Common Threats
What You Need to Know About Phishing Scams
This article gives you detailed information on how to keep yourself safe from phishing scams.
Insecure Cryptographic Storage
Websites that need to store sensitive information, such as usernames, passwords or other personal details, must use strong encryption to secure the data. Insecure cryptographic storage means sensitive data is stored without that protection. If malicious users can access insecurely stored data, they can read it with little effort.
Strong, standard encryption algorithms, [...]
Injection Flaws
Injection vulnerabilities let visitor-provided input, such as text in a search or contact form, interact with important website files or databases. Injection flaws affect multiple languages or protocols, such as LDAP, SQL, and XML.
Malicious users can exploit injection flaws if a site isn’t configured to validate input. Attackers might [...]
Insecure Direct Object References
Direct object references expose website or account-specific details, such as account numbers, file names, directories, or database keys, in the URL or other accessible sources. Displaying sensitive information in the URL might be a security vulnerability if your website is not configured to verify access for every account-specific page or [...]
Cross-Site Scripting
Cross-site scripting (XSS) vulnerabilities let visitor-provided input, such as text in a search or form, influence how a website functions or displays for another visitor.
Attackers use XSS to exploit the trust between visitors and websites by entering text, usually browser-executable scripts such as JavaScript®, Adobe® Flash, or HTML, to perform [...]
Insufficient Transport Layer Protection
Sensitive data, such as credit card numbers or other personal information, must be secured with strong encryption during transit from a visitor’s browser to the Web server. If the data isn’t encrypted, a malicious user might intercept and view the information.
SSL certificates help prevent insufficient transport layer protection by encrypting [...]
Cross-Site Request Forgery
Cross-site request forgery (CSRF) is an attack that takes advantage of a website’s predictable access-restricted actions, such as updating the email address or password for an account.
If malicious users can predict the details for a particular action, they can trick logged-in users into clicking a forged link, typically through a [...]
Authentication and Session Management Flaws
Authentication and session management are the parts of a website that handle a visitor’s interaction with a website, such as logging in, saving preferences, or timing out due to inactivity. If any authentication or session management functions have a flaw, individual accounts or possibly the entire user group could be [...]
Unvalidated Redirects and Forwards
Common website functions, such as search results or account logins, frequently use redirects or forwards to send visitors to another destination. The web address often references the destination, which is displayed after url=. For example:
http://www.coolexample.com/search?q=yellow&url=coolexample.net
If the website doesn’t verify the destination, redirects or forwards might be vulnerable to modification. An [...]
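As an added illustration of the check the text describes (example code written for this page, not code from the site or article it summarizes), the following compares the vulnerable pattern of trusting the url= parameter as given with a version that only follows destinations on an allow-listed host. The host list, the site root and the foreign host name are constructed assumptions for the example.

```python
from urllib.parse import urlparse, urljoin, parse_qs

# Hosts a redirect may target. Constructed for this example from the page's
# sample URL; a real site would configure its own list.
ALLOWED_HOSTS = {"www.coolexample.com", "coolexample.com", "coolexample.net"}
SITE_ROOT = "http://www.coolexample.com/"
DEFAULT_DESTINATION = SITE_ROOT


def unsafe_redirect_target(url_param: str) -> str:
    """The vulnerable pattern: send the visitor wherever url= says."""
    return url_param


def safe_redirect_target(url_param: str) -> str:
    """Return url_param only if it resolves to an allowed host, else the site root."""
    if not url_param:
        return DEFAULT_DESTINATION
    # Resolve relative paths against the site root so "/account" stays on-site.
    # A scheme-relative "//other.host/x" still resolves to the foreign host, and
    # "javascript:" or "data:" values are returned unchanged by urljoin.
    absolute = urljoin(SITE_ROOT, url_param.strip())
    parsed = urlparse(absolute)
    if parsed.scheme not in ("http", "https"):
        return DEFAULT_DESTINATION
    # .hostname is lowercased and excludes userinfo and port, so a value such as
    # "http://coolexample.net@evil.example/" is judged by its real host.
    if parsed.hostname not in ALLOWED_HOSTS:
        return DEFAULT_DESTINATION
    return absolute


def redirect_from_query(query: str) -> str:
    """Parse a query string shaped like the page's example and pick the destination."""
    params = parse_qs(query)
    return safe_redirect_target(params.get("url", [""])[0])


if __name__ == "__main__":
    # The page's own sample query, plus a constructed foreign destination.
    print(redirect_from_query("q=yellow&url=coolexample.net"))
    print(redirect_from_query("q=yellow&url=https://evil.example/login"))
```

Note that the bare value coolexample.net in the page's sample has no scheme, so urljoin treats it as a path on the site root rather than as a host; a site that wants bare host names to mean a different site must parse them explicitly before the check.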
Unrestricted URL Access
Restricting URL access helps prevent visitors who are not logged in from accessing administrative or other restricted pages in a website. If visitors attempt to view restricted pages, they should be prompted to log in.
If pages in a restricted area are not configured to only allow authorized users to view [...]