Introduction

Vulnerabilities

This is a standardization of the set of vulnerabilities that serve as a basis for the security analysis performed by Fluid Attacks. This is an ever-evolving effort as new types arise every day.

Index

Access Subversion

• 005. Privilege escalation
• 006. Authentication mechanism absence or evasion
• 007. Cross-site request forgery
• 013. Insecure object reference
• 018. Improper authentication for shared folders
• 024. Unrestricted access between network segments - AWS
• 027. Insecure file upload
• 031. Excessive privileges - AWS
• 039. Improper authorization control for web services
• 042. Insecurely generated cookies
• 051. Cracked weak credentials
• 056. Anonymous connection
• 057. Asymmetric denial of service - Content length
• 062. Concurrent sessions
• 068. Insecure session expiration time
• 075. Unauthorized access to files - APK Content Provider
• 076. Insecure session management
• 081. Lack of multi-factor authentication
• 115. Security controls bypass or absence
• 126. Lack of isolation methods
• 128. Insecurely generated cookies - HttpOnly
• 129. Insecurely generated cookies - SameSite
• 130. Insecurely generated cookies - Secure
• 157. Unrestricted access between network segments
• 158. Unrestricted access between network segments - Azure AD
• 159. Excessive privileges
• 160. Excessive privileges - Temporary Files
• 163. Insecure digital certificates
• 201. Unauthorized access to files
• 202. Unauthorized access to files - Debug APK
• 203. Unauthorized access to files - Cloud Storage Services
• 205. Insufficient Physical Access Controls
• 206. Security controls bypass or absence - Anti hooking
• 207. Security controls bypass or absence - SSLPinning
• 208. Security controls bypass or absence - Antivirus
• 209. Security controls bypass or absence - Emulator
• 210. Security controls bypass or absence - Facial Recognition
• 212. Security controls bypass or absence - Cloudflare
• 240. Authentication mechanism absence or evasion - OTP
• 241. Authentication mechanism absence or evasion - AWS
• 242. Authentication mechanism absence or evasion - WiFi
• 243. Authentication mechanism absence or evasion - Admin Console
• 244. Authentication mechanism absence or evasion - BIOS
• 279. Root detection control bypass
• 280. Session Fixation
• 286. Insecure object reference - Personal information
• 287. Insecure object reference - Corporate information
• 288. Insecure object reference - Financial information
• 295. Insecure session management - Change Password
• 298. Authentication mechanism absence or evasion - Redirect
• 299. Authentication mechanism absence or evasion - JFROG
• 300. Authentication mechanism absence or evasion - Azure
• 301. Concurrent sessions control bypass
• 305. Security controls bypass or absence - Data creation
• 306. Insecure object reference - Files
• 307. Insecure object reference - Data
• 310. Unauthorized access to screen
• 311. Unrestricted access between network segments - JSch
• 325. Excessive privileges - Wildcards
• 328. Insecure object reference - Session management
• 337. Insecure session management - CSRF Fixation
• 345. Security controls bypass or absence - Session Invalidation
• 346. Excessive privileges - Mobile App
• 348. Insecure digital certificates - Lifespan
• 350. Insecure digital certificates - Chain of trust
• 354. Insecure file upload - Files Limit
• 368. Unrestricted access between network segments - StrictHostKeyChecking
• 369. Insecure object reference - User deletion
• 370. Authentication mechanism absence or evasion - Security Image
• 374. Security controls bypass or absence - Debug Protection
• 375. Security controls bypass or absence - Tampering Protection
• 376. Security controls bypass or absence - Reversing Protection
• 436. Security controls bypass or absence - Fingerprint

Data Manipulation

• 098. External control of file name or path
• 103. Insufficient data authenticity validation - APK signing
• 111. Out-of-bounds read
• 123. Local file inclusion
• 204. Insufficient data authenticity validation
• 327. Insufficient data authenticity validation - Images
• 355. Insufficient data authenticity validation - Checksum verification
• 377. Insufficient data authenticity validation - Device Binding
• 383. Insecurely generated token - OTP
• 389. Insufficient data authenticity validation - JAR signing

Deceptive Interactions

• 023. Uncontrolled external site redirect - Host Header Injection
• 032. Spoofing
• 078. Insecurely generated token
• 084. MDNS spoofing
• 086. Missing subresource integrity check
• 097. Reverse tabnabbing
• 100. Server-side request forgery (SSRF)
• 114. Phishing
• 156. Uncontrolled external site redirect
• 182. Email spoofing
• 309. Insecurely generated token - JWT
• 318. Insecurely generated token - Validation
• 322. Insecurely generated token - Lifespan
• 360. Clickjacking
• 408. Traceability Loss - API Gateway

Functionality Abuse

• 002. Asymmetric denial of service
• 003. Symmetric denial of service
• 014. Insecure functionality
• 033. Password change without identity check
• 048. Lack of root detection
• 055. Insecure service configuration - ADB Backups
• 058. Debugging enabled in production - APK
• 060. Insecure service configuration - Host verification
• 061. Remote File Inclusion
• 064. Traceability loss - Server's clock
• 065. Cached form fields
• 067. Improper resource allocation
• 070. Insecure service configuration - ELB
• 072. Duplicate code
• 073. Improper authorization control for web services - RDS
• 079. Non-upgradable dependencies
• 087. Account lockout
• 088. Privacy violation
• 093. Hidden fields manipulation
• 095. Data uniqueness not properly verified
• 101. Lack of protection against deletion
• 102. Email uniqueness not properly verified
• 108. Improper control of interaction frequency
• 109. Unrestricted access between network segments - RDS
• 110. HTTP request smuggling
• 113. Improper type assignation
• 117. Unverifiable files
• 118. Regulation infringement
• 120. Improper dependency pinning
• 122. Email flooding
• 124. Race condition
• 138. Inappropriate coding practices
• 140. Insecure exceptions - Empty or no catch
• 143. Inappropriate coding practices - Eval function
• 145. Inappropriate coding practices - Cyclomatic complexity
• 164. Insecure service configuration
• 165. Insecure service configuration - AWS
• 166. Insecure service configuration - Kerberoast
• 167. Insecure service configuration - Wireless Certificates
• 168. Insecure service configuration - Keystore
• 169. Insecure service configuration - Keys
• 170. Insecure service configuration - Antivirus
• 171. Insecure service configuration - Firewall
• 172. Insecure service configuration - App Backup
• 173. Insecure service configuration - Backup
• 174. Insecure service configuration - Backdoor
• 175. Insecure service configuration - DNS
• 176. Insecure service configuration - SSH
• 177. Insecure service configuration - Security Groups
• 178. Insecure service configuration - RDP
• 179. Insecure service configuration - SMB
• 180. Insecure service configuration - SMTP
• 181. Insecure service configuration - DynamoDB
• 183. Debugging enabled in production
• 200. Traceability loss
• 211. Asymmetric denial of service - ReDoS
• 231. Message flooding
• 233. Incomplete funcional code
• 255. Insecure functionality - Pass the hash
• 256. Lack of protection against deletion - RDS
• 257. Lack of protection against deletion - EC2
• 258. Lack of protection against deletion - ELB
• 259. Lack of protection against deletion - DynamoDB
• 260. Insecure Binary compilation
• 267. Excessive Privileges - Kubernetes
• 268. Insecure service configuration - Webview
• 270. Insecure functionality - File Creation
• 271. Insecure functionality - Password management
• 272. Insecure functionality - Masking
• 273. Insecure functionality - Fingerprint
• 278. Insecure exceptions - NullPointerException
• 285. Insecure service configuration - App Transport Security
• 293. Insecure service configuration - Key pair
• 294. Insecure service configuration - OTP
• 302. Insecure functionality - Session management
• 304. Inappropriate coding practices - Performance
• 308. Enabled default configuration
• 312. Insecure service configuration - Signatures
• 313. Insecure service configuration - Certificates
• 314. Insecure service configuration - DB
• 315. Insecure service configuration - CloudDB
• 316. Improper resource allocation - Buffer overflow
• 317. Improper resource allocation - Memory leak
• 319. Insecure service configuration - Roles
• 320. Insecure service configuration - LDAP
• 324. Insecure functionality - User management
• 333. Insecure service configuration - EC2
• 334. Insecure service configuration - IAM
• 335. Insecure service configuration - Bucket
• 338. Insecure service configuration - Salt
• 339. Insecure service configuration - Request Validation
• 343. Insecure service configuration - BREACH Attack
• 347. Insecure service configuration - Task Hijacking
• 352. Insecure service configuration - Non Masked Variables
• 356. Symmetric denial of service - SMTP
• 357. Symmetric denial of service - FTP
• 358. Insecure service configuration - DocumentBuilderFactory
• 366. Inappropriate coding practices - Transparency Conflict
• 379. Inappropriate coding practices - Unnecessary imports
• 380. Supply Chain Attack - Docker
• 381. Supply Chain Attack - Terraform
• 382. Insufficient data authenticity validation - Front bypass
• 384. Inappropriate coding practices - Wildcard export
• 386. Cross-Site Leak - Frame Counting
• 387. Insecure service configuration - Object Reutilization
• 391. Inappropriate coding practices - Unused properties
• 392. Security controls bypass or absence - Firewall
• 393. Use of software with known vulnerabilities in development
• 394. Insufficient data authenticity validation - Cloudtrail Logs
• 395. Insecure generation of random numbers - Static IV
• 396. Insecure service configuration - KMS
• 398. Fragment Injection
• 399. Security controls absence - Monitoring
• 400. Traceability Loss - AWS
• 401. Insecure service configuration - AKV Secret Expiration
• 402. Traceability Loss - Azure
• 403. Insecure service configuration - usesCleartextTraffic
• 404. OS Command Injection
• 405. Excessive privileges - Access Mode
• 410. Dependency Confusion
• 411. Insecure encryption algorithm - Default encryption
• 412. Lack of protection against deletion - Azure Key Vault
• 413. Insecure file upload - DLL Injection
• 414. Insecure service configuration - Header Checking
• 415. Insecure service configuration - Container level access policy
• 416. XAML injection
• 417. Account Takeover
• 418. Insecure service configuration - Docker
• 419. Traceability Loss - Kubernetes
• 420. Password reset poisoning
• 423. Inappropriate coding practices - System exit
• 426. Supply Chain Attack - Kubernetes
• 428. Inappropriate coding practices - invalid file
• 431. Supply Chain Attack - Lock Files
• 432. Inappropriate coding practices - relative path command
• 437. Supply Chain Attack - GitHub Actions
• 443. Insecure service configuration - Business logic
• 444. Sensitive Information in Auto-Generated Screenshots
• 445. Bucket takeover
• 446. Insecure service configuration - Azure

Information Collection

• 009. Sensitive information in source code
• 011. Use of software with known vulnerabilities
• 016. Insecure encryption algorithm - SSL/TLS
• 017. Sensitive information sent insecurely
• 019. Administrative credentials stored in cache memory
• 020. Non-encrypted confidential information
• 022. Use of an insecure channel
• 025. Call interception
• 026. User enumeration
• 028. Insecure temporary files
• 030. Sensitive information sent via URL parameters
• 036. ViewState not encrypted
• 037. Technical information leak
• 038. Business information leak
• 040. Exposed web services
• 046. Missing secure obfuscation - APK
• 047. Automatic information enumeration
• 052. Insecure encryption algorithm
• 054. Exposed administrative services
• 059. Sensitive information stored in logs
• 066. Technical information leak - Console functions
• 069. Weak CAPTCHA
• 080. Business information leak - Customers or providers
• 082. Insecurely deleted files
• 085. Sensitive data stored in client-side storage
• 092. Insecure encryption algorithm - Anonymous cipher suites
• 094. Insecure encryption algorithm - Cipher Block Chaining
• 099. Non-encrypted confidential information - S3 Server Side Encryption
• 116. XS-Leaks
• 119. Metadata with sensitive information
• 125. Directory listing
• 133. Insecure encryption algorithm - Perfect Forward Secrecy
• 142. Sensitive information in source code - API Key
• 147. Insecure encryption algorithm - SSLContext
• 148. Use of an insecure channel - FTP
• 149. Use of an insecure channel - SMTP
• 150. Use of an insecure channel - useSslProtocol()
• 151. Use of an insecure channel - Telnet
• 161. Missing secure obfuscation
• 162. Missing secure obfuscation - binary
• 213. Business information leak - JWT
• 214. Business information leak - Credentials
• 215. Business information leak - Repository
• 216. Business information leak - Source Code
• 217. Business information leak - Credit Cards
• 218. Business information leak - Network Unit
• 219. Business information leak - Redis
• 220. Business information leak - Token
• 221. Business information leak - Users
• 222. Business information leak - DB
• 223. Business information leak - JFROG
• 224. Business information leak - AWS
• 225. Business information leak - Azure
• 226. Business information leak - Personal Information
• 227. Business information leak - NAC
• 228. Business information leak - Analytics
• 229. Business information leak - Power BI
• 230. Business information leak - Firestore
• 232. Technical information leak - Angular
• 234. Technical information leak - Stacktrace
• 235. Technical information leak - Headers
• 236. Technical information leak - SourceMap
• 237. Technical information leak - Print Functions
• 238. Technical information leak - API
• 239. Technical information leak - Errors
• 245. Non-encrypted confidential information - Credit Cards
• 246. Non-encrypted confidential information - DB
• 247. Non-encrypted confidential information - AWS
• 248. Non-encrypted confidential information - LDAP
• 249. Non-encrypted confidential information - Credentials
• 250. Non-encrypted hard drives
• 251. Non-encrypted confidential information - JFROG
• 252. Automatic information enumeration - Open ports
• 253. Automatic information enumeration - AWS
• 254. Automatic information enumeration - Credit Cards
• 261. Insecure encryption algorithm - DSA
• 262. Insecure encryption algorithm - SHA1
• 263. Insecure encryption algorithm - MD5
• 264. Insecure encryption algorithm - TripleDES
• 265. Insecure encryption algorithm - AES
• 266. Excessive Privileges - Docker
• 269. Insecure encryption algorithm - Blowfish
• 275. Non-encrypted confidential information - Local data
• 276. Sensitive information sent via URL parameters - Session
• 281. Use of an insecure channel - AWS
• 282. Insecure encryption algorithm - ECB
• 283. Automatic information enumeration - Personal Information
• 284. Non-encrypted confidential information - Base 64
• 289. Technical information leak - Logs
• 290. Technical information leak - IPs
• 291. Business information leak - Financial Information
• 326. Sensitive information in source code - Dependencies
• 331. User Enumeration - Wordpress
• 332. Use of insecure channel - Source code
• 336. Business information leak - Corporate information
• 342. Technical information leak - Alert
• 349. Technical information leak - Credentials
• 351. Automatic information enumeration - Corporate information
• 359. Sensitive information in source code - Credentials
• 367. Sensitive information in source code - Git history
• 372. Use of an insecure channel - HTTP
• 373. Use of an insecure channel - Oracle Database
• 378. Non-encrypted confidential information - Hexadecimal
• 385. Non-encrypted confidential information - Keys
• 406. Non-encrypted confidential information - EFS
• 407. Non-encrypted confidential information - EBS Volumes
• 409. Non-encrypted confidential information - DynamoDB
• 421. Insecure encryption algorithm - Insecure Elliptic Curve
• 427. Use of an insecure channel - Docker
• 433. Non-encrypted confidential information - Redshift Cluster
• 435. Use of software with known vulnerabilities in environments
• 439. Sensitive information in source code - IP
• 441. Non-encrypted confidential information - Azure

Probabilistic Techniques

• 034. Insecure generation of random numbers
• 035. Weak credential policy
• 041. Enabled default credentials
• 050. Guessed weak credentials
• 053. Lack of protection against brute force attacks
• 277. Weak credential policy - Password Expiration
• 296. Weak credential policy - Password Change Limit
• 330. Lack of protection against brute force attacks - Credentials

Protocol Manipulation

• 015. Insecure authentication method - Basic
• 043. Insecure or unset HTTP headers - Content-Security-Policy
• 044. Insecure HTTP methods enabled
• 071. Insecure or unset HTTP headers - Referrer-Policy
• 131. Insecure or unset HTTP headers - Strict Transport Security
• 132. Insecure or unset HTTP headers - X-Content-Type-Options
• 134. Insecure or unset HTTP headers - CORS
• 135. Insecure or unset HTTP headers - X-XSS Protection
• 136. Insecure or unset HTTP headers - Cache Control
• 137. Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
• 152. Insecure or unset HTTP headers - X-Frame Options
• 153. Insecure or unset HTTP headers - Accept
• 329. Insecure or unset HTTP headers - Content-Type
• 388. Insecure authentication method - NTLM
• 397. Insecure authentication method - LDAP
• 440. Insecure or unset HTTP headers - Permissions-Policy

System Manipulation

• 029. Inadequate file size control
• 077. ARP spoofing
• 091. Log injection
• 104. USB flash drive attacks
• 424. Sideloaded

Unexpected Injection

• 001. SQL injection - C Sharp SQL API
• 004. Remote command execution
• 008. Reflected cross-site scripting (XSS)
• 010. Stored cross-site scripting (XSS)
• 012. SQL injection - Java Persistence API
• 021. XPath injection
• 045. HTML code injection
• 063. Lack of data validation - Path Traversal
• 083. XML injection (XXE)
• 089. Lack of data validation - Trust boundary violation
• 090. CSV injection
• 096. Insecure deserialization
• 105. Apache lucene query injection
• 106. NoSQL injection
• 107. LDAP injection
• 112. SQL injection - Java SQL API
• 121. HTTP parameter pollution
• 127. Lack of data validation - Type confusion
• 141. Lack of data validation - URL
• 146. SQL injection
• 154. Time-based SQL Injection
• 155. SQL Injection - Headers
• 184. Lack of data validation
• 185. Lack of data validation - Header x-amzn-RequestId
• 186. Lack of data validation - Web Service
• 187. Lack of data validation - Source Code
• 188. Lack of data validation - Modify DOM Elements
• 189. Lack of data validation - Content Spoofing
• 190. Lack of data validation - Session Cookie
• 191. Lack of data validation - Responses
• 192. Lack of data validation - Reflected Parameters
• 193. Lack of data validation - Host Header Injection
• 194. Lack of data validation - Input Length
• 195. Lack of data validation - Headers
• 196. Lack of data validation - Dates
• 197. Lack of data validation - Numbers
• 198. Lack of data validation - Out of range
• 199. Lack of data validation - Emails
• 274. Restricted fields manipulation
• 297. SQL injection - Code
• 321. Lack of data validation - HTML code
• 323. XML injection (XXE) - Unmarshaller
• 340. Lack of data validation - Special Characters
• 341. Lack of data validation - OTP
• 344. Lack of data validation - Non Sanitized Variables
• 353. Lack of data validation - Token
• 361. Missing secure obfuscation - JavaScript
• 362. Technical information leak - Content response
• 363. Weak credential policy - Password strength
• 364. Weak credential policy - Temporary passwords
• 365. Authentication mechanism absence or evasion - Response tampering
• 371. DOM-Based cross-site scripting (XSS)
• 390. Prototype Pollution
• 422. Server side template injection
• 425. Server side cross-site scripting
• 429. Universal cross-site scripting (UXSS)
• 430. Serverless - one dedicated IAM role per function
• 434. Client-side template injection
• 438. Error-based SQL Injection
• 442. SMTP header injection

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.