Top 5 Web Application Vulnerabilities.


A security researcher from Israel has discovered a very basic, almost “schoolboy” level bug in Gmail that could have potentially compromised millions of email addresses. He notified Google, who have rectified the problem and have rewarded the honest fellow with the whopping $500.


Here is the news article that details these events:

For those technically minded, watch the embedded YouTube video that details how Oren Hafif did it.


This news has been circulating around the web causing facepalm reactions for a few days now. We are really not sure which is the bigger PR embarrassment for Google - the simplicity of the bug or the $500 amount.


As a brief background detour, in general there are five types of web application vulnerabilities:

  • Remote code execution

  • SQL injection

  • Format string vulnerabilities

  • Cross Site Scripting (XSS)

  • Username enumeration


The particular Gmail vulnerability described above can be loosely classed as “username enumeration”. 
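To make the “username enumeration” class concrete, here is an added example (not code from the original post and not a reconstruction of the Gmail bug) showing a login handler that leaks account existence through its error message next to a hardened version that answers every failure the same way and does the same amount of hashing work. The account store, salt and passwords are constructed for the demo.

```python
"""Username enumeration: a leaky login handler beside a hardened one.
Added example; the account data and salt below are constructed, not from any real system."""
import hashlib
import hmac
import secrets

# Constructed static salt and account store (username -> PBKDF2 hash).
_SALT = b"constructed-static-salt-for-demo"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


ACCOUNTS = {
    "alice": _hash("correct horse battery staple", _SALT),
}


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable: the two failure messages differ, so a caller with only
    a wrong password learns which usernames exist."""
    stored = ACCOUNTS.get(username)
    if stored is None:
        return (401, "Unknown username")
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return (401, "Wrong password")
    return (200, "OK")


# Random dummy hash so the unknown-user path costs the same as the known-user path
# (otherwise response time still reveals existence).
_DUMMY = _hash(secrets.token_hex(16), _SALT)


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: identical status, message and hashing work for both failure cases."""
    stored = ACCOUNTS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, _SALT))
    if username not in ACCOUNTS:
        ok = False  # never accept a match against the dummy value
    if not ok:
        return (401, "Invalid username or password")
    return (200, "OK")


def enumerates(handler) -> bool:
    """True if the handler's response to a wrong password differs between an
    existing user and a non-existent one, i.e. if it leaks existence."""
    return handler("alice", "wrong") != handler("nobody", "wrong")
```

The same discipline applies to password-reset and registration flows, which are the more common enumeration surface: “if an account exists, we have sent an email” rather than “no such account”. Equal work on both paths matters as much as equal text, since a fast rejection of unknown users is itself an oracle.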


All five of these types of attacks have been around since the very inception of the Web and despite decades of awareness, haven't diminished but in fact have grown in abundance.


Here is a good summary of these five categories of web application vulnerabilities, courtesy of Symantec.  There are code snippets, examples and further links:


Another useful resource is OWASP, a worldwide not-for-profit charitable organization focused on improving the security of software:


In particular, OWASP provides a very good overview of Cross Site Scripting and the measures to take to avoid it (we found that Symantec's coverage of XSS in the link above was too brief to do it proper justice) here:
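As an added illustration of the core XSS mitigation OWASP describes (output encoding for the context the data lands in), here is a small Python example, written for this post rather than taken from OWASP or the original article. The page markup and the input string are constructed.

```python
"""Reflected XSS: raw concatenation of user input into HTML versus
context-appropriate encoding. Added example; markup and input are constructed."""
import html
from urllib.parse import quote


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the user-supplied query is placed into HTML unencoded,
    so any markup in it becomes part of the page."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: HTML-entity-encode for the text/attribute context, and
    URL-encode separately when the same value is reused inside an href."""
    return (
        f"<p>Results for: {html.escape(query, quote=True)}</p>"
        f'<a href="/search?q={quote(query, safe="")}">Search again</a>'
    )


def tag_survives(rendered: str) -> bool:
    """Crude check used only to show the difference: did a script tag
    reach the output as live markup rather than as encoded text?"""
    return "<script" in rendered.lower()


# Constructed input containing markup, as a user might type into a search box.
CONSTRUCTED_INPUT = '<script>alert("xss")</script>'
```

Encoding must match the context (HTML body, attribute, URL, JavaScript string), which is why the safe renderer uses two different encoders for the same value. A Content-Security-Policy header is a useful second layer but does not replace encoding.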


As an example of a high profile XSS vulnerability – here is an article about Robert Kugler, a 17-year-old from Germany, who found an XSS flaw in PayPal in 2013:


While PayPal had followed Mozilla and Facebook in setting up a “bug bounty” program that encourages responsible bug reporting, they didn’t reward this particular bug reporter because he was under 18.


<--(Image taken from XKCD: