Security Vulnerability for Web Applications in 2023

Article posted by Aromal Rajagopal
I have two decades of global experience in various roles – from leading digital transformation projects, new product development, and Go-To-Market and consulting advisory in multiple industries to rolling out full digital projects from concept to deployment.

OWASP Top 10 (2021): These are the ten most critical security risks facing web applications today, as identified by the Open Web Application Security Project (OWASP). They encompass threats like Injection attacks, Broken Authentication, and Cross-Site Scripting, among others.

CWE/SANS Top 25 (2020): The Common Weakness Enumeration (CWE) list, curated by the Software Assurance Community, outlines the top 25 most dangerous software weaknesses. This list includes vulnerabilities such as Injection, Improper Input Validation, and Security Misconfiguration.

These standards serve as crucial references for identifying and mitigating vulnerabilities in web applications, helping to bolster their security and protect against potential cyber threats.

OWASP Top 10 (2021):

  1. Injection:
  • SQL Injection (SQLi)
  • Command Injection
  • LDAP Injection
  2. Broken Authentication:
  • Weak Passwords
  • Session Management Issues
  • Insecure Authentication Methods
  3. Sensitive Data Exposure:
  • Inadequate Data Encryption
  • Insufficient Access Controls
  4. XML External Entity (XXE):
  • Improperly Configured XML Parsers
  5. Broken Access Control:
  • Inadequate Authorization Checks
  • Insecure Direct Object References (IDOR)
  6. Security Misconfiguration:
  • Inadequate Security Settings
  • Exposing Sensitive Information
  7. Cross-Site Scripting (XSS):
  • Stored XSS
  • Reflected XSS
  • DOM-based XSS
  8. Insecure Deserialization:
  • Remote Code Execution via Deserialization
  9. Using Components with Known Vulnerabilities:
  • Outdated or Vulnerable Libraries/Frameworks
  10. Insufficient Logging & Monitoring:
  • Inadequate Event Logging
  • Lack of Intrusion Detection

CWE/SANS Top 25 (2020):

  1. Injection:
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command
  • CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
  2. Improper Input Validation:
  • CWE-20: Improper Input Validation
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  3. Inadequate Authorization:
  • CWE-285: Improper Authorization
  • CWE-862: Missing Authorization
  4. Information Exposure:
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-201: Information Exposure Through Sent Data
  5. Cross-Site Scripting (XSS):
  • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page
  6. Security Misconfiguration:
  • CWE-16: Configuration
  • CWE-15: External Control of System or Configuration Setting
  7. Deserialization of Untrusted Data:
  • CWE-502: Deserialization of Untrusted Data
  8. Broken Access Control:
  • CWE-284: Improper Access Control
  9. Using Components with Known Vulnerabilities:
  • CWE-937: OWASP Top Ten
  • CWE-940: Missing Authorization
  10. Insufficient Logging & Monitoring:
  • CWE-532: Inadequate Security Log Information

These categories align with the widely recognized OWASP and CWE/SANS standards for web application security. Keep in mind that specific vulnerabilities may fall into multiple categories, as they can have multiple aspects to consider.
