From Indusface’s study on the State of Application Security in India, related to an analysis of vulnerabilities data collected by Indusface WAS, Indusface’s web application security solution, the top 3 critical vulnerabilities faced by web applications are SQL Injection, Invalid TLS/SSL Certificate and HTTP Basic Authentication Enabled.


  1. The top types of critical vulnerabilities, increasing the risk exposure of websites
  2. The time taken to patch these vulnerabilities
  3. The number of critical vulnerabilities which remain un-patched

92.37% 4.56% 2.75%
SQL Injection Invalid TLS/SSL Certificate HTTP Basic Authentication Enabled
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. The server’s TLS/SSL certificate signature is invalid. This could indicate an attacker is actively attempting to eavesdrop on the connection. The invalid signature needs to be investigated. If the signature is valid, then investigate who/what is tampering with the TLS/SSL connection, which is resulting in this vulnerability. Basic access authentication, in the context of an HTTP transaction, is a method for an HTTP user agent to provide a user name and password when making a request. It is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifier and login pages. Rather, HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation. The HTTP Basic Authentication scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as TLS/SSL), as the user name and password are passed over the network as clear text.

Source: OWASP, Wikipedia, Industry Sources

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.

Instant Website Protection
Free Forever Security Scans | OWASP Top 10 Protection | Stop DDoS | Continuous Management