Most common high-impact pentesting findings and how to defend against them

Understand the most common high-impact penetration testing findings that OnSecurity's testers discover and the steps to take to remediate them.

Penetration tests are one of the most effective ways of finding exploitable weaknesses in an organisation's security posture. By simulating real-world attacks and uncovering the gaps an attacker would use, a pentest produces a report that helps secure applications and infrastructure and supports compliance with industry regulations.

Although every penetration test is tailored to the organisation's environment, we see the same missteps recur across industries, technologies and company sizes.

We’ve identified a pattern of frequently overlooked vulnerabilities that, while sometimes minor in isolation, can compound into serious risk when left unaddressed.

Here are some of the most common high-impact issues our testers find, why they appear so often, and how organisations can defend against them.

1. Weak Access Control & Insecure Direct Object References (IDORs)

Why it’s common:

Developers often focus on authentication (who you are) and neglect authorisation (what you are allowed to do). An IDOR is the typical result: an endpoint takes an object identifier from the request (an invoice number, a user ID, a filename) and uses it to fetch the record without checking that the caller is entitled to it. Getting this right requires an understanding of business logic and user relationships that differ from one application to the next, and the check has to be repeated for every object and every operation.

Risk:

Attackers can read other users' sensitive data, modify critical records or escalate to administrator-level privileges, often by doing nothing more than changing a number in a URL or request body. This is particularly damaging in multi-tenant applications, where one customer can reach another's data.

How can organisations defend against this:

Implement authorisation checks on the server side at every endpoint and for every object access, denying by default; do not rely on identifiers being hard to guess. Maintain a clear permission matrix (which roles may perform which actions on which objects) and test the boundaries between user roles, and between tenants, during development.
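As an added example (not code from the original article or from OnSecurity), the following Python shows the vulnerable lookup beside the hardened one. The invoice records, the three roles and the PERMISSIONS matrix are constructed for illustration; the point is that the authorisation decision is made on every object access and that "missing" and "not yours" produce the same error.

```python
"""Object-level authorisation for a multi-tenant 'invoices' API.
Added example, not OnSecurity's code. The record store, roles and the
PERMISSIONS matrix are constructed for illustration."""
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int
    role: str          # "customer" | "tenant_admin" | "support" (constructed roles)


# Constructed sample records keyed by invoice id (the IDOR-prone identifier).
INVOICES = {
    101: {"tenant_id": 1, "owner_id": 7, "amount": 120.0},
    102: {"tenant_id": 1, "owner_id": 8, "amount": 99.5},
    103: {"tenant_id": 2, "owner_id": 9, "amount": 310.0},
}

# Permission matrix: role -> actions it may perform on invoices it can see.
PERMISSIONS = {
    "customer":     {"read"},
    "tenant_admin": {"read", "update", "delete"},
    "support":      {"read"},
}


def vulnerable_get_invoice(user: User, invoice_id: int) -> dict:
    """Classic IDOR: the id from the request is used directly, so any
    authenticated user can read any invoice by changing the number."""
    return INVOICES[invoice_id]


def can_access(user: User, invoice: dict, action: str) -> bool:
    """Deny by default: tenant boundary, then role, then object ownership."""
    if invoice["tenant_id"] != user.tenant_id:
        return False                              # never cross tenants
    if action not in PERMISSIONS.get(user.role, set()):
        return False                              # role lacks this action
    if user.role == "customer" and invoice["owner_id"] != user.id:
        return False                              # customers see only their own
    return True


def get_invoice(user: User, invoice_id: int, action: str = "read") -> dict:
    """Hardened version: the authorisation decision is made on every access."""
    invoice = INVOICES.get(invoice_id)
    # Same error for 'missing' and 'not yours', so the endpoint does not
    # confirm which ids exist.
    if invoice is None or not can_access(user, invoice, action):
        raise Forbidden(f"invoice {invoice_id}: not found or access denied")
    return invoice
```

A tester exercising this endpoint would log in as one customer and walk the id space; with the hardened version every foreign id returns the same denial, so there is nothing to enumerate.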

2. Username and Email Enumeration

Why it’s common:

Login, registration and password-reset forms often respond differently for existing and non-existent accounts. The differences can be subtle: a different error message, a different HTTP status code, or a measurably different response time (for example because password hashing is skipped when the user is not found), and they are easily overlooked during development.

Risk:

Attackers use these differences to build lists of valid users for targeted attacks, credential stuffing or social engineering campaigns. The same lists feed password-spraying attacks, where a few common passwords are tried against many accounts.

How can organisations defend against this:

Standardise authentication responses so they are identical whether or not the account exists: the same generic error message (such as "Invalid credentials"), the same status code, and the same amount of work done on the server so that response times match. Password-reset forms should always answer along the lines of "If an account exists for that address, a reset link has been sent." Log suspicious activity, rate-limit these endpoints and apply MFA wherever possible.
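The following Python is an added example, not code from the article or from OnSecurity, showing a login handler and a reset handler that behave the same for unknown and known accounts. The user table, the PBKDF2 work factor and the messages are constructed; the key detail is that the password hash is computed against a dummy record when the account does not exist, so timing does not leak.

```python
"""Login and password-reset handlers that answer identically whether or not
the account exists. Added example, not OnSecurity's code; the user table,
the PBKDF2 work factor and the messages are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor (constructed value)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: email -> (salt, digest)
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# A throw-away hash used to burn the same CPU time for unknown accounts, so
# the response time does not reveal whether the account exists.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))

GENERIC_FAILURE = "Invalid credentials"
RESET_MESSAGE = "If an account exists for that address, a reset link has been sent."


def login(email: str, password: str) -> tuple:
    """Return (success, message). The message and the work done are the same
    for 'no such user' and 'wrong password'."""
    salt, digest = USERS.get(email, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # '&' rather than 'and': both operands are always evaluated.
    ok = hmac.compare_digest(candidate, digest) & (email in USERS)
    return (True, "Login successful") if ok else (False, GENERIC_FAILURE)


def request_password_reset(email: str, outbox: list) -> str:
    """Always return the same sentence; only queue a mail when the account
    exists. `outbox` (a constructed list) stands in for the mail queue."""
    if email in USERS:
        outbox.append((email, secrets.token_urlsafe(32)))
    return RESET_MESSAGE
```

Registration forms are the hard case: they must tell a user the address is taken. Rate-limit them and, where the product allows, move the "already registered" signal into the confirmation e-mail rather than the HTTP response.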

3. Content Security Policy (CSP) Weaknesses

Why it’s common:

Configuring a CSP correctly can be hard, especially when the application embeds third-party services or relies on inline scripts. Many applications either lack a CSP entirely or ship an overly permissive policy (wildcard sources, 'unsafe-inline', 'unsafe-eval') that provides little or no protection.

Risk:

CSP is a second line of defence: it does not remove an XSS bug, but a strong policy stops an injected script from executing. A weak policy gives none of that benefit, leaving attackers free to run malicious scripts, steal session tokens or deface pages once they find an injection point.

How can organisations defend against this:

Start with a restrictive policy (for example default-src 'none' with a nonce- or hash-based script-src, object-src 'none' and base-uri 'none') and add only the sources you need. Deploy it first via the Content-Security-Policy-Report-Only header and use the reports to find violations before enforcing. Regular penetration tests can validate the policy against real injection attempts.
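As an added example (not from the article or OnSecurity), here is a small Python linter for the policy weaknesses testers most often report. The two sample policies are constructed; the checks reflect standard CSP semantics (for instance that 'unsafe-inline' is ignored by browsers when a nonce or hash is also present, and that a scheme source such as https: allows any host).

```python
"""Lint a Content-Security-Policy header for the weaknesses commonly
reported in pentests. Added example, not OnSecurity's code; the two sample
policies are constructed."""


def parse_csp(header: str) -> dict:
    """'default-src 'self'; script-src cdn.example' -> {directive: [sources]}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def lint_csp(header: str) -> list:
    p = parse_csp(header)
    findings = []
    if "default-src" not in p:
        findings.append("no default-src: unlisted resource types are unrestricted")
    script = p.get("script-src", p.get("default-src", []))
    if not script:
        findings.append("no script-src or default-src: any script origin allowed")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': inline XSS payloads will run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks are open")
    for src in script:
        if src in ("*", "data:", "http:", "https:"):
            findings.append(f"script-src source {src!r} is effectively unrestricted")
    if "object-src" not in p and "'none'" not in p.get("default-src", []):
        findings.append("object-src not locked to 'none': plugin-based injection possible")
    if "base-uri" not in p:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "report-uri" not in p and "report-to" not in p:
        findings.append("no reporting directive: violations will go unnoticed")
    return findings


# Constructed sample policies: a permissive one and a strict, nonce-based one.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_POLICY = (
    "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
    "style-src 'self'; img-src 'self'; connect-src 'self'; "
    "base-uri 'none'; form-action 'self'; report-to csp"
)
```

Run `lint_csp` over the header returned by each environment as a CI check; the strict sample returns no findings, the weak one returns one line per problem.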

4. Lack of Multi-Factor Authentication (MFA)

Why it’s common:

MFA is sometimes viewed as adding friction to the user experience. Legacy systems often lack support for it, and implementing it can seem complex for development teams.

Risk:

Once attackers steal or guess a password, they can easily gain access with no additional verification. Password-only authentication leaves accounts vulnerable to credential stuffing, phishing, and brute force attacks. A single compromised password grants full access.

How can organisations defend against this:

Implement MFA for all user accounts, prioritising administrative and privileged access. Modern MFA solutions offer user-friendly options such as push notifications, passkeys and biometrics; prefer phishing-resistant methods (FIDO2/WebAuthn) over SMS codes where you can, and guard push-based approval against prompt fatigue. It is one of the simplest, most effective improvements to account security available.
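To show what the second factor actually verifies, here is an added Python example (not the article's or OnSecurity's code) of RFC 6238 TOTP, the algorithm behind authenticator apps, together with the server-side checks. The key is the RFC 6238 test key; the acceptance window of one time step either side and the replay guard on the last-used counter are this example's assumptions, not something the article specifies.

```python
"""RFC 6238 TOTP (the code behind authenticator apps) with the checks a
server should perform. Added example, not OnSecurity's code; RFC_TEST_KEY
is the RFC 6238 test vector key, the window and replay guard are assumptions."""
import base64
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"   # RFC 4226 / RFC 6238 test key
STEP = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1,
                last_counter: int = -1) -> tuple:
    """Accept codes from the current step +/- `window` steps (clock drift),
    compare in constant time, and refuse any step at or before the last one
    used so a captured code cannot be replayed. Returns (ok, counter_used)."""
    counter = at // STEP
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c), code):
            return True, c
    return False, last_counter


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the key as used in otpauth:// URIs / QR codes."""
    return base64.b32encode(key).decode().rstrip("=")
```

Store `last_counter` per user and rate-limit the verification endpoint: a six-digit code with an unlimited number of guesses is not a second factor.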

5. Insufficient Rate Limiting

Why it’s common:

Rate limiting requires a careful balance between security and usability. Developers often implement it inconsistently, or only on the obvious endpoints such as the login form, leaving password reset, MFA code verification, search, export and other API endpoints unprotected.

Risk:

Missing rate limits enable brute force attacks, denial-of-service attacks, data scraping, and API abuse. Attackers can overwhelm systems or extract large datasets.

How can organisations defend against this:

Implement rate limiting on all endpoints, not just authentication, and key it on more than the client IP (the target account, API key or session, for example). Prefer progressive delays to hard account lockouts, which let an attacker lock legitimate users out by design. Monitor for distributed attacks that spread requests across many IP addresses to stay under per-IP limits.
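As an added example (not from the article or OnSecurity), the Python below implements a sliding-window limiter keyed on both the client IP and the target account, with a progressive delay instead of a lockout. The limits and the three named limiters are constructed values; the design point is that a distributed attack rotating IPs still collides with the per-account bucket.

```python
"""Sliding-window rate limiter keyed on both client IP and target account,
with a progressive delay instead of a hard lockout. Added example, not
OnSecurity's code; the limits below are constructed for illustration."""
from collections import defaultdict, deque


class RateLimiter:
    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)     # key -> timestamps inside the window

    def _prune(self, key: str, now: float) -> deque:
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def hit(self, key: str, now: float) -> tuple:
        """Record an attempt. Returns (allowed, delay_seconds). Over the limit,
        each extra attempt doubles the delay (capped) rather than locking the
        key out, so an attacker cannot deny service to a real user."""
        q = self._prune(key, now)
        q.append(now)
        excess = len(q) - self.limit
        if excess <= 0:
            return True, 0.0
        return False, float(min(2 ** (excess - 1), 300))


# Constructed limits. Login is not the only endpoint that needs them:
# OTP verification, password reset and data export get their own buckets.
LIMITERS = {
    "ip":      RateLimiter(limit=50, window_seconds=60),   # generous per-IP
    "account": RateLimiter(limit=5,  window_seconds=60),   # tight per-account
    "otp":     RateLimiter(limit=5,  window_seconds=300),
}


def check_login_attempt(ip: str, username: str, now: float) -> tuple:
    """Both keys must allow the request; the longer delay wins. A botnet that
    rotates source addresses still exhausts the per-account limit."""
    results = [
        LIMITERS["ip"].hit(f"ip:{ip}", now),
        LIMITERS["account"].hit(f"acct:{username.strip().lower()}", now),
    ]
    return all(r[0] for r in results), max(r[1] for r in results)
```

In production the deques live in a shared store (Redis or similar) so that every application node sees the same counts; an in-memory limiter on one node out of ten enforces a limit ten times looser than intended.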

6. Injection Vulnerabilities (SQL, XSS, Template Injection)

Why it’s common:

Despite being well known, injection flaws persist because they can occur wherever user input reaches an interpreter: a SQL engine, a browser, a template engine, a shell. Developers often treat input validation as sufficient, or assume a framework protects them when it does not for the construct they used, and complex data flows make injection points easy to miss.

Risk:

SQL injection can lead to complete database compromise and data theft. Cross-site scripting (XSS) enables attackers to hijack user sessions and compromise websites. Template injection can result in remote code execution on servers.

How can organisations defend against this:

Never trust user input. Use parameterised queries for database access, context-aware output encoding to prevent XSS (HTML text, attribute, URL and JavaScript contexts each need different encoding), and never pass user input to a template engine as the template itself; pass it only as data for the template to render. Treat input validation as defence in depth, not as the primary protection.

7. PDF Generation Vulnerabilities (XSS, RCE, SSRF)

Why it’s common:

PDF generation features often accept rich user input (HTML, CSS, images) and render it on the server, frequently with a headless browser or an HTML-to-PDF library. Developers rarely consider the security implications of rendering untrusted content, and PDF libraries have parsing vulnerabilities of their own.

Security risk:

These features frequently yield several critical findings at once: injected HTML or JavaScript that executes inside the server-side renderer (where it may be able to read local files through file:// URLs), remote code execution through payloads that trigger bugs in the rendering library, and server-side request forgery (SSRF), where the renderer fetches attacker-chosen URLs and so reaches internal services and cloud metadata endpoints.

How can organisations defend against this:

Sanitise all HTML/CSS input before rendering. Disable JavaScript in the PDF generator. Enforce a strict allowlist of hosts for external resources, blocking file:, data: and other non-HTTP schemes as well as loopback, link-local and private address ranges. Run PDF generation in a sandboxed environment with minimal privileges and no route to internal networks.

8. Cross-Site Request Forgery (CSRF)

Why it’s common:

Modern frameworks usually include CSRF protection, but developers may disable it for convenience, or fail to apply it to custom forms, AJAX requests and API endpoints that accept cookie-authenticated requests.

Risk:

Attackers can trick authenticated users into performing unwanted actions, such as changing passwords, transferring funds, or modifying data, without their knowledge.

How can organisations defend against this:

Use anti-CSRF tokens for all state-changing operations. Set the SameSite attribute (Lax or Strict) on session cookies and, as defence in depth, verify the Origin or Referer header on state-changing requests. Never use GET requests for sensitive actions.

9. Insecure Session Management

Why it’s common:

Session handling involves multiple components – cookies, tokens, timeouts, and invalidation. Each presents opportunities for misconfiguration or oversight.

Risk:

Poor session management enables session hijacking, fixation attacks and unauthorised access through stolen or reused tokens. Sessions that never expire mean a stolen token stays usable indefinitely.

How can organisations defend against this:

Implement secure session practices: generate IDs with a cryptographically secure random generator, regenerate the ID after login, enforce idle and absolute timeouts, invalidate sessions on logout and password change, and set the Secure, HttpOnly and SameSite cookie attributes. Ensure sessions expire on the server side, not just in the client's cookie.
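The Python below is an added example, not the article's or OnSecurity's code, covering both the session controls above (section 9) and the anti-CSRF token from section 8, since the token is derived from the session. The timeouts and the server secret are constructed; the store keeps the server, not the cookie, as the authority on whether a session is live.

```python
"""Server-side session store with the controls from sections 8 and 9:
CSPRNG session IDs, ID regeneration at login, idle and absolute timeouts,
explicit invalidation, secure cookie attributes and a per-session CSRF
token. Added example, not OnSecurity's code; the timeouts and the server
secret are constructed."""
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 15 * 60          # constructed values
ABSOLUTE_TIMEOUT = 8 * 3600
SERVER_SECRET = secrets.token_bytes(32)   # constructed; load from config/KMS in production


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session id -> record; the server is authoritative

    def create(self, now: float, user_id=None) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def get(self, sid: str, now: float):
        """Return the record if the session is live, otherwise expire it
        server-side and return None (a client-side cookie expiry is not enough)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT):
            self.invalidate(sid)
            return None
        rec["last_seen"] = now
        return rec

    def login(self, old_sid: str, user_id: int, now: float) -> str:
        """Rotate the ID on privilege change, so an ID planted before login
        (session fixation) is worthless afterwards."""
        self.invalidate(old_sid)
        return self.create(now, user_id)

    def invalidate(self, sid: str) -> None:
        """Called on logout and password change as well as on expiry."""
        self._sessions.pop(sid, None)

    @staticmethod
    def cookie_header(sid: str) -> str:
        return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

    # CSRF: the token is an HMAC of the session ID, so it cannot be forged
    # without the server secret and is useless against any other session.
    def csrf_token(self, sid: str) -> str:
        return hmac.new(SERVER_SECRET, b"csrf:" + sid.encode(), hashlib.sha256).hexdigest()

    def verify_csrf(self, sid: str, submitted: str, now: float) -> bool:
        """Reject if the session is dead or the token does not match (constant time)."""
        if self.get(sid, now) is None:
            return False
        return hmac.compare_digest(self.csrf_token(sid), submitted or "")
```

Embed `csrf_token(sid)` in every form and as a header on AJAX requests, and call `verify_csrf` on every state-changing request alongside the SameSite cookie attribute; the token is never placed in a cookie, so an attacker's cross-site request cannot supply it.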

10. JavaScript Libraries Out of Date

Why it’s common:

Modern applications rely on numerous third-party JavaScript libraries. These dependencies are often forgotten after initial development, accumulating known vulnerabilities over time.

Risk:

Outdated libraries contain publicly known vulnerabilities that attackers actively exploit. A single vulnerable component can compromise the entire application.

How can organisations defend against this:

Implement automated dependency scanning in your CI/CD pipeline and fail builds on known high-severity issues. Pin versions with a lockfile, update components regularly and monitor security advisories. Consider a library's maintenance and security track record when selecting it.

Why are these vulnerabilities so common?

The most common findings occur due to:

  • Complexity of modern applications with numerous integration points
  • Focus on features and deadlines over security requirements
  • Insufficient security training for development teams
  • Lack of threat modelling during design phases
  • Absence of security testing in the development lifecycle

Even organisations with security policies often struggle with consistent implementation. Regular penetration testing helps identify these issues before attackers can exploit them.

A penetration testing company like OnSecurity helps identify and prioritise such issues before they’re exploited.

With regular testing we help businesses stay ahead of new threats, and when findings are present we offer a free retesting window to confirm that remediation has been successful.

How to strengthen business security posture

To strengthen your security posture and minimise cyber threats:

  • Test annually (or after major changes) with a reputable penetration testing company
  • Integrate security into your SDLC from design through deployment
  • Provide security training and attack simulations for all development team members
  • Implement defence in depth rather than relying on single security controls
  • Review penetration test reports for common vulnerability patterns and systemic issues
  • Use retesting to confirm that vulnerabilities are properly remediated

A strong cybersecurity posture isn't built in a day, but ignoring common vulnerabilities can lead to breaches that cost millions in recovery, fines and reputational damage.

Penetration testing provides insight into your security gaps and actionable guidance for remediation. Whether you are securing web applications or infrastructure, or meeting compliance requirements, professional testing delivers a report that guides action.

Don’t wait for a breach to reveal where your security falls short. Let OnSecurity’s penetration testers help you stay ahead of evolving threats and book your penetration test today.
