May 21, 2026
Summary:
Website security is one of the most challenging subjects for new cybersecurity learners to grasp, but it is important to understand early on the consequences of a web vulnerability being exploited and the impact on a business or service. This post introduces common vulnerabilities while leveraging standards like OWASP Top 10:2025.

Underlying infrastructure
A website depends on a web server to take requests from the web browser and respond with the information it needs.
Examples of common web servers include:
- Apache (most popular) hosts simple websites and blogs.
- Nginx (pronounced engine-x), which is used for high-performance (high-traffic) web apps.
- Microsoft Internet Information Services (IIS), commonly used for enterprise environments.
The host machine runs the operating system that powers the web server and the website itself; the host typically runs Linux or a Microsoft OS. When you request something, the web server retrieves it from the source code stored on the host machine.
Source code is the set of human-readable instructions, written in a programming language, that define how a software application should function. Which language is used depends on whether it supports backend or frontend website functionality. A few examples of programming languages include Python, C++, PHP, JavaScript, SQL, and so on.
Potential vulnerabilities
The following examples of web application flaws are drawn from the OWASP Top 10:2025 list of web vulnerabilities.
When I think about web application vulnerabilities, what comes to mind first is Cross-Site Scripting (XSS), although it is not explicitly listed in OWASP Top 10:2025. It falls under A05:2025 Injection, a flaw that allows untrusted user input to reach an interpreter (such as a browser, database, or command line) and causes the interpreter to execute parts of that input as commands. Malicious code injection can allow threat actors to manipulate the site’s content or steal sensitive information.
Three types of XSS attacks (discussed in another blog for simplicity):
- Reflected
- Stored/persistent
- DOM-based
In a Stored XSS attack, the attacker injects a script (usually JavaScript) into a trusted website’s database (e.g., a comment section, a user profile, or a forum post). Because the script is stored on the server, when a victim visits that page, their browser executes the code, trusting it as part of the legitimate website.
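As an added example (not code from the original post), the following JavaScript simulates the stored XSS scenario described above: a small in-memory comment store, a renderer that concatenates the stored text straight into the page, and a hardened renderer that HTML-encodes every untrusted field at output time. The store, the function names and the sample comments are constructed for this illustration.

```javascript
// Added example, not from the original post: a stored-comment renderer with
// and without output encoding. CommentStore, renderUnsafe and renderSafe are
// names chosen for this illustration.

// Constructed sample data: one ordinary comment and one carrying markup.
const SAMPLE_COMMENTS = [
  { user: "alice", body: "Great article, thanks!" },
  { user: "mallory", body: '<script>document.title="owned"</script>' },
];

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Stand-in for the database table that holds user comments.
class CommentStore {
  constructor() { this.comments = []; }
  add(user, body) { this.comments.push({ user, body }); }
  all() { return this.comments.slice(); }
}

// Vulnerable: the stored body is concatenated into the page as-is, so the
// browser parses the stored tag as markup and runs it for every visitor.
function renderUnsafe(store) {
  return store.all()
    .map(c => `<li><b>${c.user}</b>: ${c.body}</li>`)
    .join("\n");
}

// Hardened: every untrusted field is encoded at the point of output, so the
// same stored text is displayed literally and never becomes markup.
function renderSafe(store) {
  return store.all()
    .map(c => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Simple check a test or a response-scanning rule could use: is there a
// live <script> tag in the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Fill the store with the sample comments and render it both ways.
function demo() {
  const store = new CommentStore();
  for (const c of SAMPLE_COMMENTS) store.add(c.user, c.body);
  return { unsafe: renderUnsafe(store), safe: renderSafe(store) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { unsafe, safe } = demo();
  console.log("unsafe render contains <script>:", containsScriptTag(unsafe));
  console.log("safe render contains <script>:", containsScriptTag(safe));
  console.log(safe);
}
```

Encoding belongs at the output boundary (where text becomes HTML), not only at input time: the same stored comment may later be rendered into an attribute, a JSON response or a log line, each of which needs its own encoding rules.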
On the development side, vulnerabilities arise when websites are not properly tested before deployment, or when insecure code is pulled from repositories, as described by A03:2025 Software Supply Chain Failures. At the time of writing, many vulnerabilities relating to insecure source code have been uncovered.
Mitigations
Significant practices to minimize risks include:
- input validation and sanitization
- version management
- error handling
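An added example (not from the original post) showing the first and third of these practices in JavaScript: an allow-list validator for a comment submission, and a request handler that reports validation failures to the client while keeping internal error details server-side. The field names, the limits and the simulated database failure are assumptions made for this illustration.

```javascript
// Added example, not from the original post: input validation plus error
// handling for a comment submission. Limits and field names are assumed.

const MAX_COMMENT_LENGTH = 500;                 // assumed limit
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;     // allow-list, not a block-list

// Validation failures get their own class so the handler can distinguish
// "bad input" (safe to report back) from "bug or outage" (not safe to report).
class ValidationError extends Error {}

// Accept only what the application actually needs; reject everything else.
function validateSubmission(input) {
  if (typeof input !== "object" || input === null)
    throw new ValidationError("submission must be an object");
  const { user, body } = input;
  if (typeof user !== "string" || !USERNAME_RE.test(user))
    throw new ValidationError("username must be 3-20 letters, digits or underscores");
  if (typeof body !== "string" || body.trim().length === 0)
    throw new ValidationError("comment body is required");
  if (body.length > MAX_COMMENT_LENGTH)
    throw new ValidationError(`comment exceeds ${MAX_COMMENT_LENGTH} characters`);
  // Control characters (other than tab/newline) have no place in a comment
  // and can confuse downstream parsers and log files.
  if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(body))
    throw new ValidationError("comment contains control characters");
  return { user, body: body.trim() };
}

// Mimics a web handler: returns {status, body} for the client and appends
// server-side detail to `log`, which the client never sees.
function handleRequest(input, store, log) {
  try {
    const clean = validateSubmission(input);
    store.push(clean);
    return { status: 201, body: { ok: true } };
  } catch (err) {
    if (err instanceof ValidationError) {
      return { status: 400, body: { ok: false, error: err.message } };
    }
    log.push(`internal error: ${err.stack}`);   // stack trace stays on the server
    return { status: 500, body: { ok: false, error: "internal server error" } };
  }
}

// Constructed sample requests.
const SAMPLE_REQUESTS = {
  valid: { user: "alice", body: "Great article, thanks!" },
  badUser: { user: "al ice; drop", body: "hi" },
  tooLong: { user: "bob", body: "x".repeat(MAX_COMMENT_LENGTH + 1) },
};

// Run the samples, then simulate a backend outage to show that internal
// detail (here a fake file path) is logged but not returned to the client.
function demo() {
  const store = [];
  const log = [];
  const valid = handleRequest(SAMPLE_REQUESTS.valid, store, log);
  const badUser = handleRequest(SAMPLE_REQUESTS.badUser, store, log);
  const tooLong = handleRequest(SAMPLE_REQUESTS.tooLong, store, log);
  const brokenStore = { push() { throw new Error("db down (/srv/app/db.js:42)"); } };
  const crash = handleRequest(SAMPLE_REQUESTS.valid, brokenStore, log);
  return { valid, badUser, tooLong, crash, stored: store.length, log };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  for (const k of ["valid", "badUser", "tooLong", "crash"])
    console.log(k, r[k].status, JSON.stringify(r[k].body));
  console.log("server log:", r.log);
}
```

The validator is deliberately an allow-list: it states what a username may contain rather than trying to enumerate bad characters, and the handler returns a fixed message for unexpected failures so that file paths and stack traces are not disclosed to the client.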
While web security also encompasses SQL vulnerabilities, this type of injection vulnerability will be discussed more in depth in a database security blog.