Overview of vulnerabilities in web applications(lchsk.com)
lchsk.com
Overview of vulnerabilities in web applications
https://lchsk.com/stay-paranoid-and-trust-no-one-overview-of-common-security-vulnerabilities-in-web-applications.html
6 comments
Interested in data on real world impact from these attack vectors? Hackerone has public data on how often they reward each type: https://www.hackerone.com/blog/hackerone-top-10-most-impactf... . You can also browse through findings in Hackerone's hacktivity: https://hackerone.com/hacktivity . I run a project where we try and connect the dots between breaches and the how and why they happened: https://ericalexander.org/SecurityBreach/
Since this uses Django for examples and mentions Bandit as an automated option for finding vulnerabilities, are there any others that people would recommend?
I always thought a lot of the biggest hacks were done by insiders, or with insider information. I know there's a lot you can hunt for out there. But being part of the team that built something of interest, knowing what is exploitable, could be a big temptation.
Depends on what you mean by "biggest", but in my experience the most common cause is lax security practices, mainly not performing security updates quickly enough. A business doesn't want to spend extra on website maintenance, so sites get neglected, sometimes for years.
Another resource I’d recommend is OWASP’s lists, their top 10 is a good starting place:
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/
Great info, I'm especially stoked Django was used for the examples.