Topic Hub

Web Application Security

Everything you need to understand web application vulnerabilities — from injection attacks and cross-site scripting to broken access control and business logic flaws.

11 knowledge articles4 case studies56 glossary terms

Understanding Web Application Security

VulnerabilityCWE-79

Cross-Site Scripting (XSS): How It Works and How to Prevent It

Cross-site scripting remains one of the most prevalent web vulnerabilities, allowing attackers to inject malicious scripts into trusted websites and compromise user sessions, steal credentials, and deface applications.

9 min readRead article

VulnerabilityCWE-639

Insecure Direct Object References: The Most Common Access Control Flaw

Insecure direct object references occur when an application exposes internal object identifiers without verifying that the requesting user is authorized to access them, enabling attackers to access or modify other users' data by simply changing a parameter.

9 min readRead article

VulnerabilityCWE-644

Host Header Injection: How Trusted Headers Become Attack Vectors

Host header injection exploits applications that trust the HTTP Host header for critical operations like password reset links, cache keys, and redirects — allowing attackers to poison caches, steal reset tokens, and redirect users to malicious sites.

9 min readRead article

VulnerabilityCWE-706

Path Normalization Attacks: When a Slash Breaks Authentication

Path normalization attacks exploit inconsistencies in how different components of a web stack interpret URL paths, allowing attackers to bypass authentication middleware, access control rules, and WAF protections with techniques as simple as adding a trailing slash.

10 min readRead article

VulnerabilityCWE-284

Broken Access Control: OWASP's #1 Web Application Vulnerability

Broken access control is the most prevalent web application vulnerability class. It lets attackers bypass authorization to view, modify, or delete resources they should never reach. Here's how it works, why scanners miss it, and how to fix it.

10 min readRead article

Vulnerability

Business Logic Vulnerabilities: What Scanners Can't Find

Business logic vulnerabilities exploit the intended functionality of an application in unintended ways. They don't trigger signatures, don't match patterns, and don't show up in automated scans. Finding them requires understanding how the application is supposed to work — and then breaking that assumption.

11 min readRead article

Services

What We Test: Applications, APIs, Authentication, Infrastructure

A detailed breakdown of what Raijuna tests during security assessments — web applications, REST and GraphQL APIs, authentication and SSO flows, cloud infrastructure, and mobile backends. For each target type: what we look for, common findings, and why it matters.

11 min readRead article

VulnerabilityCWE-352

Cross-Site Request Forgery: Forcing Actions on Behalf of Authenticated Users

Cross-site request forgery exploits the browser's automatic inclusion of credentials to trick authenticated users into performing unintended actions. By forging requests that ride on existing sessions, attackers can change passwords, transfer funds, and modify account settings without the user's knowledge.

10 min readRead article

VulnerabilityCWE-345

JWT Security: When Tokens Become Attack Vectors

JSON Web Tokens are the dominant authentication mechanism for modern APIs, but implementation flaws turn them into attack vectors. Algorithm confusion, weak secrets, and missing validation allow attackers to forge tokens, escalate privileges, and bypass authentication entirely.

10 min readRead article

VulnerabilityCWE-601

Open Redirects: The Underestimated Phishing Amplifier

Open redirect vulnerabilities let attackers hijack trusted domains to route users to malicious destinations. Often dismissed as low-severity, they become critical when chained with OAuth flows, SSO implementations, and server-side request forgery.

9 min readRead article

VulnerabilityCWE-200

GraphQL Security: Introspection, Batching, and Authorization Pitfalls

GraphQL APIs expose powerful capabilities by default — full schema introspection, query batching, and deeply nested queries. When authorization is implemented at the wrong layer or introspection is left enabled in production, attackers gain a complete blueprint of your API and the tools to exploit it.

10 min readRead article

Real-World Cases

Access ControlCVSS 8.8critical

The iframe That Could Rewrite Ballot Templates

A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.

Read case

OtherCVSS 8.5high

Searching for Every Voter With a Single Percent Sign

A search field on a civic technology platform accepted SQL LIKE wildcards without sanitization. Entering a single percent sign returned the entire database — every record, every row, no authentication escalation required. Just one character in a search box.

Read case

Auth BypassCVSS 9.0critical

The Login Link That Let Anyone In

The platform sent login links by email. Each link contained a token. The problem was the application accepted that token from the URL and bound it to whoever authenticated next — which meant an attacker who knew the token could wait for any user to log in and immediately inherit their session.

Read case

Auth BypassCVSS 9.1critical

The Trusted Email That Wasn't

A legitimate password reset email — SPF passed, DKIM valid, sender verified. But the link inside pointed to an attacker's domain. One HTTP header turned a routine email into a full account takeover.

Read case

Key Terms

Access Control

Security mechanisms that regulate who or what can view, use, or modify resources in a system.

Account Takeover

An attack where a malicious actor gains unauthorized access to a legitimate user's account.

Allowlist

A security mechanism that permits only explicitly approved entities while blocking everything else.

API Key

A unique identifier used to authenticate requests to an API and track usage.

API Security

The practice of protecting application programming interfaces from threats and vulnerabilities.

Attack Surface

The total number of points where an unauthorized user can attempt to enter or extract data from a system.

Audit Trail

A chronological record of system activities that provides evidence of who did what and when.

Authentication

The process of verifying the identity of a user, device, or system before granting access.

Authorization

The process of determining what actions or resources an authenticated user is permitted to access.

bcrypt

A password hashing function designed to be computationally expensive, making brute-force attacks impractical.

Bearer Token

An access token that grants the holder (bearer) access to protected resources without additional proof of identity.

Blocklist

A security mechanism that denies access to explicitly prohibited entities while allowing everything else.

Brute Force

An attack method that systematically tries all possible combinations to guess passwords, keys, or other secrets.

Business Logic

The rules and workflows that govern how an application processes data and handles transactions.

Bypass

A technique that circumvents or evades a security control to gain unauthorized access or perform restricted actions.

CIA Triad

The three core principles of information security: confidentiality, integrity, and availability.

Cloud Security

The set of policies, controls, and technologies used to protect data, applications, and infrastructure in cloud environments.

Cookie

A small piece of data stored in the browser by a website, commonly used for session management and user tracking.

Defense in Depth

A security strategy that layers multiple defensive mechanisms so that if one fails, others continue to provide protection.

Deserialization

The process of converting serialized data back into objects, which can be exploited if the input is untrusted.

Endpoint Security

The practice of securing individual devices and API endpoints that connect to a network or application.

Exfiltration

The unauthorized transfer of data from a system to an external destination controlled by an attacker.

Exploit

A piece of code, technique, or sequence of actions that takes advantage of a vulnerability to achieve an unintended outcome.

Framework

A pre-built software structure that provides foundational components for developing applications, with its own security characteristics.

Fuzzing

An automated testing technique that sends unexpected, random, or malformed data to an application to discover bugs and vulnerabilities.

GraphQL Security

The practice of securing GraphQL APIs against vulnerabilities unique to their query-based architecture.

gRPC Security

The practice of securing gRPC services against vulnerabilities related to their binary protocol and service-oriented architecture.

Host Header

An HTTP request header that specifies the target domain, frequently exploited when servers trust its value without validation.

IDOR

Insecure Direct Object Reference, a vulnerability where an application exposes internal object identifiers without proper authorization checks.

Injection

A class of vulnerabilities where untrusted data is sent to an interpreter as part of a command or query, enabling unintended execution.

Input Validation

The process of verifying that user-supplied data meets expected formats and constraints before the application processes it.

Insecure Design

A category of vulnerabilities rooted in flawed architectural decisions that cannot be fixed by correct implementation alone.

Null Byte Injection

An attack that uses null byte characters to truncate strings and bypass security filters in applications that handle strings inconsistently.

OAuth

An authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials.

Open Redirect

A vulnerability where an application redirects users to arbitrary external URLs based on user-controlled input without proper validation.

Origin

A combination of scheme, hostname, and port that defines the security boundary for web content under the same-origin policy.

Parameter Pollution

An attack that manipulates how applications handle duplicate HTTP parameters to bypass security controls or alter application behavior.

Password Reset

A mechanism that allows users to regain access to their account by verifying their identity and setting a new password.

Path Traversal

A vulnerability that allows attackers to access files and directories outside the intended scope by manipulating file path inputs.

Permissions

Controls that define what actions a user, process, or system component is authorized to perform on a given resource.

Privilege Escalation

An attack where a user gains higher access rights than they are authorized to have, either vertically or horizontally.

Query Injection

A class of vulnerabilities where attacker-controlled input is incorporated into a query language statement, altering its intended logic.

Race Condition

A vulnerability that occurs when the outcome of an operation depends on the timing or sequence of uncontrolled events, allowing attackers to exploit the gap.

Rate Limiting

A defensive mechanism that restricts the number of requests a user or client can make within a specified time period.

RBAC (Role-Based Access Control)

An access control model that assigns permissions to roles rather than individual users, simplifying authorization management.

SAML (Security Assertion Markup Language)

An XML-based standard for exchanging authentication and authorization data between identity providers and service providers.

Session Fixation

An attack where an adversary sets a user's session identifier to a known value, then hijacks the session after the user authenticates.

Session Hijacking

An attack where an adversary steals or predicts a valid session token to impersonate an authenticated user.

Session Management

The process of securely creating, maintaining, and terminating user sessions that track authenticated state across multiple requests.

Shell Injection

A vulnerability where an attacker injects operating system commands through an application that passes user input to a system shell.

SQL Injection

A vulnerability where attacker-controlled input is inserted into SQL queries, allowing unauthorized database access and manipulation.

Template Injection

A vulnerability where user input is embedded into a template engine, allowing attackers to execute arbitrary code on the server or client.

WebSocket Security

The set of security considerations and protections specific to WebSocket connections, which maintain persistent bidirectional communication channels.

X-Frame-Options

An HTTP response header that controls whether a browser allows a page to be embedded in frames, protecting against clickjacking attacks.

XML External Entity (XXE)

A vulnerability in XML parsers that allows attackers to include external entities, leading to file disclosure, SSRF, or denial of service.

XSS (Cross-Site Scripting)

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, compromising their browser sessions.

Need your application tested?

Our security assessments cover the full range of web application security vulnerabilities with methodology built from real-world research.

Request an Assessment