
security checks.
Order processing
Weak or insecure Implement strong authentication and
vulnerabilities occur when Potential security risks such as
authentication and authorization controls, enforce strict
Order an application's order unauthorized order
authorization mechanisms, validation of order-related data, apply role-
94 Processing management system is modification, data tampering,
inadequate validation of based access controls, monitor and log order
Vulnerabilities susceptible to exploitation, financial loss, and reputational
order-related data, lack of processing activities, and conduct regular
manipulation, or damage.
proper access controls. security assessments and audits.
unauthorized access.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Price manipulation
Weak or inadequate access Implement strong access controls to restrict
vulnerabilities involve
controls, lack of proper Potential security risks such as access to price-related functionalities, validate
unauthorized modifications
Price validation and verification of financial loss, revenue leakage, and verify price-related data inputs, monitor
95 or alterations to product
Manipulation price-related data, customer dissatisfaction, and and log price modification activities, and
prices, often leading to
insufficient monitoring and reputational damage. implement anomaly detection mechanisms to
financial losses or fraudulent
logging. identify suspicious price changes.
activities.
Account enumeration
Implement uniform error handling to avoid
vulnerabilities occur when Differential error messages,
Potential security risks such as differential responses, ensure consistent
an attacker can determine inconsistent response times,
Account unauthorized access, credential response times for valid and invalid requests,
96 the validity of user accounts predictable user identifiers or
Enumeration stuffing attacks, brute force use random or non-sequential user identifiers,
or credentials through account enumeration
attacks, and account takeover. and implement account lockout mechanisms
various techniques or endpoints.
to prevent brute force attacks.
methods.
Kumar MS
Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Zero-Day Vulnerabilities
Kumar MS