From Indusface’s study on the State of Application Security in India, related to an analysis of vulnerabilities data collected by Indusface WAS, Indusface’s web application security solution, the top 3 critical vulnerabilities faced by web applications are SQL Injection, Invalid TLS/SSL Certificate, and HTTP Basic Authentication Enabled.


  1. The top types of critical vulnerabilities, increasing the risk exposure of websites
  2. The time is taken to patch these vulnerabilities
  3. The number of critical vulnerabilities which remain unpatched

92.37% 4.56% 2.75%
SQL Injection Invalid TLS/SSL Certificate HTTP Basic Authentication Enabled
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. The server’s TLS/SSL certificate signature is invalid. This could indicate an attacker is actively attempting to eavesdrop on the connection. The invalid signature needs to be investigated. If the signature is valid, then investigate who/what is tampering with the TLS/SSL connection, which is resulting in this vulnerability. Basic access authentication, in the context of an HTTP transaction, is a method for an HTTP user agent to provide a username and password when making a request. It is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, a session identifier, and login pages. Rather, HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation. The HTTP Basic Authentication scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as TLS/SSL), as the username and password are passed over the network as clear text.

Source: OWASP, Wikipedia, Industry Sources

Instant Website Protection
Free Forever Security Scans | OWASP Top 10 Protection | Stop DDoS | Continuous Management