Top 10 Web App Vulnerabilities We Find in Small & Medium Businesses (With Examples)
The security issues that repeatedly show up in our assessments
We've tested hundreds of web applications for small and medium businesses over the past few years. Different industries, different technologies, different budgets. But the vulnerabilities we find follow patterns. Not because developers are careless, but because certain security issues are genuinely difficult to spot without specific knowledge. Here's what we see most often, with real examples from actual assessments.
Broken Access Control
This shows up in almost every assessment. A customer portal where changing the account ID in the URL displays someone else's invoices. An admin dashboard accessible to regular users who know the direct URL. A document management system that doesn't verify file ownership before allowing downloads. The application implements authentication successfully but fails to verify authorization for specific resources. Example: a restaurant reservation system where modifying the booking ID parameter lets customers view and cancel other people's reservations, complete with names and contact information.
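The reservation example above comes down to one missing predicate: the lookup trusts the ID from the URL and never ties the record to the caller. The following is an added illustration, not code from the original post or from any assessed system; the `Reservation` record, the in-memory table and the `Forbidden` error are constructed for it, with the vulnerable lookup shown next to the guarded one.

```python
"""Object lookup by client-supplied ID: trusting the ID alone vs. checking ownership.

Added example (not from the original post). The record type and the in-memory
table below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reservation:
    booking_id: int
    owner_id: int
    guest_name: str
    phone: str


# Constructed sample data standing in for the reservations table.
RESERVATIONS = {
    101: Reservation(101, owner_id=1, guest_name="A. Customer", phone="555-0101"),
    102: Reservation(102, owner_id=2, guest_name="B. Customer", phone="555-0102"),
}


class Forbidden(Exception):
    """Caller is authenticated but may not access the requested object."""


def get_reservation_vulnerable(booking_id: int) -> Reservation:
    """The pattern described in the text: authentication happened earlier, but
    nothing relates the record to the caller, so any signed-in user who changes
    the ID parameter receives someone else's reservation."""
    return RESERVATIONS[booking_id]


def get_reservation(booking_id: int, current_user_id: int) -> Reservation:
    """Guarded lookup: the record must belong to the caller.

    The ownership predicate sits next to the data access so that every code
    path fetching a reservation goes through it. "Missing" and "not yours"
    produce the same error, so the response does not reveal which IDs exist.
    """
    record = RESERVATIONS.get(booking_id)
    if record is None or record.owner_id != current_user_id:
        raise Forbidden(f"reservation {booking_id} is not accessible")
    return record


def cancel_reservation(booking_id: int, current_user_id: int) -> bool:
    """Mutations reuse the guarded lookup instead of re-implementing the check."""
    record = get_reservation(booking_id, current_user_id)
    del RESERVATIONS[record.booking_id]
    return True
```

The point to carry into a real code base is the second function's signature: a resource lookup that does not take the current principal cannot enforce ownership, and reviewers can grep for such lookups.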
Broken Authentication
Weak password requirements accepting "password123" for business applications. Session tokens that never expire, remaining valid months after login. Password reset flows that email new credentials in plain text. Account lockout mechanisms that don't exist, allowing unlimited login attempts. Multi-factor authentication offered but not enforced. Example: a healthcare appointment system where successful password reset requires only knowing the patient's date of birth, information often publicly available or easily guessed.
SQL Injection
User input concatenated directly into database queries instead of being passed as bound parameters. Search forms, filter options, and sorting parameters that accept SQL commands. Dynamic query construction that trusts client-side data. Example: an e-commerce site where the product search function accepts SQL commands, allowing extraction of the entire customer database including hashed passwords, shipping addresses, and order histories through a single manipulated search query.
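To make the product-search case concrete, here is an added example (not code from the original post) with a string-built query next to its parameterized replacement, run against a constructed in-memory SQLite table. The point it shows is that the parameterized query treats a search term containing quote characters as data, so it cannot widen the query's result set.

```python
"""Product search: string-built SQL beside the parameterized version.

Added example, not from the original post. The in-memory SQLite table and its
rows are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("blue mug", 9.5), ("red mug", 9.5), ("tea towel", 4.0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The flaw described in the text: the term is spliced into the SQL text,
    so quote characters in the input become part of the query's syntax."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterized version: the statement text is fixed and the driver binds
    `term` as a value, so its contents are compared as a string, never parsed."""
    sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]
```

The same rule applies to sort and filter parameters: column names cannot be bound, so map them through an allow-list of known column names rather than interpolating them.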
Cross-Site Scripting
Comment sections, review forms, and user profile fields that don't sanitize HTML input. Application echoes user-supplied data back to other visitors without encoding. Stored XSS where malicious scripts persist in the database. Example: a real estate listing platform where property descriptions accept JavaScript, enabling attackers to inject code that steals session cookies from prospective buyers browsing listings.
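The listing-description case is an output-encoding problem: whatever is stored, the fix is to encode each value for the HTML context it lands in when the page is rendered. The following added example (not code from the original post or any assessed platform) renders a constructed listing record, with the raw-concatenation version beside the encoded one.

```python
"""Rendering user-supplied text into HTML with context-appropriate encoding.

Added example, not from the original post. The listing fields and the markup
template are constructed for illustration.
"""
import html


def render_listing_vulnerable(title: str, description: str, agent_url: str) -> str:
    """The flaw described in the text: stored text is echoed verbatim, so a
    description containing markup or script is interpreted by every visitor's browser."""
    return f"<h2>{title}</h2><p>{description}</p><a href=\"{agent_url}\">Contact agent</a>"


def safe_href(url: str) -> str:
    """Escaping alone does not make a URL safe inside href: a javascript: URL
    survives html.escape untouched. Restrict the scheme first, then encode."""
    if url.lower().startswith(("http://", "https://")):
        return html.escape(url, quote=True)
    return "#"


def render_listing(title: str, description: str, agent_url: str) -> str:
    """Each value is encoded for its destination context.

    html.escape(quote=True) also encodes " and ', so a value inside a quoted
    attribute cannot terminate the attribute and start a new one.
    """
    safe_title = html.escape(title, quote=True)
    safe_desc = html.escape(description, quote=True)
    return (
        f'<article data-title="{safe_title}">'
        f"<h2>{safe_title}</h2><p>{safe_desc}</p>"
        f'<a href="{safe_href(agent_url)}">Contact agent</a></article>'
    )
```

In a real application this encoding is the job of the template engine's auto-escaping; the cases to review are the places it is switched off (a "safe" or "raw" filter) and attribute contexts such as href and event handlers, where escaping is not sufficient on its own.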
Insecure File Upload
Upload functions that accept any file type without validation. Profile picture uploads that allow PHP files. Document management systems that store uploaded files in publicly accessible directories with execution permissions enabled. No file type verification, size limits, or content inspection. Example: a job application portal where resume uploads accept executable files, and the uploaded files are stored in a web-accessible directory allowing direct execution.
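For the resume-upload case, the checks that matter are a size limit, an allow-list of types verified against the file's leading bytes rather than only its name, a server-chosen filename, and storage outside the web root. The following added example (not code from the original post or any assessed portal) implements those checks; the allowed types, the magic-byte table and the sample PNG bytes are constructed for it, and the storage root is an assumed path.

```python
"""Upload validation: type allow-list checked against content, size cap, server-chosen name.

Added example, not from the original post. MAGIC, EXT_ALIASES, the sample bytes
and the storage root are constructed or assumed for illustration.
"""
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Allowed types keyed by normalized extension, each with the bytes a genuine
# file of that type starts with. Anything not listed is rejected.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
EXT_ALIASES = {"jpeg": "jpg"}

# Constructed sample: a minimal PNG header followed by padding.
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the reason is for the server log."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalized extension if the upload is acceptable, else raise."""
    if len(data) == 0:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        raise UploadRejected(f"type not allowed: {filename!r}")
    # The name says one thing; the content must agree with it.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def storage_path(filename: str, data: bytes, root: str) -> str:
    """Validate, then choose where the bytes go.

    The client's filename never reaches the filesystem: the stored name is a
    random token plus the verified extension, under a root that the web server
    does not serve directly (downloads go through an authenticated handler).
    """
    ext = validate_upload(filename, data)
    return os.path.join(root, f"{secrets.token_hex(16)}.{ext}")
```

Magic-byte checks do not make a file safe to process (a valid PDF can still carry active content), so the storage location and the absence of execute permissions remain the controls that stop uploaded files from running on the server.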
Security Misconfiguration
Default credentials still active on admin accounts. Directory listing enabled, exposing the file structure. Error messages displaying stack traces and database connection strings. Debug mode active in production. Unnecessary features and endpoints left enabled. Example: a booking system where the /admin path uses "admin/admin" credentials that were never changed, and the publicly accessible /config directory contains database credentials in plain-text files.
Sensitive Data Exposure
Customer information transmitted without encryption over internal networks. Passwords stored in plain text or using weak hashing. API responses containing more data than necessary. Credit card numbers logged in application logs. Backup files containing sensitive information stored in web-accessible locations. Example: a membership management system where password reset tokens are visible in the browser's network tab and remain valid indefinitely.
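The authentication and data-exposure findings above share a small set of fixes: reject trivially weak passwords, store passwords with a salted, slow hash, and make reset tokens random, short-lived, single-use and stored only as a hash. The following added example (not code from the original post or any assessed system) implements those pieces with the Python standard library; the password deny-list, the token lifetime and the in-memory token store are constructed for it.

```python
"""Password policy, password hashing, and short-lived single-use reset tokens.

Added example, not from the original post. The deny-list, RESET_TTL and the
in-memory token store are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# A tiny constructed deny-list; production systems use a breached-password set.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 600_000
RESET_TTL = 15 * 60  # seconds a reset token stays valid


def password_acceptable(password: str) -> bool:
    """Length plus a deny-list catches "password123" without composition rules."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the parameters travel with the hash so they can be raised later."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class ResetTokenStore:
    """Reset tokens: random, stored hashed, expiring, consumed on first use.

    Storing only the hash means a read of the table (or a token visible in a
    log or network capture after the fact) does not yield a usable token.
    """

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (user_id, now + RESET_TTL)
        return token  # sent to the user's verified address, never echoed in a response body

    def redeem(self, token: str, now: float):
        """Return the user id if the token is live, else None. Either way the token is gone."""
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id
```

The reset flow in the healthcare example above fails because the "proof" is a guessable fact about the person; a token like the one issued here is unguessable, expires, and works once, and the email that carries it should never contain a new password.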
Missing Rate Limiting
Login forms accepting unlimited attempts. API endpoints with no request throttling. Contact forms exploitable for spam. Password reset functions that can be abused to flood user inboxes. Resource-intensive operations without limits. Example: an online appointment scheduler where the availability check API has no rate limiting, allowing competitors to make millions of requests to map out booking patterns and business volumes.
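A sliding-window limiter is the usual building block for the login and availability-check cases above, keyed separately by client address and by target account so that neither a single source hammering many accounts nor many sources targeting one account gets unlimited attempts. The following is an added example (not code from the original post or any assessed scheduler); the limits, windows and the `LoginGuard` wrapper are constructed for it, and time is passed in explicitly so the behaviour is deterministic.

```python
"""Sliding-window rate limiting keyed by client and by account.

Added example, not from the original post. The limits, windows and LoginGuard
wrapper are constructed for illustration; `now` is injected for testability.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:  # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key: str, now: float) -> float:
        """Seconds until the oldest in-window event expires; for a Retry-After header."""
        q = self._hits[key]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window - now)


class LoginGuard:
    """Two limiters in front of the credential check.

    Both limiters count attempts, not just failures, and are consulted before
    the password is checked so a blocked attempt does no work.
    """

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(limit=20, window_seconds=60)
        self.per_account = SlidingWindowLimiter(limit=5, window_seconds=300)

    def attempt(self, ip: str, username: str, now: float) -> bool:
        if not self.per_ip.allow(ip, now):
            return False
        if not self.per_account.allow(username.strip().lower(), now):
            return False
        return True
```

For an unauthenticated, resource-intensive endpoint such as the availability check, the same limiter keyed by client address (and, where the API is meant for the site's own front end, by session) bounds the scraping described above; the per-account limiter is what turns the missing lockout in the authentication section into a bounded number of guesses.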
Insufficient Logging
Failed login attempts not recorded. Security-relevant events not logged. No alerting for suspicious activity patterns. Logs that don't capture enough detail for incident investigation. Example: a payment processing integration where successful and failed transactions aren't logged separately, making it impossible to detect patterns of fraudulent payment attempts or identify when a compromise occurred.
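The payment example above is fixable by logging each attempt as a structured event with its outcome and then watching those events for bursts of failures. The following added example (not code from the original post or any assessed integration) writes JSON-lines events and runs a simple sliding-window detector over a constructed sample log; the event names, field names and thresholds are constructed for it, and the sample addresses are from the documentation ranges.

```python
"""Structured security event logging and a burst-of-failures detector.

Added example, not from the original post. Event names, fields, thresholds and
the sample log lines are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def log_event(ts: str, event: str, outcome: str, **fields) -> str:
    """One JSON line per security-relevant event. Callers pass order ids and
    decline reasons, never card numbers or credentials."""
    record = {"ts": ts, "event": event, "outcome": outcome, **fields}
    return json.dumps(record, sort_keys=True)


# Constructed sample log: four declines from one address within three minutes,
# one success, and a single decline from a second address.
SAMPLE_LOG = "\n".join([
    log_event("2024-05-01T10:00:05+00:00", "payment.attempt", "failure", ip="198.51.100.7", order="A1", reason="card_declined"),
    log_event("2024-05-01T10:00:40+00:00", "payment.attempt", "failure", ip="198.51.100.7", order="A2", reason="card_declined"),
    log_event("2024-05-01T10:01:10+00:00", "payment.attempt", "success", ip="203.0.113.9", order="B1"),
    log_event("2024-05-01T10:01:15+00:00", "payment.attempt", "failure", ip="198.51.100.7", order="A3", reason="cvv_mismatch"),
    log_event("2024-05-01T10:02:30+00:00", "payment.attempt", "failure", ip="198.51.100.7", order="A4", reason="card_declined"),
    log_event("2024-05-01T10:03:00+00:00", "payment.attempt", "failure", ip="203.0.113.9", order="B2", reason="card_declined"),
])


def find_failure_bursts(log_text: str, event: str = "payment.attempt",
                        threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: peak count} for sources with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") == event and rec.get("outcome") == "failure":
            failures[rec["ip"]].append(datetime.fromisoformat(rec["ts"]))

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while recent[0] < t - window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(recent))
    return alerts
```

The same detector shape works for failed logins and password-reset requests once those are logged with a source, a target and an outcome; the detail that makes the log useful for an investigation is that each line is self-describing, timestamped in a single timezone, and free of the secrets it describes.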
Business Logic Vulnerabilities
Discount codes applicable multiple times when intended for single use. Negative quantity values in shopping carts resulting in credits instead of charges. Refund processes that don't verify original payment. Account credit systems allowing transfers between users without approval. Example: an online course platform where applying multiple promotional codes to the same purchase isn't prevented, allowing students to reduce course prices to zero through code stacking.
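The course-platform example and the negative-quantity case are both server-side validation gaps in the checkout path. The following added example (not code from the original post or any assessed platform) shows a checkout that applies every code it is given beside one that validates quantities, enforces one promotion per order, and records redeemed codes so they cannot be reused; the catalogue, the discount table and the redemption set are constructed for it.

```python
"""Checkout totals: unchecked inputs beside validated ones.

Added example, not from the original post. PRICES, DISCOUNTS and the
redemption bookkeeping are constructed for illustration.
"""

PRICES = {"course-101": 100.0, "course-201": 150.0}
DISCOUNTS = {"SAVE50": 50, "WELCOME10": 10}  # code -> percent off
MAX_QTY_PER_LINE = 100


class CheckoutError(ValueError):
    """Raised when the cart or promotions fail validation; the order is not placed."""


def checkout_vulnerable(cart: dict, codes: list) -> float:
    """The flaws described in the text: quantities are summed as given, so a
    negative value produces a credit, and every code in the list is applied,
    so stacking a 50% code three times leaves 12.5% of the price."""
    total = sum(PRICES[sku] * qty for sku, qty in cart.items())
    for code in codes:
        total -= total * DISCOUNTS[code] / 100
    return round(total, 2)


def checkout(cart: dict, codes: list, redeemed: set, max_codes_per_order: int = 1) -> float:
    """Validated checkout. `redeemed` is the persistent set of single-use codes
    already consumed; on success the codes used here are added to it."""
    if not cart:
        raise CheckoutError("empty cart")
    total = 0.0
    for sku, qty in cart.items():
        if sku not in PRICES:
            raise CheckoutError(f"unknown item {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0 or qty > MAX_QTY_PER_LINE:
            raise CheckoutError(f"invalid quantity for {sku!r}: {qty!r}")
        total += PRICES[sku] * qty

    applied = []
    for code in codes:
        code = code.strip().upper()
        if code not in DISCOUNTS:
            raise CheckoutError(f"unknown code {code!r}")
        if code in redeemed or code in applied:
            raise CheckoutError(f"code {code!r} already used")
        if len(applied) >= max_codes_per_order:
            raise CheckoutError("only one promotion per order")
        applied.append(code)

    for code in applied:
        total -= total * DISCOUNTS[code] / 100
    total = round(max(total, 0.0), 2)

    # Only mark codes consumed once everything else has passed.
    redeemed.update(applied)
    return total
```

The refund and credit-transfer cases in the same section follow the identical rule: the server recomputes the outcome from its own records (the original payment, the sender's balance, the code's redemption state) and treats the client's numbers as requests to be checked, not as facts.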
Why These Issues Persist
These vulnerabilities aren't secret. OWASP publishes them. Security blogs discuss them. Yet they appear in assessment after assessment because developers face competing priorities. Time pressure favors shipping features over security review. Testing focuses on functionality rather than abuse cases. Security knowledge isn't uniformly distributed across development teams. Many of these issues are invisible during normal usage and only reveal themselves under adversarial testing.
Professional security assessment finds these vulnerabilities through systematic testing that covers both common attack patterns and application-specific logic flaws. It provides specific remediation guidance tailored to your technology stack and business requirements. More importantly, it finds these issues before customers or attackers do.
Discover Vulnerabilities in Your Applications
CrisisWall provides comprehensive web application security testing that identifies these common vulnerabilities and others specific to your business logic. We test systematically, document findings clearly, and provide actionable remediation guidance.
Schedule a security assessment:
Find and fix vulnerabilities before they become incidents.