Vulnerability (computer security)
===Web applications===
[[Web applications]] run on many websites. Because they are inherently less secure than other applications, they are a leading source of [[data breach]]es and other security incidents.{{sfn |Strout |2023|p=13}}{{sfn|Haber |Hibbert|2018|p=129}} Vulnerabilities in web applications include:
*[[Authentication]] and [[authorization]] failures, which enable attackers to access data that should be restricted to trusted users.{{sfn |Strout |2023|p=13}}
*[[Business logic vulnerability|Business logic vulnerabilities]], which occur when programmers do not consider unexpected cases arising in [[business logic]].{{sfn |Strout |2023|pp=14-15}}

Attacks used against vulnerabilities in web applications include:
*[[Cross-site scripting]] (XSS) enables attackers to [[code injection|inject]] and run [[JavaScript]]-based [[malware]] when [[input checking]] is insufficient to reject the injected code.{{sfn |Strout |2023|p=13}} XSS can be persistent (stored XSS), when attackers save the malware in a data field and it runs whenever that data is loaded, or reflected, when the malicious code is delivered through a crafted [[URL]] link.{{sfn |Strout |2023|p=13}} Attackers can also insert malicious code into the [[Document Object Model]] (DOM-based XSS).{{sfn |Strout |2023|p=14}}
*[[SQL injection]] and similar attacks manipulate [[database queries]] to gain unauthorized access to data.{{sfn |Strout |2023|p=14}}
*[[Command injection]] is a form of code injection in which the attacker places the malware in data fields or [[process]]es; the attacker might be able to take over the entire server.{{sfn |Strout |2023|p=14}}
*[[Cross-site request forgery]] (CSRF) causes a user's client to send requests that perform malicious actions, such as changing the user's credentials.{{sfn |Strout |2023|p=14}}
*[[Server-side request forgery]] (SSRF) is similar to CSRF, but the request is forged from the server side and often exploits the server's elevated privileges.{{sfn |Strout |2023|p=14}}
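The attack classes listed above each come down to untrusted input being interpreted in a context the developer did not intend (as SQL syntax, as HTML markup, as a request the user never chose to make, as a URL the server fetches). The following Python block is an added example, not part of the article or of any cited source; it places the vulnerable pattern beside its mitigation for SQL injection, XSS, CSRF and SSRF using only the standard library. The in-memory table, the `ALLOWED_HOSTS` allowlist and all sample inputs are constructed for the example.

```python
import hmac
import html
import ipaddress
import secrets
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """Constructed in-memory sample table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- SQL injection: query text built from input vs. parameterized query ---
def lookup_user_vulnerable(conn, name):
    # The input is spliced into the SQL text, so quote characters in it
    # change the structure of the query instead of staying data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, name):
    # The driver sends the value separately from the statement; it can only
    # ever be compared as a string, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Cross-site scripting: raw interpolation vs. output encoding ---
def render_comment_vulnerable(comment):
    # Whatever markup the comment contains is handed to the browser as HTML.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    # html.escape turns <, >, &, ' and " into entities, so the browser shows
    # the text but never parses it as tags or attributes.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# --- CSRF: per-session secret token that a cross-origin form cannot know ---
def issue_csrf_token():
    # Stored in the user's session and embedded in the site's own forms.
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    # Reject missing tokens, then compare in constant time.
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


# --- SSRF: allowlist of hosts the server may fetch on a user's behalf ---
ALLOWED_HOSTS = {"api.example.com"}  # hypothetical allowlist for this example


def outbound_url_allowed(url):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                  # no file://, gopher://, etc.
    host = parts.hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host in ALLOWED_HOSTS   # a host name: must be on the allowlist
    return False                      # a literal IP address is never allowed


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"             # constructed input containing SQL syntax
    print(lookup_user_vulnerable(conn, probe))  # every user is returned
    print(lookup_user_safe(conn, probe))        # []
    print(render_comment_safe("<b>hi</b>"))
    print(outbound_url_allowed("http://127.0.0.1/admin"))
```

The SSRF check deliberately rejects literal IP addresses rather than trying to enumerate private ranges, since an allowlist of names is easier to audit; note that a name on the allowlist can still resolve to an internal address, so the resolver or egress proxy should enforce the same policy.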