Ruby
Available solutions
- Asymmetric denial of service
- Symmetric denial of service
- Remote command execution
- Privilege escalation
- Cross-site request forgery
- Reflected cross-site scripting (XSS)
- Sensitive information in source code
- Stored cross-site scripting (XSS)
- Use of software with known vulnerabilities
- Insecure object reference
- Insecure functionality
- Insecure authentication method - Basic
- Insecure encryption algorithm - SSL/TLS
- Sensitive information sent insecurely
- Administrative credentials stored in cache memory
- XPath injection
- Uncontrolled external site redirect - Host Header Injection
- User enumeration
- Insecure file upload
- Insecure temporary files
- Inadequate file size control
- Password change without identity check
- Insecure generation of random numbers
- Technical information leak
- Enabled default credentials
- Insecurely generated cookies
- Insecure or unset HTTP headers - Content-Security-Policy
- Insecure HTTP methods enabled
- HTML code injection
- Automatic information enumeration
- Guessed weak credentials
- Cracked weak credentials
- Insecure encryption algorithm
- Lack of protection against brute force attacks
- Anonymous connection
- Asymmetric denial of service - Content length
- Sensitive information stored in logs
- Remote File Inclusion
- Concurrent sessions
- Lack of data validation - Path Traversal
- Cached form fields
- Technical information leak - Console functions
- Improper resource allocation
- Insecure session expiration time
- Insecure or unset HTTP headers - Referrer-Policy
- Insecure session management
- Insecurely generated token
- Lack of multi-factor authentication
- Insecurely deleted files
- XML injection (XXE)
- Sensitive data stored in client-side storage
- Missing subresource integrity check
- Account lockout
- CSV injection
- Log injection
- Insecure encryption algorithm - Anonymous cipher suites
- Hidden fields manipulation
- Insecure encryption algorithm - Cipher Block Chaining
- Data uniqueness not properly verified
- Insecure deserialization
- External control of file name or path
- Server-side request forgery (SSRF)
- Email uniqueness not properly verified
- Apache Lucene query injection
- NoSQL injection
- LDAP injection
- Improper control of interaction frequency
- Improper type assignation
- Security controls bypass or absence
- XS-Leaks
- Metadata with sensitive information
- Improper dependency pinning
- HTTP parameter pollution
- Local file inclusion
- Race condition
- Directory listing
- Lack of data validation - Type confusion
- Insecurely generated cookies - HttpOnly
- Insecurely generated cookies - SameSite
- Insecurely generated cookies - Secure
- Insecure or unset HTTP headers - Strict Transport Security
- Insecure or unset HTTP headers - X-Content-Type-Options
- Insecure encryption algorithm - Perfect Forward Secrecy
- Insecure or unset HTTP headers - CORS
- Insecure or unset HTTP headers - X-XSS Protection
- Insecure or unset HTTP headers - Cache Control
- Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
- Inappropriate coding practices
- Insecure exceptions - Empty or no catch
- Lack of data validation - URL
- Sensitive information in source code - API Key
- Inappropriate coding practices - Cyclomatic complexity
- SQL injection
- Insecure encryption algorithm - SSLContext
- Use of an insecure channel - FTP
- Use of an insecure channel - SMTP
- Use of an insecure channel - Telnet
- Insecure or unset HTTP headers - X-Frame Options
- Insecure or unset HTTP headers - Accept
- Time-based SQL Injection
- SQL Injection - Headers
- Uncontrolled external site redirect
- Excessive privileges
- Excessive privileges - Temporary Files
- Debugging enabled in production
- Lack of data validation
- Lack of data validation - Header x-amzn-RequestId
- Lack of data validation - Web Service
- Lack of data validation - Source Code
- Lack of data validation - Modify DOM Elements
- Lack of data validation - Session Cookie
- Lack of data validation - Responses
- Lack of data validation - Reflected Parameters
- Lack of data validation - Host Header Injection
- Lack of data validation - Input Length
- Lack of data validation - Headers
- Lack of data validation - Dates
- Lack of data validation - Numbers
- Lack of data validation - Out of range
- Lack of data validation - Emails
- Traceability loss
- Unauthorized access to files
- Insufficient data authenticity validation
- Asymmetric denial of service - ReDoS
- Incomplete functional code
- Technical information leak - Stacktrace
- Technical information leak - Headers
- Technical information leak - SourceMap
- Technical information leak - Print Functions
- Technical information leak - API
- Technical information leak - Errors
- Automatic information enumeration - Open ports
- Automatic information enumeration - Credit Cards
- Insecure functionality - Pass the hash
- Insecure encryption algorithm - DSA
- Insecure encryption algorithm - SHA1
- Insecure encryption algorithm - MD5
- Insecure encryption algorithm - TripleDES
- Insecure encryption algorithm - AES
- Insecure encryption algorithm - Blowfish
- Insecure functionality - File Creation
- Insecure functionality - Password management
- Insecure functionality - Masking
- Insecure functionality - Fingerprint
- Restricted fields manipulation
- Sensitive information sent via URL parameters - Session
- Weak credential policy - Password Expiration
- Insecure exceptions - NullPointerException
- Session Fixation
- Automatic information enumeration - Personal Information
- Insecure object reference - Personal information
- Insecure object reference - Corporate information
- Insecure object reference - Financial information
- Technical information leak - Logs
- Technical information leak - IPs
- Insecure session management - Change Password
- Weak credential policy - Password Change Limit
- SQL injection - Code
- Concurrent sessions control bypass
- Insecure functionality - Session management
- Security controls bypass or absence - Data creation
- Insecure object reference - Files
- Insecure object reference - Data
- Enabled default configuration
- Insecurely generated token - JWT
- Unauthorized access to screen
- Improper resource allocation - Memory leak
- Insecurely generated token - Validation
- Lack of data validation - HTML code
- Insecurely generated token - Lifespan
- Insecure functionality - User management
- Sensitive information in source code - Dependencies
- Insecure object reference - Session management
- Insecure or unset HTTP headers - Content-Type
- Lack of protection against brute force attacks - Credentials
- Insecure session management - CSRF Fixation
- Lack of data validation - Special Characters
- Lack of data validation - OTP
- Lack of data validation - Non Sanitized Variables
- Security controls bypass or absence - Session Invalidation
- Technical information leak - Credentials
- Automatic information enumeration - Corporate information
- Lack of data validation - Token
- Insecure file upload - Files Limit
- Insufficient data authenticity validation - Checksum verification
- Sensitive information in source code - Credentials
- Technical information leak - Content response
- Weak credential policy - Password strength
- Weak credential policy - Temporary passwords
- Insecure object reference - User deletion
- DOM-Based cross-site scripting (XSS)
- Use of an insecure channel - HTTP
- Security controls bypass or absence - Tampering Protection
- Security controls bypass or absence - Reversing Protection
- Inappropriate coding practices - Unnecessary imports
- Insufficient data authenticity validation - Front bypass
- Insecurely generated token - OTP
- Insecure authentication method - NTLM
- Inappropriate coding practices - Unused properties
- Use of software with known vulnerabilities in development
- Insecure generation of random numbers - Static IV
- Insecure authentication method - LDAP
- OS Command Injection
- Insecure encryption algorithm - Default encryption
- Password reset poisoning
- Insecure encryption algorithm - Insecure Elliptic Curve
- Server side template injection
- Inappropriate coding practices - System exit
- Inappropriate coding practices - invalid file
- Universal cross-site scripting (UXSS)
- Inappropriate coding practices - relative path command
- Client-side template injection
- Use of software with known vulnerabilities in environments
- Security controls bypass or absence - Fingerprint