Web Security

The Web Vulnerability Encyclopedia

Most breaches are not exotic. They are the same handful of vulnerability classes in a new application. Here is the field reference - twelve classes, each with what it is, why it hurts, and how to shut it down.

UUnnbugify Security Team January 22, 2026 15 min read

Most breaches are not exotic zero-days - they are the same handful of vulnerability classes, over and over, in new applications. This is a field reference to the twelve that matter most, mapped loosely to the OWASP Top 10. Each entry: what it is, why it hurts, and how to shut it down. Four of them have full deep dives linked inline.

1. Broken Access Control (IDOR / BOLA) High

What it is: The application does not properly check that the logged-in user is allowed to act on the object they requested. Change an ID, read someone else's record.

Impact: Cross-tenant data theft, privilege escalation, account takeover. OWASP's #1 web risk.

Fix: Enforce authorization on every request, server-side, scoped to the current user. Deny by default. Full write-up: IDOR & Broken Access Control.

2. SQL Injection Critical

What it is: Untrusted input is concatenated into a database query, letting an attacker change the query's logic.

Impact: Full read/write of the database, authentication bypass, and sometimes command execution on the DB host.

Fix: Use parameterized queries / prepared statements everywhere. Never build SQL by string concatenation. Full write-up: SQL Injection, end to end.

3. Cross-Site Scripting (XSS) High

What it is: The app reflects attacker-controlled input into a page without encoding it, so the browser runs it as script.

Impact: Session hijacking, credential theft, and full account takeover in the victim's browser.

Fix: Context-aware output encoding, a strict Content-Security-Policy, and framework auto-escaping. Full write-up: XSS explained.

4. Server-Side Request Forgery (SSRF) High

What it is: The server can be tricked into making HTTP requests to attacker-chosen destinations, including internal ones.

Impact: Theft of cloud metadata credentials, access to internal-only services, and network pivoting.

Fix: Allowlist outbound destinations, block link-local/private ranges, and enforce IMDSv2. Full write-up: SSRF: the server attacks itself.

5. Cross-Site Request Forgery (CSRF) Medium

What it is: A malicious site forces a logged-in victim's browser to submit a state-changing request to your app using their cookies.

Impact: Unwanted actions performed as the victim: changing email, transferring funds, altering settings.

Fix: Anti-CSRF tokens on state-changing requests and SameSite=Lax/Strict cookies. Prefer non-cookie auth for APIs.

6. Broken Authentication & Sessions High

What it is: Weak login, predictable tokens, missing lockout, or poor session handling let attackers assume identities.

Impact: Account takeover at scale via credential stuffing, brute force, or session fixation.

Fix: Strong password policy, MFA, rate limiting and lockout, rotate session IDs on login, short-lived tokens.

7. Security Misconfiguration Medium

What it is: Default credentials, verbose errors, open cloud storage, unnecessary features, or missing security headers.

Impact: Anything from information disclosure to full compromise, depending on what was left open.

Fix: Harden by default, remove unused features, disable stack traces in production, and scan configuration continuously.

8. Sensitive Data Exposure High

What it is: Sensitive data is stored or transmitted without adequate protection - plaintext passwords, no TLS, weak hashing.

Impact: Mass credential and PII disclosure when a system is breached or traffic is intercepted.

Fix: TLS everywhere, encrypt at rest, hash passwords with bcrypt/argon2, and never log secrets.

9. XML External Entities (XXE) High

What it is: An XML parser processes external entity references in attacker-supplied XML.

Impact: Local file disclosure, SSRF, and denial of service via a crafted document.

Fix: Disable external entity and DTD processing in every XML parser. Prefer JSON where possible.

10. Insecure Deserialization Critical

What it is: The app deserializes attacker-controlled data into objects without validation.

Impact: Frequently leads to remote code execution.

Fix: Never deserialize untrusted input. Use data-only formats (JSON) and strict type allowlists.

11. Server-Side Template Injection (SSTI) Critical

What it is: User input is embedded into a server-side template that is then evaluated.

Impact: Often remote code execution on the server.

Fix: Never concatenate user input into templates. Use logic-less templates and sandboxed engines.

12. File Upload & Path Traversal High

What it is: Unrestricted uploads or unsanitised file paths let attackers write or read arbitrary files.

Impact: Web-shell upload leading to RCE, or reading files like /etc/passwd and app secrets.

Fix: Validate type and content, store outside the web root, randomise names, and canonicalise/deny ../ in paths.


Different names, one pattern: the application trusted something the attacker controlled. Fix the class, not just the instance - a single parameterized-query standard kills SQL injection across your whole codebase, and one central authorization layer ends most access-control bugs.

Key takeaways

  • A dozen classes explain the vast majority of real-world breaches.
  • Broken access control and injection sit at the top for a reason.
  • Validate input, encode output, and authorize every request - server-side.
  • Remediate at the class level with shared, reusable controls.
Need professional assistance?

Unnbugify provides consent-based VAPT, red teaming, cloud and API security testing, and secure code review for organisations of every size.

Explore our services
U
Unnbugify Security Team
Offensive Security Research, Unnbugify Technologies

The Unnbugify team delivers VAPT, red teaming, and continuous security testing for organisations worldwide. We publish field notes from real engagements to help defenders stay ahead of attackers.