
10 Common Web Security Issues You Might Face In 2020

October 01, 2020

In November 2019, Hieu Minh Ngo, notoriously known as HieuPC, a former Vietnamese hacker, was released after seven years in a US jail. In a recent interview with Krebs on Security, Hieu shared the story of his criminal path. Starting with hacking the Unitec website after discovering a vulnerability there, he went on to run further international attacks on the websites of MicroBilt, Court Ventures and Experian. Those companies suffered severe damage from his resale of stolen consumer and financial data. But he is not the only black-hat hacker in the world.

This incident is a serious wake-up call about the importance of web security in particular. To raise awareness of the web application security issues that businesses and individuals face today, this article uses OWASP (Open Source Foundation for Application Security) as a reference to list the top vulnerabilities in web applications.

1. Injection flaws

Injection flaws occur when untrusted input data is not filtered and is then sent to an interpreter as part of a command or query. Attackers can easily detect the vulnerability when testing code manually or by fuzzing. They can then use that weakness to inject malicious code and steal business and client data, or, more seriously, take over the host server.

Among all types of injection vulnerabilities, SQL Injection is the most common, with a very high probability of successfully hijacking websites. Other injection flaws can be found in LDAP servers, XPath and NoSQL queries.

SQL Injection (Source: PortSwigger)

Prevention of this web security issue:

Simply speaking, to secure websites from injection vulnerabilities, you have to filter input data correctly, and more importantly that data needs to be validated against a whitelist. But it is hard to guarantee that filtering alone keeps every piece of hostile data out.

Gergely Kalman, a Spain-based security specialist, advises using the filtering functions of your existing framework, as they work well at scrutinizing suspect data. Meanwhile, OWASP suggests using Object Relational Mapping tools (ORMs) or a safe Application Programming Interface (API) as, in part, a substitute for the interpreter, because such an API provides a parameterised interface. This reduces the risk of your websites being hacked.
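The parameterised interface OWASP recommends, and the whitelist for the one case where parameters cannot help, side by side with the vulnerable string-building version. This is an added example written for this article, not code from OWASP, PortSwigger or the author; it uses Python's standard `sqlite3` module and a constructed in-memory table with two sample rows.

```python
import sqlite3

# Constructed sample data: an in-memory table with two users (not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The input is pasted into the query text, so the interpreter cannot
    # tell data from SQL: a quote inside `username` rewrites the query.
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # The `?` placeholder binds the value separately from the query text;
    # whatever the input contains, it is compared as one string.
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Identifiers (table and column names) cannot be bound as parameters, which
# is where the whitelist mentioned above comes in.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    query = f"SELECT username FROM users ORDER BY {column}"
    return [row[0] for row in conn.execute(query)]


def sort_column_rejected(conn: sqlite3.Connection, column: str) -> bool:
    try:
        list_users_sorted(conn, column)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"          # classic tautology from the SQLi literature
    print(lookup_vulnerable(db, probe))      # every email in the table
    print(lookup_parameterised(db, probe))   # [] : no user has that literal name
```

The parameterised lookup returns nothing for the probe because the whole string, quote and all, is compared against the `username` column; the vulnerable one returns every row.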

2. Broken Authentication

Authentication is the process of determining a user’s identity. It fails when any application function related to authentication or session management is implemented incorrectly. Like injection flaws, this vulnerability is very common. Hackers can identify it by manual means and then use automated tools against lists of usernames and passwords, consequently taking over user accounts temporarily or permanently. Apart from identity theft, this mistake can result in money laundering, social security fraud or loss of confidential information.

Broken Authentication (Source: Medium)

Prevention of this web security issue:

To thwart unexpected attacks, users and developers should:

  • set up multi-factor authentication, typically two-factor authentication for an Apple ID or Google Account;
  • not give out default credentials, especially for admin users;
  • ensure that passwords (also called memorized secrets) are not weak;
  • delay repeated failed login attempts from suspicious sources and report them to administrators;
  • use a secure, built-in server-side session manager that creates a new random session ID with high entropy (unpredictable, so that attackers cannot guess it).
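The last three points of that list in working form: a slow salted password hash, a failed-attempt window that delays further logins, and a session ID drawn from the operating system's CSPRNG. This is an added example, not the article's or OWASP's code; the in-memory stores, the 5-attempts-per-300-seconds policy and the `now` parameter (injected so the lock-out can be exercised without waiting) are assumptions of this demo.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Hypothetical in-memory stores; a deployment keeps these in a shared
# database so that every server instance sees the same counters.
USERS = {}                            # username -> (salt, password_hash)
FAILED_ATTEMPTS = defaultdict(list)   # username -> [timestamps of failures]
WINDOW_SECONDS = 300                  # failures older than this are forgotten
MAX_FAILURES = 5                      # failures tolerated inside the window


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a leaked table cannot be cracked quickly
    # (100k iterations keeps this demo fast; tune upwards in production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hash_password(password, salt))


def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG (256 bits of entropy): not guessable, and a
    # fresh one is issued on every successful login.
    return secrets.token_urlsafe(32)


def login_allowed(username: str, now: float) -> bool:
    recent = [t for t in FAILED_ATTEMPTS[username] if now - t < WINDOW_SECONDS]
    FAILED_ATTEMPTS[username] = recent
    return len(recent) < MAX_FAILURES


def login(username: str, password: str, now=None):
    """Return a fresh session ID on success, None on failure or lock-out."""
    now = time.time() if now is None else now
    if not login_allowed(username, now):
        # Too many recent failures: refuse without even checking the password.
        # A deployment would also raise an alert for administrators here.
        return None
    # Unknown users get a dummy salt/hash so the work done (and the timing)
    # is the same as for a known user.
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, stored):
        FAILED_ATTEMPTS.pop(username, None)
        return new_session_id()
    FAILED_ATTEMPTS[username].append(now)
    return None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "guess", now=1000.0))                        # None
    print(login("alice", "correct horse battery staple", now=1001.0))  # session id
```

`hmac.compare_digest` keeps the hash comparison constant-time, and the lock-out is keyed by username so a distributed guessing campaign against one account is still slowed down.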

3. Sensitive Data Exposure

As the name states, this mistake occurs when sensitive data, especially financial or healthcare data, is not properly protected and is therefore easily attacked. Such information should be encrypted at rest and in transit, but in practice it often is not. Consequently, hackers can carry out man-in-the-middle attacks, in which they secretly intercept and alter the communication between two parties without their knowledge, or take clear-text (unencrypted) data straight out of the server.

Sensitive Data Exposure, the most serious web security issue over the years (Source: Medium)

Prevention of this web security issue:

To minimize this flaw, Gergely Kalman suggests using “HTTPS with a proper certificate and PFS (Perfect Forward Secrecy)” and refusing data from non-HTTPS connections, if you do not want your session keys to be compromised while data is delivered between systems.

It is advisable to classify which data is sensitive before it is processed, stored or transmitted by an app, and then to apply controls based on that classification. Also, as mentioned, all sensitive data ought to be encrypted at rest, and data that is not needed should be removed.
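What "HTTPS with PFS" means at the configuration level: a server-side TLS context that refuses TLS 1.0/1.1 and only offers ephemeral (ECDHE) key exchange, so a key recovered later cannot decrypt recorded sessions. This is an added example using Python's standard `ssl` module, not code from the article or from Gergely Kalman; the `certfile`/`keyfile` arguments are placeholders for a real certificate chain and key.

```python
import ssl


def build_pfs_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server TLS context that only offers forward-secret key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse TLS 1.0 and 1.1 handshakes outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites restricted to ephemeral ECDH key exchange with AEAD
    # ciphers; static RSA key exchange (no forward secrecy) is excluded.
    # TLS 1.3 suites are always forward secret and are managed separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # Use the server's preference order so a client cannot steer the choice.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        # Placeholder paths: supply the deployment's certificate chain and key.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def min_tls_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def offers_only_forward_secret_suites(ctx: ssl.SSLContext) -> bool:
    """True if every enabled suite is ECDHE (TLS 1.2) or a TLS 1.3 suite."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return bool(names) and all(n.startswith(("ECDHE", "TLS_")) for n in names)


if __name__ == "__main__":
    ctx = build_pfs_server_context()
    print(min_tls_version_name(ctx))                 # TLSv1_2
    print(offers_only_forward_secret_suites(ctx))    # True
    for c in ctx.get_ciphers():
        print(c["name"])
```

Pair this with redirecting plain-HTTP requests and sending a `Strict-Transport-Security` header, so that session cookies are never carried over an unencrypted connection in the first place.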

4. XML External Entities (XXE)

XML External Entities are custom entities whose values are defined outside the DOCTYPE declaration. To process XML data, an app requires an XML processor (or XML parser). When such processors are poorly configured or outdated, attackers may use this gap to submit hostile XML containing external entities, which allows them to perform various attacks such as disclosure of internal files or SSRF (Server-Side Request Forgery).

XXE Attack Flow (Source: Packet Labs)

Prevention of this web security issue:

As many web apps now use the XML format to store and transfer data, developers should:

  • be trained to identify and mitigate XXE;
  • use less complex data formats (e.g. JSON) and avoid serializing sensitive data;
  • upgrade all XML parsers and libraries.
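How a parser configured for untrusted input behaves, as an added example (not code from the article or from Packet Labs): it is built on Python's standard `xml.parsers.expat` module, refuses any DOCTYPE (which is where internal and external entities are declared), never resolves parameter entities, and reports external entity references as unresolved instead of fetching them. The flat `{tag: text}` output format and the sample documents are constructed for this demo. In practice the `defusedxml` package offers the same protections as drop-in replacements for the standard parsers.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses a feature we refuse for untrusted input."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text} for its leaf elements.

    Any DOCTYPE aborts the parse, so no entity (internal or external) can be
    declared; this also blocks entity-expansion bombs. Parameter entities are
    never parsed, and external entity references are left unresolved.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {}
    buffer = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not accepted in untrusted input")

    def external_entity_ref(context, base, sysid, pubid):
        # Returning 0 tells expat the reference was not resolved; it then
        # reports a parse error rather than reading a file or URL.
        return 0

    def start_element(name, attrs):
        buffer.clear()

    def char_data(text):
        buffer.append(text)

    def end_element(name):
        value = "".join(buffer).strip()
        if value:
            result[name] = value
        buffer.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return result


def rejects(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a plain order document, and one that declares an
    # (internal, harmless) entity just to show that the DOCTYPE is refused.
    print(parse_untrusted_xml(b"<order><id>42</id><qty>3</qty></order>"))
    print(rejects(b'<!DOCTYPE order [<!ENTITY greeting "hi">]><order><id>&greeting;</id></order>'))
```

Refusing the DOCTYPE outright is the simplest policy when the application never needs DTDs; if it does, the parser must at least keep external entity resolution switched off and apply an expansion limit.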

5. Broken Access Control

This flaw arises when authenticated users can access functionality they are not authorized for. For example, a malicious user who logs in to his own account on a banking app can change the account ID parameter to gain access to other users’ account details, or craft a request to perform admin-level activity, such as searching the user database. As a result, consumer data is unintentionally revealed, modified or even compromised.

Broken Access Control (Source: PortSwigger)

Prevention of this web security issue:

Developers should choose appropriate access control models from the design and development stage of web apps, and implement access control in trusted server-side code or a serverless API.
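The banking example from above as server-side code, with the parameter-trusting lookup next to one that enforces ownership or an admin role before returning anything. This is an added example, not code from the article or PortSwigger; the `User` class, the two-role model and the sample account records are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # "customer" or "admin", set by the server at login


# Constructed sample records (not real data).
ACCOUNTS = {
    1001: {"owner_id": 1, "balance": 250.0},
    1002: {"owner_id": 2, "balance": 9000.0},
}
USER_NAMES = {1: "alice", 2: "bob", 99: "carol"}


class Forbidden(PermissionError):
    pass


def get_account_vulnerable(account_id: int) -> dict:
    # Assumes "logged in" is enough and trusts the account_id parameter:
    # any customer can read any account by changing the ID in the request.
    return ACCOUNTS[account_id]


def get_account(current_user: User, account_id: int) -> dict:
    # Deny by default: fetch, then check ownership or role before returning.
    record = ACCOUNTS.get(account_id)
    is_owner = record is not None and record["owner_id"] == current_user.user_id
    is_admin = record is not None and current_user.role == "admin"
    if not (is_owner or is_admin):
        # One error for "does not exist" and "not yours", so the response
        # does not reveal which account IDs are valid.
        raise Forbidden("account not accessible")
    return record


def search_users(current_user: User, query: str) -> list:
    # Admin-level function: the role comes from the server-side session,
    # never from a flag in the request.
    if current_user.role != "admin":
        raise Forbidden("admin role required")
    return sorted(name for name in USER_NAMES.values() if query in name)


def access_denied(func, *args) -> bool:
    """Helper for the demo: True if the call is refused with Forbidden."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = User(user_id=1, role="customer")
    print(get_account(alice, 1001))                 # her own account
    print(access_denied(get_account, alice, 1002))  # True: bob's account
    print(access_denied(search_users, alice, "bo")) # True: not an admin
```

The check lives next to the data access rather than in the client, so it applies whichever route, script or tool issued the request.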

6. Security Misconfiguration

Abstract illustration of Security Misconfiguration (Source: Labs.ripe.net)

To understand how the vulnerability occurs, just look at the picture. Imagine that the ladder is the system, the girl is a user, the boy is an attacker, and the books and the football are configurations. When the boy kicks the ball, the ladder falls and the girl has an accident. This is the inevitable result of using an unsuitable ladder support (the football), in other words a “misconfigured structure”. Similarly, like the ball, the configurations of many traditional web servers remain out-of-date and insecure, while hybrid and cloud environments change so quickly that it is challenging to build correct, secure configurations. Consequently, the flaw can allow hackers to illegally control or even compromise a system.

Prevention of this web security issue:

The most practical way to fix this mistake is to have a secure development and deployment process.

7. Cross-Site Scripting (XSS)

The flaw appears when web apps accept HTML or JavaScript input that is not sanitized (inspected) and return it to victims, who run it after clicking on script-injected links. Attackers can use such hostile input to execute code in the user’s browser remotely and steal their credentials and sessions. OWASP reports this problem in two thirds of modern apps, in three forms: Reflected XSS, Stored XSS and DOM XSS.

XSS flow (Source: Cloudflare)

Prevention of this web security issue:

Simply speaking, this issue can be prevented by not returning raw HTML or JavaScript tags to users. Developers can also use frameworks (e.g. Ruby on Rails or React.js) that escape output automatically and so avoid the injection.
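What "not returning HTML or JavaScript tags to users" looks like on the server: output is escaped for the context it is placed in, and for links the URL scheme is checked, since escaping alone does nothing against a `javascript:` href. This is an added example, not code from the article or Cloudflare; the comment-rendering functions and the probe strings are constructed for the demo.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author: str, text: str) -> str:
    # User-controlled strings dropped straight into the markup: whatever
    # tags they contain are parsed and run by the victim's browser.
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment(author: str, text: str) -> str:
    # Escaping for the HTML body context turns <, >, &, " and ' into
    # entities, so the browser displays the text instead of parsing it.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def safe_href(url: str) -> str:
    # Inside href the scheme itself is the attack surface: only http(s)
    # links are emitted, anything else collapses to a harmless "#".
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)   # quote=True also escapes " and '


def render_link(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"   # constructed test string
    print(render_comment_vulnerable("mallory", probe))   # tag survives
    print(render_comment("mallory", probe))              # &lt;script&gt;...
    print(render_link("javascript:alert(1)", "click"))  # href="#"
```

Template engines such as Jinja2 or Rails' ERB apply the body-context escaping automatically; the scheme check on links and escaping for attribute or JavaScript contexts still have to be done deliberately.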

8. Insecure Deserialization

Serialization is the act of converting an object into a format from which it can later be restored, whereas deserialization is the opposite: turning data obtained from files or the network back into an object. When deserialization is insecure, attackers can abuse this vulnerability to inject hostile objects into a web app and run remote code attacks against business data.

Insecure Deserialization (Source: PortSwigger)

Prevention of this web security issue:

According to OWASP, the safest solution to this issue is not to accept serialized objects from unknown or untrusted sources. Furthermore, developers should strictly monitor the deserialization process and use a firewall to help detect the flaw.
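One way to act on "only accept serialized objects from a trusted source": serialize to a data-only format (JSON, which can never instantiate arbitrary classes the way a native object serializer can), sign it with an HMAC so that only data this service produced is accepted, and check the field names and types after decoding. This is an added example, not OWASP's or the article's code; the key, the allowed-field schema and the token layout are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-replace-in-production"   # placeholder
ALLOWED_FIELDS = {"user_id": int, "theme": str}             # hypothetical schema


def serialize(obj: dict) -> bytes:
    """JSON payload + HMAC-SHA256 tag, both base64, joined by a dot."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)


def deserialize(token: bytes) -> dict:
    """Verify origin and shape before anything is used."""
    try:
        payload_b64, tag_b64 = token.split(b".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:              # wrong number of parts or bad base64
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: not produced by this service")
    # Only plain data comes out of json.loads; contrast pickle.loads, which
    # would execute whatever the payload describes.
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) - set(ALLOWED_FIELDS):
        raise ValueError("unexpected fields")
    for name, expected_type in ALLOWED_FIELDS.items():
        if name in data and not isinstance(data[name], expected_type):
            raise ValueError(f"field {name!r} has the wrong type")
    return data


def is_accepted(token: bytes) -> bool:
    try:
        deserialize(token)
    except ValueError:
        return False
    return True


def tampered_copy(token: bytes, **changes) -> bytes:
    """Demo helper: rewrite the payload but keep the original tag, which is
    all that someone without SECRET_KEY can do."""
    payload_b64, tag_b64 = token.split(b".")
    data = json.loads(base64.urlsafe_b64decode(payload_b64))
    data.update(changes)
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload) + b"." + tag_b64


if __name__ == "__main__":
    token = serialize({"user_id": 7, "theme": "dark"})
    print(deserialize(token))                              # round-trips
    print(is_accepted(tampered_copy(token, user_id=1)))    # False
```

The integrity check rejects modified payloads and the schema check rejects unexpected structure; together they implement OWASP's advice without having to trust the bytes that arrive.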

9. Using Components with Known Vulnerabilities

Vulnerable components (e.g. frameworks, libraries or software modules) can be exploited by attackers for bad purposes. Depending on the database and application involved, the impact of the vulnerability varies, from stealing private data to taking over the server.


Prevention of this web security issue:

Developers should follow some essential principles to minimize the risk of this flaw, in particular:

  • carefully check the code they write;
  • remove unused features, files and documentation;
  • only get components from official or trustworthy sources.
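A minimal dependency audit, the check that a build pipeline would run to catch components with known vulnerabilities before deployment. This is an added example, not code from the article; the advisory list refers to hypothetical packages with made-up advisory IDs, and the requirements text is constructed. Real pipelines use tools such as `pip-audit` against real advisory databases and a proper version parser, since dotted integers do not cover every version scheme.

```python
import re

# Constructed advisories for hypothetical packages (not real advisories).
ADVISORIES = [
    {"package": "examplelib", "fixed_in": "2.4.1", "id": "ADV-EXAMPLE-0001"},
    {"package": "demoparser", "fixed_in": "0.9.0", "id": "ADV-EXAMPLE-0002"},
]

REQ_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9.]+)")


def parse_version(text: str) -> tuple:
    # Dotted integers only; tuples compare component by component.
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}; unpinned lines are
    an error, because an audit cannot say anything about a floating version."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = REQ_RE.fullmatch(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pinned[match.group(1).lower()] = match.group(2)
    return pinned


def find_vulnerable(pinned: dict, advisories=ADVISORIES) -> list:
    """(package, installed, advisory id, fixed version) for every affected pin."""
    hits = []
    for adv in advisories:
        installed = pinned.get(adv["package"])
        if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append((adv["package"], installed, adv["id"], adv["fixed_in"]))
    return sorted(hits)


def requirements_are_pinned(text: str) -> bool:
    try:
        parse_requirements(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requirements file for the demo.
    reqs = "examplelib==2.3.0\ndemoparser==0.9.0\n# dev tooling\nsafething==1.0.0\n"
    for hit in find_vulnerable(parse_requirements(reqs)):
        print("upgrade needed:", hit)
```

Failing the build on any hit, and on any unpinned line, is what turns "upgrade vulnerable components" from advice into a gate.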

10. Insufficient Logging & Monitoring

Logging means managing logs, the event records of a system, and so ensuring that useful data is collected. Meanwhile, monitoring helps supervise server performance and detect intrusions. When these activities are insufficiently implemented, they fail to record and detect attacks on the database.

Sufficient logging and monitoring are required (Source: Site24x7)

Prevention of this web security issue:

Organizations should effectively monitor for suspicious activity and alert on it. Likewise, all login and access control failures should be adequately recorded so that suspects can be identified in time.
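What recording login and access control failures buys you once they are actually monitored: a detector run over authentication log lines that flags a source address with many failed logins in a short window (one address cycling through many usernames is the typical credential-list attack described in section 2). This is an added example, not code from the article or Site24x7; the log line format, the sample lines (using documentation IP ranges) and the thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: timestamp, level,
# subsystem, event, user and source IP (documentation addresses).
SAMPLE_LOG = """\
2020-10-01T10:00:01Z INFO  auth login_failed user=alice ip=203.0.113.5
2020-10-01T10:00:03Z INFO  auth login_failed user=bob ip=203.0.113.5
2020-10-01T10:00:04Z INFO  auth login_failed user=carol ip=203.0.113.5
2020-10-01T10:00:06Z INFO  auth login_failed user=dave ip=203.0.113.5
2020-10-01T10:00:09Z INFO  auth login_failed user=erin ip=203.0.113.5
2020-10-01T10:00:12Z INFO  auth login_failed user=frank ip=203.0.113.5
2020-10-01T10:01:00Z INFO  auth login_ok user=alice ip=198.51.100.7
2020-10-01T10:02:30Z INFO  auth login_failed user=bob ip=198.51.100.7
2020-10-01T10:20:00Z INFO  auth login_failed user=bob ip=198.51.100.7
2020-10-01T10:20:05Z WARN  auth access_denied user=bob ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+\s+auth (?P<event>login_failed|login_ok|access_denied) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue   # a real pipeline would count and alert on unparsable lines
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with >= threshold failed logins inside any sliding window."""
    failures = defaultdict(list)
    for event in events:
        if event["event"] == "login_failed":
            failures[event["ip"]].append(event)
    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                }
    return alerts


def access_denied_by_user(events: list) -> dict:
    """Access control failures per user: the other signal the text asks to record."""
    counts = defaultdict(int)
    for event in events:
        if event["event"] == "access_denied":
            counts[event["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(detect_bruteforce(events))        # {'203.0.113.5': {...}}
    print(access_denied_by_user(events))    # {'bob': 1}
```

The detector only works because every failed attempt was written to the log with a timestamp, the username tried and the source address; leave any of those out and the pattern cannot be recovered later.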

Final thoughts on common web security issues

Web application security issues are an unavoidable outcome of Internet development. So not only cybersecurity engineers but also non-experts should take a web security course to protect their assets from unanticipated attacks in the future.
