
Overview of vulnerabilities in web applications - lchsk
https://lchsk.com/stay-paranoid-and-trust-no-one-overview-of-common-security-vulnerabilities-in-web-applications.html
======
ericalexander3
Interested in data on real world impact from these attack vectors? Hackerone
has public data on how often they reward each type:
[https://www.hackerone.com/blog/hackerone-top-10-most-impactf...](https://www.hackerone.com/blog/hackerone-top-10-most-impactful-and-rewarded-vulnerability-types).
You can also browse through findings in Hackerone's hacktivity:
[https://hackerone.com/hacktivity](https://hackerone.com/hacktivity). I run a
project where we try and connect the dots between breaches and the how and why
they happened:
[https://ericalexander.org/SecurityBreach/](https://ericalexander.org/SecurityBreach/)

------
brightball
Since this uses Django for examples and mentions Bandit as an automated option
for finding vulnerabilities, are there any others that people would recommend?

------
Pigo
I always thought a lot of the biggest hacks were done by insiders, or with
insider information. I know there's a lot you can hunt for out there. But
being part of the team that built something of interest, knowing what is
exploitable, could be a big temptation.

~~~
calibas
Depends on what you mean by "biggest", but in my experience the most common
cause is lax security practices, mainly not performing security updates
quickly enough. A business doesn't want to spend extra on website maintenance,
so sites get neglected, sometimes for years.

------
bdibs
Another resource I’d recommend is OWASP’s lists, their top 10 is a good
starting place:

[https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)

------
aldoushuxley001
Great info, I'm especially stoked Django was used for the examples.

