OWASP (Open Web Application Security Project) reports on the most critical security vulnerabilities found on websites. Knowing what’s on the list can help you be aware of potential risks in your own systems and aid in establishing strategies to protect from those attacks.
Injection
SQL injection attacks occur when an attacker tries to get your application to execute malicious SQL designed to perform CRUD operations on your database. Areas of your site that accept user input and store it in the database are targets for SQL injection. That's why you should always use prepared statements (parameterized queries) for your SQL.
Broken Authentication
A common security problem is improperly implemented security controls. This includes broken user authentication, which can let an attacker gain access to another user's account.
Sensitive Data Exposure
This may include unencrypted passwords, credit card numbers, social security numbers, etc. Sensitive data should always be encrypted in transit and at rest.
XML External Entities (XXE)
This is caused by XML parsers processing malicious XML that references external entities. A successful exploit can disclose information about the internal system or even lead to remote code execution.
Broken Access Control
Systems generally limit what users can and can't do. But if that control is broken, the sky is the limit.
Security Misconfiguration
You may be getting the idea by now that a false sense of security is worse than an awareness of existing insecurity. So you thought you did everything right to secure your server. But, whoops, you left IPv6 wide open, even though you secured IPv4 like Fort Knox.
Insecure Deserialization
An example would be deserializing an untrusted JSON object on the backend. The recommended solution is: don't accept serialized objects from untrusted sources.
Using Components with Known Vulnerabilities
This means you have to check the components you use for known vulnerabilities and either apply the security patches or stop using the vulnerable software. There are websites dedicated to reporting vulnerabilities.
Insufficient Logging and Monitoring
Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident.
You should have good logging and monitoring in place so that attacks are caught before an exploit actually succeeds.
In the security world there is the concept of defense in depth. You can use this methodology to help secure your system.