Skip to content
Fast-turnaround security assessments available — 10+ years development & security experienceGet started
Topic Hub

Web Application Security

Everything you need to understand web application vulnerabilities — from injection attacks and cross-site scripting to broken access control and business logic flaws.

18 knowledge articles10 case studies56 glossary terms

Understanding Web Application Security

VulnerabilityCWE-79

Cross-Site Scripting (XSS): How It Works and How to Prevent It

Cross-site scripting remains one of the most prevalent web vulnerabilities, allowing attackers to inject malicious scripts into trusted websites and compromise user sessions, steal credentials, and deface applications.

9 min readRead article
VulnerabilityCWE-639

Insecure Direct Object References: The Most Common Access Control Flaw

Insecure direct object references occur when an application exposes internal object identifiers without verifying that the requesting user is authorized to access them, enabling attackers to access or modify other users' data by simply changing a parameter.

9 min readRead article
VulnerabilityCWE-644

Host Header Injection: How Trusted Headers Become Attack Vectors

Host header injection exploits applications that trust the HTTP Host header for critical operations like password reset links, cache keys, and redirects — allowing attackers to poison caches, steal reset tokens, and redirect users to malicious sites.

9 min readRead article
VulnerabilityCWE-706

Path Normalization Attacks: When a Slash Breaks Authentication

Path normalization attacks exploit inconsistencies in how different components of a web stack interpret URL paths, allowing attackers to bypass authentication middleware, access control rules, and WAF protections with techniques as simple as adding a trailing slash.

10 min readRead article
VulnerabilityCWE-284

Broken Access Control: OWASP's #1 Web Application Vulnerability

Broken access control is the most prevalent web application vulnerability class. It lets attackers bypass authorization to view, modify, or delete resources they should never reach. Here's how it works, why scanners miss it, and how to fix it.

10 min readRead article
Vulnerability

Business Logic Vulnerabilities: What Scanners Can't Find

Business logic vulnerabilities exploit the intended functionality of an application in unintended ways. They don't trigger signatures, don't match patterns, and don't show up in automated scans. Finding them requires understanding how the application is supposed to work — and then breaking that assumption.

11 min readRead article
Services

What We Test: Applications, APIs, Authentication, Infrastructure

A detailed breakdown of what Raijuna tests during security assessments — web applications, REST and GraphQL APIs, authentication and SSO flows, cloud infrastructure, and mobile backends. For each target type: what we look for, common findings, and why it matters.

11 min readRead article
VulnerabilityCWE-352

Cross-Site Request Forgery: Forcing Actions on Behalf of Authenticated Users

Cross-site request forgery exploits the browser's automatic inclusion of credentials to trick authenticated users into performing unintended actions. By forging requests that ride on existing sessions, attackers can change passwords, transfer funds, and modify account settings without the user's knowledge.

10 min readRead article
VulnerabilityCWE-345

JWT Security: When Tokens Become Attack Vectors

JSON Web Tokens are the dominant authentication mechanism for modern APIs, but implementation flaws turn them into attack vectors. Algorithm confusion, weak secrets, and missing validation allow attackers to forge tokens, escalate privileges, and bypass authentication entirely.

10 min readRead article
VulnerabilityCWE-601

Open Redirects: The Underestimated Phishing Amplifier

Open redirect vulnerabilities let attackers hijack trusted domains to route users to malicious destinations. Often dismissed as low-severity, they become critical when chained with OAuth flows, SSO implementations, and server-side request forgery.

9 min readRead article
VulnerabilityCWE-200

GraphQL Security: Introspection, Batching, and Authorization Pitfalls

GraphQL APIs expose powerful capabilities by default — full schema introspection, query batching, and deeply nested queries. When authorization is implemented at the wrong layer or introspection is left enabled in production, attackers gain a complete blueprint of your API and the tools to exploit it.

10 min readRead article
VulnerabilityCWE-1336

Server-Side Template Injection: From Template Engines to Code Execution

Server-side template injection occurs when user-controlled input is concatenated directly into a template string rather than passed as a variable. The template engine evaluates the injected syntax as code, turning a text formatting feature into a remote code execution primitive.

11 min readRead article
VulnerabilityCWE-611

XXE: XML External Entity Injection Explained

XML External Entity (XXE) injection exploits the way XML parsers resolve external references embedded in document markup. An attacker who can supply XML to a vulnerable endpoint can read arbitrary files from the server, perform server-side request forgery, and in specific configurations achieve remote code execution — all through a feature that exists in the XML specification itself.

9 min readRead article
VulnerabilityCWE-915

Mass Assignment: How Auto-Binding Overwrites Protected Fields

Mass assignment vulnerabilities occur when web frameworks automatically bind HTTP request parameters to object properties without filtering which fields users are allowed to modify. A single extra key in a JSON body can silently overwrite a role, credit balance, or administrative flag — with no error and no warning.

8 min readRead article
VulnerabilityCWE-502

Insecure Deserialization: Remote Code Execution Through Object Manipulation

Insecure deserialization occurs when an application reconstructs objects from untrusted serialized data without validating what is being instantiated. In languages like Java and PHP, the deserialization process itself triggers method execution — no secondary injection step required — making this one of the few vulnerability classes where parsing user input is enough to achieve remote code execution.

10 min readRead article
VulnerabilityCWE-863

OAuth 2.0 Security: Common Implementation Flaws and How to Exploit Them

OAuth 2.0 is a widely implemented authorization framework, but its flexibility creates a large surface for implementation mistakes. Missing state parameter validation, unrestricted redirect URIs, leaking authorization codes through Referer headers, and improper token storage each represent exploitable pathways that bypass the security the protocol was designed to provide.

11 min readRead article
VulnerabilityCWE-1385

WebSocket Security: Hijacking, Injection, and Cross-Site Attacks

WebSocket connections upgrade from HTTP and inherit none of HTTP's same-origin protections. Without explicit origin validation, any website can initiate a WebSocket connection to any server that accepts the protocol upgrade — and that server will receive the connection carrying the victim's cookies. This is the foundation for cross-site WebSocket hijacking, one of several attack classes specific to persistent bidirectional connections.

10 min readRead article
Methodology

Password Reset Security: Common Flaws in Account Recovery Flows

Password reset flows are one of the most consistently misconfigured parts of authentication systems. Predictable tokens, missing expiry, host header injection, absent rate limiting, and information leakage through differential responses each represent exploitable weaknesses. Because account recovery is treated as an edge case rather than a critical path, it frequently receives less security scrutiny than the primary login flow — despite being a direct path to account takeover.

9 min readRead article

Real-World Cases

API SecurityCVSS 7.5high

Nine Hosts, One Wildcard, Zero Access Control

During an external attack surface assessment against a media infrastructure company, systematic enumeration of API subdomains revealed a consistent CORS misconfiguration across nine separate hosts. Every host returned Access-Control-Allow-Origin: * alongside authenticated API responses. Any external page could read responses from any of these nine endpoints — authentication tokens, broadcast configuration data, and internal account details included.

Read case
Access ControlCVSS 9.1critical

Enterprise GitLab With the Front Door Wide Open

An enterprise GitLab installation used by a global media technology company to host proprietary infrastructure code, deployment configurations, and CI/CD pipelines was configured with open user registration enabled. Any external party could create an account, browse internal repositories, clone source code, and read environment files containing credentials for production systems — no invitation required.

Read case
API SecurityCVSS 8.1high

Chaining a Subdomain XSS Into API Token Theft

A cross-site scripting vulnerability on a help-center subdomain of a cryptocurrency exchange seemed low-risk in isolation. The exchange's main trading API disagreed: its CORS configuration trusted that subdomain as an allowed origin, turning reflected XSS into a mechanism for making credentialed requests to every authenticated trading endpoint.

Read case
Info DisclosureCVSS 6.5high

The Staging Server No One Password-Protected

During a web application assessment of a digital asset trading platform, subdomain enumeration surfaced a staging blog environment with no authentication. Every unpublished post, internal announcement, and draft disclosure was readable by anyone with a browser and the subdomain name.

Read case
Access ControlCVSS 6.1medium

Poisoning Analytics Through an Open Endpoint

During an assessment of a cryptocurrency exchange's infrastructure, an unauthenticated API endpoint intended to proxy third-party analytics events accepted arbitrary payloads with no validation. An attacker could inject synthetic events into the platform's analytics pipeline, manipulating conversion tracking, corrupting behavioral data, and potentially influencing automated systems that acted on those signals.

Read case
Business LogicCVSS 7.8high

The Silent Seat That Disappeared

During a security assessment of an election management platform, a business logic error in the seat allocation algorithm caused one legislative seat to silently disappear under specific vote distribution conditions. No error was thrown. No warning was logged. The software produced a result, and the result was wrong.

Read case
Access ControlCVSS 8.8critical

The iframe That Could Rewrite Ballot Templates

A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.

Read case
OtherCVSS 8.5high

Searching for Every Voter With a Single Percent Sign

A search field on a civic technology platform accepted SQL LIKE wildcards without sanitization. Entering a single percent sign returned the entire database — every record, every row, no authentication escalation required. Just one character in a search box.

Read case
Auth BypassCVSS 9.0critical

The Login Link That Let Anyone In

The platform sent login links by email. Each link contained a token. The problem was the application accepted that token from the URL and bound it to whoever authenticated next — which meant an attacker who knew the token could wait for any user to log in and immediately inherit their session.

Read case
Auth BypassCVSS 9.1critical

The Trusted Email That Wasn't

A legitimate password reset email — SPF passed, DKIM valid, sender verified. But the link inside pointed to an attacker's domain. One HTTP header turned a routine email into a full account takeover.

Read case

Key Terms

Access Control

Security mechanisms that regulate who or what can view, use, or modify resources in a system.

Account Takeover

An attack where a malicious actor gains unauthorized access to a legitimate user's account.

Allowlist

A security mechanism that permits only explicitly approved entities while blocking everything else.

API Key

A unique identifier used to authenticate requests to an API and track usage.

API Security

The practice of protecting application programming interfaces from threats and vulnerabilities.

Attack Surface

The total number of points where an unauthorized user can attempt to enter or extract data from a system.

Audit Trail

A chronological record of system activities that provides evidence of who did what and when.

Authentication

The process of verifying the identity of a user, device, or system before granting access.

Authorization

The process of determining what actions or resources an authenticated user is permitted to access.

bcrypt

A password hashing function designed to be computationally expensive, making brute-force attacks impractical.

Bearer Token

An access token that grants the holder (bearer) access to protected resources without additional proof of identity.

Blocklist

A security mechanism that denies access to explicitly prohibited entities while allowing everything else.

Brute Force

An attack method that systematically tries all possible combinations to guess passwords, keys, or other secrets.

Business Logic

The rules and workflows that govern how an application processes data and handles transactions.

Bypass

A technique that circumvents or evades a security control to gain unauthorized access or perform restricted actions.

CIA Triad

The three core principles of information security: confidentiality, integrity, and availability.

Cloud Security

The set of policies, controls, and technologies used to protect data, applications, and infrastructure in cloud environments.

Cookie

A small piece of data stored in the browser by a website, commonly used for session management and user tracking.

Defense in Depth

A security strategy that layers multiple defensive mechanisms so that if one fails, others continue to provide protection.

Deserialization

The process of converting serialized data back into objects, which can be exploited if the input is untrusted.

Endpoint Security

The practice of securing individual devices and API endpoints that connect to a network or application.

Exfiltration

The unauthorized transfer of data from a system to an external destination controlled by an attacker.

Exploit

A piece of code, technique, or sequence of actions that takes advantage of a vulnerability to achieve an unintended outcome.

Framework

A pre-built software structure that provides foundational components for developing applications, with its own security characteristics.

Fuzzing

An automated testing technique that sends unexpected, random, or malformed data to an application to discover bugs and vulnerabilities.

GraphQL Security

The practice of securing GraphQL APIs against vulnerabilities unique to their query-based architecture.

gRPC Security

The practice of securing gRPC services against vulnerabilities related to their binary protocol and service-oriented architecture.

Host Header

An HTTP request header that specifies the target domain, frequently exploited when servers trust its value without validation.

IDOR

Insecure Direct Object Reference, a vulnerability where an application exposes internal object identifiers without proper authorization checks.

Injection

A class of vulnerabilities where untrusted data is sent to an interpreter as part of a command or query, enabling unintended execution.

Input Validation

The process of verifying that user-supplied data meets expected formats and constraints before the application processes it.

Insecure Design

A category of vulnerabilities rooted in flawed architectural decisions that cannot be fixed by correct implementation alone.

Null Byte Injection

An attack that uses null byte characters to truncate strings and bypass security filters in applications that handle strings inconsistently.

OAuth

An authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials.

Open Redirect

A vulnerability where an application redirects users to arbitrary external URLs based on user-controlled input without proper validation.

Origin

A combination of scheme, hostname, and port that defines the security boundary for web content under the same-origin policy.

Parameter Pollution

An attack that manipulates how applications handle duplicate HTTP parameters to bypass security controls or alter application behavior.

Password Reset

A mechanism that allows users to regain access to their account by verifying their identity and setting a new password.

Path Traversal

A vulnerability that allows attackers to access files and directories outside the intended scope by manipulating file path inputs.

Permissions

Controls that define what actions a user, process, or system component is authorized to perform on a given resource.

Privilege Escalation

An attack where a user gains higher access rights than they are authorized to have, either vertically or horizontally.

Query Injection

A class of vulnerabilities where attacker-controlled input is incorporated into a query language statement, altering its intended logic.

Race Condition

A vulnerability that occurs when the outcome of an operation depends on the timing or sequence of uncontrolled events, allowing attackers to exploit the gap.

Rate Limiting

A defensive mechanism that restricts the number of requests a user or client can make within a specified time period.

RBAC (Role-Based Access Control)

An access control model that assigns permissions to roles rather than individual users, simplifying authorization management.

SAML (Security Assertion Markup Language)

An XML-based standard for exchanging authentication and authorization data between identity providers and service providers.

Session Fixation

An attack where an adversary sets a user's session identifier to a known value, then hijacks the session after the user authenticates.

Session Hijacking

An attack where an adversary steals or predicts a valid session token to impersonate an authenticated user.

Session Management

The process of securely creating, maintaining, and terminating user sessions that track authenticated state across multiple requests.

Shell Injection

A vulnerability where an attacker injects operating system commands through an application that passes user input to a system shell.

SQL Injection

A vulnerability where attacker-controlled input is inserted into SQL queries, allowing unauthorized database access and manipulation.

Template Injection

A vulnerability where user input is embedded into a template engine, allowing attackers to execute arbitrary code on the server or client.

WebSocket Security

The set of security considerations and protections specific to WebSocket connections, which maintain persistent bidirectional communication channels.

X-Frame-Options

An HTTP response header that controls whether a browser allows a page to be embedded in frames, protecting against clickjacking attacks.

XML External Entity (XXE)

A vulnerability in XML parsers that allows attackers to include external entities, leading to file disclosure, SSRF, or denial of service.

XSS (Cross-Site Scripting)

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, compromising their browser sessions.

Need your application tested?

Our security assessments cover the full range of web application security vulnerabilities with methodology built from real-world research.

Request an Assessment