Top 100 Web Vulnerabilities Reference
Purpose
Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.
Prerequisites
- Basic understanding of web application architecture (client-server model, HTTP protocol)
- Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
- Understanding of authentication and authorization concepts
- Access to web application security testing tools (Burp Suite, OWASP ZAP)
- Knowledge of secure coding principles recommended

Outputs and Deliverables
- Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
- Category-based vulnerability groupings for systematic assessment
- Quick reference for security testing and remediation
- Foundation for vulnerability assessment checklists and security policies
Core Workflow
Phase 1: Injection Vulnerabilities Assessment
Evaluate injection attack vectors targeting data processing components:
SQL Injection (1)
- Definition: Malicious SQL code inserted into input fields to manipulate database queries
- Root Cause: Lack of input validation, improper use of parameterized queries
- Impact: Unauthorized data access, data manipulation, database compromise
- Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts

Cross-Site Scripting - XSS (2)
- Definition: Injection of malicious scripts into web pages viewed by other users
- Root Cause: Insufficient output encoding, lack of input sanitization
- Impact: Session hijacking, credential theft, website defacement
- Mitigation: Output encoding, Content Security Policy (CSP), input sanitization

Command Injection (5, 11)
- Definition: Execution of arbitrary system commands through vulnerable applications
- Root Cause: Unsanitized user input passed to system shells
- Impact: Full system compromise, data exfiltration, lateral movement
- Mitigation: Avoid shell execution, whitelist valid commands, strict input validation

XML Injection (6), LDAP Injection (7), XPath Injection (8)
- Definition: Manipulation of XML/LDAP/XPath queries through malicious input
- Root Cause: Improper input handling in query construction
- Impact: Data exposure, authentication bypass, information disclosure
- Mitigation: Input validation, parameterized queries, escape special characters

Server-Side Template Injection - SSTI (13)
- Definition: Injection of malicious code into template engines
- Root Cause: User input embedded directly in template expressions
- Impact: Remote code execution, server compromise
- Mitigation: Sandbox template engines, avoid user input in templates, strict input validation

Phase 2: Authentication and Session Security
Assess authentication mechanism weaknesses:
Session Fixation (14)
- Definition: Attacker sets victim's session ID before authentication
- Root Cause: Session ID not regenerated after login
- Impact: Session hijacking, unauthorized account access
- Mitigation: Regenerate session ID on authentication, use secure session management

Brute Force Attack (15)
- Definition: Systematic password guessing using automated tools
- Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
- Impact: Unauthorized access, credential compromise
- Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA

Session Hijacking (16)
- Definition: Attacker steals or predicts valid session tokens
- Root Cause: Weak session token generation, insecure transmission
- Impact: Account takeover, unauthorized access
- Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags

Credential Stuffing and Reuse (22)
- Definition: Using leaked credentials to access accounts across services
- Root Cause: Users reusing passwords, no breach detection
- Impact: Mass account compromise, data breaches
- Mitigation: MFA, breach password checks, unique credential requirements

Insecure "Remember Me" Functionality (85)
- Definition: Weak persistent authentication token implementation
- Root Cause: Predictable tokens, inadequate expiration controls
- Impact: Unauthorized persistent access, session compromise
- Mitigation: Strong token generation, proper expiration, secure storage

CAPTCHA Bypass (86)
- Definition: Circumventing bot detection mechanisms
- Root Cause: Weak CAPTCHA algorithms, improper validation
- Impact: Automated attacks, credential stuffing, spam
- Mitigation: reCAPTCHA v3, layered bot detection, rate limiting

Phase 3: Sensitive Data Exposure
Identify data protection failures:
IDOR - Insecure Direct Object References (23, 42)
- Definition: Direct access to internal objects via user-supplied references
- Root Cause: Missing authorization checks on object access
- Impact: Unauthorized data access, privacy breaches
- Mitigation: Access control validation, indirect reference maps, authorization checks

Data Leakage (24)
- Definition: Inadvertent disclosure of sensitive information
- Root Cause: Inadequate data protection, weak access controls
- Impact: Privacy breaches, regulatory penalties, reputation damage
- Mitigation: DLP solutions, encryption, access controls, security training

Unencrypted Data Storage (25)
- Definition: Storing sensitive data without encryption
- Root Cause: Failure to implement encryption at rest
- Impact: Data breaches if storage compromised
- Mitigation: Full-disk encryption, database encryption, secure key management

Information Disclosure (33)
- Definition: Exposure of system details through error messages or responses
- Root Cause: Verbose error handling, debug information in production
- Impact: Reconnaissance for further attacks, credential exposure
- Mitigation: Generic error messages, disable debug mode, secure logging

Phase 4: Security Misconfiguration
Assess configuration weaknesses:
Missing Security Headers (26)
- Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
- Root Cause: Inadequate server configuration
- Impact: XSS attacks, clickjacking, protocol downgrade
- Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS

Default Passwords (28)
- Definition: Unchanged default credentials on systems/applications
- Root Cause: Failure to change vendor defaults
- Impact: Unauthorized access, system compromise
- Mitigation: Mandatory password changes, strong password policies

Directory Listing (29)
- Definition: Web server exposes directory contents
- Root Cause: Improper server configuration
- Impact: Information disclosure, sensitive file exposure
- Mitigation: Disable directory indexing, use default index files

Unprotected API Endpoints (30)
- Definition: APIs lacking authentication or authorization
- Root Cause: Missing security controls on API routes
- Impact: Unauthorized data access, API abuse
- Mitigation: OAuth/API keys, access controls, rate limiting

Open Ports and Services (31)
- Definition: Unnecessary network services exposed
- Root Cause: Failure to minimize attack surface
- Impact: Exploitation of vulnerable services
- Mitigation: Port scanning audits, firewall rules, service minimization

Misconfigured CORS (35)
- Definition: Overly permissive Cross-Origin Resource Sharing policies
- Root Cause: Wildcard origins, improper CORS configuration
- Impact: Cross-site request attacks, data theft
- Mitigation: Whitelist trusted origins, validate CORS headers

Unpatched Software (34)
- Definition: Systems running outdated vulnerable software
- Root Cause: Neglected patch management
- Impact: Exploitation of known vulnerabilities
- Mitigation: Patch management program, vulnerability scanning, automated updates

Phase 5: XML-Related Vulnerabilities
Evaluate XML processing security:
XXE - XML External Entity Injection (37)
- Definition: Exploitation of XML parsers to access files or internal systems
- Root Cause: External entity processing enabled
- Impact: File disclosure, SSRF, denial of service
- Mitigation: Disable external entities, use safe XML parsers

XEE - XML Entity Expansion (38)
- Definition: Excessive entity expansion causing resource exhaustion
- Root Cause: Unlimited entity expansion allowed
- Impact: Denial of service, parser crashes
- Mitigation: Limit entity expansion, configure parser restrictions

XML Bomb (Billion Laughs) (39)
- Definition: Crafted XML with nested entities consuming resources
- Root Cause: Recursive entity definitions
- Impact: Memory exhaustion, denial of service
- Mitigation: Entity expansion limits, input size restrictions

XML Denial of Service (65)
- Definition: Specially crafted XML causing excessive processing
- Root Cause: Complex document structures without limits
- Impact: CPU/memory exhaustion, service unavailability
- Mitigation: Schema validation, size limits, processing timeouts

Phase 6: Broken Access Control
Assess authorization enforcement:
Inadequate Authorization (40)
- Definition: Failure to properly enforce access controls
- Root Cause: Weak authorization policies, missing checks
- Impact: Unauthorized access to sensitive resources
- Mitigation: RBAC, centralized IAM, regular access reviews

Privilege Escalation (41)
- Definition: Gaining elevated access beyond intended permissions
- Root Cause: Misconfigured permissions, system vulnerabilities
- Impact: Full system compromise, data manipulation
- Mitigation: Least privilege, regular patching, privilege monitoring

Forceful Browsing (43)
- Definition: Direct URL manipulation to access restricted resources
- Root Cause: Weak access controls, predictable URLs
- Impact: Unauthorized file/directory access
- Mitigation: Server-side access controls, unpredictable resource paths

Missing Function-Level Access Control (44)
- Definition: Unprotected administrative or privileged functions
- Root Cause: Authorization only at UI level
- Impact: Unauthorized function execution
- Mitigation: Server-side authorization for all functions, RBAC

Phase 7: Insecure Deserialization
Evaluate object serialization security:
Remote Code Execution via Deserialization (45)
- Definition: Arbitrary code execution through malicious serialized objects
- Root Cause: Untrusted data deserialized without validation
- Impact: Complete system compromise, code execution
- Mitigation: Avoid deserializing untrusted data, integrity checks, type validation

Data Tampering (46)
- Definition: Unauthorized modification of serialized data
- Root Cause: Missing integrity verification
- Impact: Data corruption, privilege manipulation
- Mitigation: Digital signatures, HMAC validation, encryption

Object Injection (47)
- Definition: Malicious object instantiation during deserialization
- Root Cause: Unsafe deserialization practices
- Impact: Code execution, unauthorized access
- Mitigation: Type restrictions, class whitelisting, secure libraries

Phase 8: API Security Assessment
Evaluate API-specific vulnerabilities:
Insecure API Endpoints (48)
- Definition: APIs without proper security controls
- Root Cause: Poor API design, missing authentication
- Impact: Data breaches, unauthorized access
- Mitigation: OAuth/JWT, HTTPS, input validation, rate limiting

API Key Exposure (49)
- Definition: Leaked or exposed API credentials
- Root Cause: Hardcoded keys, insecure storage
- Impact: Unauthorized API access, abuse
- Mitigation: Secure key storage, rotation, environment variables

Lack of Rate Limiting (50)
- Definition: No controls on API request frequency
- Root Cause: Missing throttling mechanisms
- Impact: DoS, API abuse, resource exhaustion
- Mitigation: Rate limits per user/IP, throttling, DDoS protection

Inadequate Input Validation (51)
- Definition: APIs accepting unvalidated user input
- Root Cause: Missing server-side validation
- Impact: Injection attacks, data corruption
- Mitigation: Strict validation, parameterized queries, WAF

API Abuse (75)
- Definition: Exploiting API functionality for malicious purposes
- Root Cause: Excessive trust in client input
- Impact: Data theft, account takeover, service abuse
- Mitigation: Strong authentication, behavior analysis, anomaly detection

Phase 9: Communication Security
Assess transport layer protections:
Man-in-the-Middle Attack (52)
- Definition: Interception of communication between parties
- Root Cause: Unencrypted channels, compromised networks
- Impact: Data theft, session hijacking, impersonation
- Mitigation: TLS/SSL, certificate pinning, mutual authentication

Insufficient Transport Layer Security (53)
- Definition: Weak or outdated encryption for data in transit
- Root Cause: Outdated protocols (SSLv2/3), weak ciphers
- Impact: Traffic interception, credential theft
- Mitigation: TLS 1.2+, strong cipher suites, HSTS

Insecure SSL/TLS Configuration (54)
- Definition: Improperly configured encryption settings
- Root Cause: Weak ciphers, missing forward secrecy
- Impact: Traffic decryption, MITM attacks
- Mitigation: Modern cipher suites, PFS, certificate validation

Insecure Communication Protocols (55)
- Definition: Use of unencrypted protocols (HTTP, Telnet, FTP)
- Root Cause: Legacy systems, security unawareness
- Impact: Traffic sniffing, credential exposure
- Mitigation: HTTPS, SSH, SFTP, VPN tunnels

Phase 10: Client-Side Vulnerabilities
Evaluate browser-side security:
DOM-based XSS (56)
- Definition: XSS through client-side JavaScript manipulation
- Root Cause: Unsafe DOM manipulation with user input
- Impact: Session theft, credential harvesting
- Mitigation: Safe DOM APIs, CSP, input sanitization

Insecure Cross-Origin Communication (57)
- Definition: Improper handling of cross-origin requests
- Root Cause: Relaxed CORS/SOP policies
- Impact: Data leakage, CSRF attacks
- Mitigation: Strict CORS, CSRF tokens, origin validation

Browser Cache Poisoning (58)
- Definition: Manipulation of cached content
- Root Cause: Weak cache validation
- Impact: Malicious content delivery
- Mitigation: Cache-Control headers, HTTPS, integrity checks

Clickjacking (59, 71)
- Definition: UI redress attack tricking users into clicking hidden elements
- Root Cause: Missing frame protection
- Impact: Unintended actions, credential theft
- Mitigation: X-Frame-Options, CSP frame-ancestors, frame-busting

HTML5 Security Issues (60)
- Definition: Vulnerabilities in HTML5 APIs (WebSockets, Storage, Geolocation)
- Root Cause: Improper API usage, insufficient validation
- Impact: Data leakage, XSS, privacy violations
- Mitigation: Secure API usage, input validation, sandboxing

Phase 11: Denial of Service Assessment
Evaluate availability threats:
DDoS - Distributed Denial of Service (61)
- Definition: Overwhelming systems with traffic from multiple sources
- Root Cause: Botnets, amplification attacks
- Impact: Service unavailability, revenue loss
- Mitigation: DDoS protection services, rate limiting, CDN

Application Layer DoS (62)
- Definition: Targeting application logic to exhaust resources
- Root Cause: Inefficient code, resource-intensive operations
- Impact: Application unavailability, degraded performance
- Mitigation: Rate limiting, caching, WAF, code optimization

Resource Exhaustion (63)
- Definition: Depleting CPU, memory, disk, or network resources
- Root Cause: Inefficient resource management
- Impact: System crashes, service degradation
- Mitigation: Resource quotas, monitoring, load balancing

Slowloris Attack (64)
- Definition: Keeping connections open with partial HTTP requests
- Root Cause: No connection timeouts
- Impact: Web server resource exhaustion
- Mitigation: Connection timeouts, request limits, reverse proxy

Phase 12: Server-Side Request Forgery
Assess SSRF vulnerabilities:
SSRF - Server-Side Request Forgery (66)
- Definition: Manipulating server to make requests to internal resources
- Root Cause: Unvalidated user-controlled URLs
- Impact: Internal network access, data theft, cloud metadata access
- Mitigation: URL whitelisting, network segmentation, egress filtering

Blind SSRF (87)
- Definition: SSRF without direct response visibility
- Root Cause: Similar to SSRF, harder to detect
- Impact: Data exfiltration, internal reconnaissance
- Mitigation: Allowlists, WAF, network restrictions

Time-Based Blind SSRF (88)
- Definition: Inferring SSRF success through response timing
- Root Cause: Processing delays indicating request outcomes
- Impact: Prolonged exploitation, detection evasion
- Mitigation: Request timeouts, anomaly detection, timing monitoring

Phase 13: Additional Web Vulnerabilities
| # | Vulnerability | Root Cause | Impact | Mitigation |
|---|---|---|---|---|
| 67 | HTTP Parameter Pollution | Inconsistent parsing | Injection, ACL bypass | Strict parsing, validation |
| 68 | Insecure Redirects | Unvalidated targets | Phishing, malware | Whitelist destinations |
| 69 | File Inclusion (LFI/RFI) | Unvalidated paths | Code exec, disclosure | Whitelist files, disable RFI |
| 70 | Security Header Bypass | Misconfigured headers | XSS, clickjacking | Proper headers, audits |
| 72 | Inadequate Session Timeout | Excessive timeouts | Session hijacking | Idle termination, timeouts |
| 73 | Insufficient Logging | Missing infrastructure | Detection gaps | SIEM, alerting |
| 74 | Business Logic Flaws | Insecure design | Fraud, unauthorized ops | Threat modeling, testing |
Phase 14: Mobile and IoT Security
| # | Vulnerability | Root Cause | Impact | Mitigation |
|---|---|---|---|---|
| 76 | Insecure Mobile Storage | Plain text, weak crypto | Data theft | Keychain/Keystore, encrypt |
| 77 | Insecure Mobile Transmission | HTTP, cert failures | Traffic interception | TLS, cert pinning |
| 78 | Insecure Mobile APIs | Missing auth/validation | Data exposure | OAuth/JWT, validation |
| 79 | App Reverse Engineering | Hardcoded creds | Credential theft | Obfuscation, RASP |
| 80 | IoT Management Issues | Weak auth, no TLS | Device takeover | Strong auth, TLS |
| 81 | Weak IoT Authentication | Default passwords | Unauthorized access | Unique creds, MFA |
| 82 | IoT Vulnerabilities | Design flaws, old firmware | Botnet recruitment | Updates, segmentation |
| 83 | Smart Home Access | Insecure defaults | Privacy invasion | MFA, segmentation |
| 84 | IoT Privacy Issues | Excessive collection | Surveillance | Data minimization |
Phase 15: Advanced and Zero-Day Threats
| # | Vulnerability | Root Cause | Impact | Mitigation |
|---|---|---|---|---|
| 89 | MIME Sniffing | Missing headers | XSS, spoofing | X-Content-Type-Options |
| 91 | CSP Bypass | Weak config | XSS despite CSP | Strict CSP, nonces |
| 92 | Inconsistent Validation | Decentralized logic | Control bypass | Centralized validation |
| 93 | Race Conditions | Missing sync | Privilege escalation | Proper locking |
| 94-95 | Business Logic Flaws | Missing validation | Financial fraud | Server-side validation |
| 96 | Account Enumeration | Different responses | Targeted attacks | Uniform responses |
| 98-99 | Unpatched Vulnerabilities | Patch delays | Zero-day exploitation | Patch management |
| 100 | Zero-Day Exploits | Unknown vulns | Unmitigated attacks | Defense in depth |
Quick Reference
Vulnerability Categories Summary
| Category | Vulnerability Numbers | Key Controls |
|---|---|---|
| Injection | 1-13 | Parameterized queries, input validation, output encoding |
| Authentication | 14-23, 85-86 | MFA, session management, account lockout |
| Data Exposure | 24-27 | Encryption at rest/transit, access controls, DLP |
| Misconfiguration | 28-36 | Secure defaults, hardening, patching |
| XML | 37-39, 65 | Disable external entities, limit expansion |
| Access Control | 40-44 | RBAC, least privilege, authorization checks |
| Deserialization | 45-47 | Avoid untrusted data, integrity validation |
| API Security | 48-51, 75 | OAuth, rate limiting, input validation |
| Communication | 52-55 | TLS 1.2+, certificate validation, HTTPS |
| Client-Side | 56-60 | CSP, X-Frame-Options, safe DOM |
| DoS | 61-65 | Rate limiting, DDoS protection, resource limits |
| SSRF | 66, 87-88 | URL whitelisting, egress filtering |
| Mobile/IoT | 76-84 | Encryption, authentication, secure storage |
| Business Logic | 74, 92-97 | Threat modeling, logic testing |
| Zero-Day | 98-100 | Defense in depth, threat intelligence |
Critical Security Headers
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()
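To turn the header list above into a repeatable check, here is an added example (not part of the original reference) that parses the head of a raw HTTP response and audits it against those headers: presence, `nosniff`, `DENY`/`SAMEORIGIN`, a one-year HSTS `max-age` with `includeSubDomains`, and a CSP that has a `default-src` fallback and no inline or wildcard script sources. The sample responses are constructed for the example; the CSP parsing and thresholds are this example's own choices.

```python
"""Audit HTTP response headers against the Critical Security Headers list.

Added example, not part of the original reference. Thresholds and CSP parsing
are this example's own choices; the header set mirrors the list above.
"""
import re

ONE_YEAR = 31536000  # the max-age value used in the reference's HSTS line


def parse_response_head(raw: str) -> dict:
    """Parse the head of a raw HTTP response into a lower-cased header dict."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block; body is ignored
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _csp_findings(csp: str) -> list:
    """Flag a CSP with no default-src or with inline/wildcard script sources."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    out = []
    if "default-src" not in directives:
        out.append("CSP: no default-src fallback")
    script = directives.get("script-src", directives.get("default-src", []))
    if any(t in ("'unsafe-inline'", "*", "data:") for t in script):
        out.append("CSP: script-src allows 'unsafe-inline', wildcard or data: sources")
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" in h:
        findings += _csp_findings(h["content-security-policy"])
    else:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing or wrong X-Content-Type-Options (expected nosniff)")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing or permissive X-Frame-Options (expected DENY or SAMEORIGIN)")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("missing Strict-Transport-Security")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    # X-XSS-Protection is listed above, but modern browsers have removed the
    # filter it controlled, so this audit treats it as informational only.
    return findings


# Constructed sample responses: one with weak headers, one matching the list above.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: example\r\n"
                 "Content-Security-Policy: script-src 'self' 'unsafe-inline'\r\n"
                 "Strict-Transport-Security: max-age=86400\r\n"
                 "X-Frame-Options: ALLOWALL\r\n\r\n<html>...")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
                     "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
                     "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                     "Referrer-Policy: strict-origin-when-cross-origin\r\n"
                     "Permissions-Policy: geolocation=(), microphone=()\r\n\r\n")
```

Running `audit_headers(parse_response_head(WEAK_RESPONSE))` yields eight findings, while the hardened response yields none.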
OWASP Top 10 Mapping
| OWASP 2021 | Related Vulnerabilities |
|---|---|
| A01: Broken Access Control | 40-44, 23, 74 |
| A02: Cryptographic Failures | 24-25, 53-55 |
| A03: Injection | 1-13, 37-39 |
| A04: Insecure Design | 74, 92-97 |
| A05: Security Misconfiguration | 26-36 |
| A06: Vulnerable Components | 34, 98-100 |
| A07: Auth Failures | 14-23, 85-86 |
| A08: Data Integrity | 45-47 |
| A09: Logging Failures | 73 |
| A10: SSRF | 66, 87-88 |
Constraints and Limitations
- Vulnerability definitions represent common patterns; specific implementations vary
- Mitigations must be adapted to technology stack and architecture
- New vulnerabilities emerge continuously; reference should be updated
- Some vulnerabilities overlap across categories (e.g., IDOR appears in multiple contexts)
- Effectiveness of mitigations depends on proper implementation
- Automated scanners cannot detect all vulnerability types (especially business logic)
Troubleshooting
Common Assessment Challenges
| Challenge | Solution |
|---|---|
| False positives in scanning | Manual verification, contextual analysis |
| Business logic flaws missed | Manual testing, threat modeling, abuse case analysis |
| Encrypted traffic analysis | Proxy configuration, certificate installation |
| WAF blocking tests | Rate adjustment, IP rotation, payload encoding |
| Session handling issues | Cookie management, authentication state tracking |
| API discovery | Swagger/OpenAPI enumeration, traffic analysis |
Vulnerability Verification Techniques
| Vulnerability Type | Verification Approach |
|---|---|
| Injection | Payload testing with encoded variants |
| XSS | Alert boxes, cookie access, DOM inspection |
| CSRF | Cross-origin form submission testing |
| SSRF | Out-of-band DNS/HTTP callbacks |
| XXE | External entity with controlled server |
| Access Control | Horizontal/vertical privilege testing |
| Authentication | Credential rotation, session analysis |
References
- OWASP Top 10 Web Application Security Risks
- CWE/SANS Top 25 Most Dangerous Software Errors
- OWASP Testing Guide
- OWASP Application Security Verification Standard (ASVS)
- NIST Cybersecurity Framework

Source: Kumar MS - Top 100 Web Vulnerabilities