The Web Vulnerability Encyclopedia
Most breaches are not exotic. They are the same handful of vulnerability classes in a new application. Here is the field reference - twelve classes, each with what it is, why it hurts, and how to shut it down.
Most breaches are not exotic zero-days - they are the same handful of vulnerability classes, over and over, in new applications. This is a field reference to the twelve that matter most, mapped loosely to the OWASP Top 10. Each entry: what it is, why it hurts, and how to shut it down. Four of them have full deep dives linked inline.
1. Broken Access Control (IDOR / BOLA) High
What it is: The application does not properly check that the logged-in user is allowed to act on the object they requested. Change an ID, read someone else's record.
Impact: Cross-tenant data theft, privilege escalation, account takeover. OWASP's #1 web risk.
Fix: Enforce authorization on every request, server-side, scoped to the current user. Deny by default. Full write-up: IDOR & Broken Access Control.
2. SQL Injection Critical
What it is: Untrusted input is concatenated into a database query, letting an attacker change the query's logic.
Impact: Full read/write of the database, authentication bypass, and sometimes command execution on the DB host.
Fix: Use parameterized queries / prepared statements everywhere. Never build SQL by string concatenation. Full write-up: SQL Injection, end to end.
3. Cross-Site Scripting (XSS) High
What it is: The app reflects attacker-controlled input into a page without encoding it, so the browser runs it as script.
Impact: Session hijacking, credential theft, and full account takeover in the victim's browser.
Fix: Context-aware output encoding, a strict Content-Security-Policy, and framework auto-escaping. Full write-up: XSS explained.
4. Server-Side Request Forgery (SSRF) High
What it is: The server can be tricked into making HTTP requests to attacker-chosen destinations, including internal ones.
Impact: Theft of cloud metadata credentials, access to internal-only services, and network pivoting.
Fix: Allowlist outbound destinations, block link-local/private ranges, and enforce IMDSv2. Full write-up: SSRF: the server attacks itself.
5. Cross-Site Request Forgery (CSRF) Medium
What it is: A malicious site forces a logged-in victim's browser to submit a state-changing request to your app using their cookies.
Impact: Unwanted actions performed as the victim: changing email, transferring funds, altering settings.
Fix: Anti-CSRF tokens on state-changing requests and SameSite=Lax/Strict cookies. Prefer non-cookie auth for APIs.
6. Broken Authentication & Sessions High
What it is: Weak login, predictable tokens, missing lockout, or poor session handling let attackers assume identities.
Impact: Account takeover at scale via credential stuffing, brute force, or session fixation.
Fix: Strong password policy, MFA, rate limiting and lockout, rotate session IDs on login, short-lived tokens.
7. Security Misconfiguration Medium
What it is: Default credentials, verbose errors, open cloud storage, unnecessary features, or missing security headers.
Impact: Anything from information disclosure to full compromise, depending on what was left open.
Fix: Harden by default, remove unused features, disable stack traces in production, and scan configuration continuously.
8. Sensitive Data Exposure High
What it is: Sensitive data is stored or transmitted without adequate protection - plaintext passwords, no TLS, weak hashing.
Impact: Mass credential and PII disclosure when a system is breached or traffic is intercepted.
Fix: TLS everywhere, encrypt at rest, hash passwords with bcrypt/argon2, and never log secrets.
9. XML External Entities (XXE) High
What it is: An XML parser processes external entity references in attacker-supplied XML.
Impact: Local file disclosure, SSRF, and denial of service via a crafted document.
Fix: Disable external entity and DTD processing in every XML parser. Prefer JSON where possible.
10. Insecure Deserialization Critical
What it is: The app deserializes attacker-controlled data into objects without validation.
Impact: Frequently leads to remote code execution.
Fix: Never deserialize untrusted input. Use data-only formats (JSON) and strict type allowlists.
11. Server-Side Template Injection (SSTI) Critical
What it is: User input is embedded into a server-side template that is then evaluated.
Impact: Often remote code execution on the server.
Fix: Never concatenate user input into templates. Use logic-less templates and sandboxed engines.
12. File Upload & Path Traversal High
What it is: Unrestricted uploads or unsanitised file paths let attackers write or read arbitrary files.
Impact: Web-shell upload leading to RCE, or reading files like /etc/passwd and app secrets.
Fix: Validate type and content, store outside the web root, randomise names, and canonicalise/deny ../ in paths.
Different names, one pattern: the application trusted something the attacker controlled. Fix the class, not just the instance - a single parameterized-query standard kills SQL injection across your whole codebase, and one central authorization layer ends most access-control bugs.
Key takeaways
- A dozen classes explain the vast majority of real-world breaches.
- Broken access control and injection sit at the top for a reason.
- Validate input, encode output, and authorize every request - server-side.
- Remediate at the class level with shared, reusable controls.
Unnbugify provides consent-based VAPT, red teaming, cloud and API security testing, and secure code review for organisations of every size.