Common Security Findings

SQL Injection is a code injection vulnerability where attackers insert malicious SQL code into input fields, allowing them to execute unintended database queries. This can lead to unauthorized data access, modification, or deletion.

Business Impact: Complete database compromise, exposure of customer PII, financial data theft, regulatory fines (GDPR, CCPA), reputational damage, and business interruption.

Risk: Attackers can extract entire databases, modify records, or create backdoors for persistent access.

• • Manual input validation testing on all user-facing forms
• • Parameterized query verification in source code review
• • Database response analysis for injection payloads
• • Time-based blind SQL injection detection
• • Error message analysis for information disclosure

XSS occurs when attackers inject malicious scripts into web pages viewed by other users. Stored XSS persists in the database, reflected XSS attacks via URL parameters, and DOM-based XSS exploits client-side JavaScript vulnerabilities.

Business Impact: Session hijacking, credential theft, malware distribution, defacement, user data exfiltration, phishing attacks against your users.

Risk: Compromises user trust, enables identity theft, distributes malware, and damages brand reputation.

• • Input validation bypass attempts with HTML/JS payloads
• • Output encoding verification in page source
• • DOM-based XSS exploitation via JavaScript execution
• • Context-specific encoding testing (HTML, attribute, URL, CSS)
• • Browser dev tools analysis for DOM manipulation

IDOR is an authorization vulnerability where applications don't properly verify user permissions before granting access to resources. Attackers can access objects by manipulating identifiers (IDs) in URLs or API calls without ownership verification.

Business Impact: Unauthorized access to customer data, financial records, private documents, and confidential business information. Compliance violations and legal liability.

Risk: One of the most common vulnerabilities in APIs and web applications, enabling large-scale data breaches with minimal effort.

• • ID enumeration and sequential testing
• • Cross-user resource access attempts
• • API endpoint authorization validation
• • Token/session manipulation testing
• • Direct object reference manipulation in requests

Applications missing critical HTTP security headers like Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and others that provide defense-in-depth protection against common web vulnerabilities.

Business Impact: Enables clickjacking attacks, XSS exploitation, MIME-type sniffing attacks, and downgrade attacks. Increases severity of other vulnerabilities.

Risk: Low-cost mitigation that significantly reduces attack surface. Missing headers indicate security program immaturity.

• • HTTP response header inspection
• • CSP policy analysis and bypass testing
• • Clickjacking vulnerability verification
• • HSTS and secure transport validation
• • Header compliance against OWASP guidelines

CSRF tricks authenticated users into performing unwanted actions by making them visit a malicious site while logged into your application. The application performs the action because the user is authenticated, without verifying the user intended it.

Business Impact: Unauthorized fund transfers, account modifications, password changes, sensitive data access, and user impersonation attacks.

Risk: Affects high-privilege actions. Easily exploitable with minimal complexity required from attacker.

• • CSRF token validation testing
• • Token generation and verification analysis
• • Cross-origin request execution attempts
• • SameSite cookie attribute verification
• • State-changing action protection validation

Applications, devices, or services deployed with unchanged manufacturer or software default credentials (default usernames/passwords, API keys, SSH keys, or access tokens). These are publicly documented and trivial to discover.

Business Impact: Complete system compromise, unauthorized administrative access, data exfiltration, malware deployment, lateral movement into internal networks.

Risk: Trivial for attackers to exploit. No specialized tools required. Often found during external reconnaissance.

• • Default credential dictionary testing
• • Service enumeration and identification
• • Authentication bypass attempts
• • Configuration review for hardening verification
• • API key and token exposure scanning

Systems configured with deprecated TLS versions (1.0, 1.1), weak cipher suites, missing forward secrecy, or inadequate certificate validation. These reduce encryption strength and enable cryptographic attacks.

Business Impact: Man-in-the-middle attacks, session hijacking, credential theft, data interception, regulatory non-compliance (PCI-DSS, GDPR).

Risk: Modern browsers warn users. Indicates infrastructure age and lack of security investment.

• • SSL/TLS version enumeration
• • Cipher suite strength analysis
• • Certificate validation testing
• • Perfect forward secrecy verification
• • Cryptographic strength assessment

Administrative interfaces (control panels, management dashboards, debugging ports, API endpoints) exposed on public networks without proper authentication or access restrictions. Examples include Tomcat manager, Jenkins, Docker API, Kubernetes dashboards.

Business Impact: Complete infrastructure compromise, application deployment, system configuration changes, data access, code execution, lateral movement to internal systems.

Risk: Immediate compromise. Requires only network connectivity to exploit.

• • Port scanning and service enumeration
• • Common admin interface discovery
• • Authentication bypass attempts
• • Unauthenticated access testing
• • Default credential attempts on admin panels

Networks lacking logical separation between security zones, allowing unrestricted lateral movement. Devices in different trust levels (DMZ, workstations, servers, databases) can communicate without controls.

Business Impact: Enables lateral movement after initial compromise, increases breach impact, compromises database servers from web server, accesses financial systems from compromised workstation.

Risk: Converts single device compromise into full network compromise.

• • Network reachability testing across zones
• • Firewall rule validation
• • Lateral movement attempts
• • VLAN isolation verification
• • Network traffic analysis

API keys, authentication tokens, cloud service credentials, or encryption keys embedded directly in application source code, resources, or configuration files. Easily extracted via decompilation, reverse engineering, or static analysis.

Business Impact: Backend service compromise, cloud account takeover, unauthorized API usage (billing), data exfiltration, service disruption, cryptocurrency theft.

Risk: Keys persist in app stores, GitHub, build artifacts. Every installation is a potential breach.

• • Binary decompilation and disassembly
• • Resource file extraction and analysis
• • Configuration file review
• • Strings extraction searching for credentials
• • Network traffic interception for API keys

Sensitive data (passwords, tokens, PII) stored unencrypted in application memory, shared preferences, databases, or local files. Data accessible to attackers with device access, rooted phones, or malicious apps.

Business Impact: Account takeover, privilege escalation, session hijacking, unauthorized API access, credential theft, PII exposure.

Risk: Phone theft or malware instantly compromises user accounts. No device PIN protects app data.

• • Shared preferences and database inspection
• • File system permissions analysis
• • Memory dump analysis for credentials
• • Data encryption verification
• • Keychain/secure storage usage review

Mobile applications lacking certificate pinning accept any valid SSL certificate from trusted CAs. Attackers on compromised networks or corporate proxies can intercept HTTPS traffic and bypass standard certificate validation.

Business Impact: Man-in-the-middle attacks, session hijacking, credential theft, sensitive data interception, malware injection into app responses.

Risk: Effective on compromised networks, airport WiFi, corporate proxies. Easy for attackers with network access.

• • Certificate pinning implementation review
• • Proxy interception testing (Burp, Charles)
• • Custom certificate acceptance testing
• • HTTPS traffic analysis
• • Network penetration testing