Web applications serve many different users at the same time over a network, and so they must be easily reachable by a large number of people. That same accessibility lets attackers manipulate various components of a web app in order to steal sensitive data, compromise other users' sessions, disrupt the app's operation, and more.
Web apps rely on common languages for compatibility with the HTTP/S protocol and the browsers that let users interact with websites. Most apps, even those built on a web framework such as AngularJS, Ruby on Rails, or Django (Python), still incorporate HTML and JavaScript code. In addition, most apps need to read from and write to a database, and Structured Query Language (SQL) is the most common query language for that purpose. When you combine all of these components, you tend to encounter the same familiar vulnerabilities again and again. In general, they include:
- Poorly implemented or non-existent security configurations.
- Flaws in authentication and authorization components.
- Susceptibility to various types of code injection.
- Susceptibility to cross-site scripting (XSS) and cross-site request forgery (CSRF).
- Susceptibility to clickjacking.
- Susceptibility to file inclusion exploits.
- Susceptibility to web shells.
- Insecure coding practices.
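Two of the classes above, code injection and XSS, come directly from the HTML/JavaScript/SQL mix described earlier: user input is pasted into a query or a page as if it were code. The following added example (not code from the original text) shows both defects beside their fixes in Python, using an in-memory SQLite table and constructed sample rows; the function names and the `users` table are assumptions made for the demonstration. Binding the input with a query placeholder keeps it as data, so the tautology input that makes the concatenated query return every row matches nothing in the parameterized version, and escaping output with `html.escape` turns the script tag into inert text.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample database (not from the original text).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the query is built by string concatenation, so user input
    # becomes part of the SQL statement itself (SQL injection).
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    # Fix: a bound parameter is always treated as a literal value and can
    # never change the structure of the statement.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_unsafe(name):
    # Defect: raw input is interpolated into HTML, so markup in the input
    # is rendered by the browser (reflected XSS).
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Fix: context-appropriate output encoding turns <, >, & and quotes
    # into entities, so the browser shows the text instead of executing it.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    # Runs each lookup/render with a normal input and with an input that
    # contains SQL or HTML syntax, and returns the results for comparison.
    conn = make_db()
    tautology = "' OR '1'='1"          # classic textbook injection input
    markup = "<script>alert(1)</script>"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
        "xss_unsafe": render_greeting_unsafe(markup),
        "xss_safe": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script prints the concatenated query returning both users for the tautology input while the parameterized query returns an empty list, and the escaped greeting containing `&lt;script&gt;` rather than a live tag. The same two rules, bind data instead of concatenating it and encode output for the context it lands in, are what framework ORMs and template engines apply for you; the vulnerabilities reappear whenever code bypasses them with raw strings.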