Nov. 18, 2025
A consolidated overview of real-world vulnerabilities identified across web and API assessments
binsec GmbH has consolidated the results of all web penetration tests (including connected APIs) conducted over the past twelve months. The data provides a clear picture of the vulnerability categories that appear most frequently in practice.
A significant portion of the findings relates to basic configuration weaknesses, such as insecure web server defaults, missing security headers, or inadequately configured TLS parameters. These issues are easy to identify and, on their own, typically do not represent an immediate critical risk.
Session Management
Session handling weaknesses continue to occur regularly. A common pattern is that logging out only removes the session cookie in the browser, while the server-side session remains valid. An attacker who previously obtained the session ID can therefore keep using it after the user has logged out. The check is simple: capture the session cookie, log out, and replay the old cookie against an authenticated endpoint.
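The two logout variants described above, side by side with the replay check, as an added example that is not part of the original article and not binsec's code. The in-memory session store, the handler names and the cookie format are assumptions for illustration; a real application would hold the same state in a database or cache.

```python
"""Logout that only deletes the browser cookie vs. logout that invalidates
the server-side session. Added example, not from the article or from binsec;
the SessionStore and handler names are illustrative assumptions."""
import secrets
import time

SESSION_TTL = 3600  # seconds a session record stays valid


class SessionStore:
    """Minimal server-side session store keyed by an opaque random ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None or s["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return s["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def logout_client_only(store, sid):
    """The flawed pattern: tell the browser to drop the cookie but leave the
    server-side record untouched. Returns only the Set-Cookie header."""
    return "session=; Max-Age=0; Path=/; HttpOnly; Secure"


def logout_server_side(store, sid):
    """Hardened pattern: invalidate the server-side record first, then expire
    the cookie. A replayed ID now fails the lookup."""
    store.destroy(sid)
    return "session=; Max-Age=0; Path=/; HttpOnly; Secure"


def replay_after_logout(logout_fn):
    """The tester's check: capture the session ID before logout, run the
    logout handler, then present the captured ID again.
    Returns True if the old session is still accepted (the finding)."""
    store = SessionStore()
    sid = store.create("alice")  # the ID an attacker may already hold
    assert store.lookup(sid) == "alice"
    logout_fn(store, sid)
    return store.lookup(sid) is not None


if __name__ == "__main__":
    print("client-only logout, old session still valid:",
          replay_after_logout(logout_client_only))
    print("server-side logout, old session still valid:",
          replay_after_logout(logout_server_side))
```

Against a live target the same check is a curl request with the pre-logout cookie to any endpoint that requires authentication; a 200 instead of a redirect to the login page is the finding.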
Authorization and Access Control
Most critical findings stem from incomplete or faulty access control mechanisms. This includes privilege escalation paths, missing object-level or tenant-level isolation (one user reading or modifying another user's or another tenant's data simply by changing an identifier in the request), and insufficiently protected API endpoints. Modern applications with extensive background API communication are particularly affected, because access control for each endpoint usually has to be implemented by hand rather than being enforced centrally by the framework.
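An added example (not from the article and not code from binsec or any assessed application) of the object-level and tenant-level checks this paragraph refers to. The User and Invoice records, the tenant and user IDs and the handler names are constructed for illustration; the access matrix at the end is the table a tester fills in by hand for each endpoint.

```python
"""Object- and tenant-level authorization on an API read handler.
Added example with constructed data; not from the article or from binsec."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int
    role: str  # "user" or "admin"; admins may read every invoice of their own tenant


@dataclass(frozen=True)
class Invoice:
    id: int
    tenant_id: int
    owner_id: int
    amount: float


# Constructed sample data: two tenants (10 and 20), four users, three invoices.
INVOICES = {
    1: Invoice(1, tenant_id=10, owner_id=100, amount=120.0),
    2: Invoice(2, tenant_id=10, owner_id=101, amount=80.0),
    3: Invoice(3, tenant_id=20, owner_id=200, amount=999.0),
}
ALICE = User(100, tenant_id=10, role="user")
BOB = User(101, tenant_id=10, role="user")
EVE = User(200, tenant_id=20, role="user")
ADMIN10 = User(102, tenant_id=10, role="admin")


def get_invoice_vulnerable(caller, invoice_id):
    """Authenticated but not authorized: any logged-in user can read any
    invoice by guessing its ID, across tenants (an IDOR)."""
    inv = INVOICES.get(invoice_id)
    return (404, None) if inv is None else (200, inv)


def get_invoice_secure(caller, invoice_id):
    """Enforce tenant isolation first, then object ownership (or the admin
    role inside the same tenant). Missing and foreign-tenant objects both
    answer 404 so the response does not reveal which IDs exist elsewhere."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != caller.tenant_id:
        return 404, None
    if inv.owner_id != caller.id and caller.role != "admin":
        return 403, None
    return 200, inv


def access_matrix(handler):
    """Call handler for every (caller, invoice) pair.
    Returns {(caller_id, invoice_id): http_status}."""
    return {(c.id, i): handler(c, i)[0]
            for c in (ALICE, BOB, EVE, ADMIN10) for i in INVOICES}


if __name__ == "__main__":
    for name, h in (("vulnerable", get_invoice_vulnerable), ("secure", get_invoice_secure)):
        print(name, access_matrix(h))
```

The vulnerable handler answers 200 for all twelve combinations; the secure one only where the caller owns the object or is an admin of the same tenant. Running the same matrix against a real API (one low-privilege user per tenant, every object ID you can collect) is the quickest way to spot missing isolation.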
Classic Vulnerabilities
SQL injection and cross-site scripting (XSS) are less common today but still appear in practice, especially where safeguards such as ORMs, prepared statements, input validation, or output encoding are bypassed or not applied consistently, for example in a hand-written raw query next to otherwise ORM-based code.
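An added example, not from the article and not code from binsec or any assessed application, of the two ways prepared statements get bypassed in practice: a raw query assembled from a string, and a sort column interpolated into ORDER BY because it "cannot be a bound parameter". The schema, sample rows and payloads are constructed for illustration and run against an in-memory SQLite database.

```python
"""String-built SQL next to parameterised SQL on an in-memory SQLite database.
Added example with a constructed schema; not from the article or from binsec."""
import sqlite3

# Allowlist of identifiers that may appear in ORDER BY (identifiers cannot be
# bound as parameters, so the only safe option is a fixed set of known names).
ALLOWED_SORT = {"id", "username", "email"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                "email TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 0),
         ("bob", "bob@example.test", 0),
         ("root", "root@example.test", 1)],
    )
    return con


def find_user_vulnerable(con, username):
    """The pattern that slips past an ORM: a raw query built with an f-string."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [r[0] for r in con.execute(sql)]


def find_user_safe(con, username):
    """Same query with a bound parameter; input can never change its structure."""
    return [r[0] for r in con.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def list_users_vulnerable(con, sort):
    """Sort column taken straight from the request and interpolated."""
    return [r[0] for r in con.execute(f"SELECT username FROM users ORDER BY {sort}")]


def list_users_safe(con, sort):
    """Interpolation is still used, but only after an allowlist check."""
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    return [r[0] for r in con.execute(f"SELECT username FROM users ORDER BY {sort}")]


# Constructed payloads. The ORDER BY probe is a boolean-blind injection: the
# result order reveals whether the condition in the subquery is true.
TAUTOLOGY = "x' OR '1'='1"
ORDER_PROBE = ("CASE WHEN (SELECT is_admin FROM users WHERE username = 'root') = 1 "
               "THEN -id ELSE id END")


if __name__ == "__main__":
    con = make_db()
    print("raw query, tautology:", find_user_vulnerable(con, TAUTOLOGY))
    print("bound parameter, tautology:", find_user_safe(con, TAUTOLOGY))
    print("ORDER BY probe:", list_users_vulnerable(con, ORDER_PROBE))
```

The tautology returns every row from the string-built query and nothing from the parameterised one. The ORDER BY probe is the more instructive case: it contains no quote character and passes most input filters, yet the reversed row order answers a yes/no question about another row, which is all an attacker needs to extract data bit by bit.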
Business Logic Issues
Business logic vulnerabilities are found less often, but when they are identified they typically have a significant impact, because they directly affect critical application workflows and cannot be detected by scanners or generic safeguards.