Top Vulnerabilities in Web Applications 2004
| ID | Vulnerability | Description |
|----|---------------|-------------|
| A1 | Unvalidated Input | Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application. |
| A2 | Broken Access Control | Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions. |
| A3 | Broken Authentication and Session Management | Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities. |
| A4 | Cross Site Scripting (XSS) Flaws | The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user. |
| A5 | Buffer Overflows | Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components. |
| A6 | Injection Flaws | Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. |
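The entries A1, A4 and A6 share one root cause: request data crosses a trust boundary (into a database, an operating-system command, or another user's browser) without being validated or encoded for that destination. The following added example, which is not part of the original list, shows the three defences side by side in Python: allowlist validation of a request parameter (A1), a string-spliced SQL query next to its parameterised form (A6), and HTML encoding of untrusted data before it is placed in a page (A4). The user table, the `users` schema, the username format, and the inputs are all constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data: a tiny in-memory user table (not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

# A1: an allowlist for what a username is permitted to look like (assumed format).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(value: str) -> str:
    """Reject any request value outside the expected character set before it
    reaches a backend component; returns the value unchanged when it is valid."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """A6 'before': the parameter is spliced into the SQL text, so characters
    in the request value are interpreted by the database as SQL syntax."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """A6 'after': the value is bound as a query parameter, so the database
    always treats it as data, never as part of the statement."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

def render_greeting(username: str) -> str:
    """A4: encode untrusted data for the HTML context it lands in, so markup
    in the value is displayed as text instead of being executed by the browser."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"

def demo() -> dict:
    """Run the three checks against one constructed, deliberately malformed input."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed: closes the quoted literal in the unsafe query
    try:
        validate_username(crafted)
        rejected = False
    except ValueError:
        rejected = True
    return {
        # the spliced query's WHERE clause becomes always-true: every row comes back
        "unsafe_rows": len(lookup_unsafe(conn, crafted)),
        # the bound parameter matches no user, because none has that literal name
        "safe_rows": len(lookup_safe(conn, crafted)),
        # the allowlist stops the value before any query is built at all
        "validated_rejects": rejected,
        "html": render_greeting("<script>alert(1)</script>"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Validation (A1) and parameterisation (A6) are complementary rather than alternatives: the allowlist limits what reaches the backend at all, while parameter binding makes the query correct even for values the allowlist could not anticipate. Output encoding (A4) has to be chosen per destination context; `html.escape` is right for element text and attribute values, not for data placed inside a script block or a URL.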