Overview of vulnerabilities in web applications (lchsk.com)
65 points by lchsk on Feb 7, 2020 | hide | past | favorite | 6 comments

Interested in data on real world impact from these attack vectors? Hackerone has public data on how often they reward each type: https://www.hackerone.com/blog/hackerone-top-10-most-impactf... . You can also browse through findings in Hackerone's hacktivity: https://hackerone.com/hacktivity . I run a project where we try to connect the dots between breaches and how and why they happened: https://ericalexander.org/SecurityBreach/

Since this uses Django for examples and mentions Bandit as an automated option for finding vulnerabilities, are there any others that people would recommend?

I always thought a lot of the biggest hacks were done by insiders, or with insider information. I know there's a lot you can hunt for out there. But being part of the team that built something of interest, knowing what is exploitable, could be a big temptation.

Depends on what you mean by "biggest", but in my experience the most common cause is lax security practices, mainly not performing security updates quickly enough. A business doesn't want to spend extra on website maintenance, so sites get neglected, sometimes for years.

Another resource I’d recommend is OWASP’s lists; their top 10 is a good starting place:


Great info, I'm especially stoked Django was used for the examples.
