What are the most common vulnerabilities on websites?
Here are the 17 most commom vulnerabilities. Click on each one to learn more.
SQL injection is a type of vulnerability that occurs when an attacker is able to insert malicious SQL code into a web application's query. This can allow the attacker to view, modify or delete data in the database, potentially giving them access to sensitive information.
Command injection is a type of vulnerability that occurs when an attacker is able to inject malicious commands into a web application, which are then executed by the system. This can allow the attacker to gain access to sensitive information, execute arbitrary code, or launch a denial of service attack.
Cross-Site Scripting (XSS) is a type of vulnerability that occurs when an attacker is able to inject malicious code (such as JavaScript) into a web page viewed by other users. This can allow the attacker to steal sensitive information (such as cookies or login credentials) or perform other malicious actions (such as redirecting the user to a different site or installing malware).
Remote File Injection (RFI) is a type of vulnerability that occurs when an attacker is able to inject a remote file into a web application, which is then executed by the system. This can allow the attacker to gain access to sensitive information, execute arbitrary code, or launch a denial of service attack.
Local File Injection (LFI) is a type of web application vulnerability that allows an attacker to read sensitive files on the web server. This can include configuration files, log files, and even source code. LFI can occur when an application takes user-supplied input and uses it to construct a file path without properly validating or sanitizing the input.
Cross-Site Request Forgery (CSRF) is a type of web application vulnerability that allows an attacker to perform unauthorized actions on a website on behalf of a victim. This can include making unauthorized purchases, changing account settings, or even transferring money.
Sensitive data exposure is a type of web application vulnerability that occurs when sensitive information, such as personal information, financial information, or login credentials, is transmitted or stored in an insecure manner. This can include sending sensitive information over an unencrypted connection, storing sensitive information in clear text, or using weak encryption methods.
Weak authentication is a type of web application vulnerability that occurs when an application does not properly verify the identity of a user. This can include using easily guessable passwords, weak encryption methods, or not properly verifying the identity of a user.
Authorization failure is a type of web application vulnerability that occurs when an application does not properly restrict access to sensitive resources or functionality. This can include allowing unauthorized users to access sensitive data, perform privileged actions, or access restricted areas of the application.
Validation failure is a type of web application vulnerability that occurs when an application does not properly validate user input, allowing an attacker to inject malicious data into the application. This can include injecting SQL, JavaScript, or other types of code into the application, which can be used to steal data, take over user accounts, or perform other types of malicious actions.
Session failure refers to a type of web application vulnerability that occurs when an application does not properly manage user sessions. This can include issues such as insecure session management, session hijacking, and session fixation.
An invalid HTTPS certificate refers to a situation where the certificate used to establish an HTTPS connection between a client and a server is not valid or trusted.
Weak HTTPS configurations refer to situations where the HTTPS configuration on a web server is not properly configured or does not meet industry standards for security. This can include issues such as using weak encryption algorithms, not properly configuring the server's SSL/TLS settings, or not properly validating the certificate chain.
CMS Vulnerability
CMS (Content Management System) vulnerabilities refer to security weaknesses or holes in a CMS software that can be exploited by an attacker to gain unauthorized access to the CMS or the website it manages.
Plugin Vulnerabilities
Plugin vulnerabilities refer to security weaknesses or holes in a plugin that can be exploited by an attacker to gain unauthorized access to the plugin, the website it manages or even the underlying server.
Extension Vulnerabilities
Extension vulnerabilities refer to security weaknesses or holes in a browser extension that can be exploited by an attacker to gain unauthorized access to the browser, the computer, or the user's personal information.
Broken access control refers to a vulnerability in which an attacker is able to bypass or circumvent the system's controls that are in place to restrict access to sensitive data or resources. This can be caused by a variety of issues, such as weak authentication and authorization mechanisms, flawed access controls on the system or application, or failure to properly validate user input.
The CVE has cataloged over 200.000 known vulnerabilities. That is an astounding number, but with the help of VScanner to identify them, and a little prioritization, is manageable even for a company without a huge cybersecurity team.
Last updated