Top 100 Web Vulnerabilities Reference

Purpose

Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.

Prerequisites

• Basic understanding of web application architecture (client-server model, HTTP protocol)
• Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
• Understanding of authentication and authorization concepts
• Access to web application security testing tools (Burp Suite, OWASP ZAP)
• Knowledge of secure coding principles recommended

Outputs and Deliverables

• Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
• Category-based vulnerability groupings for systematic assessment
• Quick reference for security testing and remediation
• Foundation for vulnerability assessment checklists and security policies

---

Core Workflow

Phase 1: Injection Vulnerabilities Assessment

Evaluate injection attack vectors targeting data processing components:

SQL Injection (1)

• Definition: Malicious SQL code inserted into input fields to manipulate database queries
• Root Cause: Lack of input validation, improper use of parameterized queries
• Impact: Unauthorized data access, data manipulation, database compromise
• Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts

Cross-Site Scripting - XSS (2)

• Definition: Injection of malicious scripts into web pages viewed by other users
• Root Cause: Insufficient output encoding, lack of input sanitization
• Impact: Session hijacking, credential theft, website defacement
• Mitigation: Output encoding, Content Security Policy (CSP), input sanitization

Command Injection (5, 11)

• Definition: Execution of arbitrary system commands through vulnerable applications
• Root Cause: Unsanitized user input passed to system shells
• Impact: Full system compromise, data exfiltration, lateral movement
• Mitigation: Avoid shell execution, whitelist valid commands, strict input validation

XML Injection (6), LDAP Injection (7), XPath Injection (8)

• Definition: Manipulation of XML/LDAP/XPath queries through malicious input
• Root Cause: Improper input handling in query construction
• Impact: Data exposure, authentication bypass, information disclosure
• Mitigation: Input validation, parameterized queries, escape special characters

Server-Side Template Injection - SSTI (13)

• Definition: Injection of malicious code into template engines
• Root Cause: User input embedded directly in template expressions
• Impact: Remote code execution, server compromise
• Mitigation: Sandbox template engines, avoid user input in templates, strict input validation

Phase 2: Authentication and Session Security

Assess authentication mechanism weaknesses:

Session Fixation (14)

• Definition: Attacker sets victim's session ID before authentication
• Root Cause: Session ID not regenerated after login
• Impact: Session hijacking, unauthorized account access
• Mitigation: Regenerate session ID on authentication, use secure session management

Brute Force Attack (15)

• Definition: Systematic password guessing using automated tools
• Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
• Impact: Unauthorized access, credential compromise
• Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA

Session Hijacking (16)

• Definition: Attacker steals or predicts valid session tokens
• Root Cause: Weak session token generation, insecure transmission
• Impact: Account takeover, unauthorized access
• Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags

Credential Stuffing and Reuse (22)

• Definition: Using leaked credentials to access accounts across services
• Root Cause: Users reusing passwords, no breach detection
• Impact: Mass account compromise, data breaches
• Mitigation: MFA, breach password checks, unique credential requirements

Insecure "Remember Me" Functionality (85)

• Definition: Weak persistent authentication token implementation
• Root Cause: Predictable tokens, inadequate expiration controls
• Impact: Unauthorized persistent access, session compromise
• Mitigation: Strong token generation, proper expiration, secure storage

CAPTCHA Bypass (86)

• Definition: Circumventing bot detection mechanisms
• Root Cause: Weak CAPTCHA algorithms, improper validation
• Impact: Automated attacks, credential stuffing, spam
• Mitigation: reCAPTCHA v3, layered bot detection, rate limiting

Phase 3: Sensitive Data Exposure

Identify data protection failures:

IDOR - Insecure Direct Object References (23, 42)

• Definition: Direct access