TechUK reveals top 10 web vulnerabilities

TechUK has published a guide on the ten most common web vulnerabilities and how to defend against the most prevalent threats

Weak passwords remain the top vulnerability for web users, according to guidance by technology association TechUK.

TechUK published the guide – entitled Securing Web Applications and Infrastructure – in association with government's Cyber Crime Reduction Partnership to identify practices to reduce the impact and cost of cyber crime.

The guide reveals the ten most common web vulnerabilities and contains advice on how to defend against the most common threats.

Penetration tests conducted over the past 12 months showed that, despite the emergence of new threats, well-known vulnerabilities are understood by criminals and remain the most common.

“These threats may not be new, but all still pose a real risk to UK web users,” said Gordon Morrison, director of technology for government at TechUK.


“The good news for businesses and citizens is that there are well-established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime.”

Web applications provide significant benefit to consumers and businesses, and TechUK expects their importance to grow.

Educating users

“Software engineers and industry in general have a responsibility to ensure their products are developed in a manner that is as secure as possible,” the guide said.


  1. Account weaknesses, especially a weak password policy;
  2. Secure Sockets Layer (SSL) issues such as weak ciphers;
  3. Cross site scripting (XSS);
  4. Clear test protocols may lead attackers to vulnerabilities;
  5. No brute force protection;
  6. Directory listing;
  7. Lack of ‘clickjacking’ protection;
  8. Cookies - not marked HTTP only or not marked as secure;
  9. Host configuration issues, especially firewall issues and IP leakage;
  10. Information disclosure, and especially user enumeration.

“This is true even if software is simple or does not deliver a function that is safety critical, like the processing of personal data for example.”

Some of the examples of best practice are drawn from the Top Ten Project of the Open Web Application Security Project (Owasp).

Owasp is a non-profit, volunteer organisation set up in 2001 to make web applications secure by educating users, developers, governments and business leaders.


  1. Avoid hardcoded, weak cryptography and plain text passwords;
  2. Use the most up-to-date SSL version, test and verify its operation and monitor for SSL vulnerabilities;
  3. Use the various XSS prevention rules and techniques that exist;
  4. Remove all test code, harnesses and data from an application in release builds;
  5. Ensure your web application is securely hosted and protected via an up to date firewall, deploy application logging and routinely analyse it to detect brute force attack attempts, and capture and report the attacking IP address to the most appropriate and relevant authority;
  6. Deploy chroot jail to protect against "clickjacking";
  7. Send the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains, and employ defensive code in the user interface to ensure that the current frame is the most top level window;
  8. Mark all cookies used within the application as secure;
  9. Ensure application code does not directly or indirectly expose the user IP address. Test to verify this;
  10. Ensure password reset and error handling does not provide attackers with information that allows them to determine a password or user name.
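
As an added illustration of items 7 and 8 above (this is not code from the TechUK guide or the original article), the following Python check audits a response's headers for framing protection and cookie flags. The function names and the sample responses are hypothetical and constructed for the example.

```python
# Added example: audit constructed HTTP response headers for the cookie and
# framing items in the lists above. Function and sample names are hypothetical.

def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) tuples, since a response may repeat a header.

    Returns a sorted list of findings; an empty list means both checks passed.
    """
    findings = []
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif len(xfo) > 1 or xfo[0] not in ("DENY", "SAMEORIGIN"):
        # A value the browser does not recognise is ignored and gives no
        # protection; repeated headers are flagged here for manual review.
        findings.append("invalid X-Frame-Options: " + ", ".join(xfo))
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: not marked Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: not marked HttpOnly")
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Secure"),
    ("X-Frame-Options", "ALLOWALL"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Frame-Options", "SAMEORIGIN"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(resp))
```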

“It's good to have any research like this out in public, as it can only help to raise awareness of these issues,” said Justin Clarke, Owasp London Chapter leader and director at Gotham Digital Science.

“And as they’re the most common types of issues found, sometimes they’re also the easiest to remediate, which can only benefit organisations if they look at their own applications and apply best practice before they have a security incident.”

Security resources

Clarke said it was also good to see that the guide links to some of the volumes of free information resources on the Owasp site - especially the Owasp Cheat Sheet series.

“This series is designed to give a developer or security professional a single document on everything they need to understand and fix common web application vulnerabilities,” he said.

The publication of the TechUK web application guidelines follows the embarrassing hack of the US Central Command's Twitter and YouTube accounts by a group claiming to back Islamic State.

“Shared privileged accounts, which include social media credentials, are a commonly overlooked threat,” said Andrey Dulkin, senior director of cyber innovation at CyberArk.

“This is compounded by the fact that many enterprises have numerous social media accounts on Twitter, Facebook, YouTube and LinkedIn – often with unique accounts for different product lines, languages, countries and stakeholders.”

Dulkin said that, with passwords for these accounts being shared among teams, it makes for an easy target – not least because there is no record or accountability for each individual post.

“To make matters worse, the same password is frequently used across multiple accounts, and the passwords are often rarely changed,” he said.

Dulkin warned that lax security opens the door for malicious hackers, as well as rogue current or former employees, or disgruntled social media agency members.
