An Analysis and Classification of Vulnerabilities in
Web-Based Application Development
Shekhar Disawal
School of Computer Science & IT
Devi Ahilya University
Indore, M.P., India
2021 8th International Conference on Computing for Sustainable Global Development (INDIACom) | 978-93-80544-43-4/21/$31.00 ©202110.1109/INDIACom51348.2021.00140
[email protected]
Abstract—Nowadays, web vulnerability is a critical issue in web
applications. Web developers develop web applications, but
sometimes they are not very well-versed with security concerns,
thereby creating loopholes for the vulnerabilities. If a web
application is developed without considering security, it is
harmful for the client and the company. Different types of
vulnerabilities encounter during the web application
development process. Therefore, vulnerability identification is a
crucial and critical task from a web application development
perspective. It is vigorous to secure them from the earliest
development life cycle process. In this paper, we have analyzed
and classified vulnerabilities related to web application security
during the development phases. Here, the concern is to identify
a weakness, countermeasure, confidentiality impact, access
complexity, and severity level, which affect the web application
security.
Keywords—Web application vulnerability; Vulnerability
classification; Taxonomy; Web application security.
I. INTRODUCTION
Web services play a prominent role and are an integral
part of our life. It may be education, banking, and other web
applications. The availability and simplicity of web-based
applications have attracted people to use it; on the other
hand, security concerns are still unaddressed. Organizations
try to maintain secrecy, probity, and authenticity as all these
factors help to maintain a competitive edge and practicability
[1].
Web-related applications are open to all web users,
irrespective of whether they are genuine or malicious. There
is always a threat of cyber-attacks looming large. The
fundamental nature of web-related applications and their
interconnectivity enables it easier for hackers to access
information of users and organizations and their personal
data. Today web applications are an easy and prime target
for hackers to gain financial benefit [2].
Web application vulnerabilities are the primary goal for
hackers. Notorious minds manipulate and use these flaws
and loopholes to capture data and inject malicious codes into
internal systems. Vulnerability is a weakness or error in an
application at the time of design and coding that can allow
an attacker to exploit our web application. Some common
web vulnerabilities examples are SQL injection, cross-site
scripting flaws, security misconfiguration, and broken
access.
There are innumerous web applications available on the
internet which are highly unsafe. According to acunetix 2019
978-93-80544-43-4/21/$31.00 2021
c IEEE
Authorized licensed use limited to: Tunku Abdul Rahman University College. Downloaded on March 09,2022 at 07:27:18 UTC from IEEE Xplore. Restrictions apply.
Ugrasen Suman
School of Computer Science & IT
Devi Ahilya University
Indore, M.P., India
[email protected]
web application vulnerability report, 46% of the web have
high, and 86% of websites have medium security
vulnerability [3]. It becomes significant to assess the
vulnerability of a web application before it deploys on the
internet. A definite format or strategy needs to be employed
by organizations with complete safety and assurance to
reduce the risk.
The solution for ensuring security issues is to identify the
probable fragile areas of the web application. Mitigation
techniques should be practically used in areas where many
vulnerabilities arise, as monetary and time constraints are
also crucial. The root causes of the weaknesses can be
recognized with the help of vulnerability classification.
Vulnerabilities have similar properties and available
features, such as causes, effects, locations [4].
Vulnerabilities are classified according to severity levels,
such as high, medium, and low. The impact of the
vulnerability is different according to severity level. The
high severity level is more insecure for the web application.
Arranging vulnerabilities according to severity level and
categorizing them can be useful to design an ideal security
solution. An appropriate vulnerability classification scheme
plays an important role in increasing vulnerability coverage
[5]. The vulnerability classification describes the
categorization of vulnerabilities in a proper structure to
achieve generalization [6].
There are many different types of vulnerability databases
available, which provide a list of known vulnerabilities. The
task of a database is to collect and maintain different values
and abilities that store vulnerabilities and characterize them
by numerous characteristics. These databases help to provide
the up to date collection of vulnerability data helpful for
research. Some of the widely used databases are National
Vulnerability Database (NVD) [7], The Open Source
Vulnerability Database (OSVDB) [8], Common
Vulnerability Enumeration (CWE) [9], and The Open Web
Application Security Project (OWASP), is a foundation that
works for security. It provides the Top Ten recent critical
web application vulnerabilities [10]. The different database
uses different classification schemes, but there is a lack of
the standard classification scheme.
In software development, fault identification plays a
crucial role for the successful operation of software and its
development. It may help the developer save time, cost, and
effort at the development phase [11]. To secure web
application, vulnerability must be checked from the initial
782
 stage to the final stage. Early detection of vulnerability is the
best option for the security team to detect, block, and
mitigate during every development life cycle phase. Security
of web applications is the most crucial concern. Developers
must care about quality attributes at the development phase
[12].
In this paper, we have analyzed and classified
vulnerabilities related to web application security during the
development phases. Here, the concern is to identify a
weakness, countermeasure, confidentiality impact, access
complexity, and severity level affecting web application
security.
Section II describes the classification of web
vulnerability according to different phases of the life cycle,
section III is the discussion part, and section IV concludes
that how we can improve the security of web applications at
the development phase.
II. CLASSIFICATION OF WEB APPLICATION VULNERABILITIES
The web application vulnerability is classified according
to the different development phases of the life cycle.
A. Requirement Analysis
The requirement analysis phase is understanding and
defining what resources are expected from the system and
defining restrictions on the implementation and growth. It is
a critical stage of the development process as errors certainly
lead to later problems in the application design and
implementation. During the requirement analysis, if web
requirement is not appropriately analyzed and security is not
taken care, vulnerabilities are expected to occur. There exist
three vulnerabilities, i.e., broken access control, abuse of
functionality, and improper error handling attacks in this
phase. In a broken access control attack, the criminal
conducts unwanted activities. If the access control is not
mentioned correctly in the application, the attacker can act
outside of the limit. It can misuse information, modifies the
data in websites, or destroys data. If an unauthorized user
can access the admin page, it means an access control flaw.
Abuse of functionality is an attack method that uses
website features and functions to attack itself or others.
Abuse of functionality is an application’s expected
functionality to achieve an unwanted result. The probability
and level of exploitation vary from web site to web site and
application to application. Improper error handling attack
occurs when web applications share an access amount of
information to their users. Sensitive information might be
revealed due to this [13].
B. Design Phase
The design phase interprets requirements into an
illustration of the application that can be evaluated for
quality before coding begins. It is documented and becomes
a part of the application configuration. In this phase,
vulnerability occurs due to poorly defined designs or lack of
security checks in the web design. Four vulnerabilities are
identified in this phase; brute force, cross-site request
forgery, information leakage, and insufficient authentication.
Brute force vulnerability is used to monitor an unknown
value using an automatic method to evaluate different
characteristics. In that, attackers can modify privilege and
crack the password.
2021 8th International Conference on Computing for Sustainable Global Development (INDIACom 2021)
Authorized licensed use limited to: Tunku Abdul Rahman University College. Downloaded on March 09,2022 at 07:27:18 UTC from IEEE Xplore. Restrictions apply.
Cross-site request forgery is an assault requiring a victim
to send an HTTP request to a target endpoint without their
consent or intent to behave as a victim. The underlying cause
is application functionality using predictable URL/ Form
actions in a repeatable way. Information leakage
vulnerability occurs when a web site discloses sensitive data,
such as developer remarks or error messages display, which
may support an attacker in exploiting the system. The
insufficient authentication attack permits hackers to access
personal and sensitive features of web applications without
authenticating correctly [13].
C. Implementation Phase
The implementation phase is based on the success of the
design phase. In this phase, the developer starts the
implementation process according to design. The
vulnerability occurs due to bad design decisions and poor
coding. There are eight types of such vulnerabilities; buffer
overflow, content spoofing, credential/session prediction,
cross-site scripting, denial of service, injecting operating
system command, path traversal, and SQL injection. A
buffer is used to store and transfer data from one location to
another. If the storage capacity of memory is over-limit, then
a buffer overflow attack occurred. The attacker sends new
instruction, destroy files, and modify the execution path.
Content Spoofing is an attack tactic that enables an
attacker to insert a malicious payload that is then distorted as
web applications genuine content. Credential/session
prediction is a means of hijacking or impersonating a user of
a website. Deducting or guessing a particular attribute that
distinguishes a single session or individual executes an
attack.
Cross-site scripting is a widespread web vulnerability
attack for web applications. If a web application accepts a
malicious input script through the application, it is due to a
cross-site scripting attack. Denial of service (DoS) is an
attack tactic intended to block a website from serving usual
user behavior. DoS attacks, which are easily generally
applied to the network layer, are also possible at the
application layer. Injecting operating system commands
through the application is the source of command injection
attacks. The path traversal attack technique lets attackers
access directories and commands that potentially reside in
the web documents source directory.
SQL injection vulnerability allows attackers to access
and modify the database information and other sensitive
data, such as banking information and other personal
information. It allows an attacker to delete and update the
database's record by manipulating SQL command logic [13].
D. Deployment Phase
Vulnerabilities at the deployment phase occur due to
flaws that are likely to be implemented because of lousy
implementation practices or standard application
configurations. Three vulnerabilities are identified at this
phase, i.e., insufficient session expiration, application
misconfiguration, and session fixation. Insufficient session
expiration occurs when an intruder can recycle old session
IDs for a web application authorization. Insufficient session
expiration increases web application exposure to attacks that
steal or reprocess user session identifiers. Application
misconfiguration vulnerability exploits web application if
783
 weakness is found in configuration related. Session fixation
is an attack strategy that drives the user session ID to an
explicit value [13].
We have analyzed different web vulnerability impacts in
development phases with confidentiality impact, access
complexity, source of the attack, and severity level.
Confidentiality impact examines the effect of regulating
access and disclosure of information to unauthorized users
on confidentiality. Impact measure values are complete,
partial, and none. Access complexity tests the difficulty of
the attack needed to exploit the vulnerability to access the
application. The comparison metric values are small,
TABLE I.
medium, and high. The source of attack represents the attack
pattern local or remote. Severity level provides the ranking
to vulnerability attack. We use NVD ranks vulnerabilities
scores CVSS v3.0 ranges 0.0, 0.1-3.9, 4.0-6.9, 7.0-8.9, and
9.0-10.0 by assigning one out of five severity levels for
None, Low, Medium, High, and Critical [7].
In Table I, we have found that many web application
vulnerabilities occur in different web development phases.
We have analyzed different web vulnerability impacts in
development phases concerning confidentiality impact,
access complexity, source of the attack, and severity level
[7-9][13].
CATEGORIZATION OF VULNERABILITIES

Classification Phases Vulnerability Confidentiality Impact Access Complexity Source of attack Severity level

Requirement Analysis Broken Access Control Complete Low Remote Critical

Abuse of Functionality None Medium Remote Low
Improper Error Handling Partial Low Remote Medium
Attacks
Design Brute Force Partial Low Remote Medium
Cross-Site Request Forgery Partial Medium Remote Medium
Information Leakage Partial Medium Remote Medium
Insufficient Authentication Complete Low Remote High
Implementation Buffer Overflow Complete Low Remote Critical
Content Spoofing None Medium Remote Medium
Credential/ Session Prediction None Low Remote Medium
Cross-Site Scripting None Medium Remote Medium
Denial of Service None Low Remote Medium
Injecting OS Command Partial Low Remote High
Path Traversal None Low Remote Medium
SQL Injections Complete Low Remote Critical
Deployment Insufficient Session Expiration Partial Medium Remote Medium
Application Miscon- Partial Low Remote Medium
figuration
Session Partial Low Remote High
Fixation

III. DISCUSSION At the implementation phase, two crucial vulnerabilities

From Table I, we have analyzed that in the requirement
analysis phase, different vulnerabilities occur, but the broken
access control vulnerability has the highest severity level,
and the confidentiality impact also very high. During the
analysis phase, the developer should be aware of this
vulnerability, and if it occurs, the proper measures should be
taken to mitigate this type of vulnerability, so its impact can
be minimized. Improper error handling attack has the
medium severity level, and the confidentiality impact has
partial. The access complexity level is better from broken
access. The abuse of functionality vulnerability has none
impact on security. We have identified that insufficient
authentication vulnerability is critical for the design phase
because of a high severity level and affects the
confidentiality of web applications completely at the design
level. If appropriate measures are taken during the beginning
of the design phase, the impact of vulnerabilities and related
risks can be reduced. Also, brute force, cross-site request
forgery, and information leakage are similar in the analysis.
They may be harmful to clients and the organization.
buffer overflow and SQL injection are identified. Both have
a severe impact on the implementation phase. Buffer
overflow can exploit targeted web application and modify its
content. SQL injection can inject the backend database, and
the attacker takes advantage of the loophole. During
implementation, developers should keep a security
perspective in mind. Three vulnerabilities have identified
insufficient session expiration, application misconfiguration,
and session fixation at the deployment phase. The severity
level of session fixation is the highest, and access complexity
is very low. Because of this, the details are revealed to the
hacker. Lastly, if the developer takes care of security in early
development phases, then the probability of occurrence of
vulnerability becomes very low at the deployment phase.
IV. CONCLUSION
Security issues are rarely discussed in the time of web
development; also, it is a particular milestone. It should
begin at application inception and be on every developer's
mind during requirements analysis, design, implementation,

784 2021 8th International Conference on Computing for Sustainable Global Development (INDIACom 2021)

Authorized licensed use limited to: Tunku Abdul Rahman University College. Downloaded on March 09,2022 at 07:27:18 UTC from IEEE Xplore. Restrictions apply.
 and deployment. This is the only way that protection can be
consistently enhanced in any web product. Here, we have
observed that many web application vulnerabilities can be
removed at the requirement analysis phase, so the system
analyst provides correct and accurate information to the
developer. Similarly, at the design level of web-based
applications, if we have proper fields and records, we can
avoid maximum vulnerabilities at this level.
At the implementation stage, we have found that many
vulnerabilities are occurred due to improper implementation
of mitigation techniques in the previous phases. Due to this,
end-users security is at stake, which directly impacts the
reputation of the organizations. According to web
development phases, we have provided vulnerability
classification, which arranges and generalizes web
vulnerabilities in a well-defined structure, and weaknesses
can be identified in different phases. This classification helps
the web developers and the organization take appropriate
measures to mitigate the vulnerabilities at the initial web
development phase. Therefore, practitioners need to be
vigilant about security at all phases of web development.
Future work can be done in the direction to prevent and
mitigate web vulnerabilities at the earliest. We can design a
secure framework for developers and organizations.
REFERENCES
[1] F. K. Andoh-Baidoo, “Explaining investors’ reaction to internet
security”, International Journal Electronic Finance, Vol. 7, No. 1,
2013.
[2] V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna, “Toward
automated detection of logic vulnerabilities in web applications”, In
proc. of the 19th USENIX conference on security, Washington, DC,
August 11 - 13, 2010, pp. 10-10.
[3] Acunetix, “Web Application Vulnerability Report”,
https://www.acunetix.com/acunetix-web- application-vulnerability-
report/, 2019.
[4] Z. Chen, Y. Zhang, and Z. Chen, “A categorization framework for
common vulnerabilities and exposures”, In the computer journal
advance access published online, May 7, 2009.
[5] O. Alhazmi, S. W. Woo, and Y. Malaiya, “Security vulnerability
categories in major software systems”, In proc. of the third IASTED
international conference on communication, network, and information
security, Cambridge, MA, USA, 2006.
[6] T. Aslam, I. Krsul, and E. H. Spafford, “Use of a taxonomy of security
faults”, In proc. of the 19th national information systems security
Conf., Baltimore, USA., 1996, pp. 551– 560.
[7] Govt. of USA, “National Vulnerability Database (NVD)”,
https://nvd.nist.gov/.
[8] J. Kouhns, “Open Source Vulnerability Database (OSVDB)”,
http://osvdb.org/.
[9] Mitre, ”Common Vulnerability Enumeration (CWE)”,
https://cwe.mitre.org/.
[10] OWASP (Open Web Application Security Project), “The Top 10 Most
Critical Web Application Security Risks”, https://owasp.org/www-
project-top-ten/, 2017.
[11] D. Sharma and P. Chandra, “A comparative analysis of soft computing
techniques in software fault prediction model development”,
Internation journals of information technology (BJIT), July 10, 2018.
[12] N. Pathak, B. M. Singh and G. Sharma, “UML 2.0 based framework
for the development of secure web application”, Internation journals of
information technology (BJIT), pp. 101-109, February 22, 2017.
[13] R. Auger, “Web Application Security Consortium version 2.0.0”,
http://www.webappsec.org/.

2021 8th International Conference on Computing for Sustainable Global Development (INDIACom 2021) 785

Authorized licensed use limited to: Tunku Abdul Rahman University College. Downloaded on March 09,2022 at 07:27:18 UTC from IEEE Xplore. Restrictions apply.