Top 100 Web Vulnerabilities

S.No Vulnerability Definition Root Cause Impact Mitigation

Injection Vulnerabilities

A type of security Inadequate input validation Unauthorized access to

Use parameterized queries or prepared
vulnerability that allows and improper use of SQL sensitive data, data
SQL Injection statements to prevent SQL Injection.
1 attackers to manipulate SQL queries without manipulation, database
(SQLi) Implement input validation and sanitize user
queries executed by a web parameterization or prepared corruption, or complete system
input to filter out malicious SQL code.
application's database. statements. compromise.

A vulnerability that allows Session hijacking, phishing Implement strict input validation, sanitize user
Lack of proper input
Cross-Site attackers to inject malicious attacks, cookie theft, input, and use output encoding to prevent XSS
2 validation and output
Scripting (XSS) scripts into web pages defacement of web pages, or attacks. Use Content Security Policy (CSP)
encoding in web applications.
viewed by other users. malware distribution. headers to restrict the execution of scripts.

A vulnerability that allows Unauthorized actions

Cross-Site attackers to trick
3 Request authenticated users into
Forgery (CSRF) executing unintended
actions on web applications.
Implement CSRF tokens, validate and compare
Lack of CSRF tokens or performed by authenticated
request tokens, use anti-CSRF tokens in forms,
inadequate validation of users without their consent,
and employ same-site cookie attributes to
requests. such as fund transfers or
mitigate CSRF attacks.
account deletions.

Implement strict input validation, perform

A vulnerability that allows Insecure input validation, lack Complete compromise of the
regular security updates and patches, apply
Remote Code attackers to execute of proper access controls, and target system, unauthorized
4 the principle of least privilege, and employ
Execution (RCE) arbitrary code on a target vulnerabilities in software data access, data manipulation,
network segmentation to mitigate RCE
system remotely. components or services. or installation of malware.
attacks.
Implement strict input validation, use
A vulnerability that allows Inadequate input validation Unauthorized access to system parameterized queries or prepared
Command attackers to execute and improper handling of resources, data leakage, system statements, sanitize user input, and avoid
5
Injection arbitrary system commands user-controlled input in compromise, or execution of executing system commands with user-
on a target system. system commands. arbitrary commands. controlled input to mitigate Command
Injection.

Kumar MS

S.No Vulnerability Definition
A vulnerability that allows
attackers to manipulate XML
6 XML Injection input to exploit weaknesses
in XML processing
functionality.
A vulnerability that allows
attackers to manipulate Inadequate input validation
LDAP (Lightweight Directory
7 LDAP Injection
Access Protocol) queries unfiltered user input in LDAP
used for authentication and
authorization.
A vulnerability that allows
attackers to manipulate
8 XPath Injection XPath queries used for XML
data selection and
manipulation.
A vulnerability that allows
Inadequate input validation
attackers to inject malicious
9 HTML Injection
HTML code into web pages
encoding in web applications.
viewed by other users.
A vulnerability that allows
attackers to execute
Server-Side
malicious code or scripts on
10 Includes (SSI)
a web server by injecting
Injection
commands into Server-Side
Include (SSI) statements.
Top 100 Web Vulnerabilities
Root Cause
Lack of proper input
validation and inadequate
XML parsing techniques in
applications.
and improper use of
queries.
Lack of proper input
validation and inadequate
handling of user-controlled
input in XPath queries.
and improper output
Inadequate input validation
and improper use of
unfiltered user input in SSI
statements.
Impact Mitigation
Implement strict input validation, use secure
Information disclosure, data
XML parsing libraries, sanitize user input, and
manipulation, denial of service,
apply appropriate access controls to mitigate
or execution of arbitrary code.
XML Injection attacks.
Unauthorized access to
Implement strict input validation, use
sensitive data, user account
parameterized LDAP queries, and sanitize user
compromise, or denial of
input to prevent LDAP Injection.
service.
Unauthorized access to
Implement strict input validation, use
sensitive data, XML data
parameterized XPath queries, and sanitize
manipulation, or denial of
user input to prevent XPath Injection.
service.
Defacement of web pages,
Implement strict input validation, sanitize user
phishing attacks, session
input, and use output encoding to prevent
hijacking, or the execution of
HTML Injection.
malicious scripts.
Unauthorized access to Implement strict input validation, use secure
sensitive data, server SSI configuration settings, and avoid using
compromise, or the execution user-controlled input in SSI statements to
of arbitrary code. prevent SSI Injection.
Kumar MS

S.No Vulnerability Definition
A vulnerability that allows
attackers to execute
OS Command
11 arbitrary operating system
Injection
commands on a target
system.
A variant of SQL Injection
where attackers can infer
Blind SQL
12 information from the
Injection
database without directly
viewing it.
A vulnerability that allows
attackers to inject malicious
Server-Side
code or templates into
13 Template
server-side template
Injection (SSTI)
engines used for dynamic
content generation.
A vulnerability that allows
an attacker to hijack a user's
14 Session Fixation session by fixing or
manipulating the session ID
before the user logs in.
A cyberattack method that
Weak password policies, lack
involves systematically
Brute Force trying all possible
15
Attack combinations of passwords
protection against automated
or keys until the correct one
is found.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Implement strict input validation, use
Lack of input validation and Unauthorized access to system
parameterized system commands, sanitize
improper handling of user- resources, data leakage, system
user input, and avoid executing system
controlled input in operating compromise, or execution of
commands with user-controlled input to
system commands. arbitrary commands.
mitigate OS Command Injection.
Inadequate input validation Implement time-based or boolean-based SQL
Information leakage, data
and improper use of Injection detection techniques, perform
manipulation, or unauthorized
unfiltered user input in SQL regular security audits, and use parameterized
access to sensitive data.
queries. queries to prevent Blind SQL Injection.
Lack of input validation and Implement strict input validation, use secure
Server compromise, data
improper handling of user- template engine configurations, and avoid
leakage, or execution of
controlled input in server- using user-controlled input in template files to
arbitrary code on the server.
side template engines. prevent Server-Side Template Injection.
Broken Authentication and Session Management
Implement secure session management
Insecure session
Unauthorized access to user practices such as using session tokens that are
management and improper
accounts, session hijacking, data regenerated upon login, enforcing HTTPS, and
handling of session
theft, or privilege escalation. validating session IDs to prevent Session
identifiers.
Fixation attacks.
Implement account lockout mechanisms,
of account lockout Account compromise, data enforce strong password policies, use multi-
mechanisms, or inadequate theft, unauthorized access, or factor authentication, and monitor for
denial of service. suspicious login attempts to mitigate Brute
login attempts. Force Attacks.
Kumar MS

S.No Vulnerability Definition
A cyberattack where an
attacker gains unauthorized
Session
16 access to a user's session by
Hijacking
stealing or guessing their
session ID.
A technique used to uncover
passwords by systematically
Password
17 trying all possible
Cracking
combinations until the
techniques to protect stored
correct one is found.
A vulnerability that arises
when passwords are stored
Weak Password
18 in an insecure manner, such
Storage
as plaintext or with weak
encryption methods.
A vulnerability that occurs
when authentication
Insecure
19 mechanisms are not
Authentication
properly implemented or
enforced.
A cyberattack where an
attacker steals a user's
20 Cookie Theft cookies, often through
techniques like session
hijacking or XSS attacks.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Insecure transmission of
Implement secure session management, use
session tokens, session Unauthorized access to user
HTTPS, enforce the use of secure cookies, and
fixation vulnerabilities, or accounts, data theft, privilege
regularly rotate session IDs to prevent Session
weak session management escalation, or impersonation.
Hijacking attacks.
practices.
Weak or predictable Implement strong password policies, use
passwords, inadequate password hashing algorithms with salting,
Account compromise, data
password policies, or enforce regular password changes, and
theft, unauthorized access, or
insufficient encryption educate users about creating strong and
privilege escalation.
unique passwords to prevent Password
passwords. Cracking attacks.
Implement strong encryption methods such as
Lack of encryption,
Account compromise, data bcrypt or Argon2 for password hashing,
inadequate hashing
breach, unauthorized access, or enforce the use of salt, and securely store
algorithms, or improper
identity theft. passwords in hashed form to prevent Weak
storage practices.
Password Storage vulnerabilities.
Implement multi-factor authentication, use
Lack of multi-factor
strong encryption for authentication data,
authentication, weak Account compromise,
enforce secure authentication protocols (such
authentication protocols, or unauthorized access, data
as OAuth), and regularly audit authentication
improper session breaches, or identity theft.
mechanisms to prevent Insecure
management.
Authentication vulnerabilities.
Insecure transmission of
Implement secure cookie handling practices,
cookies, session fixation Unauthorized access to user
use HTTPS, enforce HttpOnly and Secure flags
vulnerabilities, or XSS accounts, session hijacking, data
for cookies, and regularly rotate session IDs to
vulnerabilities in web theft, or impersonation.
prevent Cookie Theft attacks.
applications.
Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

A vulnerability that arises Poor password management Educate users about the risks of credential
Account compromise, data
when users reuse the same practices, lack of awareness reuse, enforce strong password policies,
Credential breaches, identity theft, or
21 username and password about the risks of credential encourage the use of password managers, and
Reuse unauthorized access to multiple
across multiple accounts or reuse, or inadequate security implement multi-factor authentication to
accounts.
services. education. mitigate Credential Reuse vulnerabilities.

Sensitive Data Exposure

A vulnerability that occurs
when sensitive data is not
Inadequate adequately encrypted,
22
Encryption making it vulnerable to
unauthorized access or
theft.
A vulnerability where an
Insecure Direct
attacker can access and
Object
23 manipulate unauthorized
References
data objects directly via
(IDOR)
object references.
A vulnerability that occurs
when sensitive data is
24 Data Leakage inadvertently disclosed or
exposed to unauthorized
parties.
Implement strong encryption algorithms (e.g.,
AES), use secure encryption protocols (e.g.,
Lack of encryption protocols, Data breaches, unauthorized
TLS/SSL), enforce proper key management
weak encryption algorithms, access to sensitive information,
practices, and regularly audit encryption
or improper key or exposure of confidential
mechanisms to ensure adequate protection of
management. data.
sensitive data against Inadequate Encryption
vulnerabilities.
Implement proper access controls, perform
Improper access control input validation and authorization checks, use
mechanisms, lack of Unauthorized access to unique and unpredictable identifiers for
validation or authorization sensitive data, exposure of objects, enforce the principle of least
checks on object references, confidential information, or privilege, and conduct thorough security
or predictable object compromise of user privacy. assessments to identify and mitigate Insecure
identifiers. Direct Object References (IDOR)
vulnerabilities.
Implement robust access controls, use
Inadequate data protection
Breach of privacy, loss of encryption for sensitive data, employ data loss
measures, weak access
sensitive information, financial prevention (DLP) solutions, regularly audit
controls, or improper
damage, reputation loss, or data handling processes, and provide security
handling of sensitive
regulatory penalties. awareness training to prevent Data Leakage
information.
vulnerabilities.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Implement encryption for data at rest (e.g.,
using full-disk encryption, database
A vulnerability that arises Failure to implement Unauthorized access to
encryption), enforce encryption policies, use
when data is stored without encryption mechanisms, lack sensitive data, data breaches,
Unencrypted secure key management practices, regularly
25 encryption, making it of awareness about data exposure of confidential
Data Storage assess data storage systems, and educate
susceptible to unauthorized security best practices, or information, or regulatory non-
personnel on the importance of data
access or theft. inadequate security controls. compliance.
encryption to mitigate Unencrypted Data
Storage vulnerabilities.
Implement appropriate security headers in
A vulnerability where critical Inadequate configuration of
web server configurations, use automated
security headers, such as web servers, lack of Increased risk of XSS attacks,
tools to scan for missing headers, configure
Missing Security Content-Security-Policy awareness about security clickjacking, data breaches, or
26 web application firewalls (WAFs) to enforce
Headers (CSP) or X-Frame-Options, headers, or failure to unauthorized access to sensitive
security policies, and regularly audit web
are absent from web implement security best information.
applications to identify and address Missing
responses. practices.
Security Headers vulnerabilities.

Implement strict file upload validation,

A vulnerability that occurs
Lack of input validation, Unauthorized file uploads, enforce file type restrictions, use secure file
when applications handle
Insecure File insufficient file permissions, execution of malicious code, permissions, employ sandboxing or isolation
27 files in an insecure manner,
Handling or improper file processing data breaches, or compromise techniques for file execution, and regularly
allowing attackers to upload
mechanisms. of system integrity. update and patch file handling libraries to
or execute malicious files.
mitigate Insecure File Handling vulnerabilities.

Security Misconfiguration
Implement strong password policies, enforce
A vulnerability where Failure to change default password complexity requirements, use
Unauthorized access, data
default or weak passwords passwords, lack of password password managers, regularly rotate
Default breaches, privilege escalation,
28 are used for authentication, complexity requirements, or passwords, educate users on password
Passwords or compromise of sensitive
making systems susceptible inadequate password security best practices, and conduct regular
information.
to unauthorized access. management practices. audits to identify and change default or weak
passwords.

Kumar MS

S.No Vulnerability Definition
A vulnerability that occurs
when a web server exposes
29 Directory Listing the contents of directories, directory access restrictions,
allowing unauthorized users or misconfigured directory
to browse files.
A vulnerability where APIs
lack proper authentication
Unprotected
30 or access controls, enabling
API Endpoints
attackers to interact with
them without authorization.
A vulnerability where
unnecessary ports and
Open Ports and services are left open on
31
Services systems, increasing the
attack surface and risk of
exploitation.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Disable directory indexing, configure proper
Improper server
Exposure of sensitive files, directory access permissions, use default
configurations, lack of
disclosure of confidential index files, implement secure server
information, or unauthorized configurations, and regularly scan web servers
access to directory contents. for directory listing vulnerabilities to prevent
indexing settings.
unauthorized access to directory contents.
Implement authentication mechanisms (e.g.,
OAuth, API keys), enforce access controls, use
Absence of authentication Unauthorized access to
encryption for API communications,
mechanisms, inadequate sensitive data, data breaches,
implement rate limiting and throttling,
access controls, or poorly leakage of confidential
regularly audit API endpoints, and employ
implemented API security information, or manipulation of
security testing techniques (e.g., penetration
measures. API functionality.
testing) to identify and remediate
Unprotected API Endpoints vulnerabilities.
Conduct port scanning and vulnerability
assessments, close unnecessary ports and
services, implement firewall rules and
Failure to close unused ports, Increased exposure to network
network segmentation, use intrusion
lack of port filtering or attacks, unauthorized access to
detection and prevention systems (IDPS),
firewall rules, or improper systems, or exploitation of
monitor network traffic, and regularly update
network configurations. vulnerabilities in open services.
and patch systems to mitigate the risks
associated with Open Ports and Services
vulnerabilities.
Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Implement strong authentication
mechanisms, enforce least privilege access,
A vulnerability arising from Lack of proper authentication Unauthorized access to
use role-based access control (RBAC),
inadequate access controls, mechanisms, insufficient sensitive data, data breaches,
Improper regularly review and update access control
32 allowing unauthorized users authorization checks, or privilege escalation, or
Access Controls policies, conduct access control audits, and
to gain access to sensitive misconfigured access control compromise of system
employ security testing techniques to identify
resources or data. lists (ACLs). integrity.
and remediate Improper Access Controls
vulnerabilities.
Implement data encryption, enforce strict
A vulnerability that occurs Inadequate data protection access controls, use data anonymization
Breach of privacy, loss of
when sensitive information measures, weak access techniques, conduct regular data audits,
Information sensitive information, financial
33 is inadvertently disclosed or controls, or improper provide security awareness training, and
Disclosure damage, reputation loss, or
exposed to unauthorized handling of sensitive establish incident response procedures to
regulatory penalties.
users. information. prevent and mitigate Information Disclosure
vulnerabilities.
Implement a robust patch management
Neglecting patch program, prioritize critical security patches,
A vulnerability resulting Exploitation of known
management processes, lack automate patch deployment where possible,
from failure to apply security vulnerabilities, malware
Unpatched of awareness about available conduct vulnerability assessments and patch
34 patches or updates, leaving infections, data breaches, or
Software patches, or operational compliance checks, monitor vendor
systems vulnerable to compromise of system
constraints preventing advisories, and establish procedures to quickly
known exploits. integrity.
patching. remediate Unpatched Software
vulnerabilities.

Kumar MS

S.No Vulnerability Definition
A vulnerability where Cross-
Origin Resource Sharing
Misconfigured (CORS) policies are
35
CORS improperly configured,
allowing unauthorized
access to resources.
A vulnerability that occurs
HTTP Security when security headers in
Headers HTTP responses are not
36
Misconfiguratio properly configured to
n protect web applications
from various attacks.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Configure CORS policies to restrict access to
Incorrect CORS policy
Unauthorized access to trusted domains, use appropriate CORS
settings, lack of
sensitive data, cross-site headers (e.g., Access-Control-Allow-Origin),
understanding of CORS
request forgery (CSRF) attacks, enforce same-origin policy, regularly audit
security implications, or
or data leakage between CORS configurations, and conduct security
misconfigured server
different origins. testing to identify and address Misconfigured
settings.
CORS vulnerabilities.
Configure security headers like Content
Security Policy (CSP), X-Content-Type-Options,
Incorrect configuration of X-Frame-Options, X-XSS-Protection, HTTP
Increased susceptibility to
security headers, lack of Strict Transport Security (HSTS), and others as
attacks such as XSS, clickjacking,
awareness about security appropriate, regularly audit HTTP headers for
or data injection, compromising
best practices, or failure to misconfigurations, and utilize automated tools
the security and integrity of
implement recommended to enforce proper security headers in web
web applications.
security controls. server configurations to mitigate HTTP
Security Headers Misconfiguration
vulnerabilities.
Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
XML-Related Vulnerabilities

XXE is a type of attack

against applications that
parse XML input. It occurs Disable external entity processing, use secure
when an attacker can XML parsers that do not resolve external
Unauthorized access to
influence the processing of Insecure XML parsers, lack of entities, perform input validation and
XML External sensitive information, leakage
XML data by including input validation, or enabling sanitization, restrict XML parser permissions,
37 Entity (XXE) of confidential data, server-side
external entities, which can external entity processing in use XML firewall or web application firewall
Injection request forgery (SSRF), or denial
lead to various security XML documents. (WAF), and employ security testing techniques
of service (DoS).
issues such as reading (e.g., fuzzing) to identify and remediate XXE
sensitive files, executing vulnerabilities.
arbitrary code, or launching
denial of service attacks.

XEE is a vulnerability similar

Limit entity expansion, configure XML parsers
to XXE but involves
Insecure XML parsers, Resource exhaustion, denial of to restrict entity expansion, implement input
expanding XML entities
XML Entity enabling entity expansion, or service (DoS), or crashing the validation and filtering, use XML processing
38 excessively, leading to
Expansion (XEE) lack of input validation in XML parser, impacting libraries with built-in protections against XEE,
resource exhaustion, denial
XML documents. application availability. and perform security testing to identify and
of service attacks, or
mitigate XEE vulnerabilities.
crashing the XML parser.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

XML Bomb is a type of attack

where an XML document Implement XML parsing limits, restrict entity
Crafted XML documents
with nested entities is Denial of service (DoS), expansion depth, use efficient XML processing
containing nested entities
crafted to consume resource exhaustion, or libraries with safeguards against XML bombs,
39 XML Bomb with recursive expansion, lack
excessive system resources crashing the XML parser, perform input validation and sanitization, and
of input validation or filtering
when parsed, causing denial impacting system availability. conduct security testing to detect and mitigate
in XML parsers.
of service (DoS) or crashing XML Bomb vulnerabilities.
the XML parser.

Broken Access Control

Implement robust access control mechanisms,

Inadequate authorization employ principle of least privilege, conduct
refers to the failure to Lack of proper access control Unauthorized access to regular access reviews and audits, use strong
properly enforce access mechanisms, weak or sensitive data, manipulation of authentication methods, enforce role-based
Inadequate
40 controls, allowing misconfigured authorization critical functionalities, or access controls (RBAC), employ centralized
Authorization
unauthorized users to access policies, or improper exposure of confidential identity and access management (IAM)
sensitive resources or implementation. information. solutions, and perform security testing to
perform actions. identify and remediate authorization
vulnerabilities.

Implement least privilege principles, restrict

Privilege escalation occurs
access to sensitive resources, regularly update
when an attacker gains Vulnerabilities in the system Unauthorized access to
and patch systems and applications, use
unauthorized access to or application, misconfigured sensitive data, manipulation of
Privilege strong authentication and encryption, monitor
41 elevated privileges, enabling permissions, or exploitation system configurations, or
Escalation privilege usage, conduct security awareness
them to perform actions of weaknesses in access execution of malicious code
training, and employ security testing to
beyond their intended level controls. with elevated privileges.
identify and remediate privilege escalation
of access.
vulnerabilities.

Kumar MS

S.No Vulnerability Definition
Insecure Direct Object
References (IDOR) occur
when an application exposes
Insecure Direct
internal implementation
42 Object
details, allowing attackers to
References
manipulate object
references and access
unauthorized resources.
Forceful browsing, also
known as directory traversal,
occurs when an attacker
Forceful
43 attempts to access restricted
Browsing
files or directories by
manipulating URLs or other
parameters.
Missing Function-Level
Access Control (MFAC)
Missing
occurs when an application
44 Function-Level
fails to properly enforce
Access Control
access controls on specific configuration of authorization or exposure of confidential assessments, perform code reviews to identify
functions or operations.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Implement proper access controls, validate
Lack of proper access Unauthorized access to and sanitize user input, enforce strict
controls, exposing internal sensitive data or resources, authorization checks, use indirect object
object references, or leakage of confidential references, avoid exposing sensitive
insufficient validation of user information, or manipulation of information in URLs or responses, conduct
input. critical functionalities. security testing to identify and remediate
IDOR vulnerabilities.
Implement secure access controls, validate
and sanitize user input, enforce proper
Unauthorized access to
Weak access controls, lack of authorization checks, use secure file and
sensitive files or directories,
input validation, or directory permissions, employ web
exposure of confidential data,
insufficient authorization application firewalls (WAFs) or intrusion
or compromise of system
checks. detection systems (IDS), restrict directory
integrity.
listing, conduct security testing to identify and
remediate forceful browsing vulnerabilities.
Inadequate access control Unauthorized access to Implement granular access controls, enforce
mechanisms, insufficient sensitive functionalities or proper authorization checks for each function
validation of user operations, manipulation of or operation, use role-based access controls
permissions, or improper critical system functionalities, (RBAC), conduct thorough security
policies. data. and remediate MFAC vulnerabilities.
Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Insecure Deserialization

Remote Code Execution

Employ secure deserialization practices,
(RCE) via Deserialization
Insecure deserialization Execution of arbitrary code on validate and sanitize input data, use
occurs when an attacker can
Remote Code implementations, lack of the server, leading to complete libraries/frameworks with built-in protections
manipulate the
45 Execution via input validation, or allowing compromise of the system, against RCE via deserialization, employ type
deserialization process of
Deserialization untrusted data to be unauthorized data access, or checking, integrity checks, and digital
objects in an application to
deserialized. system takeover. signatures, and restrict object instantiation
execute arbitrary code
and execution privileges.
remotely.

Data corruption, integrity Implement robust data validation and

Data Tampering refers to the Weak data validation and
breaches, unauthorized changes integrity mechanisms, encrypt sensitive data,
unauthorized modification integrity checks, lack of
to sensitive information, use secure hashing algorithms, enforce access
46 Data Tampering of data, altering its integrity encryption or hashing,
financial loss, reputational controls and authentication, implement
or structure, typically to gain inadequate access controls or
damage, or system secure communication protocols, and monitor
an advantage or cause harm. authentication mechanisms.
compromise. for suspicious activities or modifications.

Object Injection occurs when Implement secure deserialization practices,

untrusted data is Insecure deserialization Arbitrary code execution, validate and sanitize input data, use
deserialized into objects and practices, allowing untrusted unauthorized access to sensitive libraries/frameworks with built-in protections
47 Object Injection manipulated in a way that data to instantiate objects, information, elevation of against object injection, employ type checking
leads to arbitrary code lack of input validation or privileges, or complete and integrity checks, restrict object
execution or unauthorized type checking. compromise of the system. instantiation privileges, and limit the scope of
access to sensitive data. deserialization operations.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
API Security Issues

Implement secure authentication mechanisms

Insecure API Endpoints refer Poorly designed or Unauthorized access to (e.g., OAuth, JWT), enforce proper
to API endpoints that lack implemented API endpoints, sensitive data, data breaches, authorization checks, use HTTPS/TLS
Insecure API
48 proper authentication, lack of authentication or manipulation of resources, or encryption, apply input validation and data
Endpoints
authorization, or encryption authorization checks, exposure of sensitive sanitization, employ API security best
mechanisms. insufficient encryption. information. practices (e.g., rate limiting, access controls),
conduct regular security audits and testing.

Store API keys securely, avoid hardcoding keys

API Key Exposure occurs Improper handling or storage in code, use secure key management
Unauthorized access to API
when API keys or tokens are of API keys, unintentional practices, encrypt keys at rest and in transit,
API Key resources, misuse of API
49 leaked, stolen, or exposed exposure in code repositories limit key access privileges, rotate keys
Exposure services, data breaches, or
due to poor security or network traffic, lack of regularly, monitor for key usage and
compromise of user accounts.
practices or configuration. encryption. suspicious activities, implement API key
revocation mechanisms.
Implement rate limiting controls based on
Failure to implement rate
Lack of Rate Limiting refers user, IP address, or API key, set appropriate
limiting mechanisms, Denial of service (DoS) attacks,
to the absence of controls to rate limits for different API endpoints, monitor
Lack of Rate overlooking the importance API abuse, resource exhaustion,
50 limit the number of requests API usage and traffic patterns, use caching
Limiting of controlling API usage, or degraded system
an API consumer can make mechanisms, employ distributed denial of
insufficient security performance.
within a timeframe. service (DDoS) protection, analyze and
measures.
respond to abnormal usage patterns.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Implement rigorous input validation and
sanitization routines, validate input data
Inadequate Input Validation Lack of input validation against predefined criteria and whitelists, use
Injection attacks (e.g., SQL
occurs when input data checks, accepting and parameterized queries for database
Inadequate injection, XSS), data corruption,
51 received by an API is not processing user-supplied data interactions, escape or encode output data,
Input Validation security vulnerabilities, or
properly validated for without validation, trusting employ web application firewalls (WAFs) and
unexpected behavior.
correctness or security. input from untrusted sources. intrusion detection/prevention systems
(IDS/IPS), educate developers on secure
coding practices.
Insecure Communication

A Man-in-the-Middle Implement end-to-end encryption (e.g.,

Weaknesses in network
(MITM) Attack occurs when Eavesdropping on sensitive TLS/SSL), use secure communication protocols
infrastructure, lack of
Man-in-the- an attacker intercepts and data, unauthorized access or (e.g., HTTPS, SSH), employ digital certificates
encryption, insecure
52 Middle (MITM) alters communication modification of data, session and mutual authentication, implement
communication channels,
Attack between two parties hijacking, impersonation, or network segmentation and monitoring,
compromised or spoofed
without their knowledge or injection of malicious content. educate users on secure browsing and
network devices.
consent. communication practices.

Use strong encryption algorithms (e.g., AES),

Insufficient Transport Layer
Unauthorized access to enforce the use of TLS 1.2/1.3, configure
Security refers to Weak encryption algorithms,
sensitive data, data leakage, cipher suites securely, ensure proper
Insufficient inadequate protection of outdated protocols (e.g.,
interception of credentials or certificate validation and revocation checks,
53 Transport Layer data during transmission SSLv2, SSLv3), misconfigured
personal information, or disable insecure protocols and features,
Security over a network, leading to encryption settings, lack of
compromise of communication regularly update and patch systems,
exposure to interception or certificate validation.
integrity. implement network monitoring and detection
tampering.
mechanisms.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Configure SSL/TLS settings securely, use
Insecure SSL/TLS
Weak cipher suites, improper strong cipher suites with perfect forward
Configuration refers to Exposure of sensitive data to
SSL/TLS protocol versions, secrecy (PFS), enable HSTS and secure
Insecure improperly configured interception, man-in-the-
lack of forward secrecy, renegotiation, ensure proper certificate
54 SSL/TLS SSL/TLS settings, leaving the middle attacks, decryption of
incomplete certificate chain, management and validation, enable OCSP
Configuration communication channel encrypted traffic, or
weak or self-signed stapling, implement TLS termination at load
vulnerable to attacks or compromise of server integrity.
certificates. balancers or reverse proxies, conduct regular
exploitation.
security assessments and audits.
Insecure Communication Use secure communication protocols (e.g.,
Use of outdated or insecure
Protocols involve the use of Exposure of sensitive data to HTTPS, SSH, SFTP), enforce encryption and
protocols (e.g., HTTP, Telnet),
Insecure protocols that lack proper interception, sniffing attacks, authentication, implement strong session
lack of encryption or
55 Communication security mechanisms, eavesdropping, session management controls, disable insecure
authentication mechanisms,
Protocols making communication hijacking, unauthorized access, protocols, employ VPNs or encrypted tunnels
inadequate session
susceptible to interception or manipulation of data. for remote access, conduct regular security
management.
or manipulation. assessments and vulnerability scans.
Client-Side Vulnerabilities

DOM-based Cross-Site
Scripting (XSS) occurs when
an attacker injects malicious Implement proper input validation and output
Improper handling of user Theft of session cookies, user
scripts into a web encoding, utilize Content Security Policy (CSP),
input, lack of output credentials, sensitive data
56 DOM-based XSS application's Document sanitize user input, avoid client-side rendering
encoding, client-side exposure, unauthorized actions
Object Model (DOM), of untrusted data, use security libraries and
processing of untrusted data. on behalf of the user.
leading to the execution of frameworks for input validation and encoding.
unauthorized code in the
victim's browser.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Insecure Cross-Origin
Communication occurs Lack of proper Cross-Origin
Implement strict CORS policies, use CSRF
when web applications allow Resource Sharing (CORS) Unauthorized access to
tokens and anti-CSRF mechanisms, enforce
Insecure Cross- communication between configuration, relaxed Same- sensitive data, leakage of
proper authentication and authorization
57 Origin different origins (domains) Origin Policy (SOP), confidential information, cross-
controls, validate and sanitize data from cross-
Communication without proper security insufficient authentication site request forgery (CSRF), or
origin sources, minimize the exposure of
controls, leading to data and authorization manipulation of user sessions.
sensitive APIs.
leakage or unauthorized mechanisms.
access.
Browser Cache Poisoning
occurs when attackers Lack of cache validation Implement proper cache validation and cache-
Delivery of malicious content,
manipulate or poison the mechanisms, improper cache- control headers, use secure and updated
Browser Cache injection of unauthorized scripts
58 cache of a web browser, control headers, reliance on caching mechanisms, enforce HTTPS,
Poisoning or code, exploitation of user
leading to the serving of outdated or vulnerable implement strict Content Security Policy (CSP),
trust in cached resources.
malicious or unauthorized caching mechanisms. regularly monitor and audit cache behavior.
content to users.

Clickjacking, also known as

UI redress attack or User
Interface (UI) manipulation,
occurs when attackers trick
59 Clickjacking users into clicking on hidden
or disguised elements, often
leading to unintended
actions or malicious
outcomes.
Overlaying transparent or
Unauthorized actions Implement frame-busting techniques, utilize X-
invisible elements over
performed by users (e.g., Frame-Options header or Content Security
legitimate content,
clicking on hidden buttons), Policy (CSP) frame-ancestors directive, employ
manipulating the z-index
theft of sensitive information, JavaScript-based defenses (e.g., frame-killing
property, exploiting
spreading of malware or scripts), educate users on recognizing and
vulnerabilities in browser
phishing attacks. avoiding clickjacking attempts.
rendering engines.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

HTML5 Security Issues

encompass vulnerabilities Implement secure coding practices, validate
and risks associated with the Lack of input validation and and sanitize user input, enforce strict content
Cross-site scripting (XSS), data
use of HTML5 technologies, sanitization, improper use of security policies, utilize browser security
HTML5 Security leakage, privacy violations,
60 such as WebSockets, Web browser features, insufficient features (e.g., sandboxing), stay informed
Issues geolocation tracking, denial-of-
Storage, Geolocation API, security controls in HTML5 about HTML5 security advisories and updates,
service (DoS) attacks.
and Web Workers, which APIs. conduct security assessments and penetration
may introduce new attack testing.
surfaces or vectors.

Denial of Service (DoS)

Distributed Denial of Service

(DDoS) attacks involve
multiple compromised
systems, often controlled by in network protocols, misuse
Distributed
attackers, targeting a single
61 Denial of
system or network with a
Service (DDoS)
flood of traffic,
overwhelming its capacity to
respond to legitimate
requests.
Exploitation of vulnerabilities
of legitimate network
resources, exploitation of damage to reputation, potential
botnets or malware-infected
devices.
Implement network-level protections (e.g.,
firewalls, intrusion detection/prevention
Disruption of services,
systems), utilize rate limiting and traffic
downtime, loss of revenue,
filtering mechanisms, employ DDoS mitigation
services, maintain robust network
data breaches or theft.
infrastructure, deploy scalable and resilient
architecture.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

Application Layer Denial of

Service (DoS) attacks target Implement proper input validation and output
the application layer of a Insecure application design or Degradation of application encoding, use rate limiting and throttling
system or network, coding, lack of input performance, unavailability of mechanisms, employ caching and load
Application
62 exploiting vulnerabilities in validation or sanitization, services, disruption of user balancing, deploy web application firewalls
Layer DoS
software or protocols to susceptibility to recursive or experience, potential data loss (WAFs), conduct security testing and code
exhaust resources, degrade inefficient operations. or corruption. reviews, monitor and analyze application
performance, or render traffic.
services unavailable.

Resource Exhaustion attacks

aim to deplete system Optimize resource utilization and allocation,
Inefficient resource
resources, such as CPU, employ rate limiting and traffic shaping,
management, lack of proper Slow performance, system
memory, disk space, or implement caching and load balancing,
Resource resource monitoring and crashes, unresponsiveness,
63 network bandwidth, by monitor system health and performance
Exhaustion allocation, susceptibility to service degradation, potential
overwhelming or consuming metrics, use resource quotas and limits,
denial-of-service (DoS) data loss or corruption.
them with excessive deploy robust intrusion detection and
attacks.
requests or malicious prevention systems (IDPS).
activity.
Slowloris is a type of DDoS
attack that aims to exhaust
server resources by keeping Exploitation of limitations in Utilize web server configuration hardening,
Server overload, depletion of
many connections open and web server software, enable connection timeouts and request
resources, denial of service,
sending partial HTTP manipulation of HTTP limits, deploy web application firewalls
64 Slowloris Attack service unavailability,
requests, preventing the connection handling, evasion (WAFs), implement rate limiting and traffic
disruption of website or
server from serving of traditional DDoS mitigation shaping, use DDoS mitigation services,
application functionality.
legitimate requests and techniques. monitor server logs for suspicious activity.
ultimately causing denial of
service.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

XML Denial of Service (XDoS)

attacks exploit
Implement strict XML parsing and validation,
vulnerabilities in XML
Improper handling of XML CPU/memory exhaustion, use XML schema validation, limit XML
parsers or processing
input, lack of input validation application unresponsiveness, document size and complexity, enforce
XML Denial of libraries to craft specially
65 or sanitization, excessive denial of service, disruption of timeouts and limits on XML processing, utilize
Service crafted XML documents,
resource usage by complex XML-based services or XML security features and libraries, monitor
causing resource exhaustion
XML document structures. applications. XML processing performance and resource
or excessive CPU/memory
usage.
consumption during parsing
or validation.

Other Web Vulnerabilities

Server-Side Request Forgery

(SSRF) is a vulnerability that
allows an attacker to
Server-Side manipulate server-side
66 Request requests made by the web
Forgery (SSRF) application, potentially
accessing internal systems
or services that should not
be exposed.
Lack of input validation or
sanitization, insecure
handling of user-supplied
input, misuse of network
protocols.
Unauthorized access to
sensitive internal resources,
data leakage, potential data
breaches, compromise of
backend systems.
Implement strict input validation and
sanitization, validate and restrict user-
controlled input, utilize whitelisting and
blacklisting, firewall and network
segmentation, restrict outbound connections,
employ secure coding practices and
frameworks.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

HTTP Parameter Pollution

(HPP) occurs when multiple
Implement proper input validation and
values are submitted for the Lack of input validation or Data corruption or
encoding, enforce strict parameter parsing
HTTP same parameter, leading to sanitization, improper manipulation, unexpected
rules, use POST requests for sensitive data,
67 Parameter ambiguity or handling of query parameters application behavior, security
avoid using user-controlled data in dynamic
Pollution (HPP) misinterpretation by the or form data, insecure coding vulnerabilities such as injection
queries or commands, utilize parameter
server, potentially resulting practices. attacks or privilege escalation.
separation techniques.
in unintended behavior or
security vulnerabilities.

Insecure Redirects and

Forwards occur when a web
application redirects or
Validate and sanitize redirect URLs, use
forwards users to other URLs Lack of input validation or Phishing attacks, unauthorized
whitelist-based validation, avoid dynamic
Insecure based on user input, without sanitization, insecure access to sensitive information,
redirects based on user-controlled input,
68 Redirects and properly validating or handling of redirect compromise of user credentials,
employ secure coding practices, utilize secure
Forwards sanitizing the redirect target, parameters, improper use of installation of malware or
redirection methods, implement contextual
allowing attackers to redirection functions. ransomware.
checks and access controls.
conduct phishing attacks or
direct users to malicious
websites.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

File Inclusion Vulnerabilities

arise when a web
Implement strict file path validation, restrict
application allows users to Insecure file path handling, Unauthorized access to
file inclusion to trusted directories, enforce
include files or resources lack of input validation or sensitive files or resources,
File Inclusion proper file permissions and access controls,
69 dynamically, without proper sanitization, improper file remote code execution, data
Vulnerabilities utilize whitelist-based validation, avoid user-
validation or access controls, permissions or access disclosure or leakage,
controlled input in file inclusion functions,
leading to unauthorized controls. compromise of server integrity.
implement secure coding practices.
access, remote code
execution, or data leakage.

Security Header Bypass

occurs when security
headers, such as Content Configure security headers correctly and
Cross-site scripting (XSS)
Security Policy (CSP), X- Misconfiguration of security comprehensively, enforce security policies at
attacks, clickjacking, data
Frame-Options, or X-XSS- headers, insecure handling of both client and server sides, use modern
Security Header injection or manipulation,
70 Protection, are improperly HTTP responses, lack of security standards and practices, perform
Bypass bypass of security controls,
configured or enforced, server-side enforcement of regular security audits and testing, follow
compromise of user privacy or
allowing attackers to bypass security policies. industry best practices for secure web
data.
security controls and exploit application development.
vulnerabilities in web
applications.
Clickjacking, also known as
UI redressing, is a technique
Unauthorized actions Implement frame-busting techniques, utilize
used by attackers to trick Insecure framing of web
performed by the user, frame-sandboxing attributes, employ
users into clicking on content, lack of frame-busting
unintended disclosure of clickjacking protection headers, avoid
71 Clickjacking elements of a web page that or frame-sandboxing
sensitive information, execution overlaying content from untrusted sources,
are invisible or disguised, techniques, improper
of malicious commands or educate users about potential risks and
potentially leading to handling of user interactions.
scripts. precautions.
unintended actions or
disclosures.

Kumar MS

S.No Vulnerability Definition
Inadequate Session Timeout
refers to the failure to
terminate user sessions
after a period of inactivity, Lack of session management
Inadequate
leaving sensitive session
72 Session
data exposed to
Timeout
unauthorized access or
hijacking attacks,
compromising user privacy
and security.
Insufficient Logging and
Monitoring occurs when a
web application fails to log
or monitor security-related
Insufficient
events and activities
73 Logging and
adequately, making it
Monitoring
difficult to detect and implement incident response
respond to security incidents
or breaches in a timely
manner.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Configure appropriate session timeout values
Unauthorized access to user
based on application requirements, enforce
accounts or data, session
session expiration mechanisms, implement
controls, insufficient session hijacking, privilege escalation,
session invalidation on user logout or browser
timeout settings, insecure exposure of sensitive
close, use secure session tokens and cookies,
session token handling. information, compromised user
conduct regular security audits and
privacy.
monitoring.
Lack of comprehensive Implement robust logging mechanisms, log
Delayed detection of security
logging mechanisms, security-relevant events and activities, utilize
incidents, difficulty in
inadequate monitoring of intrusion detection and prevention systems
identifying and investigating
security events, failure to (IDPS), establish centralized logging and
security breaches, increased
monitoring infrastructure, conduct regular log
risk of data breaches or theft.
procedures. analysis and security incident response drills.
Kumar MS

S.No Vulnerability Definition
Business Logic
Vulnerabilities stem from
flaws or weaknesses in the
design, implementation, or
configuration of business
Business Logic
74 logic processes within web
Vulnerabilities
applications, enabling
attackers to manipulate
business workflows or
transactions for malicious
purposes.
API Abuse occurs when
attackers exploit
vulnerabilities or
misconfigurations in web
APIs (Application
75 API Abuse Programming Interfaces) to
gain unauthorized access,
extract sensitive data, or
perform malicious actions
against web applications or
backend systems.
Top 100 Web Vulnerabilities
Root Cause Impact Mitigation
Financial losses, fraudulent Perform comprehensive threat modeling and
Insecure business logic
transactions, unauthorized data risk assessment, validate and enforce business
design, lack of input
access or manipulation, logic rules, implement proper input validation
validation or enforcement,
disruption of business and authorization checks, conduct security
improper authorization or
operations, reputational testing and code reviews, monitor and audit
access controls.
damage. business processes and transactions.
Insecure API design or
Unauthorized data access or
implementation, lack of
manipulation, compromised
authentication or
user privacy, denial of service, Implement strong authentication
authorization controls,
account takeover, exposure of
excessive trust in client-
sensitive information.
supplied data.
Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Mobile Web Vulnerabilities

Insecure data storage on

Implement secure data storage practices (e.g.,
mobile devices refers to
Inadequate encryption, lack encryption, secure key management), store
storing sensitive information Unauthorized access to
Insecure Data of secure storage sensitive data in secure storage areas (e.g.,
(such as passwords, tokens, sensitive data, data breaches,
76 Storage on mechanisms, storing sensitive Keychain on iOS, Keystore on Android), avoid
or personal data) in an identity theft, financial loss,
Mobile Devices data in plain text or weakly storing sensitive data locally if possible, use
unprotected or easily regulatory non-compliance.
encrypted formats. secure APIs for accessing data, perform
accessible manner on
security assessments and audits.
mobile devices.

Insecure data transmission Implement TLS encryption for data

on mobile devices refers to transmission, use HTTPS for web
Lack of transport layer
transmitting sensitive Data interception, communication, validate server certificates,
Insecure Data security (TLS), failure to
information over eavesdropping, unauthorized avoid transmitting sensitive data over
77 Transmission on enforce encryption for data in
unencrypted or insecure access to sensitive information, unencrypted channels, employ secure
Mobile Devices transit, reliance on insecure
communication channels, man-in-the-middle attacks. communication libraries and APIs, enforce
communication protocols.
such as HTTP instead of encryption in mobile apps, educate users
HTTPS. about secure communication practices.

Insecure mobile API Implement secure authentication mechanisms

endpoints refer to
vulnerabilities in the APIs
Insecure Mobile used by mobile applications,
78
API Endpoints allowing attackers to exploit
weaknesses and gain
unauthorized access to
sensitive data or resources.
Lack of input validation, (e.g., OAuth, JWT), enforce authorization
insufficient authentication Data exposure, unauthorized checks for API requests, use HTTPS for API
and authorization access to sensitive information, communication, apply input validation and
mechanisms, insecure data account takeover, privilege sanitization, employ API security best
transmission, API escalation. practices (e.g., rate limiting, API tokens),
misconfigurations. conduct regular security assessments of APIs,
monitor and log API activity.

Kumar MS

S.No Vulnerability Definition
Mobile app reverse
engineering involves the
process of decompiling,
analyzing, and
Mobile App
understanding the inner
79 Reverse
workings of a mobile
Engineering credentials, reliance on client- or credentials, unauthorized sensitive data, use secure authentication and
application to uncover
vulnerabilities, extract
sensitive information, or
modify its behavior.
Insecure IoT device
management refers to
vulnerabilities in the
management interfaces, lack
Insecure IoT management interfaces or
80 Device protocols of IoT devices,
Management allowing unauthorized
access, manipulation, or
control of the devices and
associated data.
Weak authentication on IoT
devices refers to
vulnerabilities in the
credentials, lack of password
Weak authentication mechanisms
policies, absence of multi-
81 Authentication used by IoT devices, making
on IoT Devices it easier for attackers to
bypass or brute-force
authentication and gain
unauthorized access.
Top 100 Web Vulnerabilities
Root Cause Impact
Lack of obfuscation, weak Exposure of proprietary
code protection, insecure algorithms or intellectual
storage of sensitive data or property, theft of sensitive data hardcoding sensitive information, encrypt
side security controls. app modifications.
IoT Web Vulnerabilities
Poorly implemented
Unauthorized access to IoT
devices, compromise of device
of secure authentication
functionality, data breaches,
mechanisms, inadequate
unauthorized data collection or
access controls, insecure
manipulation.
communication protocols. security assessments and penetration testing.
Default or hardcoded
Unauthorized access to IoT
devices, unauthorized control
or manipulation of device
factor authentication,
functionality, data breaches,
inadequate session
privacy violations.
management.
Mitigation
Apply code obfuscation techniques to make
reverse engineering difficult, use binary
protection tools, implement runtime
application self-protection (RASP), avoid
authorization, conduct security testing and
code reviews, monitor app behavior for
suspicious activities.
Implement secure management interfaces
with strong authentication (e.g., multi-factor
authentication), enforce access controls, use
secure communication protocols (e.g., TLS),
regularly update device firmware, conduct
Use strong, unique passwords for device
authentication, enforce password complexity
and expiration policies, implement multi-
factor authentication, disable default accounts
and passwords, encrypt authentication
credentials, periodically review and update
authentication mechanisms.
Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

Regularly update device firmware and

IoT device vulnerabilities
Design flaws, implementation Compromise of device integrity, software, implement secure coding practices,
encompass various security
errors, insecure unauthorized access or control, conduct thorough security assessments and
IoT Device weaknesses and flaws
82 configurations, lack of data breaches, privacy testing, adhere to IoT security standards and
Vulnerabilities present in IoT devices,
security updates and patches, violations, disruption of guidelines, monitor and analyze device
making them susceptible to
inadequate security testing. services. behavior for signs of compromise, establish
exploitation by attackers.
incident response procedures.

Web of Things (WoT) Vulnerabilities

Unauthorized access to Implement strong authentication mechanisms

smart homes refers to Unauthorized control over such as multi-factor authentication, regularly
Poorly configured or default
security weaknesses or smart home devices, update device firmware and software, use
Unauthorized settings, lack of strong
vulnerabilities in smart compromise of home security secure communication protocols (e.g., TLS),
83 Access to Smart authentication mechanisms,
home devices or systems and privacy, potential theft or configure devices with unique and strong
Homes insecure communication
that allow unauthorized vandalism, surveillance or passwords, enable network segmentation,
protocols.
individuals to gain access to monitoring of occupants. monitor device activity for signs of
the home. unauthorized access.

Implement data encryption for sensitive

IoT data privacy issues
pertain to concerns
IoT Data Privacy regarding the protection and
84
Issues privacy of personal data
collected and transmitted by
IoT devices.
Inadequate data encryption, Unauthorized access or information, provide clear and transparent
data leakage, insufficient user disclosure of sensitive personal privacy policies, obtain explicit consent for
consent or control over data information, loss of privacy, data collection and sharing, minimize data
collection and sharing, lack of potential identity theft, collection and retention, anonymize or
transparency in data handling surveillance or profiling of pseudonymize collected data, regularly audit
practices. individuals. data handling practices for compliance with
privacy regulations.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Authentication Bypass

Insecure "Remember Me"

functionality refers to
Weak implementation of Implement strong session management
vulnerabilities in Unauthorized access to user
Insecure session management, lack of controls, enforce proper expiration policies for
authentication mechanisms accounts, compromise of
"Remember proper expiration controls for session tokens, encrypt and securely store
85 that allow attackers to sensitive information, privilege
Me" session tokens, inadequate user credentials, use multi-factor
bypass authentication escalation, impersonation of
Functionality protection of stored authentication, regularly review and audit
requirements by exploiting legitimate users.
credentials. authentication mechanisms.
flaws in the "Remember
Me" feature.

CAPTCHA bypass involves

Implement stronger CAPTCHA mechanisms
techniques used by attackers Weak or outdated CAPTCHA Increased risk of automated
(e.g., reCAPTCHA v3), integrate CAPTCHA with
to circumvent CAPTCHA algorithms, inadequate attacks such as credential
other bot detection methods, implement rate
CAPTCHA challenges, typically used to implementation or validation stuffing, account takeover,
86 limiting and IP blocking for suspicious activity,
Bypass distinguish between human of CAPTCHA responses, spamming, data scraping, and
continuously monitor and update CAPTCHA
users and automated bots, reliance solely on CAPTCHA distributed denial-of-service
solutions to mitigate emerging bypass
thereby enabling automated for bot detection. (DDoS) attacks.
techniques.
attacks on web applications.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Server-Side Request Forgery (SSRF)

Implement strict input validation and

Blind Server-Side Request
Forgery (SSRF) is a
vulnerability that allows an
87 Blind SSRF attacker to send crafted
requests from the server to
other internal or external
systems.
Inadequate input validation
and sanitization, lack of
proper access controls, and
trust in user-supplied input
without proper verification.
sanitization of user-controlled input, utilize
Data leakage, unauthorized
allowlists for URL whitelisting, enforce proper
access to internal systems,
access controls, use network-level restrictions
server exploitation, and
to prevent outgoing connections to sensitive
potential compromise of
resources, and employ security tools like Web
sensitive information.
Application Firewalls (WAFs) to detect and
block SSRF attacks.

Implement server-side request timeout

Lack of input validation and Similar to Blind SSRF, with the mechanisms to limit the time spent on
Time-Based Blind SSRF is a
sanitization, server-side added risk of increased processing SSRF requests, monitor server
variation of SSRF where the
processing delays that detection difficulty and slower response times for anomalies, utilize anomaly
Time-Based attacker exploits delays in
88 indicate successful or exploitation, which may prolong detection tools to identify suspicious behavior,
Blind SSRF the server's response to
unsuccessful SSRF requests, the attacker's presence and and conduct thorough security testing,
infer the success or failure of
and reliance on timing-based increase the impact of the including penetration testing and vulnerability
SSRF attacks.
detection mechanisms. attack. scanning, to identify and mitigate SSRF
vulnerabilities.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Content Spoofing

MIME sniffing, also known

as content-type sniffing,
Lack of proper MIME type
refers to the behavior of
some web browsers to
89 MIME Sniffing
override the specified MIME
type of a resource and
instead infer it from the
content of the resource.
Implement strict MIME type declarations in
server responses, use the "X-Content-Type-
validation, browsers Potential security risks such as
Options" header with the "nosniff" directive to
attempting to guess the content spoofing, XSS attacks,
prevent MIME sniffing, validate user-uploaded
MIME type based on the and data leakage.
files to ensure they match the expected MIME
content of the resource.
type.

X-Content-Type-Options
bypass refers to
vulnerabilities that allow Improper configuration of the Ensure the X-Content-Type-Options header is
attackers to bypass the X- X-Content-Type-Options Potential security risks such as properly configured with the "nosniff"
X-Content-Type- Content-Type-Options header, allowing attackers to MIME sniffing, content directive, use strong content-type validation
90
Options Bypass header, which is intended to manipulate or circumvent the spoofing, XSS attacks, and data on the server side, and employ additional
prevent MIME type sniffing protection provided by the leakage. security mechanisms such as Content Security
and force the browser to header. Policy (CSP).
respect the declared content
type.

Content Security Policy (CSP)

bypass refers to
Implement a comprehensive CSP policy with
vulnerabilities that allow Improper implementation of
Potential security risks such as strict directives, including proper whitelisting
Content attackers to circumvent or CSP directives, allowing
XSS attacks, data injection, of trusted sources, avoiding the use of unsafe
91 Security Policy evade the protections attackers to inject malicious
unauthorized access to sensitive inline scripts, and regular auditing and testing
(CSP) Bypass provided by a CSP, which is scripts or content that
resources, and data exfiltration. of the CSP configuration for potential
designed to mitigate various bypasses the CSP restrictions.
bypasses.
types of attacks such as XSS
and data injection.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Business Logic Flaws

Inconsistent validation
Implement consistent validation mechanisms
vulnerabilities occur when Inadequate implementation Potential security risks such as
across all input points, use centralized
input data is not consistently of validation logic, failure to injection attacks, data
Inconsistent validation libraries or functions, enforce strict
92 validated across different enforce consistent validation tampering, privilege escalation,
Validation input validation rules, and conduct thorough
parts of an application, standards across all input and unauthorized access to
security testing to identify and address
leading to varying levels of points. sensitive data.
inconsistencies.
security checks.

Race conditions arise in

Lack of proper Implement proper synchronization
multi-threaded or Potential security risks such as
synchronization mechanisms, mechanisms, use thread-safe programming
concurrent software systems data corruption, resource
improper handling of shared practices, employ transactional controls for
93 Race Conditions when the sequence or contention, privilege escalation,
resources or critical sections, critical operations, and conduct thorough
timing of operations can and unauthorized access to
inadequate concurrency testing under various concurrency scenarios to
lead to unexpected or sensitive data.
controls. detect and prevent race conditions.
unintended behavior.

Order processing
Weak or insecure Implement strong authentication and
vulnerabilities occur when Potential security risks such as
authentication and authorization controls, enforce strict
Order an application's order unauthorized order
authorization mechanisms, validation of order-related data, apply role-
94 Processing management system is modification, data tampering,
inadequate validation of based access controls, monitor and log order
Vulnerabilities susceptible to exploitation, financial loss, and reputational
order-related data, lack of processing activities, and conduct regular
manipulation, or damage.
proper access controls. security assessments and audits.
unauthorized access.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation

Price manipulation
Weak or inadequate access Implement strong access controls to restrict
vulnerabilities involve
controls, lack of proper Potential security risks such as access to price-related functionalities, validate
unauthorized modifications
Price validation and verification of financial loss, revenue leakage, and verify price-related data inputs, monitor
95 or alterations to product
Manipulation price-related data, customer dissatisfaction, and and log price modification activities, and
prices, often leading to
insufficient monitoring and reputational damage. implement anomaly detection mechanisms to
financial losses or fraudulent
logging. identify suspicious price changes.
activities.

Account enumeration
Implement uniform error handling to avoid
vulnerabilities occur when Differential error messages,
Potential security risks such as differential responses, ensure consistent
an attacker can determine inconsistent response times,
Account unauthorized access, credential response times for valid and invalid requests,
96 the validity of user accounts predictable user identifiers or
Enumeration stuffing attacks, brute force use random or non-sequential user identifiers,
or credentials through account enumeration
attacks, and account takeover. and implement account lockout mechanisms
various techniques or endpoints.
to prevent brute force attacks.
methods.

User-based flaws encompass Implement strong authentication and

Insecure authentication and
a wide range of authorization mechanisms, enforce proper
authorization mechanisms, Potential security risks such as
vulnerabilities that result session management controls, validate and
User-Based inadequate session unauthorized access, privilege
97 from weaknesses or sanitize user input, apply least privilege
Flaws management, lack of user escalation, data leakage, and
inadequacies in user-related principles, and conduct thorough security
input validation, and account compromise.
functionalities or features testing to identify and remediate user-based
insufficient access controls.
within an application. flaws.

Kumar MS
 Top 100 Web Vulnerabilities
S.No Vulnerability Definition Root Cause Impact Mitigation
Zero-Day Vulnerabilities

Implement comprehensive security testing

Unknown vulnerabilities
Lack of visibility or awareness Potential security risks such as methodologies such as penetration testing,
refer to security weaknesses
about potential security risks, unauthorized access, data vulnerability scanning, and code reviews to
Unknown or flaws in software or
98 limited understanding of the breaches, system compromise, identify and remediate unknown
Vulnerabilities systems that have not yet
underlying software or and exploitation by malicious vulnerabilities. Stay updated with security
been identified or publicly
system components. actors. advisories, patches, and updates released by
disclosed.
software vendors and security communities.

Unpatched vulnerabilities Establish effective patch management

Failure to apply security
are security flaws or practices to regularly identify, prioritize, and
patches or updates released Potential security risks such as
weaknesses in software or apply security patches or updates to mitigate
Unpatched by software vendors or exploitation by attackers, data
99 systems for which no known vulnerabilities. Implement automated
Vulnerabilities maintainers, lack of patch breaches, system compromise,
patches or updates have patch management tools and processes to
management processes or and disruption of services.
been applied to address the streamline the patching process and ensure
procedures.
issue. timely deployment of updates.

Implement proactive security measures such

Day-zero exploits, also Lack of awareness or as intrusion detection systems, behavior-
known as zero-day exploits, protection against newly Potential security risks such as based anomaly detection, and network
Day-Zero are attacks that target identified vulnerabilities, unauthorized access, data segmentation to detect and mitigate day-zero
100
Exploits vulnerabilities in software or delayed response to security breaches, system compromise, exploits. Stay informed about emerging
systems that have not yet advisories or vulnerability and disruption of services. threats and vulnerabilities through threat
been discovered or patched. disclosures. intelligence feeds, security advisories, and
industry forums.

Kumar MS