Introduction

Web applications are the most common attack surface in modern organizations. Understanding the vulnerabilities that affect them is essential whether you are a developer writing secure code or a security professional testing an application.

This guide covers the most impactful categories and provides concrete examples.

SQL Injection

SQL injection occurs when user-supplied input is concatenated directly into a database query. An attacker can modify the query to extract data, bypass authentication, or in some cases execute commands on the underlying server.

// Vulnerable: direct string concatenation
// (username is taken straight from the request and db is the application's
// database client; both are assumed to already be in scope)
const vulnerableQuery = `SELECT * FROM users WHERE username = '${username}'`
db.query(vulnerableQuery)

// Safe: parameterized query; the driver sends the value separately from the SQL text,
// so the input is never parsed as part of the statement
const safeQuery = 'SELECT * FROM users WHERE username = $1'
db.query(safeQuery, [username])

Detection during testing involves submitting characters like single quotes, double hyphens, and payloads such as ' OR '1'='1 to observe how the application responds.

Cross-Site Scripting (XSS)

XSS allows attackers to inject malicious scripts into pages viewed by other users. Reflected XSS is triggered via a crafted URL. Stored XSS persists in the database and executes for every user who views the affected content.

<!-- Vulnerable: rendering raw user input (Svelte template; {@html} inserts the string as markup) -->
<div>{@html userComment}</div>

<!-- Safe: a plain expression is rendered as text, so HTML in userComment is escaped -->
<div>{userComment}</div>

Testing typically involves injecting payloads like <script>alert(1)</script> into input fields and URL parameters, then checking if the script executes in the browser.

Insecure Direct Object Reference (IDOR)

IDOR occurs when an application uses user-controlled identifiers to access resources without verifying authorization. Changing a numeric ID in a URL from 42 to 43 should not expose another user’s data.

Testing for IDOR requires creating two accounts and attempting to access one account’s resources using the session token of the other.
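The ownership check that closes an IDOR, together with the two-account test described above, as an added example that is not part of the original article. The in-memory users, documents, session tokens and handler functions are constructed stand-ins for an application's real session store, database and route handler.

```javascript
// Constructed sample data: two users (identified by session token), each owning one document.
const sessions = new Map([
  ["tok-alice", { userId: 1 }],
  ["tok-bob", { userId: 2 }],
]);
const documents = new Map([
  [42, { id: 42, ownerId: 1, body: "alice's notes" }],
  [43, { id: 43, ownerId: 2, body: "bob's notes" }],
]);

// Vulnerable handler: authenticates the caller but then trusts the ID from the URL
// and never checks who owns the record.
function getDocumentVulnerable(sessionToken, docId) {
  const session = sessions.get(sessionToken);
  if (!session) return { status: 401 };
  const doc = documents.get(docId);
  return doc ? { status: 200, body: doc.body } : { status: 404 };
}

// Fixed handler: a valid identifier is not an authorization decision. The record
// must belong to the authenticated user. Returning 404 instead of 403 is a design
// choice here so the response does not confirm that another user's record exists.
function getDocument(sessionToken, docId) {
  const session = sessions.get(sessionToken);
  if (!session) return { status: 401 };
  const doc = documents.get(docId);
  if (!doc || doc.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: doc.body };
}

// The two-account test from the text: Bob's session requests his own document and
// then Alice's. A 200 on the second request means the endpoint is exposed.
function idorTest(handler) {
  const own = handler("tok-bob", 43).status;
  const other = handler("tok-bob", 42).status;
  return { own, other, exposed: other === 200 };
}
```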

Broken Authentication

Weak session management, missing account lockout mechanisms, and predictable tokens all fall under broken authentication. This category regularly appears in the OWASP Top 10 because the consequences of a compromised account are severe.

Key checks include verifying that session tokens are invalidated on logout, that brute-force protection exists on login endpoints, and that password reset flows do not leak sensitive information.

Security Misconfiguration

Default credentials, overly permissive CORS policies, exposed error messages, and unpatched software all constitute security misconfigurations. The category is broad, and many of these issues are found through automated scanning, but manual review of HTTP headers and server responses reveals additional ones.

Tools for Application Security Testing

Tool          Purpose
Burp Suite    HTTP proxy for intercepting and modifying requests
OWASP ZAP     Open-source web application scanner
ffuf          Fast web fuzzer for directory and parameter discovery
sqlmap        Automated SQL injection detection and exploitation
Nuclei        Template-based vulnerability scanner

Building a Remediation-First Mindset

Finding vulnerabilities has no value without remediation. Every identified issue should be assigned a severity rating, linked to a code owner, and tracked through to resolution. Retesting after remediation confirms that fixes are effective and did not introduce new issues.

Security is not a one-time effort. Building it into development workflows through threat modeling, code review, and automated testing produces more durable outcomes than periodic audits alone.