A Comprehensive Study of Web Application Security, Vulnerabilities and Modern Defence Mechanisms
Keywords:
Web Application Security, SQL Injection, Cross-Site Scripting, API Security, Cloud Misconfiguration, Broken Access Control, Deep Learning, Runtime Application Self-Protection, Web Application Firewall, DevSecOps, Zero Trust Architecture, Access-Control Testing, Cross-Channel Scripting
Abstract
Web applications are the backbone of the current digital ecosystem, supporting key services in e-commerce, banking, health care, education, cloud computing, and public administration. The continued rise of web-based platforms, together with their shift towards distributed, API-driven, and microservices-oriented architectures, is significantly increasing the attack surface. Traditional vulnerabilities such as SQL Injection and Cross-Site Scripting persist because of legacy code, improper input validation, and insecure programming practices. In modern architectures, however, newer classes of weakness have come to the fore as major contributors to real-world breaches: Broken Access Control, Broken Object-Level Authorization, API-layer weaknesses, software-supply-chain (dependency) vulnerabilities, cloud misconfigurations, and Cross-Channel Scripting. Academic research published in Springer, MDPI, IEEE, ACM, and arXiv shows significant advances in both attack strategies and defence mechanisms. Promising techniques include automated black-box access-control testing, deep-learning injection-attack detectors, semantic analysis engines, fuzzing-driven vulnerability discovery, and runtime protection systems (WAF, RASP). This study synthesizes the outcomes of more than twenty recent scholarly works, offering a holistic overview of the current state of web application security. It examines how vulnerabilities have evolved over time, critically assesses state-of-the-art mechanisms for detection and mitigation, and identifies open research challenges in cloud-native architectures, DevSecOps, and Zero Trust environments. The findings highlight that effective protection depends on layered and adaptive defences, supported by continuous automated testing, ML-powered anomaly detection, secure engineering methodologies, and robust runtime governance.
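The abstract names Broken Object-Level Authorization and automated black-box access-control testing without showing either. The following is an added example, not code from the paper or from any system it surveys: it models one endpoint twice (missing the ownership check, then with it) and runs the differential access-control test that such black-box tools perform, replaying every request that succeeded for the object's owner under a second user's session and flagging any success. The orders table, the session tokens and the user names are constructed for the example.

```python
"""Differential access-control (BOLA) test harness.

Added example, not from the paper. The in-memory "app" (ORDERS, SESSIONS,
the two handlers) and the user identities are constructed here so the
block runs offline; a real tool would drive HTTP requests instead.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: orders keyed by a guessable integer id.
ORDERS: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "alice", "total": 17.50},
    2001: {"owner": "bob", "total": 99.99},
}

# Constructed session store: opaque token -> authenticated user.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


Handler = Callable[[str, int], Response]


def _authenticate(token: str) -> Optional[str]:
    return SESSIONS.get(token)


def get_order_vulnerable(token: str, order_id: int) -> Response:
    """Authenticates the caller but never checks ownership: any logged-in
    user can read any order by enumerating ids (BOLA / IDOR)."""
    user = _authenticate(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)


def get_order_fixed(token: str, order_id: int) -> Response:
    """Same endpoint with the object-level authorization check: the order
    must belong to the authenticated user. A foreign id gets the same 404
    as a missing one, so the endpoint does not confirm that it exists."""
    user = _authenticate(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(404)
    return Response(200, order)


def bola_findings(handler: Handler, owner_token: str, other_token: str,
                  object_ids: List[int]) -> List[Tuple[int, int]]:
    """Differential test: for every id the owner can read (200), replay the
    identical request as the other user. Any 2xx for the other user is a
    finding (object_id, status). A 403 or 404 on replay both count as a
    correct denial; ids the owner cannot read give no authz signal and
    are skipped rather than reported."""
    findings: List[Tuple[int, int]] = []
    for oid in object_ids:
        baseline = handler(owner_token, oid)
        if baseline.status != 200:
            continue
        replay = handler(other_token, oid)
        if 200 <= replay.status < 300:
            findings.append((oid, replay.status))
    return findings


if __name__ == "__main__":
    alice_ids = [oid for oid, o in ORDERS.items() if o["owner"] == "alice"]
    print("vulnerable:", bola_findings(get_order_vulnerable, "tok-alice", "tok-bob", alice_ids))
    print("fixed:     ", bola_findings(get_order_fixed, "tok-alice", "tok-bob", alice_ids))
```

The baseline request is what makes the test black-box and low on false positives: only objects the first identity demonstrably owns are replayed, so a 200 under the second identity cannot be explained by the object being public or nonexistent. Seeding each identity with its own objects and running the matrix in both directions catches the asymmetric case where only one role's endpoint is missing the check.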
License
Copyright (c) 2026 DMPedia Lecture Notes in Multidisciplinary Research

This work is licensed under a Creative Commons Attribution 4.0 International License.