Security 5 min read

Top 5 security threats in application security

Different types of security threats
Table of Contents


Application security is a growing concern, and for good reason. XSS and Injection vulnerabilities are a great starting point for understanding the most common and dangerous vulnerabilities in web applications. The following are some examples of these threats and how they can be mitigated:

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of injection attack that allows an attacker to run code on a victim’s machine or web server. XSS attacks occur when users are tricked into executing malicious scripts in their browsers, which can then be used to steal information and perform other nefarious tasks.

The most common way that attackers use XSS is by injecting malicious scripts into websites, like this: When you visit this page in your browser, your browser will execute the script it finds between tags in place of what should have been there originally–in this case “victimdomain/accounts/edit?name=hacker”. This means that if you’re logged into Gmail or Facebook while visiting this page then any cookies associated with those sites will also be sent along with any requests made by your browser while using the fake account created by our hacker friend.

Injection vulnerabilities

Injection vulnerabilities occur when an application accepts data from a user but fails to validate that the input is valid. This can lead to unexpected code execution and data modification, which can be used by an attacker to gain access or control of your application.
Injection attacks are one of the most common security vulnerabilities because they’re easy to find and exploit in many different programming languages:

  • SQL Injection attacks allow attackers to execute SQL statements on vulnerable database servers (e.g., Microsoft SQL Server). This includes both injections via user-supplied input (e.g., username), as well as through database queries themselves (e.g., SELECT Name FROM Users WHERE ID = 1).
  • LDAP Injection attacks allow attackers to bypass authentication mechanisms by sending specially crafted packets over TCP port 389/636 (LDAP) or UDP port 636(LDAP over TLS) in order to execute arbitrary commands on the target machine. These include OS command injection via shell metacharacters such as pipes (“|”), semicolons (“;”) or backslashes (“\\”), command separators like ampersands (&) and quotation marks (“””) within strings; PHP Code Injection through unquoted variables/arguments passed into system() calls; Cross Site Scripting vulnerabilities occur when untrusted client-side javascript code executes within your web application’s domain context due to insufficient sanitization before being returned back up onto another page within same origin – e.g., if you’re using jQuery(‘a’).attr(‘href’).replace(/(\w+)$/, “$1”);

Unvalidated Redirects and Forwards

In application security, a redirect is a client-side redirection to a different URL. A forward is a server-side redirection to a different URL. Both types of redirection are vulnerable to attacks if not validated by the developer. For example, when an attacker injects code into the URL in an attempt to change its destination (for example, using Javascript), this can lead to XSS attacks that allow them access to sensitive data or execute malicious code on your site without your knowledge.

CSRF – Cross-Site Request Forgery

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. The attacker tricks the victim into executing an unwanted action, without the victim’s knowledge.
A successful CSRF exploit can allow attackers to perform actions that they are otherwise not authorized for, such as transferring funds from their account or changing their password.

Security Misconfiguration

The number one security threat in application security is a configuration mistake. Security misconfiguration happens when an application is not configured correctly, which can result in the following:

  • Misconfigured security controls, such as firewalls and intrusion detection systems (IDS)
  • Default configuration settings that are too weak or insecure for the environment they are placed in, such as weak password policies or insecure protocols like HTTP vs HTTPS

The best way to prevent this type of threat is by performing regular audits on your applications and reviewing their configuration settings on a regular basis. You should also make sure that you’re using secure protocols like TLS/SSL wherever possible so that sensitive data isn’t sent over unencrypted channels


As you can see, there are many different types of security threats that developers need to keep in mind when writing their code. The best way to stay up-to-date on the latest threats is by reading security blogs, and security whitepapers and attending webinars with experienced practitioners in the field.

Need help with technology
for your digital platform?

Get to know how technology can be leveraged to turn your idea into a reality.
Schedule a call with our experts

unthinkable ideas