SQL Injection

SQL Injection

Variants:
Direct Persistent Session 

Also Known As:
Sequel Injection

SSI Injection

Server Side Include Injection

Variants:
Direct 

SSJS Injection

Server Side Javascript Injection

Variants:
Direct Persistent Session 

Also Known As:
NoSQL Injection - deprecated

ASP-JS Injection

ASP Javascript Code Injection

Variants:
Direct Persistent Session 

Also Known As:
ASP Remote Dynamic Code Evaluation

ASP-VBS Injection

ASP VBScript Code Injection

Variants:
Direct Persistent Session 

Also Known As:
ASP Remote Dynamic Code Evaluation

PHP Injection

PHP Code Injection

Variants:
Direct Persistent Session 

Also Known As:
PHP Dynamic Code Evaluation

Java Injection

Java Code Injection

Variants:
Direct Persistent Session 

Also Known As:
JSP Code Injection, ScriptEngine Code Injection, Rhino Code Injection - Variation

Python Injection

Python Code Injection

Variants:
Direct Persistent Session 

Perl Injection

Perl Code Injection

Variants:
Direct Persistent Session 

Ruby Injection

Ruby Code Injection

Variants:
Direct Persistent Session 

PHP Object Injection

PHP Object Injection

Variants:
Direct Persistent Session 

PHP preg_replace Abuse

PHP preg_replace Abuse

Variants:
Direct Persistent Session 

ABAP Injection

ABAP Code Injection

Variants:
Direct Persistent Session 

Also Known As:
ABAP Dynamic Code Evaluation

OS Command Injection

OS Command Injection

Variants:
Direct Persistent Session 

Also Known As:
OS Commanding, Shell Injection

Format String Injection

Format String Injection

Variants:
Direct Persistent Session 

Also Known As:
String Format Overflow

EL Injection

Expression Language Injection

Variants:
Direct Persistent Session 

RoR YAML Injection

RoR YAML Injection

Variants:
Direct 

Also Known As:
RoR Code Execution, Ruby On Rails Code Execution

EL3 Injection

EL3 Injection

Variants:
Direct Persistent Session 

Also Known As:
Lambda Injection

Memcached Injection

Memcached Injection

Variants:
Direct Persistent Session 

HQL Injection

HQL Injection

Variants:
Direct Persistent Session 

Also Known As:
ORM Injection

Mongo NoSQL Injection

Mongo NoSQL Injection 2014 Variant

Variants:
Direct Persistent Session 

LDAP Injection

LDAP Injection

Variants:
Direct Persistent Session 
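An added example for the LDAP Injection entry, not from the original page: a login filter built by string formatting beside one that escapes the assertion value per RFC 4515. The filter shape and the attacker's username are constructed for the demonstration.

```python
# RFC 4515 escapes for characters that carry meaning inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_vulnerable(username: str, password: str) -> str:
    # Vulnerable: parentheses and wildcards in the input restructure the filter.
    return f"(&(uid={username})(userPassword={password}))"


def build_login_filter(username: str, password: str) -> str:
    return (
        f"(&(uid={escape_filter_value(username)})"
        f"(userPassword={escape_filter_value(password)}))"
    )


def demo() -> dict:
    # Constructed attacker input: closes the uid assertion early and appends an
    # always-true clause; many servers evaluate only the first complete filter.
    username = "*)(uid=*))(|(uid=*"
    password = "anything"
    return {
        "vulnerable": build_login_filter_vulnerable(username, password),
        "escaped": build_login_filter(username, password),
    }
```

In the escaped form the metacharacters survive only as `\2a`, `\28` and `\29`, so the server compares them as literal text inside a single uid assertion.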

Escape Sequence Injection

Escape Sequence Injection

Variants:
Direct Persistent Session 

HTTP Request Injection

HTTP Request Injection

Variants:
Direct Persistent Session 

Also Known As:
HRI

Reflection Injection

Reflection Injection

Variants:
Direct Persistent Session 

XQUERY Injection

XQUERY Injection

Variants:
Direct Persistent Session 

XPATH Injection

XPATH Injection

Variants:
Direct Persistent Session 

CSPP

Connection String Parameter Pollution

Variants:
Direct Persistent Session 

Windows DATA ADS

Windows DATA Alternate Data Stream

Variants:
Direct Persistent Session 

Also Known As:
ADS

OGNL Expression Injection

OGNL Expression Injection

Variants:
Direct 

Unsigned Server Control Property Injection

Unsigned Server Side Control Property Injection

Variants:
Direct 

Also Known As:
EoDSeC

SQL Filter Injection

SQL Filter Injection

Variants:
Direct Persistent Session 

Also Known As:
SQL Rowset Injection

Null-Byte Injection

Null Byte Injection

Variants:
Direct Persistent Session 

Also Known As:
Poison Null Byte, Embedding Null Code

SMTP Injection

SMTP Injection

Variants:
Direct Persistent Session 

Also Known As:
MX Injection, Mail Command Injection, Email Injection

IMAP Injection

IMAP Injection

Variants:
Direct Persistent Session 

Also Known As:
MX Injection, Mail Command Injection

POP3 Injection

POP3 Injection

Variants:
Direct Persistent Session 

Also Known As:
POP3 MX Injection

Email Header Injection

Email Header Injection

Variants:
Direct Persistent Session 

HTTP Request Header Injection

HTTP Request Header Injection

Variants:
Direct Persistent Session 

XML Injection

XML Injection

Variants:
Direct Persistent Session 

Special Element Injection

Special Element Injection

Variants:
Direct Persistent Session 

Also Known As:
Parameter Delimiter Injection

XCS

Cross Context Scripting

Variants:
Direct Persistent Session 

XSS

Cross Site Scripting

Variants:
Direct Persistent Multiphase Session 

DOM XSS

DOM Cross Site Scripting

Variants:
Direct 

Also Known As:
DXSS

Flash XSS

Cross Site Scripting using Flash

Variants:
Direct 

Also Known As:
Flash Injection

Flash Parameter Injection

Flash Parameter Injection

Variants:
Direct 

Also Known As:
FPI, Flash Injection

XSF

Cross Site Flashing

Variants:
Direct 

Also Known As:
Flash Injection

RFD

Reflected File Download

Variants:
Direct Persistent Multiphase Session 

Also Known As:
Malicious File Download

Unvalidated Redirect

Unvalidated Redirect

Variants:
Direct Persistent Multiphase Session 

Also Known As:
Open Redirect, External Redirect, Phishing via Redirect, URL Redirector Abuse
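An added example for the Unvalidated Redirect entry, not from the original page: a redirect-target check that survives the scheme-relative, backslash, credential-prefix and non-HTTP-scheme bypasses. The allowed host name used in the comments is an assumption.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_hosts=frozenset()) -> bool:
    """Accept a same-site absolute path or an absolute URL whose host is on
    the allow list; reject everything else."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False
    # Browsers treat a backslash in the authority position as a slash, so
    # "/\evil.example" and "\\evil.example" are really "//evil.example".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript: and friends
    if not parts.scheme and not parts.netloc:
        # Relative reference. urlsplit reports "//host" through netloc, so
        # only paths rooted at our own site reach this branch.
        return candidate.startswith("/") and not candidate.startswith("//")
    # "https://www.example.com@evil.example/" parses with hostname evil.example,
    # which is exactly why the host must be taken from the parsed URL and not
    # from a prefix comparison on the raw string.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def classify(targets, allowed_hosts=frozenset()) -> dict:
    return {t: is_safe_redirect(t, allowed_hosts) for t in targets}
```

Whitelisting a host is not the same as whitelisting a string prefix: `https://www.example.com.evil.example/` fails the host check even though it starts with the trusted name.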

HTTP Response Splitting

HTTP Response Splitting

Variants:
Direct Persistent Session 

Also Known As:
HTTP Response Header Injection, CRLF Injection

HTTP Response Smuggling

HTTP Response Smuggling

Variants:
Direct 

Log Forging

Log Forging

Variants:
Direct Persistent Session 

Also Known As:
Log Injection, Log Spoofing, Web Logs Tampering
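An added example serving the Email Header Injection, HTTP Response Splitting and Log Forging entries, not from the original page: all three come down to an unchecked line break, so one block shows a header setter that rejects CR/LF, a minimal serializer that exposes what the naive version puts on the wire, and a log-field encoder. The redirect target, cookie name and log line are constructed for the demonstration.

```python
import re

_LINE_BREAK = re.compile(r"[\r\n]")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    pass


def add_header_naive(headers: list, name: str, value: str) -> None:
    # Vulnerable: the value goes into the header block unchecked.
    headers.append((name, value))


def add_header(headers: list, name: str, value: str) -> None:
    """Reject, rather than silently strip, CR or LF in a header name or value.
    The same rule covers mail headers: a Subject or From carrying
    '\\r\\nBcc: ...' adds recipients when handed to an SMTP library."""
    if _LINE_BREAK.search(name) or _LINE_BREAK.search(value):
        raise HeaderInjectionError(f"line break in header {name!r}")
    headers.append((name, value))


def serialize(status_line: str, headers: list, body: bytes = b"") -> bytes:
    """Emit an HTTP/1.1 head the way a minimal server would."""
    head = "".join(f"{n}: {v}\r\n" for n, v in headers)
    return f"{status_line}\r\n{head}\r\n".encode() + body


def log_safe(value: str) -> str:
    """Escape control characters so a value cannot start a fresh log line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def demo() -> dict:
    # Constructed attacker input: a URL-decoded 'next' parameter that ends the
    # Location header and appends a header of the attacker's choosing.
    target = "/home\r\nSet-Cookie: session=attacker-chosen"
    naive = []
    add_header_naive(naive, "Location", target)
    wire = serialize("HTTP/1.1 302 Found", naive)
    try:
        strict = []
        add_header(strict, "Location", target)
        blocked = False
    except HeaderInjectionError:
        blocked = True
    # Constructed forged username that would read as a second, successful login.
    username = "alice\nINFO login succeeded user=admin"
    return {
        "injected_header_on_wire": b"\r\nSet-Cookie: session=attacker-chosen\r\n" in wire,
        "blocked_by_check": blocked,
        "log_line": "WARN login failed user=" + log_safe(username),
    }
```

Rejecting is preferable to stripping: a stripped value still reaches the header with attacker-controlled content, and the rejection is itself worth logging.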

WebView Injection

WebView Injection

Variants:
Direct 

Unvalidated Forward

Unvalidated Forward

Variants:
Direct Persistent Multiphase Session 

Content Spoofing

Content Spoofing

Variants:
Direct Persistent Session 

Also Known As:
Content Injection

JSON Hijacking

JSON Hijacking

Variants:
Direct 

Also Known As:
Javascript Hijacking

XSSI

Cross Site Script Inclusion

Variants:
Direct 

CSRF

Cross Site Request Forgery

Variants:
Direct 

Also Known As:
XSRF, Session Riding

Dynamic Ajax CSRF

Dynamic Ajax CSRF

Variants:
Direct 

SDRF

Same Domain Request Forgery

Variants:
Direct 

Clickjacking

Clickjacking

Variants:
Direct 

Also Known As:
UI Redressing

CSWSH

Cross Site WebSocket Hijacking

Variants:
Direct 

Frame Spoofing

Frame Spoofing

Variants:
Direct 

PHP Remote File Inclusion

PHP Remote File Inclusion

Variants:
Direct Persistent Session 

Also Known As:
Malicious File Execution

JSP Remote File Inclusion

JSP Remote File Inclusion

Variants:
Direct Persistent Session 

Client-Controlled Price Manipulation

Client Controlled Price Manipulation

Variants:
Direct Persistent Session 

Also Known As:
Web Parameter Tampering, eShoplifting

Client-Controlled User Identifier Manipulation

Client Controlled User Identifier Manipulation

Variants:
Direct Persistent Session 

Also Known As:
User Impersonation via Parameter Tampering

Client-Controlled Privilege Manipulation

Client Controlled Privilege Manipulation

Variants:
Direct Persistent Session 

Also Known As:
Client-Controlled Role Manipulation, Authorization Bypass via Parameter Tampering

Remote XSL Inclusion

Remote XSLT Inclusion

Variants:
Direct Persistent Session 

Also Known As:
XSL Remote File Inclusion, XSLT Injection, XSLT Transform Injection

Perl Remote File Inclusion

Perl Remote File Inclusion

Variants:
Direct Persistent Session 

Path Traversal

Path Traversal

Variants:
Direct Persistent Session 

Also Known As:
Directory Traversal, Relative Path Traversal

Path Manipulation

Path Manipulation

Variants:
Direct Persistent Session 

Also Known As:
Absolute Path Traversal

PHP Local File Inclusion

PHP Local File Inclusion

Variants:
Direct Persistent Session 

JSP Local File Inclusion

JSP Local File Inclusion

Variants:
Direct Persistent Session 

XSS via Remote File Inclusion

XSS and Phishing via Remote File Inclusion

Variants:
Direct Persistent Session 

Also Known As:
Remote File Inclusion, Phishing via Remote File Inclusion

MVC Mass Assignment

MVC Mass Assignment

Variants:
Direct 

Also Known As:
Insecure Object Mapping

XXE

XML External Entity Processing

Variants:
Direct 

Also Known As:
XML DTD External Entity Attack, XML DTD Injection

Server Control Signed Property Override

Server Side Control Signed Property Override

Variants:
Direct 

Also Known As:
Control Property Override via Cache Reuse

Insecure Direct Object Reference

Insecure Direct Object Reference

Variants:
Direct Persistent Session 

Also Known As:
Insufficient Authorization, Authorization Bypass Through User-Controlled Key, Resource Injection

Client-Controlled Sum Abuse

Client Controlled Sum Abuse

Variants:
Direct Persistent Session 

Also Known As:
Web Parameter Tampering

Client-Controlled Quantity Manipulation

Client Controlled Quantity Manipulation

Variants:
Direct Persistent Session 

Also Known As:
Web Parameter Tampering

Client-Controlled Authentication Status Manipulation

Client Controlled Authentication Status Manipulation

Variants:
Direct Session 

Also Known As:
Authentication Bypass via Parameter Tampering

Client-Controlled Multiphase Process State Flags Manipulation

Client Controlled Multiphase Process State Flags Manipulation

Variants:
Direct Persistent Session 

Also Known As:
Flow Bypass via Parameter Tampering

Client-Controlled Configuration Setting Manipulation

Client Controlled Configuration Setting Manipulation

Variants:
Direct Session 

Also Known As:
Setting Manipulation

Authentication Bypass via Alternative IP Access

Authentication Bypass via Alternative IP Access

Variants:
Direct 

Also Known As:
Alternative IP Address Encodings

Authentication Bypass using an Alternate Path or Channel

Authentication Bypass using an Alternate Path or Channel

Variants:
Direct 

Also Known As:
Authentication Bypass by Alternate Name

Generic Business Logic Attack

Generic Business Logic Attack

Variants:
Direct 

Generic Session Poisoning Attack

Generic Session Poisoning Attack

Variants:
Direct 

Also Known As:
Session Poisoning, Session Data Pollution

Perl Local File Inclusion

Perl Local File Inclusion

Variants:
Direct Persistent Session 

ABAP Process Control

ABAP Process Control

Variants:
Direct Session 

Also Known As:
Process Control, Dynamic Calls, Call Injection

Execution of Unsigned Dormant Server Controls

Execution of Unsigned Dormant Server Controls

Variants:
Direct 

Also Known As:
EoDSeC

Execution of Signed Dormant Server Controls via Cache Reuse

Execution of Signed Dormant Server Controls via Cache Reuse

Variants:
Direct 

Also Known As:
EoDSeC

Recovery Destination Manipulation via Parameter Tampering

Password Recovery Destination Manipulation via Parameter Tampering

Variants:
Direct 

Client Controlled Action Type Manipulation via Parameter Tampering

Client Controlled Action Type Manipulation via Parameter Tampering

Variants:
Direct Session 

XML Signature - Key Retrieval XSA

XML Signature - Key Retrieval Cross Site Attack

Variants:
Direct 

XML Routing Detour

XML Routing Detour

Variants:
Direct 

Reverse Proxy Bypass

Reverse Proxy Bypass

Variants:
Direct 

SSRF

Server Side Request Forgery

Variants:
Direct Persistent Session 

Also Known As:
Resource Injection
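An added example serving the Authentication Bypass via Alternative IP Access entry and the SSRF entry above, not from the original page: a decoder for the shorthand, hex, octal and plain-integer IPv4 forms that inet_aton() and many HTTP clients accept, next to the strict parser a validator typically uses. The gap between the two is the bypass. The addresses tested are constructed for the demonstration; the decoder approximates BSD inet_aton() rules and is an assumption about how the target client parses.

```python
import ipaddress
import re


class AddressError(ValueError):
    pass


def _legacy_component(token: str) -> int:
    # Approximates inet_aton(): 0x.. is hex, a leading 0 is octal, else decimal.
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", token):
        return int(token, 16)
    if re.fullmatch(r"0[0-7]+", token):
        return int(token, 8)
    if re.fullmatch(r"[0-9]+", token):
        return int(token, 10)
    raise AddressError(f"not an IPv4 literal component: {token!r}")


def legacy_inet_aton(text: str) -> ipaddress.IPv4Address:
    """Decode a.b.c.d, a.b.c, a.b and plain-integer forms; the last component
    fills all remaining bytes, so "127.1" is 127.0.0.1."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise AddressError("wrong number of components")
    values = [_legacy_component(p) for p in parts]
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head):
        raise AddressError("leading component out of range")
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        raise AddressError("trailing component out of range")
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * remaining)) | last
    return ipaddress.IPv4Address(number)


def decode(text: str):
    """Dotted quad a permissive client would connect to, or None if not a literal."""
    try:
        return str(legacy_inet_aton(text))
    except AddressError:
        return None


def strict_parse(text: str):
    """What a strict validator sees: None for any non-canonical spelling."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def is_internal(text: str) -> bool:
    """Deny-list check on the permissively decoded address, not the raw string."""
    addr = decode(text)
    return addr is not None and not ipaddress.ip_address(addr).is_global
```

A validator that runs `ipaddress.ip_address()` on the string, sees a ValueError, and lets the value through as "a hostname" will pass `127.1`, `0x7f.1` and `2130706433` to a client that connects to loopback; decode first, then apply the deny list to the result.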

HTTP Request Smuggling

HTTP Request Smuggling

Variants:
Direct 

Also Known As:
HTTP Request Splitting

Client-Controlled Lock Counter Manipulation

Client Controlled Lock Counter Manipulation

Variants:
Direct 

Also Known As:
Account-Lock Bypass via Parameter Tampering

Client-Controlled Lock Flag Manipulation

Client Controlled Lock Flag Manipulation

Variants:
Direct 

Also Known As:
Account-Lock Bypass via Parameter Tampering

XML Schema Poisoning

XML Schema Poisoning

Variants:
Direct 

Also Known As:
WSDL Metadata Spoofing

Generic Session Puzzling Attack

Generic Session Puzzling Attack

Variants:
Direct 

Authentication Bypass via Forced Browsing

Authentication Bypass via Forced Access

Variants:
Direct 

Also Known As:
Improper Authentication, Authentication Abuse

Authorization Bypass via Forced Browsing

Authorization Bypass via Forced Browsing

Variants:
Direct 

Also Known As:
Improper Authorization, Privilege Abuse

Multiphase Process Bypass via Forced Browsing

Multiphase Process Bypass via Forced Browsing

Variants:
Direct 

Also Known As:
Flow Bypass, Insufficient Process Validation

Authentication Bypass via HTTP Verb Tampering

Authentication Bypass via HTTP Verb Tampering

Variants:
Direct 

Authorization Bypass via HTTP Verb Tampering

Authorization Bypass via HTTP Verb Tampering

Variants:
Direct 

Authentication Bypass via Session Puzzling

Authentication Bypass via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading, Session Poisoning

User Impersonation via Session Puzzling

User Impersonation via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading, Session Poisoning

Privilege Elevation via Session Puzzling

Privilege Elevation via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading, Session Poisoning

Multiphase Process Bypass via Session Puzzling

Multiphase Process Bypass via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading

Password Recovery Destination Manipulation via Session Puzzling

Password Recovery Destination Manipulation via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading

Execution of Unvalidated Dormant Server Controls

Execution of Unvalidated Dormant Server Controls

Variants:
Direct 

Also Known As:
EoDSeC

Execution of Dormant Server Controls in Unprotected Callbacks

Execution of Dormant Server Controls in Unprotected Callbacks

Variants:
Direct 

Also Known As:
EoDSeC

Unauthorized Administrative Interface Access

Unauthorized Administrative Interface Access

Variants:
Direct 

Also Known As:
Admin Interface Exposed to the Internet

Execution After Redirect

Execution After Redirect

Variants:
Direct 

Also Known As:
EAR

SOAPAction Spoofing

SOAPAction Spoofing

Variants:
Direct 

Unauthorized WebSocket Access

Unauthorized WebSocket Access

Variants:
Direct 

Source Code Disclosure via Accessible Folder

Source Code Disclosure via Accessible Source Code Folder

Variants:
Direct 

Also Known As:
WEB-INF Directory Information Disclosure, bin Directory Information Disclosure

Enumeration of Obsolete and Unreferenced Files

Enumeration of Obsolete and Unreferenced Files

Variants:
Direct 

Also Known As:
Old, Backup and Unreferenced Files

Predictable Resource Location Enumeration

Predictable Resource Location Enumeration

Variants:
Direct 

Secret Argument Modification

Secret Argument Injection

Variants:
Direct 

Also Known As:
Secret Parameter, Argument Injection, Application Backdoor

HTTP MKCOL Method Abuse

HTTP WebDAV MKCOL Method Abuse

Variants:
Direct 

SQL Execution

SQL Syntax Execution

Variants:
Direct Session 

Malicious File Upload

Malicious File Upload

Variants:
Direct 

Also Known As:
Unrestricted File Upload, Malicious File Execution

Remote Binary Planting

Remote Binary Planting

Variants:
Direct 

Also Known As:
DLL Search Order Hijacking, Windows Insecure Library Loading

HTTP PUT Attack

HTTP PUT Method Abuse

Variants:
Direct 

HTTP OPTIONS Information Disclosure

HTTP OPTIONS Method Information Disclosure

Variants:
Direct 

PHP Uploaded File Variables Abuse

PHP Uploaded File Variables Abuse

Variants:
Direct 

SQL Sorting

SQL Sorting

Variants:
Direct 
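An added example for the SQL Sorting entry, not from the original page: an ORDER BY column is an identifier, so it cannot be bound as a parameter the way a value can, and the fix is an allow list that maps client-facing sort keys onto fixed column names. The product table, the secondary table and the probe expression are constructed for the demonstration.

```python
import sqlite3

# Client-facing key -> column name. Nothing outside this map reaches the query.
SORTABLE_COLUMNS = {"name": "name", "price": "price", "created": "created_at"}


def build_listing_query(sort_key: str, descending: bool = False) -> str:
    try:
        column = SORTABLE_COLUMNS[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort key {sort_key!r}") from None
    direction = "DESC" if descending else "ASC"
    return f'SELECT name, price FROM products ORDER BY "{column}" {direction}'


def build_listing_query_vulnerable(sort_param: str) -> str:
    # Vulnerable: the client's string is used directly as the ORDER BY expression.
    return f"SELECT name, price FROM products ORDER BY {sort_param}"


def list_products(conn: sqlite3.Connection, sort_key: str, descending: bool = False):
    return [r[0] for r in conn.execute(build_listing_query(sort_key, descending))]


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, created_at TEXT)")
    conn.execute("CREATE TABLE secrets (value TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("mug", 9.5, "2014-01-02"), ("pen", 1.2, "2014-03-01"), ("bag", 30.0, "2014-02-10")],
    )
    conn.execute("INSERT INTO secrets VALUES ('s3cr3t')")
    # Constructed probe: the row order now depends on a condition over another
    # table, so the attacker reads the secret one character at a time from
    # which ordering comes back (boolean inference through ORDER BY).
    probe = ("(CASE WHEN (SELECT substr(value,1,1) FROM secrets)='s' "
             "THEN price ELSE name END)")
    probe_order = [r[0] for r in conn.execute(build_listing_query_vulnerable(probe))]
    try:
        list_products(conn, probe)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "by_price": list_products(conn, "price"),
        "by_created_desc": list_products(conn, "created", descending=True),
        "probe_order": probe_order,
        "probe_rejected": rejected,
    }
```

Because price order and name order differ here, the probe's answer leaks the first character of the secret; the allow-listed builder never sees the expression at all.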

Generic User Account Privilege Abuse

Generic User Account Privilege Abuse

Variants:
Direct 

Also Known As:
Privilege Escalation

HTTP DELETE Attack

HTTP DELETE Method Abuse

Variants:
Direct 

HTTP COPY Method Abuse

HTTP WebDAV COPY Method Abuse

Variants:
Direct 

HTTP MOVE Method Abuse

HTTP WebDAV MOVE Method Abuse

Variants:
Direct 

SpoofedMe

User Impersonation via Social Login Design Flaw

Variants:
Direct 

Subdomain Takeover via Abuse of Subdomain Claims

Subdomain Takeover via Abuse of Domain Service Provider Subdomain Claims

Variants:
Direct 

Unrestricted File Upload

Unrestricted File Upload

Variants:
Direct 

Account Lockout Abuse

Account Lockout Abuse

Variants:
Direct 

Also Known As:
Account Lockout Attack, Overly Restrictive Account Lockout Policy, Inducing Account Lockout

Session Fixation

Session Fixation

Variants:
Direct Persistent 

HTTP PROPPATCH Method Abuse

HTTP WebDAV PROPPATCH Method Abuse

Variants:
Direct 

HTTP MKDIR Method Abuse

HTTP MKDIR Method Abuse

Variants:
Direct 

HTTP PROPFIND Method Abuse

HTTP WebDAV PROPFIND Method Abuse

Variants:
Direct 

HTTP SEARCH Method Abuse

HTTP WebDAV SEARCH Method Abuse

Variants:
Direct 

Logging of Excessive Data

Logging of Excessive Data

Variants:
Direct 

XST

Cross Site Tracing

Variants:
Direct 

Also Known As:
HTTP TRACE-TRACK Abuse, TRACE header reflection

HTTP CONNECT Method Abuse

HTTP CONNECT Method Abuse

Variants:
Direct 

Also Known As:
Proxy Abuse

HTTP LOCK Method Abuse

HTTP WebDAV LOCK Method Abuse

Variants:
Direct 

HTTP UNLOCK Method Abuse

HTTP WebDAV UNLOCK Method Abuse

Variants:
Direct 

Buffer Overflow

Buffer Overflow via Malicious Input

Variants:
Direct Persistent Session 

Also Known As:
Stack Overflow, Heap Overflow

Buffer Overflow against Custom Browser Controls

Buffer Overflow via Client Extension Initialization Params

Variants:
Direct 

Also Known As:
Overflow Variables and Tags

Use After Free

Use After Free

Variants:
Direct 

SOAP Array Overflow

SOAP Array Overflow

Variants:
Direct 

Also Known As:
SOAP Array Attack

User Controlled Memory Pointer Reference

User Controlled Memory Pointer Reference

Variants:
Direct 

Double Free

Double Free

Variants:
Direct 

Memory Leak

Memory Leak

Variants:
Direct 

Null Dereference

Null Dereference

Variants:
Direct 

Expired Pointer Dereference

Expired Pointer Dereference

Variants:
Direct 

Buffer Underwrite

Buffer Underwrite

Variants:
Direct 

Integer Overflow

Integer Overflow

Variants:
Direct 

POODLE

Padding Oracle On Downgraded Legacy Encryption

Variants:
Direct 

Predictable Session Identifier Abuse

Predictable Session Identifier Abuse

Variants:
Direct 

Also Known As:
Predictable Session ID, Session Prediction, Session Credential Falsification

Padding Oracle

Padding Oracle

Variants:
Direct 

Also Known As:
Padding Oracle Crypto Attack

BEAST

Browser Exploit Against SSL/TLS

Variants:
Direct 

Also Known As:
BEAST Attack

BREACH

Browser Reconnaissance Exfiltration via Adaptive Compression of Hypertext

Variants:
Direct 

Also Known As:
BREACH Attack

HPP

HTTP Parameter Pollution

Variants:
Direct 

Also Known As:
Improper Handling of Extra Parameters

CAPTCHA Re-Riding

CAPTCHA Re-Riding

Variants:
Direct 

Also Known As:
CAPTCHA Accumulation

Client-side CAPTCHA Logic Abuse

Client-side CAPTCHA Logic Abuse

Variants:
Direct 

Also Known As:
Client-side storage and hidden fields, Client-side CAPTCHA Verification

Chosen CAPTCHA Text Abuse

Chosen CAPTCHA Text Abuse

Variants:
Direct 

Also Known As:
Client-generated CAPTCHA, The Chosen CAPTCHA Text attack

Arithmetic CAPTCHA Abuse

Arithmetic CAPTCHA Abuse

Variants:
Direct 

Also Known As:
Arithmetic CAPTCHA

Chosen CAPTCHA Identifier Abuse

Chosen CAPTCHA Identifier Abuse

Variants:
Direct 

Also Known As:
Chosen CAPTCHA Identifier

CAPTCHA Rainbow Tables

CAPTCHA Rainbow Tables

Variants:
Direct 

CAPTCHA Fixation

CAPTCHA Fixation

Variants:
Direct 

In-Session CAPTCHA Brute-forcing

In-Session CAPTCHA Brute-forcing

Variants:
Direct 

OCR-assisted CAPTCHA Brute-forcing

OCR-assisted CAPTCHA Brute-forcing

Variants:
Direct 

Also Known As:
Weak CAPTCHA

Limited CAPTCHA Repository Abuse

Limited CAPTCHA Repository Abuse

Variants:
Direct 

Also Known As:
Limited Set CAPTCHAs

CAPTCHA Clipping

CAPTCHA Clipping

Variants:
Direct 

Also Known As:
Impersonating CAPTCHA Providers

Missing CAPTCHA Abuse

Missing CAPTCHA Abuse

Variants:
Direct 

Also Known As:
Excessive Feature Abuse, Missing CAPTCHA

Missing Account Lockout Abuse

Missing Account Lockout Abuse

Variants:
Direct 

Session Stored Lockout Flags Abuse

Session Stored Lockout Flags Abuse

Variants:
Direct 

Session Stored Lockout Counter Abuse

Session Stored Lockout Counter Abuse

Variants:
Direct 

Insecure Password Recovery Initiation Destination

Insecure Password Recovery Process Abuse

Variants:
Direct 

Also Known As:
Weak Password Recovery, Insufficient Password Recovery, Insecure Password Recovery Process

Weak Recovery Answer Enumeration

Weak Recovery Answer Enumeration

Variants:
Direct 

Also Known As:
Unrestricted Recovery Question Answer Attempts Abuse

SSL Renegotiation

SSL Renegotiation

Variants:
Direct 

SSL Version Rollback

SSL Version Rollback

Variants:
Direct 

Also Known As:
Cipher Suite Rollback

CRIME

Compression Ratio Info-leak Made Easy

Variants:
Direct 

Also Known As:
CRIME Attack

TIME

Timing Info-leak Made Easy

Variants:
Direct 

Also Known As:
TIME Attack

RC4 Attack

RC4 TLS Attack

Variants:
Direct 

Lucky 13

Lucky 13 Attack

Variants:
Direct 

Also Known As:
Lucky Thirteen

SSL CCS MITM

OpenSSL Change Cipher Spec MITM Injection

Variants:
Direct 

Also Known As:
CCS Injection

Weak Cipher Brute Forcing

Encryption Brute Forcing

Variants:
Direct 

Also Known As:
Weak Cipher Support

Weak SSL Key-Pair Brute Forcing

Weak X.509 Asymmetric SSL Key-Pair

Variants:
Direct 

Also Known As:
Insecure Transport Layer Protection

Insecure SSL Protocol Support

Insecure SSL Protocol Support

Variants:
Direct 

Weak Initial Password Generation

Weak Default Password Generation

Variants:
Direct 

Weak Recovery Question Selection

Weak Password Recovery Question Selection

Variants:
Direct 

Predictable Password Recovery Token Enumeration

Predictable Password Recovery Initiation Challenge

Variants:
Direct 

Predictable Anti-CSRF Token Abuse

Predictable Anti-CSRF Token Abuse

Variants:
Direct 

Anti-CSRF Verification Bypass

Anti-CSRF Verification Bypass

Variants:
Direct 

XML Signature Wrapping

XML Rewriting

Variants:
Direct 

Hash Length Extension

Hash Length Extension Attack

Variants:
Direct 

Also Known As:
Signature Forgery, Hash Function Extension

Weak Lockout Policy Abuse

Weak Lockout Policy Abuse

Variants:
Direct 

Also Known As:
Weak Account Lockout

Insufficient Logging Abuse

Insufficient Logging Abuse

Variants:
Direct 

Also Known As:
Insufficient Logging

Log Repudiation Attack

Log Repudiation Attack

Variants:
Direct 

Also Known As:
Repudiation Attack

Inadequate Storage Encryption Key Strength

Inadequate Storage Encryption Key Strength

Variants:
Direct 

Also Known As:
Weak Encryption, Insecure Encryption Key Length, Insecure Encryption Attributes

Insecure Storage Cryptographic Algorithm

Insecure Storage Cryptographic Algorithm

Variants:
Direct 

Insecure Credential Hashing Algorithm

Weak Credential Hashing Algorithm

Variants:
Direct 

Also Known As:
Reversible One-Way Hash, Insecure Storage, Weak Cryptographic Hash

Unsalted Hash

Unsalted Hash

Variants:
Direct 
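An added example serving the Insecure Credential Hashing Algorithm and Unsalted Hash entries, not from the original page: an unsalted fast hash cracked with one precomputed table for every user at once, beside per-user salted PBKDF2-HMAC-SHA256 with constant-time verification. The user records, the wordlist and the iteration counts are constructed for the demonstration (the demo lowers iterations for speed; pick the production count for your hardware).

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed production work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Self-describing record: algorithm, cost, per-user salt, digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_md5(password: str) -> str:
    # The weak scheme: fast, unsalted, identical output for identical input.
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> dict:
    """One table lookup per user: the precomputation is paid once per word,
    never per user, and every user sharing a password falls together."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {user: table.get(h) for user, h in stored.items()}


def demo() -> dict:
    users = {"alice": "Summer2014", "bob": "Summer2014", "carol": "x7!q#Lp9zR"}
    wordlist = ["password", "Summer2014", "letmein"]      # constructed
    unsalted = {u: unsalted_md5(p) for u, p in users.items()}
    salted = {u: hash_password(p, iterations=20_000) for u, p in users.items()}
    return {
        "cracked": crack_unsalted(unsalted, wordlist),
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"] == salted["bob"],
        "verify_ok": verify_password("Summer2014", salted["alice"]),
        "verify_bad": verify_password("Summer2015", salted["alice"]),
    }
```

With a salt the attacker has to redo the whole wordlist per user, and with a slow KDF each of those attempts costs the configured work factor; the stored record carries its own parameters so the cost can be raised later without a migration flag.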

Missing Required Cryptographic Step

Missing Required Cryptographic Step

Variants:
Direct 

Ineffective Session Termination

Ineffective Session Termination

Variants:
Direct 

Also Known As:
Ineffective Logout

Unrestricted Recovery Initiation

Unrestricted Password Recovery Initiation Attempts Abuse

Variants:
Direct 

Also Known As:
Unlimited Password Recovery Initiation

Persistent Password Recovery Token

Persistent Password Recovery Token

Variants:
Direct 

Also Known As:
Ineffective Password Recovery Process Termination

Incomplete Session Termination in SSO

Incomplete Session Termination in SSO

Variants:
Direct 

Persistent Session Lifespan

Persistent Session Lifespan

Variants:
Direct 

Insufficient Logout Visibility

Insufficient Logout Visibility

Variants:
Direct 

Insufficient Session Expiration

Insufficient Session Expiration

Variants:
Direct 

TOCTTOU Transaction Race Condition

Time of Check to Time of Use Transaction Race Condition

Variants:
Direct 

Also Known As:
TOCTTOU

Context Switching Race Condition

Context Switching Race Condition

Variants:
Direct 

TOCTTOU File Access Race Condition

Time of Check to Time of Use File Access Race Condition

Variants:
Direct 

Also Known As:
TOCTTOU, Race Condition

Member Field Race Condition

Exposure of Data Element to Wrong Session via Data Race Condition

Variants:
Direct 

Also Known As:
Exposure of Data Element to Wrong Session, Singleton Member Field Race Condition, Shared Field Race Condition, Static Field Race Condition

Temporal Session Race Conditions

Temporal Session Race Conditions via Line Targeted ADoS

Variants:
Direct 

Single Handler Race Condition

Single Handler Race Condition

Variants:
Direct 

Switch-Case Race Condition

Switch-Case Race Condition

Variants:
Direct 

Alternate Channel Race Condition

Alternate Channel Race Condition

Variants:
Direct 

Permission Race Condition During Resource Copy

Permission Race Condition During Resource Copy

Variants:
Direct 

Link Following Race Condition

Link Following Race Condition

Variants:
Direct 

Generic Race Condition within a Thread

Generic Race Condition within a Thread

Variants:
Direct 

Cross-Domain Search Timing

Cross-Domain Search Timing

Variants:
Direct 

Also Known As:
Pixel Perfect Timing Attacks

Username Enumeration in Login

Credentials Enumeration in Login

Variants:
Direct 

Also Known As:
Email Enumeration in Login

Username Enumeration in Password Recovery

Credentials Enumeration in Password Recovery

Variants:
Direct 

Also Known As:
Email Enumeration in Password Recovery

Username Enumeration in Registration

Credentials Enumeration in Registration

Variants:
Direct 

Also Known As:
Email Enumeration in Registration

Generic Username Enumeration

Generic Credential Enumeration

Variants:
Direct 

Also Known As:
Generic Email Enumeration

Password Brute Forcing

Password Brute Forcing

Variants:
Direct 

Also Known As:
Weak Password Policy

Weak Password Policy

Weak Password Policy

Variants:
Direct 

Remote Timing Attack

Remote Timing Attack

Variants:
Direct 

Also Known As:
Cache-timing Attack - Cryptography Variant, Remote side channel attack

Dir and File Brute Forcing

Directory and File Brute Forcing

Variants:
Direct 

Also Known As:
Informative 404 Messages, Web-based Directory Enumeration

Forced Deadlock

Forced Deadlock

Variants:
Direct 

Also Known As:
Unrestricted Externally Accessible Lock

Web Server Thread Occupation

Web Server Thread Pool Occupation

Variants:
Direct 

Also Known As:
Slowloris DoS Attack, RUDY Attack

HTTP Fragmentation Attack

HTTP Fragmentation Attack

Variants:
Direct 

Also Known As:
RUDY Attack, R U Dead Yet Attack

THC-SSL-DoS

THC SSL Denial of Service

Variants:
Direct 

XML Bomb

XML Bomb

Variants:
Direct 

Also Known As:
Billion Laughs Attack, XML Quadratic Blowup - Variation
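An added example serving the XXE entry and the XML Bomb entry, not from the original page: a pre-parse inspection of the internal DTD subset that flags external entity declarations and estimates the fully expanded size of each internal entity before a real parser is allowed to see the document. The sample documents, limits and entity names are constructed for the demonstration; the regular expressions cover the common declaration forms, not the full XML grammar.

```python
import re

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(?P<name>[^\s%]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)\b[^>]*|\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')\s*>",
    re.S,
)
_REF_RE = re.compile(r"&([^;&\s]+);")


class DtdRejected(ValueError):
    pass


def inspect_dtd(xml_text: str, max_expansion: int = 10_000, max_depth: int = 8):
    """Return (has_external_entity, largest_expansion_in_bytes), or raise
    DtdRejected when an entity expands past max_expansion bytes, nests past
    max_depth, or refers to itself."""
    m = _DOCTYPE_RE.search(xml_text)
    if m is None:
        return False, 0
    entities, has_external = {}, False
    for e in _ENTITY_RE.finditer(m.group(1) or ""):
        if e.group("ext"):
            has_external = True
        else:
            entities[e.group("name")] = e.group("dq") if e.group("dq") is not None else e.group("sq")
    sizes = {}

    def size_of(name, depth, stack):
        if name in stack:
            raise DtdRejected(f"entity {name!r} refers to itself")
        if depth > max_depth:
            raise DtdRejected(f"entity {name!r} nests deeper than {max_depth}")
        if name in sizes:
            return sizes[name]
        body = entities.get(name)
        if body is None:
            return len(name) + 2          # predefined or undeclared: stays literal
        total = len(_REF_RE.sub("", body))
        for ref in _REF_RE.findall(body):
            total += size_of(ref, depth + 1, stack | {name})
            if total > max_expansion:
                raise DtdRejected(f"entity {name!r} expands past {max_expansion} bytes")
        sizes[name] = total
        return total

    largest = max((size_of(n, 0, frozenset()) for n in entities), default=0)
    return has_external, largest


def verdict(xml_text: str):
    """('ok', largest_expansion), ('external', None) or ('rejected', reason)."""
    try:
        external, largest = inspect_dtd(xml_text)
    except DtdRejected as exc:
        return ("rejected", str(exc))
    if external:
        return ("external", None)
    return ("ok", largest)


# Constructed sample documents.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>"""
XXE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""
CYCLE = '<!DOCTYPE a [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><a>&a;</a>'
BENIGN = '<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]><note>&company;</note>'
NO_DTD = "<a>1</a>"
```

The estimate is computed from the declarations alone, so the quadratic and exponential variants are caught at the same cost; in production the simpler policy of refusing any DOCTYPE at the parser (or using a hardened parser) is preferable, and this inspection is the check to run when a DTD must be accepted.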

ReDoS

Regular Expression DoS

Variants:
Direct 

Also Known As:
RegEx DoS

Database Connection Pool Consumption

Database Connection Pool Consumption

Variants:
Direct 

Also Known As:
Insufficient Resource Pool

Floating Point DoS

Floating Point DoS

Variants:
Direct 

Also Known As:
Magic Number DoS, PHP 2.2250738585072011e-308 Vulnerability, Java Numeric DoS, Mark-of-the-Beast

Hash Collision DoS

Hash Flooding DoS

Variants:
Direct 

Also Known As:
Magic Hash DoS, HashDoS

Resource Exhaustion

Generic Resource Exhaustion

Variants:
Direct 

Also Known As:
XML Ping of Death - Variant

SOAP Coercive Parsing

SOAP Coercive Parsing

Variants:
Direct 

XML Transformation DOS

XML Signature and Encryption Transformation DoS

Variants:
Direct 

Also Known As:
C14N DoS, XSLT DoS, XPath DoS

XML Signature - Key Retrieval DoS

XML Signature - Key Retrieval DoS

Variants:
Direct 

Over-sized XML DoS

Oversized XML DoS

Variants:
Direct 

Also Known As:
XML Document Size Attack

XML Reference Redirect DoS

XML Reference Redirect DoS

Variants:
Direct 

SOAP Recursive Cryptography DoS

SOAP Recursive Cryptography DoS

Variants:
Direct 

Referral Flood of Trusted Entities

Referral Flood of Trusted Entities

Variants:
Direct 

Also Known As:
WS-Addressing Spoofing - Variant, Anti-DDoS Service Abuse for Blocking Trusted Entities

HTTP Flood

HTTP Flood

Variants:
Direct 

Also Known As:
HTTP GET Flood, HTTP POST Flood, XML Flood, SSL Flood

Credentials Eavesdropping from Unencrypted Channel

Credentials Transported over Unencrypted Channel

Variants:
Direct 

Session Hijacking

Session Hijacking via Eavesdropping

Variants:
Direct 

Also Known As:
Session Sidejacking

Unencrypted Communication Eavesdropping

Unencrypted Communication Eavesdropping

Variants:
Direct 

Also Known As:
Insufficient Transport Layer Protection, Lack of Transport Layer Encryption

SSL Stripping

SSL Stripping

Variants:
Direct 

Session Replay

Session Replay

Variants:
Direct 

Also Known As:
Authentication Bypass by Capture-Replay, Reusing Session ID

MITM

Man-In-The-Middle

Variants:
Direct 

Surf Jacking

Surf Jacking

Variants:
Direct 

Directory Listing

Directory Indexing

Variants:
Direct 

Also Known As:
Directory Browsing

Password Disclosure in Password Recovery

Password Disclosure in Password Recovery

Variants:
Direct 

Generic Password Disclosure

Generic Password Disclosure

Variants:
Direct 

WSDL Disclosure

WSDL Disclosure

Variants:
Direct 

XML Entity Reference Attack

XML Entity Reference Attack

Variants:
Direct 

Also Known As:
DTD Entity Reference Attack

Sensitive Information Disclosure in Log Files

Sensitive Information Disclosure in Log Files

Variants:
Direct 

Also Known As:
Information Leak Through Log Files

Missing Encryption of Sensitive Data

Missing Encryption of Sensitive Data

Variants:
Direct 

Also Known As:
Insecure Storage

Hard-coded Cryptographic Key

Hard-coded Cryptographic Key

Variants:
Direct 

Hard-coded Credentials

Hard-coded Credentials

Variants:
Direct 

Also Known As:
Hard-coded Password

Intent Intercept

Intent Intercept

Variants:
Direct 

Also Known As:
Unauthorized Intent Receipt

Intent Spoof

Intent Spoof

Variants:
Direct 

Also Known As:
Intent Injection

IIS Short File Name Enumeration

IIS Short File Name Disclosure

Variants:
Direct 

CORS Functionality Abuse

HTML5 Cross Origin Resource Sharing Functionality Abuse

Variants:
Direct 

Authentication Bypass via Referer Spoofing

Authentication Bypass via Referer Spoofing

Variants:
Direct 

Also Known As:
Referer Spoofing

Authentication Bypass via IP Spoofing

Authentication Bypass via IP Spoofing

Variants:
Direct 

DNS Rebinding

DNS Rebinding

Variants:
Direct 

Also Known As:
Anti-DNS Pinning

Invalid SSL Certificate

Invalid SSL Certificate

Variants:
Direct 

Expired SSL Certificate

Expired SSL Certificate

Variants:
Direct 

Stolen Expired Certificate Abuse

Stolen Expired Certificate Abuse

Variants:
Direct 

Also Known As:
Improper Validation of Certificate Expiration

Stolen Revoked Certificate Abuse

Stolen Revoked Certificate Abuse

Variants:
Direct 

Also Known As:
Missing Check for Certificate Revocation after Initial Check

Valid Certificate Abuse for Another Domain

Valid Certificate Abuse for Another Domain

Variants:
Direct 

Broken Chain-of-Trust Certificate Abuse

Fake Chain-of-Trust Certificate Abuse

Variants:
Direct 

Endpoint Impersonation in an Encrypted Communication Channel

Endpoint Impersonation in an Encrypted Communication Channel

Variants:
Direct 

Also Known As:
Lack of Certificate Validation

Search Engine Impersonation

Search Engine Impersonation

Variants:
Direct 

User Agent Impersonation

Browser User Agent Impersonation

Variants:
Direct 

ShellShock

ShellShock

Variants:
Direct 

HeartBleed

HeartBleed

Variants:
Direct 

Winshock

Winshock

Variants:
Direct 

Also Known As:
MS14-066, CVE-2014-6321

UDDI Spoofing

UDDI Impersonation

Variants:
Direct 

Also Known As:
ebXML Spoofing