Top 10 Web Vulnerabilities
1. Unvalidated Inputs
2. Cross-Site Scripting (XSS)
3. Injection Flaws
4. Improper Error Handling
5. Broken Authentication and Session Management
6. Insecure Direct Object References
7. Cross-Site Request Forgery (CSRF)
8. Security Misconfiguration
9. Insecure Cryptographic Storage
10. Failure to Restrict URL Access
11. Insufficient Transport Layer Protection
Un-validated Input
Attacker can change any value of the input submitted to the Web Server
Countermeasures
Re-validate all the inputs at the server
Take only the necessary information (user input) from a form submission
Cross Site Scripting
Attacker
Injects code into the input data
Hides malicious code with Unicode
Countermeasures
Input validation
Input length check
SQL Injection
Attacker
Can inject system commands
Can inject other SQL
Can override access checks
Examples
Add more commands: "; select * from users;"
Override access: "' OR 1=1;"
Countermeasures
Use prepared statements in SQL
Run with limited privileges
Filter / validate the input
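The "override access" example and the prepared-statement countermeasure side by side, as an added illustration that is not part of the original slides. It uses a constructed in-memory SQLite table; the function and column names are assumptions, and the tautology payload is the slide's `' OR 1=1` written with balanced quotes so the statement still parses.

```python
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline (not real accounts).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # String concatenation: user input becomes part of the SQL text, so a
    # quote in the input changes the query structure (the slide's "override
    # access checks" case).
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    # Prepared statement: the query text is fixed and the inputs are bound
    # as values, so they are compared literally and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(payload="' OR '1'='1"):
    # Returns (rows from the concatenated query, rows from the prepared one)
    # for the same tautology payload in the password field.
    conn = make_db()
    return (sorted(login_vulnerable(conn, "alice", payload)),
            sorted(login_prepared(conn, "alice", payload)))


if __name__ == "__main__":
    vulnerable_rows, prepared_rows = compare()
    print("concatenated query matched:", vulnerable_rows)  # every user
    print("prepared statement matched:", prepared_rows)    # nobody
```

The concatenated query evaluates `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the prepared statement looks for a password that is literally the payload string and finds none.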