
lems? The answer, of course, is that their software—the Web applications—is just
as insecure; these companies just don’t realize it.
Web application vulnerabilities exist in many areas, and understanding those
areas is critical to understanding Web app sec. The Top 10 Web Application
Vulnerabilities list by the Open Web Application Security Project
(www.owasp.org) is perhaps the oldest and most established list of Web application
vulnerabilities. It’s often cited in papers and Web sites and is a great place to
start learning the various types of Web application threats. However, it’s not an
attempt to enumerate and classify all possible vulnerabilities; ...