
2. Broken Authentication. Authentication and session-management functions that are implemented incorrectly allow attackers to compromise passwords, keys, or session tokens, and from there to assume other users' identities and access their data.

  • Example: A web application accepts weak or well-known passwords (e.g. “password1”), or keeps the same session ID across login so that an ID planted before authentication remains valid afterwards.
  • Solution: Multi-factor authentication reduces the impact of compromised credentials. Check new passwords against a list of common or breached passwords (forced periodic password changes are no longer recommended; NIST SP 800-63B advises against scheduled rotation), and use a server-side, secure, built-in session manager that generates a new high-entropy random session ID after login, invalidates it on logout, and expires idle sessions.
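The two controls named above, a weak-password check and a server-side session manager with rotation and idle expiry, as an added example that is not part of the original page. Standard library only; the COMMON_PASSWORDS set is a constructed stand-in for a real breached-password list, and the class and function names are illustrative.

```python
"""Added example (not from the original page): weak-password check plus a
server-side session manager with ID rotation and idle timeout.
COMMON_PASSWORDS is a constructed sample; names are illustrative."""
import secrets
import time

# Constructed sample. A production check tests against a large list of
# breached/common passwords (tens of thousands of entries or more).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome1", "admin123", "iloveyou", "abc123",
}
MIN_LENGTH = 12


def password_is_acceptable(password, username=""):
    """Return (ok, reason) for a new password.

    Rejects short passwords, entries from the common-password list
    (case-insensitive) and passwords that embed the username.
    Deliberately does not require character classes or periodic rotation.
    """
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    return True, "ok"


class ManualClock:
    """Demo clock so idle timeouts can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side session manager.

    IDs come from the OS CSPRNG (256 bits of entropy), state lives only on
    the server, sessions expire after an idle period, and the ID is rotated
    at login so that a pre-authentication ID planted by an attacker
    (session fixation) never becomes an authenticated session.
    """
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self._clock = clock

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, old_sid, user_id=None):
        """Retire old_sid and issue a fresh ID (optionally for a new user)."""
        current = self.lookup(old_sid)
        if current is None:
            return None
        del self._sessions[old_sid]
        return self.create(user_id if user_id is not None else current)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def demo_session_lifecycle():
    """Walk through create -> rotate at login -> idle expiry; returns checks."""
    clock = ManualClock()
    store = SessionStore(idle_timeout=900, clock=clock)
    anon_sid = store.create("anonymous")              # pre-login session
    login_sid = store.rotate(anon_sid, user_id="alice")  # rotate at login
    clock.advance(600)
    before_timeout = store.lookup(login_sid)          # touches the session
    clock.advance(901)                                # now idle > 900 s
    after_timeout = store.lookup(login_sid)
    return {
        "rotated": login_sid != anon_sid,
        "old_id_dead": store.lookup(anon_sid) is None,
        "valid_before_timeout": before_timeout == "alice",
        "expired": after_timeout is None,
    }
```

In a web framework the ID would be sent in a cookie flagged `Secure`, `HttpOnly` and `SameSite`; the store itself is what keeps session state off the client.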

3. Sensitive Data Exposure. Sensitive data exposure occurs when data that needs protection, whether stored or in transit (credit card numbers, credentials, health records, personal data), is not adequately protected and is compromised.

  • Example: Companies that fail to adequately protect their sensitive data, for instance by storing card numbers in clear text or passwords as unsalted hashes, are easy targets for credit card fraud and identity theft.
  • Solution: Classify and identify which data is sensitive according to privacy laws, regulatory requirements, or business needs, and apply controls accordingly. Do not store sensitive data you do not need; data that is not retained cannot be stolen. Encrypt sensitive data at rest, and store passwords only with a strong adaptive, salted hashing function such as Argon2, scrypt, bcrypt, or PBKDF2. Encrypt all data in transit with protocols such as TLS, using cipher suites that provide perfect forward secrecy (PFS), and enforce it with HTTP Strict Transport Security (HSTS).
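Three of those controls in working code, as an added example that is not from the original page: adaptive salted password hashing, keeping only the part of a card number the business needs, and a TLS client context limited to forward-secret cipher suites. Standard library only; the scrypt parameters, the record format and the function names are illustrative choices.

```python
"""Added example (not from the original page): data-at-rest and
data-in-transit controls for sensitive data. Parameters and the stored
record format are illustrative."""
import hashlib
import hmac
import secrets
import ssl

# scrypt cost parameters. 2**14 / 8 / 1 is the classic interactive-login
# floor; raise N (and pass maxmem=) on hardware that can afford more.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    """Return a self-describing record: scrypt$N$r$p$salt$hash (hex fields).

    A fresh 128-bit salt per user defeats precomputed tables; storing the
    parameters alongside lets cost be raised later without a flag day.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                     salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def mask_pan(pan):
    """Keep only the last four digits of a card number for display/records."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def forward_secret_client_context():
    """TLS 1.2+ only, with TLS 1.2 key exchange restricted to (EC)DHE suites.

    TLS 1.3 suites always use ephemeral key exchange and stay enabled; the
    cipher string governs which TLS 1.2 suites remain.
    """
    ctx = ssl.create_default_context()          # verifies cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"
                    ":!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def ciphers_are_forward_secret(ctx):
    """True if every enabled suite is (EC)DHE or a TLS 1.3 suite."""
    return all(c["name"].startswith(("ECDHE-", "DHE-", "TLS_"))
               for c in ctx.get_ciphers())
```

`ciphers_are_forward_secret` is the kind of assertion worth keeping in a test suite: a later change to the cipher string or an OpenSSL upgrade that silently re-enables static RSA key exchange will fail the test rather than ship.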

4. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references inside XML documents. An attacker who can upload XML, or include hostile content in an XML document the application parses, can use such entities to read internal files, probe internal network services, or cause denial of service through entity expansion.

  • Example: An application accepts XML uploads or XML request bodies from untrusted sources and parses them with external entity resolution left enabled.
  • Solution: Use less complex data formats such as JSON where possible, and avoid serializing sensitive data. Disable XML external entity and DTD processing in every XML parser the application uses, following the OWASP XXE Prevention Cheat Sheet for the parser in question. Implement positive (“whitelist”) server-side input validation. Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
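The difference between a permissive and a hardened parser, as an added example that is not from the original page: the same attacker documents parsed by a configuration that resolves external entities (and so leaks a local file) and by one that refuses DTDs outright. It uses only the standard library's `xml.parsers.expat`; the payloads, the throw-away “secret” file and all names are constructed for the demonstration. Third-party parsers have their own switches (for lxml, `resolve_entities`, `load_dtd` and `no_network`; the `defusedxml` package applies the same refuse-the-DTD policy to the standard-library parsers).

```python
"""Added example (not from the original page): XXE and entity expansion
against a permissive expat configuration, beside a hardened one.
Payloads and the secret file are constructed for the demonstration."""
import os
import tempfile
import xml.parsers.expat as expat


class UnsafeXMLError(Exception):
    """Raised by the hardened parser on any DOCTYPE or entity declaration."""


def _capture_text(parser):
    """Route character data into a list and return that list."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_permissive(xml_bytes):
    """Vulnerable: honours SYSTEM entities by reading whatever URI they name.

    This is what an XML library does when external-entity resolution is
    left on. The system identifier is attacker-controlled, so a document can
    pull local files (or, with http://, internal services) into its content.
    """
    parser = expat.ParserCreate()
    chunks = _capture_text(parser)

    def resolve_external(context, base, system_id, public_id):
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            # The child parser inherits the parent's handlers, so the file's
            # text lands in `chunks` as if it had been in the document.
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Hardened: no DOCTYPE, no entity declarations, no external references.

    Refusing the DTD up front blocks classic XXE, SSRF via SYSTEM URIs and
    entity expansion (billion laughs) in one move; application data formats
    should not need a DTD at all.
    """
    parser = expat.ParserCreate()
    chunks = _capture_text(parser)

    def reject(*_args):
        raise UnsafeXMLError("DTD and entity constructs are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def hardened_rejects(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except UnsafeXMLError:
        return True
    return False


def xxe_payload(path):
    """Constructed attacker document naming a local file as an entity."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://%s">]>\n'
            '<order><note>&xxe;</note></order>' % path).encode()


# Constructed, scaled-down "billion laughs": three levels of ten gives 100
# copies of "lol" from a document a few hundred bytes long.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""


def leak_via_xxe():
    """Write a throw-away secret file and let the permissive parser leak it."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_password=hunter2")
    try:
        return parse_permissive(xxe_payload(path))
    finally:
        os.unlink(path)
```

The hardened parser's text output for a benign document is identical to the permissive one's, which is the point: nothing the application legitimately needs is lost by refusing the DTD, so the switch can be flipped without a schema change.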