Common web vulnerabilities and how to avoid them
You don't need to be a security researcher to protect a web app — but you do need to know the common ways things go wrong. Most attacks aren't novel; they exploit the same recurring weaknesses. Here are the big ones and how to defend against them.
The usual suspects
- Injection (e.g. SQL injection). Untrusted input is treated as a command. Defence: never trust input; use parameterised queries and validation.
- Broken access control. Users reaching data or actions they shouldn't. Defence: check permissions on every request, server-side, by default.
- Cross-site scripting (XSS). Malicious scripts injected into pages other users see. Defence: escape and sanitise anything shown in the browser.
- Authentication flaws. Weak login, sessions and password handling. Defence: proven libraries, hashing, and multi-factor authentication.
- Vulnerable dependencies. Known holes in outdated libraries. Defence: keep dependencies updated and scanned.
The common thread
Notice the pattern: most defences come down to a few habits — never trust input, check permissions everywhere, keep software updated, and use proven tools rather than rolling your own. Get those right and you've closed the doors most attackers try first.
Attackers rarely need a clever new trick — they rely on the basics being missed.
- Most breaches exploit a handful of well-known vulnerabilities.
- Never trust input, enforce access control everywhere, update dependencies.
- Use proven libraries and standards rather than building security yourself.
Frequently asked questions
How do I know if my app is vulnerable?
Automated scanners catch many issues, and a professional security review (or penetration test) catches more. Keeping dependencies updated closes a large share of known holes.
Is my small app really a target?
Yes — most attacks are automated and indiscriminate, scanning the whole web for known weaknesses. Small apps are hit precisely because they often skip the basics.
What's the single most important defence?
Never trusting input — validating and sanitising everything from outside. It's the root cause behind several of the most common and damaging vulnerabilities.
ZIVARA builds web apps with these defences in place from the start. Let's talk security.