Go

Available solutions

  1. Asymmetric denial of service
  2. Symmetric denial of service
  3. Remote command execution
  4. Privilege escalation
  5. Authentication mechanism absence or evasion
  6. Cross-site request forgery
  7. Reflected cross-site scripting (XSS)
  8. Sensitive information in source code
  9. Stored cross-site scripting (XSS)
  10. Use of software with known vulnerabilities
  11. Insecure object reference
  12. Insecure functionality
  13. Insecure authentication method - Basic
  14. Insecure encryption algorithm - SSL/TLS
  15. Sensitive information sent insecurely
  16. Administrative credentials stored in cache memory
  17. Non-encrypted confidential information
  18. XPath injection
  19. Use of an insecure channel
  20. Uncontrolled external site redirect - Host Header Injection
  21. User enumeration
  22. Insecure file upload
  23. Insecure temporary files
  24. Inadequate file size control
  25. Sensitive information sent via URL parameters
  26. Password change without identity check
  27. Insecure generation of random numbers
  28. Weak credential policy
  29. Technical information leak
  30. Business information leak
  31. Improper authorization control for web services
  32. Enabled default credentials
  33. Insecurely generated cookies
  34. Insecure or unset HTTP headers - Content-Security-Policy
  35. Insecure HTTP methods enabled
  36. Automatic information enumeration
  37. Guessed weak credentials
  38. Cracked weak credentials
  39. Insecure encryption algorithm
  40. Lack of protection against brute force attacks
  41. Anonymous connection
  42. Asymmetric denial of service - Content length
  43. Sensitive information stored in logs
  44. Remote File Inclusion
  45. Concurrent sessions
  46. Lack of data validation - Path Traversal
  47. Traceability loss - Server's clock
  48. Technical information leak - Console functions
  49. Improper resource allocation
  50. Insecure session expiration time
  51. Weak CAPTCHA
  52. Insecure or unset HTTP headers - Referrer-Policy
  53. Improper authorization control for web services - RDS
  54. Insecure session management
  55. Insecurely generated token
  56. Non-upgradable dependencies
  57. Business information leak - Customers or providers
  58. Lack of multi-factor authentication
  59. Insecurely deleted files
  60. XML injection (XXE)
  61. Account lockout
  62. Privacy violation
  63. Lack of data validation - Trust boundary violation
  64. CSV injection
  65. Log injection
  66. Insecure encryption algorithm - Anonymous cipher suites
  67. Hidden fields manipulation
  68. Insecure encryption algorithm - Cipher Block Chaining
  69. Data uniqueness not properly verified
  70. Insecure deserialization
  71. External control of file name or path
  72. Server-side request forgery (SSRF)
  73. Lack of protection against deletion
  74. Email uniqueness not properly verified
  75. NoSQL injection
  76. LDAP injection
  77. Improper control of interaction frequency
  78. HTTP request smuggling
  79. Out-of-bounds read
  80. Improper type assignation
  81. Phishing
  82. Security controls bypass or absence
  83. Unverifiable files
  84. Regulation infringement
  85. Metadata with sensitive information
  86. Improper dependency pinning
  87. HTTP parameter pollution
  88. Email flooding
  89. Local file inclusion
  90. Race condition
  91. Directory listing
  92. Lack of isolation methods
  93. Lack of data validation - Type confusion
  94. Insecurely generated cookies - HttpOnly
  95. Insecurely generated cookies - SameSite
  96. Insecurely generated cookies - Secure
  97. Insecure or unset HTTP headers - Strict Transport Security
  98. Insecure or unset HTTP headers - X-Content-Type-Options
  99. Insecure encryption algorithm - Perfect Forward Secrecy
  100. Insecure or unset HTTP headers - CORS
  101. Insecure or unset HTTP headers - X-XSS Protection
  102. Insecure or unset HTTP headers - Cache Control
  103. Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
  104. Inappropriate coding practices
  105. Insecure exceptions - Empty or no catch
  106. Lack of data validation - URL
  107. Sensitive information in source code - API Key
  108. Inappropriate coding practices - Eval function
  109. Inappropriate coding practices - Cyclomatic complexity
  110. SQL injection
  111. Insecure encryption algorithm - SSLContext
  112. Use of an insecure channel - FTP
  113. Use of an insecure channel - SMTP
  114. Use of an insecure channel - Telnet
  115. Insecure or unset HTTP headers - X-Frame Options
  116. Insecure or unset HTTP headers - Accept
  117. Time-based SQL Injection
  118. SQL Injection - Headers
  119. Uncontrolled external site redirect
  120. Unrestricted access between network segments
  121. Excessive privileges
  122. Excessive privileges - Temporary Files
  123. Email spoofing
  124. Debugging enabled in production
  125. Lack of data validation
  126. Lack of data validation - Header x-amzn-RequestId
  127. Lack of data validation - Web Service
  128. Lack of data validation - Source Code
  129. Lack of data validation - Content Spoofing
  130. Lack of data validation - Session Cookie
  131. Lack of data validation - Responses
  132. Lack of data validation - Reflected Parameters
  133. Lack of data validation - Host Header Injection
  134. Lack of data validation - Input Length
  135. Lack of data validation - Headers
  136. Lack of data validation - Dates
  137. Lack of data validation - Numbers
  138. Lack of data validation - Out of range
  139. Lack of data validation - Emails
  140. Traceability loss
  141. Unauthorized access to files
  142. Unauthorized access to files - S3 Bucket
  143. Insufficient data authenticity validation
  144. Security controls bypass or absence - Antivirus
  145. Security controls bypass or absence - Facial Recognition
  146. Asymmetric denial of service - ReDoS
  147. Security controls bypass or absence - Cloudflare
  148. Business information leak - JWT
  149. Business information leak - Credentials
  150. Business information leak - Source Code
  151. Business information leak - Credit Cards
  152. Business information leak - Network Unit
  153. Business information leak - Token
  154. Business information leak - Users
  155. Business information leak - DB
  156. Business information leak - Personal Information
  157. Business information leak - Analytics
  158. Message flooding
  159. Incomplete functional code
  160. Technical information leak - Stacktrace
  161. Technical information leak - Headers
  162. Technical information leak - SourceMap
  163. Technical information leak - Print Functions
  164. Technical information leak - API
  165. Technical information leak - Errors
  166. Authentication mechanism absence or evasion - OTP
  167. Authentication mechanism absence or evasion - Admin Console
  168. Non-encrypted confidential information - Credit Cards
  169. Non-encrypted confidential information - DB
  170. Non-encrypted confidential information - LDAP
  171. Non-encrypted confidential information - Credentials
  172. Non-encrypted hard drives
  173. Automatic information enumeration - Open ports
  174. Automatic information enumeration - Credit Cards
  175. Insecure functionality - Pass the hash
  176. Insecure encryption algorithm - DSA
  177. Insecure encryption algorithm - SHA1
  178. Insecure encryption algorithm - MD5
  179. Insecure encryption algorithm - TripleDES
  180. Insecure encryption algorithm - AES
  181. Insecure encryption algorithm - Blowfish
  182. Insecure functionality - File Creation
  183. Insecure functionality - Password management
  184. Insecure functionality - Masking
  185. Insecure functionality - Fingerprint
  186. Restricted fields manipulation
  187. Sensitive information sent via URL parameters - Session
  188. Weak credential policy - Password Expiration
  189. Session Fixation
  190. Insecure encryption algorithm - ECB
  191. Automatic information enumeration - Personal Information
  192. Non-encrypted confidential information - Base 64
  193. Insecure object reference - Personal information
  194. Insecure object reference - Corporate information
  195. Insecure object reference - Financial information
  196. Technical information leak - Logs
  197. Technical information leak - IPs
  198. Business information leak - Financial Information
  199. Insecure session management - Change Password
  200. Weak credential policy - Password Change Limit
  201. SQL injection - Code
  202. Authentication mechanism absence or evasion - Redirect
  203. Concurrent sessions control bypass
  204. Insecure functionality - Session management
  205. Security controls bypass or absence - Data creation
  206. Insecure object reference - Files
  207. Insecure object reference - Data
  208. Enabled default configuration
  209. Insecurely generated token - JWT
  210. Improper resource allocation - Memory leak
  211. Insecurely generated token - Validation
  212. Lack of data validation - HTML code
  213. Insecurely generated token - Lifespan
  214. Insecure functionality - User management
  215. Insecure object reference - Session management
  216. Insecure or unset HTTP headers - Content-Type
  217. Lack of protection against brute force attacks - Credentials
  218. Use of an insecure channel - Source code
  219. Business information leak - Corporate information
  220. Insecure session management - CSRF Fixation
  221. Lack of data validation - Special Characters
  222. Lack of data validation - OTP
  223. Lack of data validation - Non Sanitized Variables
  224. Security controls bypass or absence - Session Invalidation
  225. Technical information leak - Credentials
  226. Lack of data validation - Token
  227. Insecure file upload - Files Limit
  228. Insufficient data authenticity validation - Checksum verification
  229. Sensitive information in source code - Credentials
  230. Technical information leak - Content response
  231. Weak credential policy - Password strength
  232. Weak credential policy - Temporary passwords
  233. Authentication mechanism absence or evasion - Response tampering
  234. Insecure object reference - User deletion
  235. DOM-Based cross-site scripting (XSS)
  236. Use of an insecure channel - HTTP
  237. Security controls bypass or absence - Tampering Protection
  238. Non-encrypted confidential information - Hexadecimal
  239. Inappropriate coding practices - Unnecessary imports
  240. Insecurely generated token - OTP
  241. Inappropriate coding practices - Wildcard export
  242. Insecure authentication method - NTLM
  243. Inappropriate coding practices - Unused properties
  244. Use of software with known vulnerabilities in development
  245. Insecure generation of random numbers - Static IV
  246. Insecure authentication method - LDAP
  247. OS Command Injection
  248. Excessive privileges - Access Mode
  249. Insecure encryption algorithm - Default encryption
  250. Account Takeover
  251. Password reset poisoning
  252. Insecure encryption algorithm - Insecure Elliptic Curve
  253. Server side template injection
  254. Server side cross-site scripting
  255. Inappropriate coding practices - invalid file
  256. Inappropriate coding practices - relative path command
  257. Use of software with known vulnerabilities in environments
  258. Security controls bypass or absence - Fingerprint