Scribd
Upload
1K views4 pages

Overview of Web Vulnerabilities

This document categorizes 100 common web vulnerabilities into various types including injection vulnerabilities, broken authentication and session management, sensitive data exposure, security misconfiguration, XML-related vulnerabilities, broken access control, insecure deserialization, API security issues, insecure communication, client-side vulnerabilities, denial of service, other web vulnerabilities, mobile web vulnerabilities, IoT web vulnerabilities, web of things vulnerabilities, authentication bypass, server-side request forgery, content spoofing, business logic flaws, and zero-day vulnerabilities. The document provides examples of specific vulnerabilities within each category.

Uploaded by

Huzaifa Top
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Topics covered

  • Time-Based Blind SSRF,
  • Data Leakage,
  • Cross-Site Scripting,
  • Brute Force Attack,
  • Sensitive Data Exposure,
  • Insufficient Transport Layer S…,
  • MIME Sniffing,
  • Open Ports,
  • Blind SQL Injection,
  • XML Injection
1K views4 pages

Overview of Web Vulnerabilities

This document categorizes 100 common web vulnerabilities into various types including injection vulnerabilities, broken authentication and session management, sensitive data exposure, security misconfiguration, XML-related vulnerabilities, broken access control, insecure deserialization, API security issues, insecure communication, client-side vulnerabilities, denial of service, other web vulnerabilities, mobile web vulnerabilities, IoT web vulnerabilities, web of things vulnerabilities, authentication bypass, server-side request forgery, content spoofing, business logic flaws, and zero-day vulnerabilities. The document provides examples of specific vulnerabilities within each category.

Uploaded by

Huzaifa Top
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Topics covered

  • Time-Based Blind SSRF,
  • Data Leakage,
  • Cross-Site Scripting,
  • Brute Force Attack,
  • Sensitive Data Exposure,
  • Insufficient Transport Layer S…,
  • MIME Sniffing,
  • Open Ports,
  • Blind SQL Injection,
  • XML Injection
  • Security Misconfiguration: Describes vulnerabilities that arise from incorrect configurations in the security settings of web applications.
  • Sensitive Data Exposure: Explains how sensitive data can be exposed due to improper encryption and insufficient data protection mechanisms.
  • Broken Authentication and Session Management: Details vulnerabilities related to authentication processes and session handling, compromising user security.
  • Injection Vulnerabilities: Lists various types of injection vulnerabilities, including SQL and LDAP injections that affect web security.
  • Insecure Communication: Highlights how inadequate transport layer security can lead to data interception or modification.
  • API Security Issues: Lists vulnerabilities specific to API security that can result in unintended resource access.
  • Broken Access Control: Outlines access control issues which lead to unauthorized access to sensitive resources.
  • Client-Side Issues: Focuses on vulnerabilities at the client side, including XSS and security misconfiguration issues.
  • XML-Related Vulnerabilities: Covers vulnerabilities in XML processing, such as XXE and XML bombs, that can affect application integrity.
  • Insecure Deserialization: Discusses vulnerabilities arising from insecure deserialization potentially leading to code execution attacks.
  • Denial of Service (DoS): Covers DoS vulnerabilities that can lead to service interruptions caused by resource depletion.
  • Authorization Bypass: Details bypass techniques that exploit insufficiently protected access permissions.
  • IoT Web Vulnerabilities: Discusses security issues linked to the integration of IoT devices with web applications.
  • Other Web Vulnerabilities: Categorizes various unsorted vulnerabilities impacting web servers, including SSRF and HPP.
  • Server-Side Request Forgery (SSRF): Examines the exploitation of server-side request handling that can lead to information disclosure.
  • Mobile Web Vulnerabilities: Identifies security flaws specifically affecting mobile web applications and their data handling.
  • Business Logic Flaws: Describes vulnerabilities in flawed business logic that attackers can exploit to bypass application rules.
  • Zero-Day Vulnerabilities: Focuses on undisclosed vulnerabilities that pose immediate security risks before patches are available.

100 web vulnerabilities, categorized into various types:

Injection Vulnerabilities:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)

Broken Authentication and Session Management:


14. Session Fixation
15. Brute Force Attack
16. Session Hijacking
17. Password Cracking
18. Weak Password Storage
19. Insecure Authentication
20. Cookie Theft
21. Credential Reuse

Sensitive Data Exposure:


22. Inadequate Encryption
23. Insecure Direct Object References (IDOR)
24. Data Leakage
25. Unencrypted Data Storage
26. Missing Security Headers
27. Insecure File Handling

Security Misconfiguration:
28. Default Passwords
29. Directory Listing
30. Unprotected API Endpoints
31. Open Ports and Services
32. Improper Access Controls
33. Information Disclosure
34. Unpatched Software
35. Misconfigured CORS
36. HTTP Security Headers Misconfiguration
XML-Related Vulnerabilities:
37. XML External Entity (XXE) Injection
38. XML Entity Expansion (XEE)
39. XML Bomb

Broken Access Control:


40. Inadequate Authorization
41. Privilege Escalation
42. Insecure Direct Object References
43. Forceful Browsing
44. Missing Function-Level Access Control

Insecure Deserialization:
45. Remote Code Execution via Deserialization
46. Data Tampering
47. Object Injection

API Security Issues:


48. Insecure API Endpoints
49. API Key Exposure
50. Lack of Rate Limiting
51. Inadequate Input Validation

Insecure Communication:
52. Man-in-the-Middle (MITM) Attack
53. Insufficient Transport Layer Security
54. Insecure SSL/TLS Configuration
55. Insecure Communication Protocols

Client-Side Vulnerabilities:
56. DOM-based XSS
57. Insecure Cross-Origin Communication
58. Browser Cache Poisoning
59. Clickjacking
60. HTML5 Security Issues

Denial of Service (DoS):


61. Distributed Denial of Service (DDoS)
62. Application Layer DoS
63. Resource Exhaustion
64. Slowloris Attack
65. XML Denial of Service
Other Web Vulnerabilities:
66. Server-Side Request Forgery (SSRF)
67. HTTP Parameter Pollution (HPP)
68. Insecure Redirects and Forwards
69. File Inclusion Vulnerabilities
70. Security Header Bypass
71. Clickjacking
72. Inadequate Session Timeout
73. Insufficient Logging and Monitoring
74. Business Logic Vulnerabilities
75. API Abuse

Mobile Web Vulnerabilities:


76. Insecure Data Storage on Mobile Devices
77. Insecure Data Transmission on Mobile Devices
78. Insecure Mobile API Endpoints
79. Mobile App Reverse Engineering

IoT Web Vulnerabilities:


80. Insecure IoT Device Management
81. Weak Authentication on IoT Devices
82. IoT Device Vulnerabilities

Web of Things (WoT) Vulnerabilities:


83. Unauthorized Access to Smart Homes
84. IoT Data Privacy Issues

Authentication Bypass:
85. Insecure "Remember Me" Functionality
86. CAPTCHA Bypass

Server-Side Request Forgery (SSRF):


87. Blind SSRF
88. Time-Based Blind SSRF

Content Spoofing:
89. MIME Sniffing
90. X-Content-Type-Options Bypass
91. Content Security Policy (CSP) Bypass
Business Logic Flaws:
92. Inconsistent Validation
93. Race Conditions
94. Order Processing Vulnerabilities
95. Price Manipulation
96. Account Enumeration
97. User-Based Flaws

Zero-Day Vulnerabilities:
98. Unknown Vulnerabilities
99. Unpatched Vulnerabilities
100. Day-Zero Exploits

You might also like