Go
Available solutions
- Asymmetric denial of service
- Symmetric denial of service
- Remote command execution
- Privilege escalation
- Authentication mechanism absence or evasion
- Cross-site request forgery
- Reflected cross-site scripting (XSS)
- Sensitive information in source code
- Stored cross-site scripting (XSS)
- Use of software with known vulnerabilities
- Insecure object reference
- Insecure functionality
- Insecure authentication method - Basic
- Insecure encryption algorithm - SSL/TLS
- Sensitive information sent insecurely
- Administrative credentials stored in cache memory
- Non-encrypted confidential information
- XPath injection
- Use of an insecure channel
- Uncontrolled external site redirect - Host Header Injection
- User enumeration
- Insecure file upload
- Insecure temporary files
- Inadequate file size control
- Sensitive information sent via URL parameters
- Password change without identity check
- Insecure generation of random numbers
- Weak credential policy
- Technical information leak
- Business information leak
- Improper authorization control for web services
- Enabled default credentials
- Insecurely generated cookies
- Insecure or unset HTTP headers - Content-Security-Policy
- Insecure HTTP methods enabled
- Automatic information enumeration
- Guessed weak credentials
- Cracked weak credentials
- Insecure encryption algorithm
- Lack of protection against brute force attacks
- Anonymous connection
- Asymmetric denial of service - Content length
- Sensitive information stored in logs
- Remote File Inclusion
- Concurrent sessions
- Lack of data validation - Path Traversal
- Traceability loss - Server's clock
- Technical information leak - Console functions
- Improper resource allocation
- Insecure session expiration time
- Weak CAPTCHA
- Insecure or unset HTTP headers - Referrer-Policy
- Improper authorization control for web services - RDS
- Insecure session management
- Insecurely generated token
- Non-upgradable dependencies
- Business information leak - Customers or providers
- Lack of multi-factor authentication
- Insecurely deleted files
- XML injection (XXE)
- Account lockout
- Privacy violation
- Lack of data validation - Trust boundary violation
- CSV injection
- Log injection
- Insecure encryption algorithm - Anonymous cipher suites
- Hidden fields manipulation
- Insecure encryption algorithm - Cipher Block Chaining
- Data uniqueness not properly verified
- Insecure deserialization
- External control of file name or path
- Server-side request forgery (SSRF)
- Lack of protection against deletion
- Email uniqueness not properly verified
- NoSQL injection
- LDAP injection
- Improper control of interaction frequency
- HTTP request smuggling
- Out-of-bounds read
- Improper type assignation
- Phishing
- Security controls bypass or absence
- Unverifiable files
- Regulation infringement
- Metadata with sensitive information
- Improper dependency pinning
- HTTP parameter pollution
- Email flooding
- Local file inclusion
- Race condition
- Directory listing
- Lack of isolation methods
- Lack of data validation - Type confusion
- Insecurely generated cookies - HttpOnly
- Insecurely generated cookies - SameSite
- Insecurely generated cookies - Secure
- Insecure or unset HTTP headers - Strict-Transport-Security
- Insecure or unset HTTP headers - X-Content-Type-Options
- Insecure encryption algorithm - Perfect Forward Secrecy
- Insecure or unset HTTP headers - CORS
- Insecure or unset HTTP headers - X-XSS-Protection
- Insecure or unset HTTP headers - Cache-Control
- Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
- Inappropriate coding practices
- Insecure exceptions - Empty or no catch
- Lack of data validation - URL
- Sensitive information in source code - API Key
- Inappropriate coding practices - Eval function
- Inappropriate coding practices - Cyclomatic complexity
- SQL injection
- Insecure encryption algorithm - SSLContext
- Use of an insecure channel - FTP
- Use of an insecure channel - SMTP
- Use of an insecure channel - Telnet
- Insecure or unset HTTP headers - X-Frame-Options
- Insecure or unset HTTP headers - Accept
- Time-based SQL Injection
- SQL Injection - Headers
- Uncontrolled external site redirect
- Unrestricted access between network segments
- Excessive privileges
- Excessive privileges - Temporary Files
- Email spoofing
- Debugging enabled in production
- Lack of data validation
- Lack of data validation - Header x-amzn-RequestId
- Lack of data validation - Web Service
- Lack of data validation - Source Code
- Lack of data validation - Content Spoofing
- Lack of data validation - Session Cookie
- Lack of data validation - Responses
- Lack of data validation - Reflected Parameters
- Lack of data validation - Host Header Injection
- Lack of data validation - Input Length
- Lack of data validation - Headers
- Lack of data validation - Dates
- Lack of data validation - Numbers
- Lack of data validation - Out of range
- Lack of data validation - Emails
- Traceability loss
- Unauthorized access to files
- Unauthorized access to files - S3 Bucket
- Insufficient data authenticity validation
- Security controls bypass or absence - Antivirus
- Security controls bypass or absence - Facial Recognition
- Asymmetric denial of service - ReDoS
- Security controls bypass or absence - Cloudflare
- Business information leak - JWT
- Business information leak - Credentials
- Business information leak - Source Code
- Business information leak - Credit Cards
- Business information leak - Network Unit
- Business information leak - Token
- Business information leak - Users
- Business information leak - DB
- Business information leak - Personal Information
- Business information leak - Analytics
- Message flooding
- Incomplete functional code
- Technical information leak - Stacktrace
- Technical information leak - Headers
- Technical information leak - SourceMap
- Technical information leak - Print Functions
- Technical information leak - API
- Technical information leak - Errors
- Authentication mechanism absence or evasion - OTP
- Authentication mechanism absence or evasion - Admin Console
- Non-encrypted confidential information - Credit Cards
- Non-encrypted confidential information - DB
- Non-encrypted confidential information - LDAP
- Non-encrypted confidential information - Credentials
- Non-encrypted hard drives
- Automatic information enumeration - Open ports
- Automatic information enumeration - Credit Cards
- Insecure functionality - Pass the hash
- Insecure encryption algorithm - DSA
- Insecure encryption algorithm - SHA1
- Insecure encryption algorithm - MD5
- Insecure encryption algorithm - TripleDES
- Insecure encryption algorithm - AES
- Insecure encryption algorithm - Blowfish
- Insecure functionality - File Creation
- Insecure functionality - Password management
- Insecure functionality - Masking
- Insecure functionality - Fingerprint
- Restricted fields manipulation
- Sensitive information sent via URL parameters - Session
- Weak credential policy - Password Expiration
- Session Fixation
- Insecure encryption algorithm - ECB
- Automatic information enumeration - Personal Information
- Non-encrypted confidential information - Base 64
- Insecure object reference - Personal information
- Insecure object reference - Corporate information
- Insecure object reference - Financial information
- Technical information leak - Logs
- Technical information leak - IPs
- Business information leak - Financial Information
- Insecure session management - Change Password
- Weak credential policy - Password Change Limit
- SQL injection - Code
- Authentication mechanism absence or evasion - Redirect
- Concurrent sessions control bypass
- Insecure functionality - Session management
- Security controls bypass or absence - Data creation
- Insecure object reference - Files
- Insecure object reference - Data
- Enabled default configuration
- Insecurely generated token - JWT
- Improper resource allocation - Memory leak
- Insecurely generated token - Validation
- Lack of data validation - HTML code
- Insecurely generated token - Lifespan
- Insecure functionality - User management
- Insecure object reference - Session management
- Insecure or unset HTTP headers - Content-Type
- Lack of protection against brute force attacks - Credentials
- Use of an insecure channel - Source code
- Business information leak - Corporate information
- Insecure session management - CSRF Fixation
- Lack of data validation - Special Characters
- Lack of data validation - OTP
- Lack of data validation - Non Sanitized Variables
- Security controls bypass or absence - Session Invalidation
- Technical information leak - Credentials
- Lack of data validation - Token
- Insecure file upload - Files Limit
- Insufficient data authenticity validation - Checksum verification
- Sensitive information in source code - Credentials
- Technical information leak - Content response
- Weak credential policy - Password strength
- Weak credential policy - Temporary passwords
- Authentication mechanism absence or evasion - Response tampering
- Insecure object reference - User deletion
- DOM-Based cross-site scripting (XSS)
- Use of an insecure channel - HTTP
- Security controls bypass or absence - Tampering Protection
- Non-encrypted confidential information - Hexadecimal
- Inappropriate coding practices - Unnecessary imports
- Insecurely generated token - OTP
- Inappropriate coding practices - Wildcard export
- Insecure authentication method - NTLM
- Inappropriate coding practices - Unused properties
- Use of software with known vulnerabilities in development
- Insecure generation of random numbers - Static IV
- Insecure authentication method - LDAP
- OS Command Injection
- Excessive privileges - Access Mode
- Insecure encryption algorithm - Default encryption
- Account Takeover
- Password reset poisoning
- Insecure encryption algorithm - Insecure Elliptic Curve
- Server-side template injection
- Server-side cross-site scripting
- Inappropriate coding practices - invalid file
- Inappropriate coding practices - relative path command
- Use of software with known vulnerabilities in environments
- Security controls bypass or absence - Fingerprint