List of Vulnerabilities
This page lists all vulnerabilities that IAST may detect. The Java, .Net, .Net Core and Node columns show the IAST version in which detection of that vulnerability was added for the given runtime; an empty cell means the detection is not available for that runtime, and "Removed" marks the version in which it was dropped.
# | Name | Severity | Description | Java | .Net | .Net Core | Node |
---|---|---|---|---|---|---|---|
1 | Code Injection | High | The application receives and dynamically executes user-controlled code. If the data contains malicious code, the executed code could contain system-level activities engineered by an attacker, as though the attacker was running code directly on the application server. | 3.5 | 3.7 | 3.5 | 3.11 | |
2 | Command Injection | High | There is an OS (shell) command executed using an untrusted string. This untrusted string might contain malicious system-level commands engineered by an attacker, which could be executed as though the attacker were running commands directly on the application server. | 3.5 | 3.5 | 3.5 | 3.5 | |
3 | Deserialize Vulnerability | High | Object serialization and deserialization is integral to the process of remoting, wherein objects are passed between code instances over an intermediary medium, such as a network. During deserialization, a new object is constructed from a serialized object provided over the medium; however, if the object being deserialized is untrusted, an unexpected and potentially dangerous object can be provided. | 3.5 | 3.11 | 3.11 | 3.5 | |
4 | Expression Language Injection OGNL | High | User input is inserted into a string, which is evaluated as an expression language statement without being sanitized, resulting in execution of expression language code from a potentially untrusted source. | 3.5 | ||||
5 | File Inclusion | High | The application uses unfiltered user input to specify a library or code file to be imported. This causes the application to load and execute arbitrary code files. | 3.5 | 3.11 | |||
6 | LDAP Injection | High | The application communicates with an LDAP server, such as Active Directory, by sending a textual LDAP query or command and it creates the query by simply concatenating strings, including untrusted data that might be controlled by an attacker. Since the data is neither validated nor properly sanitized, the input could contain LDAP commands that would be interpreted as such by the LDAP server. | 3.5 | 3.5 | 3.5 | 3.5 | |
7 | Login Information Exposure Through Discrepancy | High | | 3.5 Removed 3.11 | | | |
8 | NoSql Injection | High | The application uses tainted values from an untrusted source to craft a raw NoSQL query. This allows the attacker to modify the syntax of the query and inject new syntax, thus resulting in a NoSQL Injection. | 3.5 | 3.11 | 3.11 | 3.11 | |
9 | Second Order Command Injection | High | When a Command Injection vulnerability is caused by a stored input from a database or a file, the attack vector can be persistent. This vulnerability is also known as Stored Command Injection. | 3.5 | 3.5 | 3.5 | 3.5 | |
10 | Second Order LDAP Injection | High | When an LDAP Injection vulnerability is caused by a stored input from a database or a file, the attack vector can be persistent. This vulnerability is also known as Stored LDAP Injection. | 3.5 | 3.5 | 3.5 | 3.5 | |
11 | Second Order SQL Injection | High | When an SQL Injection vulnerability is caused by a stored input from a database or a file, the attack vector can be persistent. Its name derives from having a first SQL query returning the attacker's payload that's executed in a second query. | 3.5 | 3.5 | 3.5 | 3.5 | |
12 | Second Order XPath Injection | High | When an XPath Injection vulnerability is caused by a stored input from a database or a file, the attack vector can be persistent. This vulnerability is also known as Stored XPath Injection. | 3.5 | 3.5 | 3.5 | 3.5 | |
13 | Sensitive Data Exposure Credit Card | High | Many times, information is leaked that can compromise the security of the user. Regarding this, credit cards are a major concern. | 3.5 | 3.5 | 3.5 | 3.5 | |
14 | Session Id Disclosure | High | Many times, information is leaked that can compromise the security of the user. Once the attacker gains the victim's session identifier, the attacker can perform any action in the application that the user is permitted, including accessing the user's personal data such as reading the user's records or changing the user account. | 3.5 | 3.5 | |||
15 | SQL Injection | High | When an application creates an SQL query by string concatenation using untrusted data, neither ensuring a safe data type nor using correct sanitization, the untrusted data could contain SQL commands, modifying the intended query structure or behavior. The database would interpret the altered query and commands as if they originated from the application, and execute them accordingly. | 3.5 | 3.5 | 3.5 | 3.5 | |
16 | Stored XSS | High | When a Cross-Site Scripting is caused by a stored input from a database or a file, the attack vector can be persistent. This vulnerability is also known as Persistent XSS. | 3.5 | 3.5 | 3.5 | 3.5 | |
17 | XPath Injection | High | An attacker that can modify an XPath query with an arbitrary expression will be able to control which nodes from the XML document will be selected, and thus what data the application will process. This can have different effects depending on the type of XML document and its usage, including retrieval of secret information, control of application flow, modification of sensitive data, reading arbitrary files, or even authentication bypass, impersonation, and privilege escalation. | 3.5 | 3.5 | 3.5 | 3.5 | |
18 | XSS | High | Cross-Site Scripting (XSS). If the application embeds untrusted data directly in the response body, causing the browser to render it as part of the web page, an attacker can include HTML fragments or JavaScript code in it, potentially using it to steal users' passwords, collect personal data such as credit card details, provide false information or run malware. | 3.5 | 3.5 | 3.5 | 3.5 | |
19 | App DoS Database Connections | Medium | | 3.5 | 3.5 | | |
20 | Blind SQL Injection | Medium | SQL Injection vulnerabilities can be distinguished by the way the attacker retrieves information from the SQL query execution - normal SQL Injection vulnerabilities can be detected because query execution errors and results are sent to the user, but Blind SQL Injection attacks need to rely on other kinds of output in order to retrieve information. | 3.5 | 3.5 | 3.5 | 3.5 | |
21 | CSRF | Medium | Cross-Site Request Forgery (CSRF). The application performs some action that modifies database contents based purely on HTTP request content and does not require per-request renewed authentication (such as transaction authentication or a synchronizer token), instead relying solely on session authentication. This means that an attacker could use social engineering to cause a victim to browse to a link in the vulnerable application, submitting a request with the user's session. Once the application receives the request, it would perform the action without verifying the request intent. | 3.5 | 3.5 | 3.5 | 3.5 | |
22 | Failed Login Without Audit | Medium | An attacker can attempt and fail at logging into the application, without the application logging this suspicious activity. Insufficient logging will reduce the chance of detecting an attack within a reasonable time. | 3.5 | 3.5 | 3.5 | ||
23 | Insufficient Session Expiration | Medium | An active session that does not properly expire will remain in the system for a prolonged amount of time, if not indefinitely. This situation could unnecessarily increase the session exposure, allowing attackers the opportunity to obtain the session tokens, and impersonate authenticated users. | 3.5 | 3.5 | 3.5 | ||
24 | Mail Header Injection/ Email Content Forgery | Medium | Email headers that include data added to the email messages received from users, could allow attackers to inject additional commands to the mail server, such as adding or removing recipient addresses, changing the sender's address, modifying the body of the message, or sending the email to a different server. The improper neutralization of the “new line” allows the header injection for emails. Note: Mail Header Injection is a subset of SMTP Header Injection. | 3.5 | 3.8 | 3.8 | ||
25 | Parameter Pollution | Medium | | 3.5 | | | |
26 | Parameter Tampering | Medium | The user can access or modify a resource based on a request parameter, without a proper authorization check. This behavior allows for malicious users to access or modify unauthorized information, such as bank accounts, user information, and shopping orders from other customers. | 3.5 | ||||
27 | Path Traversal | Medium | The application uses user input in the file path for accessing files on the application server’s local disk. An attacker could define arbitrary file paths for the application to use, potentially leading to the deletion, modification or access of sensitive files. | 3.5 | 3.5 | 3.5 | 3.5 | |
28 | Second Order Path Traversal | Medium | When a Path Traversal vulnerability is caused by a stored input from a database or a file, the attack vector can be persistent. This vulnerability is also known as Stored Path Traversal. | 3.5 | 3.5 | 3.5 | 3.5 | |
29 | Sensitive Data Exposure Email | Medium | An e-mail address is identified to be written to a log or file, which could potentially allow attackers to successfully retrieve it. E-mail addresses becoming exposed might allow attackers to retrieve this information, and use it in further attacks against these account owners, or against the application itself. | 3.5 | 3.5 | 3.5 | 3.5 | |
30 | SSRF | Medium | Server-Side Request Forgery (SSRF). The application accepts a URL (or other data) from the user, and uses it to make a request to another remote server. However, the attacker can inject an arbitrary URL into the request, causing the application to connect to any server the attacker wants. Thus, the attacker can abuse the application to gain access to services that would not otherwise be accessible (for example, internal hosts or cloud metadata endpoints), and cause the request to ostensibly originate from the application server. | 3.5 | 3.8 | 3.8 | |
31 | Trust Boundary Violation | Medium | Server-side Session variables, or objects, are values assigned to a specific session, which is associated with a specific user. Code that reads from these session variables might trust them as server-side variables, but they might have been tainted by user inputs. Tainted Session variables offer an additional attack surface against the application. If untrusted data taints a session variable, which is then used elsewhere without sanitization, as if it were trusted, it could lead to further attacks, such as Cross-Site Scripting and SQL Injection. | 3.5 | 3.5 | 3.5 | ||
32 | Unrestricted Upload of File with Dangerous Size | Medium | Allowing users to save files of unrestricted size might allow attackers to fill file storage with junk, or conduct long writing operations which would strain systems conducting the saving operation. Exhausting this storage space or constraining it to the point where it is unavailable will result in denial of service. | 3.5 | ||||
33 | XXE | Medium | XML External Entity (XXE). An application that parses user-controlled XML documents can allow an attacker to craft an XML document that reads arbitrary server files through DTD entity references. This XML document could contain an entity referring to an embedded DTD entity definition that points to any local file, enabling the attacker to retrieve arbitrary system files on the server. | 3.5 | 3.5 | 3.5 | 3.5 | |
34 | Unsafe Object Binding | Medium | Using object binding methods (built into MVC controllers and ORMs) exposes all public setters to allow easily wiring values submitted by users in forms, to the objects and attributes they are intended to create or alter. This might pose a significant risk to application logic and flow - naively mass binding objects in such a manner might also accidentally expose unintended objects or attributes, which could then be tampered with by an attacker. | 3.6 | ||||
35 | Missing HSTS Header | Medium | Many users browse to websites by simply typing the domain name into the address bar, without the protocol prefix. The browser will automatically assume that the user's intended protocol is HTTP, instead of the encrypted HTTPS protocol. Once a browser that supports the HSTS feature has visited a web-site and the header was set, it will no longer allow communicating with the domain over an HTTP connection. Failure to set an HSTS header and provide it with a reasonable "max-age" value of at least one year might leave users vulnerable to Man-in-the-Middle attacks. | 3.6 | 3.6 | 3.7 | ||
36 | Insufficient Key Size | Medium | When the key used to encrypt data is of insufficient size, it reduces the total number of possible keys an attacker must try before finding the actual key for a captured ciphertext. Depending on how small the key used is, it might even be trivial for an attacker to break it. When there is a flaw in a cryptographic implementation, it might compromise the integrity, authenticity or confidentiality of the application's data. | 3.6 | ||||
37 | ReDoS From Regex Injection | Medium | The application uses user input in a regular expression, allowing an attacker to inject dangerous patterns that cause the application to spend a significant amount of computation time processing a regular expression over a data-set. | 3.6 | ||||
38 | Improper_Redirection | Medium | The application is sending private information to the user although the 'Location' header and a redirect status code are being sent in the response by @DestinationElement in @DestinationFile at line @DestinationLine. | 3.11 | 3.11 | 3.11 | ||
39 | Log Forging | Low | When the audit log of an application includes user input that is neither checked for a safe data type nor correctly sanitized, that input could contain false information made to look like a different, legitimate audit log data. | 3.5 | 3.5 | 3.5 | 3.5 | |
40 | Open Redirect | Low | The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application that redirects the user’s browser to an untrusted website without the awareness of the user. | 3.5 | 3.5 | 3.5 | 3.5 | |
41 | File Upload To Unprotected Directory | Low | The application allows users to upload files to the application, which are saved in the web site's directory. If thorough validation checks are not applied to the uploaded files, especially with regards to the file type or contents, attackers can upload executable files, in particular web server code, such as .ASP, .PHP, and .JSP files. | 3.5 | 3.5 | 3.5 | ||
42 | Improper HTTP Get Usage | Low | | 3.5 | 3.5 | | |
43 | Insecure Cookie | Low | Cookies can be passed over either encrypted or unencrypted channels. Setting the Secure cookie attribute indicates to the browser never to submit the cookie over an unencrypted channel. | 3.5 | 3.5 | 3.5 | 3.5 | |
44 | Insecure Outgoing Communication | Low | The app handles various forms of sensitive data, and communicates with the remote application server. However, the app connects using an "http://" URL, which causes the underlying channel to use straight HTTP, without securing it with SSL/TLS. Without this protection, an attacker could steal any personal or secret data sent over unencrypted HTTP, such as passwords, credit card details, social security numbers, and other forms of Personally Identifiable Information (PII), leading to identity theft and other forms of fraud. | 3.5 | 3.5 | 3.5 | 3.5 | |
45 | Least Privilege Violation | Low | The application runs with privileges that are higher than necessary. According to the concept of Defense in Depth, software must be developed and deployed based on a policy where privileges are restricted as much as possible, to the point of just allowing enough for performing the required actions. Then if a vulnerability is ever found, adhering to the policy will limit the damages done by an attacker. For example, if the application does not require administrator permissions, the user must not be included in the administrator group. | 3.5 | 3.5 | 3.5 | 3.5 | |
46 | Null Byte Injection | Low | | 3.5 Removed 3.11 | | | |
47 | Outgoing Connection Discovery | Low | | 3.5 | 3.5 | 3.5 | 3.5 |
48 | Sensitive Cookie Without HttpOnly | Low | Cookies that contain the user's session identifier, and other sensitive application cookies, are by default accessible to client-side scripts, such as JavaScript. Unless the web application explicitly prevents this using the "HttpOnly" cookie flag, these cookies could be read by malicious client scripts, such as a payload injected through Cross-Site Scripting (XSS). Setting the flag limits the damage should an XSS vulnerability be discovered, in keeping with Defense in Depth. | 3.5 | ||||
49 | Successful Login Without Audit | Low | If an attacker succeeds in logging on to an application where successful logons are not audited, it will be difficult to detect the attack within a reasonable amount of time. | 3.5 | 3.5 | 3.5 | ||
50 | Weak Cryptography | Low | Applications depend on cryptography in order to protect secrets and other sensitive or personally identifiable data. When there is a flaw in a cryptographic implementation, it might compromise the integrity, authenticity or confidentiality of the application's data. | 3.5 | 3.5 | 3.5 | 3.5 | |
51 | Weak DB Password | Low | Weak passwords can be easily discovered by techniques as dictionary attacks or brute force. An attacker can use these attacks on the password if external connections to the database are allowed, or another vulnerability is discovered on the application. | 3.5 | 3.5 | 3.5 | 3.5 | |
52 | Weak Hashing | Low | When applications rely on weak or broken hash functions to perform cryptographic operations for providing integrity or authentication features, attackers can leverage their known attacks against them to break signatures or password hashes. This could result in loss of confidentiality, integrity and authenticity of data. | 3.5 | 3.5 | 3.5 | 3.5 | |
53 | Weak Random | Low | Non-cryptographically-secure pseudo-random number generators, while providing uniform output, are predictable, rendering them useless in certain cryptographic scenarios. For most non-cryptographic applications, there is only the requirement of uniform output of equal probability for each byte taken out of the pseudo-random number generator. However, cryptographically-secure pseudo-random number generators (CSPRNGs) have an additional requirement of unpredictability, so that an attacker cannot predict future output or the internal state of the PRNG by looking at previously generated values. | 3.5 | 3.5 | 3.5 | 3.5 | |
54 | Missing Content Security Policy | Low | The Content-Security-Policy header enforces that the source of content, such as the origin of a script, embedded (child) frame, embedding (parent) frame or image, is trusted and allowed by the current web page; if, within the web page, a content's source does not adhere to a strict Content Security Policy, it is promptly rejected by the browser. Failure to define a policy might leave the application's users exposed to Cross-Site Scripting (XSS) attacks, clickjacking attacks, content forgery and other attacks. | 3.6 | 3.6 | 3.7 | |
55 | Permissive Content Security Policy | Low | The Content-Security-Policy header enforces that the source of content, such as the origin of a script, embedded (child) frame, embedding (parent) frame or image, is trusted and allowed by the current web page; if, within the web page, a content's source does not adhere to a strict Content Security Policy, it is promptly rejected by the browser. A policy that is defined but overly permissive (for example, one that allows scripts from any origin, inline scripts, or eval) gives little of that protection and might leave the application's users exposed to Cross-Site Scripting (XSS) attacks, clickjacking attacks, content forgery and other attacks. | 3.6 | ||||
56 | Missing Expect CT Header | Low | Declaring the Expect-CT header ensures that supporting browsers use Certificate Transparency to detect compromises of a CA's integrity and, as defined in the header parameters, to report and/or enforce secure connections. Using Certificate Transparency with Expect-CT and the right parameters makes it possible to detect certificates issued by a compromised CA and so avoid some man-in-the-middle attacks. Note that the header is now deprecated: current versions of Chrome ignore it and enforce Certificate Transparency unconditionally, so it only affects older clients. | 3.6 | 3.6 | 3.7 | |
57 | RSA Public Exponent | Low | The check looks for RSA keys with a low public exponent (such as e = 3). With a small exponent and certain usage patterns (for example, unpadded or poorly padded encryption of the same message to several recipients), known attacks on the algorithm allow an attacker to recover the encrypted message. | 3.6 | ||||
58 | Backend_Information_Disclosure | Low | There are traits in the response that can be used to identify technologies used in the backend server. | 3.11 | 3.11 | 3.11 | ||
59 | Cross_Site_History_Manipulation | Low | Method @SourceMethod at line @SourceLine of @SourceFile may leak server-side conditional values, enabling user tracking from another website. This may constitute a Privacy Violation. | 3.11 | 3.11 | 3.11 | |
60 | Application Entry Point | Info | | 3.5 | 3.5 | 3.5 | 3.5 |
61 | Click Jacking | Info | The X-Frame-Options header indicates to the browser to avoid embedding the web-page within a frame, mitigating the risk of clickjacking. The X-Frame-Options header can prevent an attacker from embedding a web-page inside a frame within a malicious web-page, with the goal of convincing users to unknowingly click inside the frame, causing unintended malicious actions. | 3.5 | 3.5 | 3.5 | ||
62 | CORS | Info | Modern browsers, by default, disallow resource sharing between different domains. Thus web applications cannot access one another's DOM contents, cookie jars and other resources. A misconfigured Cross-Origin Resource Sharing (CORS) header might allow scripts from other web sites to access and manipulate resources on the affected web application. Using these resources, such as page contents and tokens, attackers might initiate Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks, perform actions on a user's behalf, such as changing their passwords, or breach user privacy. | 3.5 | 3.5 | |||
63 | Debug Mode Enabled | Info | It’s possible to introspect and influence the app’s state when running it with the debugger connected. This feature is intended to help developers, but it can be abused by attackers, letting them steal confidential data and expose sensitive information. Some functionalities might even ignore security constraints that would otherwise be enforced in release mode. | 3.5 | 3.5 | |||
64 | Missing X Content Type Options Header | Info | Modern browsers have the capability of sniffing Content Types, and some do so even when the Content-Type header is set. Sending the X-Content-Type-Options response header with the nosniff value ensures that browsers follow the assigned Content-Type, leaving users less susceptible to MIME sniffing attacks, which could result in Cross-Site Scripting (XSS) attacks. | 3.5 | 3.5 | 3.5 | ||
65 | Missing X XSS Protection Header | Info | Some older browsers have the capability of detecting potentially dangerous reflected Cross-Site Scripting (XSS) payloads. Enabling the X-XSS-Protection response header ensures that browsers that support the header will use the protection, serving as another line of defense against XSS attacks. Note that current versions of Chrome, Edge and Firefox do not implement this filter, so the header offers no protection there; a Content Security Policy is the modern equivalent. | 3.5 | 3.5 | 3.5 | ||
66 | Sensitive Data Exposure Long Number | Info | A long number, heuristically presumed to have sensitive and meaningful contents, was exposed or stored in an insecure manner, potentially allowing its contents to be retrieved by attackers. | 3.5 | 3.11 | 3.11 | 3.5 |
XSS
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Additional information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
SQL Injection
Code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the attacker).
Additional information: https://www.owasp.org/index.php/SQL_Injection
Command Injection
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell.
Additional information: https://www.owasp.org/index.php/Command_Injection
XPath Injection
An attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
Additional information: https://www.owasp.org/index.php/XPATH_Injection
LDAP Injection
An attack technique used to exploit web sites that construct LDAP statements from user-supplied input. Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services.
Additional information: https://www.owasp.org/index.php/LDAP_injection
Deserialization Vulnerability
Unsafe deserialization of untrusted data, such as serialized Java objects received over the network. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialization occurs.
Additional information: https://cwe.mitre.org/data/definitions/502.html
Second Order LDAP Injection
Second Order LDAP Injection arises when user-supplied data is stored by the application and later incorporated into LDAP queries in an unsafe way.
Additional information: https://www.owasp.org/index.php/LDAP_injection
Second Order Command Injection
Second Order OS Command Injection arises when user supplied data is stored by the application and later incorporated into OS command in an unsafe way.
Additional information: https://www.owasp.org/index.php/Command_Injection
Second Order SQL Injection
Second Order SQL Injection arises when user supplied data is stored by the application and later incorporated into SQL queries in an unsafe way.
Additional information: https://www.owasp.org/index.php/SQL_Injection
Second Order XPath Injection
Second Order XPath Injection arises when user-supplied data is stored by the application and later incorporated into XPATH queries in an unsafe way.
Additional information: https://www.owasp.org/index.php/XPATH_Injection
Sensitive Data Exposure - Credit Card
Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. In this case credit card numbers can be exposed as is to DB, logs, File system or directly to the user.
Additional information: https://www.owasp.org/index.php/Top_10_2017-A6-Sensitive_Data_Exposure
Stored XSS
Stored XSS attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.
Additional information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Stored_XSS_Attacks
Session ID Disclosure
Session ID disclosure happens when the session identifier is exposed to a party other than its owner, for example when an application runs over SSL/TLS but the "Secure" attribute has not been set on the session cookie, so the browser will also send it over plain HTTP.
Additional information: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
Parameter Tampering
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
Additional information: https://www.owasp.org/index.php/Web_Parameter_Tampering
Path Traversal
An HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory. Web servers provide two main security mechanisms against this: Access Control Lists (ACLs) and the root directory. (This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".)
Additional information: https://www.owasp.org/index.php/Path_Traversal
Open Redirect
Unvalidated redirects are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within that untrusted input. By modifying the untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Additional information: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
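A redirect-target check that closes the usual bypasses, added here as an example; it is not Checkmarx code or a library API, and the allowlist ALLOWED_HOSTS and the function name are assumptions for the illustration. The page's supported runtimes are Java, .Net and Node; Python is used only so the example is self-contained.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}


def safe_redirect_target(user_url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return user_url if it is a same-origin path or an http(s) URL on an allowed
    host; otherwise return the default landing page.

    Bypasses this closes: scheme-relative '//evil.example', backslash forms that
    browsers rewrite to '/', 'https:evil.example' without slashes, userinfo
    confusion 'https://app.example.com@evil.example', non-http schemes such as
    'javascript:', and CR/LF that could inject response headers.
    """
    if not user_url or any(c in user_url for c in "\r\n\x00"):
        return default
    candidate = user_url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept only a single leading '/'. '//' would be
        # scheme-relative, and browsers treat '///' the same way.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if host is None or host not in allowed_hosts or parts.username is not None:
        return default
    return candidate


if __name__ == "__main__":
    for u in ["/account", "https://app.example.com/settings", "//evil.example/phish",
              "/\\evil.example", "https:evil.example", "javascript:alert(1)",
              "https://app.example.com@evil.example/"]:
        print("%-42r -> %s" % (u, safe_redirect_target(u)))
```

Relative targets without a leading slash are deliberately sent to the default rather than resolved, and the allowlist is matched on the exact host, not on a suffix, since "app.example.com.evil.example" would pass a suffix check.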
Trust Boundary Violation
A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.
Additional information: https://cwe.mitre.org/data/definitions/501.html
CSRF
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.
Additional Information: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
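The synchronizer-token defense the table entry refers to, shown as an added example rather than Checkmarx or framework code: the token is an HMAC bound to the session and a timestamp, so a cross-site form POST that rides on the victim's cookie still fails because the attacker never saw a valid token. SERVER_SECRET, the request and session dictionaries and handle_transfer are assumptions standing in for a real framework.

```python
import hashlib
import hmac
import os
import time

# Assumed: a per-deployment secret that never leaves the server.
SERVER_SECRET = os.urandom(32)


def _mac(session_id, ts):
    return hmac.new(SERVER_SECRET, ("%s|%d" % (session_id, ts)).encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, issued_at=None):
    """Synchronizer token '<issued_at>.<HMAC(secret, session_id|issued_at)>'.
    Bound to one session and limited in lifetime; sent in the form body, not in a cookie."""
    ts = int(time.time()) if issued_at is None else int(issued_at)
    return "%d.%s" % (ts, _mac(session_id, ts))


def verify_csrf_token(session_id, token, max_age=3600, now=None):
    """True only for a token issued for this session within max_age seconds.
    compare_digest keeps the comparison constant-time."""
    if not token or "." not in token:
        return False
    ts_text, mac = token.split(".", 1)
    if not ts_text.isdigit():
        return False
    ts = int(ts_text)
    now = int(time.time()) if now is None else int(now)
    if ts > now + 60 or now - ts > max_age:  # small clock-skew allowance, hard expiry
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode())


def handle_transfer(request, session):
    """Simulated state-changing endpoint. A forged cross-site POST arrives with the
    victim's session cookie (so `session` is valid) but without a token the attacker
    could not have obtained; the check below is what the table entry says is missing."""
    if request.get("method") != "POST":
        return 405, "state changes only via POST"
    form = request.get("form") or {}
    if not verify_csrf_token(session["id"], form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    session = {"id": "sess-1234"}  # constructed session for the demonstration
    token = issue_csrf_token(session["id"])
    print(handle_transfer({"method": "POST", "form": {"csrf_token": token, "amount": "10", "to": "bob"}}, session))
    print(handle_transfer({"method": "POST", "form": {"amount": "10000", "to": "attacker"}}, session))
```

The token is a second layer on top of session authentication, which is the point of the entry; a SameSite=Lax or Strict attribute on the session cookie and an Origin/Referer check are worthwhile additional layers, and GET handlers must never change state, or the token check is simply bypassed.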
Application DoS Database Connections
When database connection pool entries are not properly restricted and if the number or size of the resources is not controlled, an attacker could cause a denial of service that consumes all available database connections.
Additional information: https://www.owasp.org/index.php/Application_Denial_of_Service
Log Forging
Writing un-validated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs.
Additional information: https://www.owasp.org/index.php/Log_Injection
Insufficient Session Expiration
Insufficient Session Expiration occurs when a Web application permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a Web site's exposure to attacks that steal or reuse users' session identifiers. The best practice is to use a short session idle timeout. Recommended idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications.
Additional information: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Insufficient_Session_Expiration
Second Order Path Traversal
Second Order Path Traversal arises when user-supplied data is stored by the application and later incorporated into a path in an unsafe way.
Additional information: https://www.owasp.org/index.php/Path_Traversal
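A containment check that serves both the Path Traversal and Second Order Path Traversal entries, added as an example (not Checkmarx code): the same function is applied whether the filename arrives in a request or is read back from a database row, since the stored value is no more trustworthy than the original input. The directory layout is constructed for the demonstration and the function names are assumptions.

```python
import os
import tempfile


def resolve_under_root(root, user_path):
    """Return the canonical absolute path for user_path inside root, or raise ValueError.

    realpath() resolves '..', duplicate separators and symbolic links before the
    containment check, so a symlink inside root that points outside is caught too.
    NUL bytes are rejected because the C-level open() would truncate the name there.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    # os.path.join discards root when user_path is absolute; the containment
    # check then rejects it because the result is not under root_real.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes the allowed directory: %r" % user_path)
    return candidate


def is_contained(root, user_path):
    """Boolean form of the check, convenient for allow/deny decisions."""
    try:
        resolve_under_root(root, user_path)
        return True
    except ValueError:
        return False


def build_demo_root():
    """Constructed directory tree for the demonstration:
       <root>/docs/report.txt  a legitimate file
       <root>/escape           a symlink to the parent of <root>, i.e. out of bounds
    """
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
        fh.write("quarterly report\n")
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    return root


if __name__ == "__main__":
    root = build_demo_root()
    # Values a request parameter, or a filename read back from the database
    # (the second-order case), might carry.
    for p in ["docs/report.txt", "docs/../docs/report.txt", "../../etc/passwd",
              "/etc/passwd", "escape/secret.txt", "docs/report.txt\x00.png"]:
        print("%-30r %s" % (p, "allowed" if is_contained(root, p) else "rejected"))
```

A plain string check such as rejecting ".." is not a substitute: it misses absolute paths, symlinks and platform-specific separators, which is why the check here canonicalises first and compares afterwards.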
Sensitive Data Exposure – Email
Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. In this case emails are written to the logs or to the File system.
Additional information: https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
Blind SQL Injection
Blind SQLI happens when the database does not output data to the web page, and an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.
Additional information: https://www.owasp.org/index.php/Blind_SQL_Injection
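One runnable example serving the SQL Injection, Second Order SQL Injection and Blind SQL Injection entries above. It is added here and is not Checkmarx code; the in-memory SQLite schema and its two rows are constructed for the demonstration, and the function names are assumptions. Each vulnerable function concatenates a value into the statement, which is the sink IAST reports; the parameterised versions show the fix.

```python
import sqlite3


# Constructed in-memory database for this demonstration (not a real application schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "Tr0ub4dor", "admin")],
    )
    db.commit()
    return db


# First-order SQL injection: untrusted input is concatenated into the statement,
# so a quote in the input changes the query structure.
def find_user_vulnerable(db, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


# The fix: a parameterised query. The value travels separately from the SQL
# text and can never be interpreted as SQL, whatever it contains.
def find_user_safe(db, name):
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Second-order injection. Registration stores the name correctly (parameterised)...
def register(db, name, password):
    db.execute("INSERT INTO users VALUES (?, ?, 'user')", (name, password))
    db.commit()


# ...but a later feature trusts the value because it "came from the database"
# and concatenates it. The payload stored at registration fires here.
def profile_lookup_vulnerable(db, name):
    stored = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()[0]
    sql = "SELECT name, role FROM users WHERE name = '" + stored + "'"
    return db.execute(sql).fetchall()


# Blind injection: this login reveals nothing but success/failure, yet the
# boolean answer is enough of an oracle to read the database.
def login_vulnerable(db, name, password):
    sql = ("SELECT 1 FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


# Boolean-based blind extraction: one true/false question per candidate
# character; '--' comments out the rest of the original statement.
def extract_admin_password(db, max_len=32):
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = ("x' OR (SELECT substr(password, %d, 1) FROM users WHERE name = 'admin') = '%s' -- "
                     % (pos, ch))
            if login_vulnerable(db, probe, ""):
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the secret
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "x' OR '1'='1"))   # every row, not one
    print(find_user_safe(db, "x' OR '1'='1"))         # []: the payload stays a string
    register(db, "bob' OR '1'='1", "pw")
    print(profile_lookup_vulnerable(db, "bob' OR '1'='1"))
    print(extract_admin_password(db))
```

The second-order case is the one escaping and input validation at the entry point do not catch: the stored value was written safely and only becomes dangerous when a later query concatenates it, so every query must be parameterised, not just the ones that touch request data directly.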
Parameter Pollution
HTTP Parameter Pollution (HPP) vulnerabilities allow attackers to exploit web applications by manipulating the query parameters in the URL and the request body, which can lead to cross-site scripting, privilege escalation, or authorization bypass.
XXE
XXE injection occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Additional information: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Weak Crypto
Usage of encryption algorithms that are considered weak. For example: DES, MD5, MD2, SHA, SHA1, SHA0 or Blowfish.
Additional Information: https://www.owasp.org/index.php/Testing_for_weak_Cryptography
Weak Hashing
Usage of hashing algorithms that are considered weak. For example: MD5, MD2 or SHA1.
Additional Information: https://www.sans.org/reading-room/whitepapers/authentication/dangers-weak-hashes-34412
Insecure Cookie
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.
Additional Information: https://www.owasp.org/index.php/SecureFlag
Weak Random
Standard pseudo-random number generators cannot withstand cryptographic attacks. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in a security-sensitive context. Computers are deterministic machines and, as such, are unable to produce true randomness on their own.
Additional Information: https://www.owasp.org/index.php/Insecure_Randomness
File Uploaded to Unprotected Directory
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
Additional Information: https://www.owasp.org/index.php/Unrestricted_File_Upload
Weak DB Password
Products generally do not require users to have strong passwords, which makes it easier for attackers to compromise user accounts. An authentication mechanism is only as strong as its credentials. Lack of password complexity significantly reduces the search space when trying to guess users' passwords, making brute-force attacks easier.
Additional Information: https://cwe.mitre.org/data/definitions/521.html
Outgoing Connection Discovery
Any outgoing HTTP or HTTPS connection is started.
Insecure Outgoing Communication
Any outgoing plain HTTP (not HTTPS) connection is started.
Least Privilege Violation
The application runs under a user account with administrator privileges.
Login Without Audit
A login attempt that is not properly audited allows attackers to achieve their goals without being detected.
Improper_HTTP_Get_Usage
A GET request was identified as changing data on the server. As a best practice, GET requests should never change data on the server.
Clickjacking
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for one page and routing them to another page, most likely owned by another application, domain, or both.
Additional Information: https://www.owasp.org/index.php/Clickjacking
X-Content-Type-Options
X-Content-Type-Options is an HTTP header used to increase the security of your website. The X-Content-Type-Options header is used to protect against MIME sniffing vulnerabilities. These vulnerabilities can occur when a website allows users to upload content but the user disguises one file type as another. This can give them the opportunity to perform cross-site scripting and compromise the website.
Additional Information: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
CORS
In order to keep a website and its users secure from the security risks involved with sharing resources across multiple domains, the use of CORS is recommended. CORS, also known as Cross-Origin Resource Sharing, allows resources such as JavaScript and web fonts to be loaded from domains other than the origin domain.
Additional Information: http://blog.securelayer7.net/owasp-top-10-security-misconfiguration-5-cors-vulnerability-patch/
X-XSS-Protection
Implementing HTTP security headers is an important way to keep your site and your visitors safe from attacks and hackers. The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This filter is usually enabled by default, but sending the header enforces it.
Additional Information: https://www.keycdn.com/blog/x-xss-protection/
Application Entry Point
Any inbound HTTP or HTTPS connection is opened.
Sensitive Data Exposure - Long Number
Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. In this case, long numbers that can potentially contain sensitive data, such as social security numbers or telephone numbers, are written to the logs or to the file system.
Debug Mode Enabled
Debug mode is enabled. Custom error messages may expose sensitive information to untrusted parties.
Additional Information: https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure