Common web vulnerabilities every hacker and developer should know

We’ve put together a list of the most visited Detectify blog posts on common web vulnerabilities to help anyone interested in hacking and defending:

Web applications and hosted software make up the largest attack surface for modern tech organizations. The most common web vulnerabilities being exploited go beyond the OWASP Top 10 list. At Detectify, we work in close collaboration with an invite-only community called Detectify Crowdsource to get the latest vulnerability research into the hands of security defenders. Besides knowing the vulnerabilities, you need the know how on how to mitigate them.

NGINX misconfigurations:

Nginx is one of the most commonly used web servers on the Internet – actually it’s powering one third of the world’s websites. It’s lightweight, modular, and user-friendly. It’s also easily misconfigured which may leave your servers open to lurkers and attackers. This report goes over missing root location, unsafe variable use and more.

For the advanced security nerds, check out the research from Frans Rosen on common pitfalls found in middleware today which goes beyond the Gixy project by Yandex. 

Server-side request forgery (SSRF)

If you come across a SSRF vulnerability, this means you can send requests made by the web application, often targeting internal systems behind a firewall. Due to the increasing adoption of microservices and serverless platforms, SSRF has moved up the list of common web vulnerabilities and we are seeing more and more reports in the wild. Learn how SSRF can be exploited and mitigated.

Sensitive Data Exposure

Sensitive Data Exposure, an OWASP Top 10 vulnerability that often affects smaller organizations, can put critical sensitive data at risk. The data can vary and anything from passwords, session tokens, credit card data to private health data and more can be exposed. What is Sensitive Data Exposure?

Cross-site Scripting (XSS)

XSS is still very prevalent in web applications. The exploitation of a XSS flaw enables attackers to inject client-side scripts into web pages viewed by users. Listed as one of the OWASP Top 10 vulnerabilities, XSS is the most common web vulnerability class submitted on the Detectify Crowdsource platform. Some helpful resources:

HTTP response splitting

HTTP Response Splitting occurs when an attacker can manipulate the response headers that will be interpreted by the client. Get details on how this can be abused by an attacker to insert arbitrary headers and the impact of this type of attack. Go to HTTP response splitting explained.

Open Redirect vulnerability

The simplest explanation is that the page takes a value and then creates a redirect to it. Open redirect is commonly overlooked, however a clever hacker will be able to chain it and escalate it into something greater – sometimes an impactful 0-day! Learn more about the real impact of an open redirect.

image: Detectify web vulnerability scanner looks for open redirect amongst other common web vulnerabilities.

CORS Misconfigurations Explained

When misconfigured, CORS can be bypassed in many different ways. This article goes through the most common ways of bypassing including insufficient regular expression and third party hosts. View the full CORS list.

Spoofing emails

Missing SPF records are still a common issue, and this can be a risk for leaking sensitive information. Anyone can fall victim to spoofable emails including large Enterprises. The solutions lie in how you are configuring SPF, DMARC and DKIM. Learn more.

Bypassing Content Security Policy (CSP)

Why is CSP necessary? For one, it can prevent header exploits. It gives additional protection to help lessen the damage should one find a XSS vulnerability on your web page. Get the details on how this can be bypassed, and how you can set up a CSP for effective protection. Learn CSP.

HTTP request smuggling

HTTP request smuggling continues to be exploited in the wild by hackers of all sorts of hats – hopefully it’s the ethical ones reporting to you. In this case, the attacker can change a request to have two requests within the body. Learn more about this type of attack.

Hostile Subdomain Takeover

Detectify founders coined this term Hostile Subdomain Takeover back in 2014, and many organizations are still exposed through this vulnerability. Security researchers and bug hunters continue to discover novel ways to exploit this kind of vulnerability, and this continues to be one of the most popular articles on Detectify Labs. It’s worth getting familiar with the original research blog of hostile subdomain takeover to inspire future ways of testing.

How can Detectify help?

Detectify works with the best ethical hackers in the world to crowdsource the latest critical vulnerabilities, and put this into the hands of application engineers. The fully automated scanner simulates real hacker payloads in a safe way so you can go hack yourself before someone else does.

How do your web apps measure up to the list above? Check your web applications for active common web vulnerabilities using Detectify by starting a 2-week free trial today.

Jocelyn Chan is the Content Manager at Detectify. She is a self-proclaimed hype-girl for automated web security powered by white hat hackers and believes that the future is in the crowd. She also would like to connect more women in tech and security together which is why she is co-leading the Women in Security – Stockholm Chapter. And yes she has seen Hackers, and believes that it's so good because it's so bad.