PHP
Available solutions
- Asymmetric denial of service
- Symmetric denial of service
- Remote command execution
- Cross-site request forgery
- Reflected cross-site scripting (XSS)
- Stored cross-site scripting (XSS)
- Insecure functionality
- Insecure authentication method - Basic
- Insecure encryption algorithm - SSL/TLS
- Sensitive information sent insecurely
- Administrative credentials stored in cache memory
- XPath injection
- Use of an insecure channel
- User enumeration
- Insecure file upload
- Inadequate file size control
- Sensitive information sent via URL parameters
- Spoofing
- Password change without identity check
- Insecure generation of random numbers
- ViewState not encrypted
- Technical information leak
- Business information leak
- Insecurely generated cookies
- HTML code injection
- Cracked weak credentials
- Insecure encryption algorithm
- Sensitive information stored in logs
- Remote File Inclusion
- Concurrent sessions
- Lack of data validation - Path Traversal
- Improper resource allocation
- Insecure session expiration time
- Weak CAPTCHA
- Insecurely generated token
- Business information leak - Customers or providers
- Privacy violation
- Lack of data validation - Trust boundary violation
- Log injection
- Insecure encryption algorithm - Anonymous cipher suites
- Hidden fields manipulation
- Insecure encryption algorithm - Cipher Block Chaining
- Data uniqueness not properly verified
- Insecure deserialization
- External control of file name or path
- Email uniqueness not properly verified
- NoSQL injection
- LDAP injection
- Improper control of interaction frequency
- Out-of-bounds read
- Improper type assignation
- Security controls bypass or absence
- HTTP parameter pollution
- Email flooding
- Local file inclusion
- Race condition
- Directory listing
- Lack of data validation - Type confusion
- Insecurely generated cookies - HttpOnly
- Insecurely generated cookies - SameSite
- Insecure or unset HTTP headers - Strict Transport Security
- Insecure or unset HTTP headers - X-Content-Type-Options
- Insecure or unset HTTP headers - Cache Control
- Inappropriate coding practices
- Lack of data validation - URL
- Sensitive information in source code - API Key
- Inappropriate coding practices - Eval function
- Inappropriate coding practices - Cyclomatic complexity
- SQL injection
- Use of an insecure channel - useSslProtocol()
- Insecure or unset HTTP headers - Accept
- Time-based SQL Injection
- SQL Injection - Headers
- Uncontrolled external site redirect
- Excessive privileges - Temporary Files
- Insecure service configuration
- Insecure service configuration - Backdoor
- Debugging enabled in production
- Lack of data validation - Web Service
- Lack of data validation - Source Code
- Lack of data validation - Content Spoofing
- Lack of data validation - Session Cookie
- Lack of data validation - Responses
- Lack of data validation - Reflected Parameters
- Lack of data validation - Host Header Injection
- Lack of data validation - Input Length
- Lack of data validation - Headers
- Lack of data validation - Dates
- Lack of data validation - Numbers
- Lack of data validation - Out of range
- Lack of data validation - Emails
- Unauthorized access to files
- Asymmetric denial of service - ReDoS
- Business information leak - Credit Cards
- Business information leak - Users
- Message flooding
- Technical information leak - Headers
- Technical information leak - Print Functions
- Authentication mechanism absence or evasion - OTP
- Authentication mechanism absence or evasion - Admin Console
- Non-encrypted confidential information - LDAP
- Automatic information enumeration - Credit Cards
- Insecure encryption algorithm - DSA
- Insecure encryption algorithm - SHA1
- Insecure encryption algorithm - TripleDES
- Insecure functionality - File Creation
- Insecure functionality - Password management
- Insecure functionality - Masking
- Insecure functionality - Fingerprint
- Restricted fields manipulation
- Insecure exceptions - NullPointerException
- Session Fixation
- Insecure encryption algorithm - ECB
- Automatic information enumeration - Personal Information
- Non-encrypted confidential information - Base 64
- Insecure object reference - Personal information
- Insecure object reference - Financial information
- Technical information leak - Logs
- Technical information leak - IPs
- Business information leak - Financial Information
- Insecure session management - Change Password
- SQL injection - Code
- Authentication mechanism absence or evasion - Redirect
- Insecure functionality - Session management
- Security controls bypass or absence - Data creation
- Insecure object reference - Files
- Insecure object reference - Data
- Enabled default configuration
- Improper resource allocation - Memory leak
- Lack of data validation - HTML code
- XML injection (XXE) - Unmarshaller
- Sensitive information in source code - Dependencies
- Insufficient data authenticity validation - Images
- Insecure object reference - Session management
- Insecure or unset HTTP headers - Content-Type
- Lack of protection against brute force attacks - Credentials
- User Enumeration - WordPress
- Use of insecure channel - Source code
- Insecure service configuration - Request Validation
- Lack of data validation - Special Characters
- Lack of data validation - OTP
- Insecure service configuration - BREACH Attack
- Lack of data validation - Non Sanitized Variables
- Security controls bypass or absence - Session Invalidation
- Automatic information enumeration - Corporate information
- Insecure file upload - Files Limit
- Insufficient data authenticity validation - Checksum verification
- Symmetric denial of service - SMTP
- Sensitive information in source code - Credentials
- Technical information leak - Content response
- Insecure object reference - User deletion
- DOM-Based cross-site scripting (XSS)
- Use of an insecure channel - HTTP
- Non-encrypted confidential information - Hexadecimal
- Insufficient data authenticity validation - Front bypass
- Insecure service configuration - Object Reutilization
- Insecure generation of random numbers - Static IV
- Security controls absence - Monitoring
- OS Command Injection
- Insecure service configuration - Header Checking
- Account Takeover
- Password reset poisoning
- Insecure encryption algorithm - Insecure Elliptic Curve
- Server side template injection
- Inappropriate coding practices - invalid file
- Use of software with known vulnerabilities in environments
- Security controls bypass or absence - Fingerprint