Python
Available solutions
- Remote command execution
- Privilege escalation
- Authentication mechanism absence or evasion
- Cross-site request forgery
- Reflected cross-site scripting (XSS)
- Insecure object reference
- Insecure authentication method - Basic
- XPath injection
- Insecure file upload
- Inadequate file size control
- Password change without identity check
- Improper authorization control for web services
- Insecurely generated cookies
- Insecure or unset HTTP headers - Content-Security-Policy
- Cracked weak credentials
- Asymmetric denial of service - Content length
- Insecure service configuration - Host verification
- Concurrent sessions
- Lack of data validation - Path Traversal
- Insecure session expiration time
- Insecure or unset HTTP headers - Referrer-Policy
- Insecure session management
- XML injection (XXE)
- Lack of data validation - Trust boundary violation
- CSV injection
- Log injection
- Insecure deserialization
- External control of file name or path
- NoSQL injection
- LDAP injection
- Improper type assignation
- HTTP parameter pollution
- Local file inclusion
- Race condition
- Lack of data validation - Type confusion
- Insecurely generated cookies - HttpOnly
- Insecurely generated cookies - SameSite
- Insecurely generated cookies - Secure
- Insecure or unset HTTP headers - Strict Transport Security
- Insecure or unset HTTP headers - X-Content-Type-Options
- Insecure or unset HTTP headers - CORS
- Insecure or unset HTTP headers - X-XSS Protection
- Insecure or unset HTTP headers - Cache Control
- Insecure exceptions - Empty or no catch
- Inappropriate coding practices - Cyclomatic complexity
- Insecure or unset HTTP headers - X-Frame Options
- Insecure or unset HTTP headers - Accept
- Time-based SQL Injection
- SQL Injection - Headers
- Lack of data validation
- Lack of data validation - Header x-amzn-RequestId
- Lack of data validation - Web Service
- Lack of data validation - Source Code
- Lack of data validation - Session Cookie
- Lack of data validation - Responses
- Lack of data validation - Reflected Parameters
- Lack of data validation - Host Header Injection
- Lack of data validation - Input Length
- Lack of data validation - Headers
- Lack of data validation - Dates
- Lack of data validation - Numbers
- Lack of data validation - Out of range
- Lack of data validation - Emails
- Unauthorized access to files
- Insufficient data authenticity validation
- Security controls bypass or absence - Facial Recognition
- Authentication mechanism absence or evasion - OTP
- Authentication mechanism absence or evasion - Admin Console
- Insecure functionality - Fingerprint
- Restricted fields manipulation
- Session Fixation
- Insecure object reference - Personal information
- Insecure session management - Change Password
- SQL injection - Code
- Authentication mechanism absence or evasion - Redirect
- Insecure functionality - Session management
- Security controls bypass or absence - Data creation
- Insecure object reference - Files
- Insecure object reference - Data
- Unauthorized access to screen
- Lack of data validation - HTML code
- Insecure object reference - Session management
- Insecure or unset HTTP headers - Content-Type
- Insecure session management - CSRF Fixation
- Lack of data validation - Special Characters
- Lack of data validation - OTP
- Lack of data validation - Non Sanitized Variables
- Security controls bypass or absence - Session Invalidation
- Lack of data validation - Token
- Insecure file upload - Files Limit
- Insufficient data authenticity validation - Checksum verification
- Weak credential policy - Password strength
- Weak credential policy - Temporary passwords
- Authentication mechanism absence or evasion - Response tampering
- Insecure object reference - User deletion
- Insecurely generated token - OTP
- Insecure authentication method - NTLM
- OS Command Injection
- Server side template injection
- Server side cross-site scripting
- Inappropriate coding practices - invalid file
- Security controls bypass or absence - Fingerprint
- Asymmetric denial of service
- Symmetric denial of service
- Insecure functionality
- Insecure encryption algorithm - SSL/TLS
- Sensitive information sent insecurely
- Non-encrypted confidential information
- Use of an insecure channel
- Uncontrolled external site redirect - Host Header Injection
- User enumeration
- Insecure temporary files
- Sensitive information sent via URL parameters
- Insecure generation of random numbers
- Enabled default credentials
- Automatic information enumeration
- Guessed weak credentials
- Insecure encryption algorithm
- Lack of protection against brute force attacks
- Sensitive information stored in logs
- Remote File Inclusion
- Traceability loss - Server's clock
- Improper resource allocation
- Insecurely generated token
- Non-upgradable dependencies
- Business information leak - Customers or providers
- Insecurely deleted files
- Insecure encryption algorithm - Anonymous cipher suites
- Hidden fields manipulation
- Insecure encryption algorithm - Cipher Block Chaining
- Data uniqueness not properly verified
- Server-side request forgery (SSRF)
- Email uniqueness not properly verified
- Improper control of interaction frequency
- XS-Leaks
- Regulation infringement
- Metadata with sensitive information
- Improper dependency pinning
- Directory listing
- Inappropriate coding practices
- Sensitive information in source code - API Key
- Inappropriate coding practices - Eval function
- Insecure encryption algorithm - SSLContext
- Use of an insecure channel - FTP
- Use of an insecure channel - useSslProtocol()
- Use of an insecure channel - Telnet
- Uncontrolled external site redirect
- Insecure service configuration - SMB
- Insecure service configuration - SMTP
- Debugging enabled in production
- Traceability loss
- Asymmetric denial of service - ReDoS
- Business information leak - JWT
- Business information leak - Credentials
- Business information leak - Source Code
- Business information leak - Credit Cards
- Business information leak - Network Unit
- Business information leak - Token
- Business information leak - Users
- Business information leak - JFROG
- Business information leak - Personal Information
- Technical information leak - Headers
- Technical information leak - Print Functions
- Technical information leak - Errors
- Non-encrypted confidential information - Credit Cards
- Non-encrypted confidential information - DB
- Non-encrypted confidential information - AWS
- Non-encrypted confidential information - LDAP
- Non-encrypted confidential information - Credentials
- Automatic information enumeration - Credit Cards
- Insecure encryption algorithm - DSA
- Insecure encryption algorithm - SHA1
- Insecure encryption algorithm - MD5
- Insecure encryption algorithm - TripleDES
- Insecure encryption algorithm - AES
- Insecure encryption algorithm - Blowfish
- Insecure functionality - File Creation
- Insecure functionality - Password management
- Insecure functionality - Masking
- Non-encrypted confidential information - Local data
- Sensitive information sent via URL parameters - Session
- Insecure encryption algorithm - ECB
- Automatic information enumeration - Personal Information
- Non-encrypted confidential information - Base 64
- Technical information leak - Logs
- Insecure service configuration - OTP
- Weak credential policy - Password Change Limit
- Insecurely generated token - JWT
- Improper resource allocation - Memory leak
- Insecurely generated token - Validation
- Insecure service configuration - Roles
- Insecurely generated token - Lifespan
- Sensitive information in source code - Dependencies
- Lack of protection against brute force attacks - Credentials
- Use of an insecure channel - Source code
- Business information leak - Corporate information
- Insecure service configuration - Salt
- Insecure service configuration - BREACH Attack
- Sensitive information in source code - Credentials
- Sensitive information in source code - Git history
- Use of an insecure channel - HTTP
- Non-encrypted confidential information - Hexadecimal
- Inappropriate coding practices - Unnecessary imports
- Inappropriate coding practices - Wildcard export
- Non-encrypted confidential information - Keys
- Inappropriate coding practices - Unused properties
- Use of software with known vulnerabilities in development
- Insecure generation of random numbers - Static IV
- Dependency Confusion
- Password reset poisoning
- Insecure encryption algorithm - Insecure Elliptic Curve
- Use of software with known vulnerabilities in environments