Vulnerabilities

Injection

• SQL Injection
  • Classic SQLi
  • Blind SQLi
  • Time-based SQLi
  • Error-based SQLi
• Command Injection
  • OS Command Injection
  • Remote Command Execution (RCE)
  • Server-Side Template Injection (SSTI)
• NoSQL Injection
  • MongoDB Injection
  • Other NoSQL Databases
• LDAP Injection
• XPath Injection

Cross-Site Scripting (XSS)

• Reflected XSS
• Stored XSS
• DOM-based XSS
• Self-XSS

Cross-Site Request Forgery (CSRF)

• Same-Site Cookie Misconfiguration
• Anti-CSRF Token Bypass

Authentication Issues

• Broken Authentication
  • Credential Stuffing
  • Weak Password Policy
  • Exposed Credentials
• Session Fixation
• Missing Multi-Factor Authentication (MFA)

Authorization Issues

• Insecure Direct Object References (IDOR)
• Privilege Escalation
  • Horizontal Privilege Escalation
  • Vertical Privilege Escalation

File Handling Issues

• Local File Inclusion (LFI)
• Remote File Inclusion (RFI)
• Path Traversal
• Unrestricted File Upload
• Directory Listing

Security Misconfigurations

• Missing Security Headers
  • X-Content-Type-Options
  • Content Security Policy (CSP)
  • X-Frame-Options
• Default Credentials
• Directory Indexing Enabled

Cryptographic Issues

• Weak Encryption Algorithms
• Hardcoded Secrets
• Insecure Data Storage
• Padding Oracle Attacks

Information Disclosure

• Error Messages
• Exposed API Keys
• Sensitive Data Exposure
• Source Code Disclosure

Business Logic Issues

• Insecure Workflow
• Improper Input Validation
• Abusing Application Functionality

Server-Side Request Forgery (SSRF)

• Internal Network Scanning
• Data Exfiltration
• Cloud Metadata Extraction

Client-Side Vulnerabilities

• Clickjacking
• DOM Manipulation
• CORS Misconfigurations

Deserialization Issues

• Insecure Deserialization
• Object Injection

Other

• Subdomain Takeover
• HTTP Request Smuggling
• Cache Poisoning
• Race Conditions

---