Vulnerability Encyclopedia
understand, detect, remediate
A practical reference for security professionals. Each entry covers what the vulnerability is, how to find it, and how to fix it, with CVSS scoring, compliance mapping, and detection guidance.
No credit card required. Free plan available forever.
102 vulnerabilities
SQL Injection
SQL injection allows attackers to manipulate database queries through unsanitised user input, potentially leading to full data breaches, authentication bypass, and remote code execution.
Read moreOS Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the host server by injecting malicious input into application functions that pass data to system shells.
Read moreInsecure Deserialization
Insecure deserialization allows attackers to manipulate serialised objects to achieve remote code execution, privilege escalation, or injection attacks when the application deserialises untrusted data.
Read moreJWT Security Vulnerabilities
JWT vulnerabilities include weak signing algorithms, missing expiration claims, the "none" algorithm bypass, and algorithm confusion attacks that can lead to authentication bypass and token forgery.
Read moreDefault Credentials
Default credentials provide attackers with immediate, unauthenticated access to systems and applications. They are among the first things automated scanners and botnets check.
Read moreHardcoded Secrets
Hardcoded secrets (API keys, passwords, tokens, and private keys embedded in source code) are a leading cause of data breaches when code is shared, committed to repositories, or decompiled.
Read moreSecrets in Version Control
Secrets in version control is the exposure of live credentials (API keys, cloud access keys, database passwords, OAuth client secrets, signing keys, session tokens) through the repository history, public visibility, downstream forks, or pull request diffs. The credential is not just present in source; it is recoverable by anyone with read access to the history, indexed by automated scanners scraping public hosts, and may have been mirrored, cached, or built into container images long before the developer noticed.
Read moreRemote Code Execution (RCE)
Remote code execution lets attackers run arbitrary commands on your server by exploiting code injection flaws, unsafe deserialization, or unpatched dependencies, often leading to full system compromise.
Read moreBuffer Overflow
Buffer overflow vulnerabilities occur when a program writes data beyond the bounds of allocated memory, allowing attackers to corrupt data, crash applications, or execute arbitrary code.
Read moreAuthentication Bypass
Authentication bypass lets attackers access protected resources without valid credentials by exploiting logic flaws, default accounts, weak tokens, or missing auth checks on API endpoints.
Read moreServer-Side Template Injection
SSTI occurs when user input is embedded directly into server-side template code, allowing attackers to inject template expressions that execute arbitrary code on the server.
Read moreDependency Confusion
Dependency confusion is the supply-chain attack class where an attacker publishes a malicious package to a public registry under the same name as an internal package, and the build pipeline silently resolves to the attacker package. The Alex Birsan 2021 disclosure landed inside Microsoft, Apple, PayPal, Shopify, Tesla, Uber, and Yelp; the root cause is not a CVE in a dependency, it is the resolver order, the scope rule, and the lockfile pin that the build configuration did or did not enforce.
Read moreExposed MongoDB (Port 27017)
Internet-facing MongoDB on TCP 27017 with no authentication enabled, weak authentication, an outdated build, or a permissive cloud security group is one of the most consistently exploited data-exposure paths in cloud, container, and on-premise estates. Tens of thousands of unauthenticated MongoDB instances have been wiped, ransomed, or copied in successive sweeps since 2017. Learn how to detect MongoDB exposure, lock it down, and keep the closure verifiable.
Read moreExposed Elasticsearch (Port 9200)
Internet-facing Elasticsearch (or OpenSearch) on TCP 9200 with the security plugin disabled, weak authentication, an outdated build still affected by Log4Shell or older Groovy and Painless sandbox escapes, or a permissive cloud security group is one of the most consistently exploited data-exposure paths in cloud, container, and on-premise estates. Tens of thousands of unauthenticated Elasticsearch clusters have been wiped, ransomed, or copied in successive sweeps since 2017, and several of the largest publicly documented breaches of the last decade trace back to a single open index. Learn how to detect Elasticsearch exposure, lock it down, and keep the closure verifiable.
Read moreExposed Docker Socket (Port 2375 / 2376)
An exposed Docker remote API on TCP 2375 with no authentication, a TLS-protected Docker daemon on TCP 2376 with weak or absent client certificate enforcement, or a /var/run/docker.sock mounted into an untrusted container or CI runner is root-equivalent on the host. An attacker who can reach the socket can start any container, mount the host filesystem, read every credential, pivot across the network, and stage cryptojacking, ransomware, or data exfiltration. The mass-exploitation track record is unbroken: Kinsing, TeamTNT, WatchDog, Doki, Hildegard, and Lemon_Duck have each industrialised exposed-Docker-socket discovery and takeover. Learn how to detect the exposure, lock it down, and keep the closure verifiable.
Read moreExposed Kubernetes API Server (TCP 6443 / 8443 / 10250)
A kube-apiserver reachable from the public internet with --anonymous-auth=true and the system:anonymous or system:unauthenticated user bound to a permissive ClusterRole, a kubelet on TCP 10250 accepting anonymous requests with --authorization-mode=AlwaysAllow, an etcd peer or client port on 2379 or 2380 reachable without TLS client certificates, or a managed cluster with the public API endpoint left open after a debug session, all collapse to the same outcome: cluster takeover, lateral movement to every workload, and a credentialled pivot into every cloud account the cluster is federated against. Learn how to detect the exposure, lock it down, and keep the closure verifiable.
Read moreExposed Redis (Port 6379)
Internet-facing Redis on TCP 6379 with no AUTH, no ACL, the legacy protected-mode bypass, dangerous commands enabled, an outdated build, or a permissive cloud security group is one of the most consistently exploited cache and data-store exposure paths in cloud, container, and on-premise estates. Mass-exploitation campaigns (Meow, P2Pinfect, HeadCrab, Migo, Muhstik, Redigo) have wiped, mined, or backdoored hundreds of thousands of unauthenticated Redis instances across successive sweeps. Learn how to detect Redis exposure, lock it down, and keep the closure verifiable.
Read moreCross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, credential theft, and defacement.
Read moreServer-Side Request Forgery (SSRF)
SSRF allows attackers to make the server send requests to internal services, cloud metadata endpoints, or other restricted resources, potentially leading to data exfiltration or remote code execution.
Read moreInsecure Direct Object Reference (IDOR)
IDOR occurs when an application exposes internal object references without authorisation checks, allowing attackers to access or modify other users' data by simply changing a parameter value.
Read moreBroken Authentication
Broken authentication encompasses weaknesses in login mechanisms (weak brute-force protection, predictable tokens, insecure password recovery) that allow attackers to compromise user accounts.
Read moreSensitive Data Exposure
Sensitive data exposure occurs when applications inadvertently leak PII, credentials, API keys, or internal details through responses, logs, error messages, or insecure storage.
Read morePath Traversal
Path traversal (directory traversal) allows attackers to access files and directories outside the intended web root by manipulating file path references with sequences like "../".
Read moreXML External Entity (XXE) Injection
XXE injection exploits misconfigured XML parsers to read local files, perform SSRF, or cause denial of service through entity expansion attacks.
Read moreCORS Misconfiguration
CORS misconfiguration occurs when overly permissive cross-origin resource sharing policies allow malicious websites to read sensitive data from your application on behalf of authenticated users.
Read moreSubdomain Takeover
Subdomain takeover occurs when a DNS record points to a deprovisioned cloud resource, allowing attackers to claim the resource and serve malicious content on a trusted subdomain.
Read moreUnrestricted File Upload
Unrestricted file upload vulnerabilities allow attackers to upload malicious files (web shells, scripts, or executables) that can lead to remote code execution on the server.
Read moreSession Fixation & Session Management
Session fixation allows attackers to set a user's session ID before authentication, gaining access to the authenticated session. Weak session management amplifies the risk.
Read moreVulnerable & Outdated Dependencies
Using libraries and frameworks with known vulnerabilities is one of the most common security risks. Attackers actively exploit published CVEs in outdated dependencies.
Read moreBroken Access Control
Broken access control, the #1 OWASP Top 10 category, allows users to act outside their intended permissions, accessing other users' data or performing unauthorised administrative actions.
Read moreCloud Storage Misconfiguration
Misconfigured cloud storage buckets (AWS S3, Google Cloud Storage, Azure Blob) with public access are a leading cause of large-scale data breaches, exposing sensitive files to the internet.
Read morePrivilege Escalation
Privilege escalation occurs when an attacker gains access to resources or functionality beyond their authorized level, either by accessing other users' data (horizontal) or elevating to admin roles (vertical).
Read moreDenial of Service (DoS)
Denial of service attacks exhaust application resources through crafted requests, algorithmic complexity abuse, or resource flooding, making your service unavailable to legitimate users.
Read morePrototype Pollution
Prototype pollution lets attackers inject properties into JavaScript Object prototypes through unsafe merge or clone operations, potentially leading to XSS, RCE, or denial of service.
Read moreNoSQL Injection
NoSQL injection exploits applications that pass unsanitised input to NoSQL database queries, allowing attackers to bypass authentication, extract data, or manipulate query logic using operators like $gt, $ne, and $regex.
Read moreHTTP Request Smuggling
HTTP request smuggling exploits discrepancies between how front-end proxies and back-end servers parse HTTP requests, allowing attackers to smuggle malicious requests that bypass security controls.
Read moreRace Condition (TOCTOU)
Race conditions exploit timing gaps between checking a condition and using the result, allowing attackers to send parallel requests that bypass limits, duplicate transactions, or corrupt application state.
Read moreMass Assignment
Mass assignment occurs when an application automatically binds request parameters to internal data models without filtering, letting attackers modify protected fields like roles, prices, or permissions.
Read moreWeb Cache Poisoning
Web cache poisoning manipulates caching systems by injecting malicious content through unkeyed inputs (headers, cookies), causing the poisoned response to be served to every subsequent visitor.
Read moreWeb Cache Deception
Web cache deception tricks an intermediate cache (CDN, reverse proxy, or load balancer) into storing a private, authenticated response under a URL that looks static, so any subsequent visitor can retrieve another user's data by requesting the same path.
Read moreGraphQL Vulnerabilities
GraphQL APIs introduce unique security risks including introspection leaks, deeply nested query attacks, batching abuse, and field-level authorization gaps that can expose sensitive data or crash servers.
Read moreLDAP Injection
LDAP injection manipulates directory service queries by injecting special characters into unsanitised input, allowing attackers to bypass authentication, enumerate users, or extract directory data.
Read moreLocal File Inclusion (LFI/RFI)
File inclusion vulnerabilities let attackers read arbitrary server files (LFI) or load external malicious scripts (RFI) by manipulating file path parameters, potentially leading to credential theft or remote code execution.
Read moreBusiness Logic Flaws
Business logic flaws exploit gaps between intended application behaviour and actual implementation, allowing attackers to bypass workflows, manipulate pricing, skip validation steps, or abuse functionality in unintended ways.
Read moreOAuth Misconfiguration
OAuth misconfigurations, including open redirect URIs, missing state parameters, and implicit flow token exposure, enable attackers to steal authorization codes, hijack accounts, and access protected resources.
Read moreBroken Object Level Authorization (BOLA)
BOLA is the API-context authorization failure where an endpoint accepts an object identifier and returns the resource without verifying that the caller is allowed to read or modify that specific object. Ranked first on the OWASP API Security Top 10 (API1:2023), BOLA is the most common API vulnerability and the most damaging when it leaks tenant data.
Read moreRegex Denial of Service (ReDoS)
Regex denial of service (CWE-1333) abuses catastrophic backtracking in poorly written regular expressions. A single crafted string of a few hundred characters can pin a CPU core for minutes, freezing request handlers, exhausting worker pools, and taking the application offline without any traffic flood.
Read morePrompt Injection
Prompt injection lets an attacker override the developer's instructions to a large language model by smuggling adversarial content into the prompt or into context the model later reads. It is ranked LLM01 on the OWASP Top 10 for LLM Applications and is the most common finding in LLM-backed product pentests.
Read morePassword Reset Poisoning
Password reset poisoning lets an attacker rewrite the domain in a victim's reset email by manipulating the Host or X-Forwarded-Host header. The reset token is generated against a real account but delivered as a link to an attacker-controlled domain, leading to silent account takeover without any credential phishing.
Read moreWebSocket Security
WebSocket flaws live in the gap between a single authorised upgrade and a long-lived bidirectional channel. Missing origin validation enables cross-site WebSocket hijacking. Missing per-message authorisation lets a low-privileged session reach privileged actions. Missing rate limits and frame-size caps turn a single socket into a denial-of-service primitive.
Read moreDOM Clobbering
DOM clobbering shadows global properties on window and document by injecting HTML elements with controlled id and name attributes. The technique bypasses HTML sanitisers and Content Security Policy because no script tag or event handler is required: page JavaScript reads what it thinks is configuration and instead reads attacker-controlled DOM references.
Read moreXPath Injection
XPath injection manipulates queries against XML data stores by injecting filter syntax into unsanitised input. Login forms backed by XML user files, configuration lookups, and legacy enterprise apps that rely on XQuery or XPath expressions can leak the full document, bypass authentication, or surface admin-only nodes when input is concatenated into the query string.
Read moreWeak Cryptography
Weak cryptography covers any application-layer cryptographic choice that fails to deliver its security guarantee: MD5 or SHA1 used for password hashing or signatures, AES in ECB mode, predictable initialisation vectors, hardcoded keys, weak key lengths, JWTs accepting the none algorithm, and Math.random used as a security primitive. The data may be encrypted on paper, but the protection is illusory once an attacker recognises the weakness.
Read moreParameter Tampering
Parameter tampering is the manipulation of values that travel between client and server (hidden fields, query strings, POST bodies, cookies, and headers) to make the server act on values it should never have trusted. The best-known shape is shopping-cart price tampering, but the class spans privilege flips, identifier swaps, currency switches, quantity overflows, and feature-flag toggles. The bug is not the manipulation; it is the server choosing to trust a client-controlled value.
Read morePadding Oracle Attack
A padding oracle attack lets an attacker decrypt or forge ciphertext one byte at a time by submitting modified ciphertexts and observing whether the server reports a padding error or another distinguishable response. The cipher is real, the key is secret, but the server still leaks plaintext because it discloses, through error messages or timing, whether the decrypted padding was valid. The bug is not the encryption; it is the oracle.
Read moreSecond-Order SQL Injection
Second-order SQL injection (also called stored or persistent SQL injection) stores a tainted value through one safe-looking endpoint, then triggers the injection on a later query that reads the stored value into an unsafe SQL string. The vulnerable sink is rarely the endpoint that took the input. Standard reflected SQLi tests miss it because the payload does not fire until a different code path runs.
Read moreXSS via SVG File Upload
SVG is an XML-based image format that supports script tags, event handlers, and external references. When an application accepts SVG uploads and serves them back inline from an origin that holds session state, every uploaded file becomes a stored XSS payload that runs as the victim user. The vulnerability lives in the rendering contract, not in the upload form.
Read moreSMTP Header Injection
SMTP injection turns a contact form, signup confirmation, or password reset endpoint into an attacker-controlled mail relay. By injecting carriage return and line feed sequences into a user-controlled field that ends up in an email header, an attacker adds extra recipients, replaces the subject, rewrites the From address, or drops a fully-formed message body that the application sends from its own infrastructure. The vulnerability lives in the mail-building step, not in the mail server.
Read moreInsecure Randomness
Insecure randomness covers any security-sensitive value generated by a non-cryptographic random number generator. Session identifiers from Math.random, password reset tokens from java.util.Random, OAuth state from rand(), or CSRF tokens seeded from a process timestamp all share the same shape: the algorithm is deterministic, the seed is recoverable, and an attacker who watches a few outputs can predict the next one. The library call returns a random-looking number; the security guarantee never lands.
Read moreBroken Function Level Authorization (BFLA)
BFLA is the function-level authorization failure where a privileged or administrative API endpoint accepts a request from a caller that should not be allowed to invoke it. Authentication passes and the route resolves, but the role, scope, or tenant check that should gate the action is missing or only enforced in the UI. Ranked fifth on the OWASP API Security Top 10 (API5:2023), BFLA is the action-level analogue of BOLA and a frequent path to vertical privilege escalation in modern multi-tenant APIs.
Read moreBroken Object Property Level Authorization (BOPLA)
BOPLA is the field-level authorisation failure inside an object the caller is otherwise allowed to access. The route resolves, the object loads, and the wrong fields come back on a read or get accepted on a write. Ranked third on the OWASP API Security Top 10 (API3:2023), BOPLA absorbs the older Excessive Data Exposure (read side) and Mass Assignment (write side) categories and is one of the quietest paths to silent privilege escalation in modern multi-tenant APIs.
Read moreInsecure Design
Insecure design (OWASP A04:2021) is the absence of a secure design pattern, a missing security control at the architecture level, or a threat-model gap that lets an attacker reach a result the application was never meant to allow. It is not an implementation bug; a perfectly coded implementation of a flawed design is still insecure.
Read moreVulnerable & Outdated Components
Vulnerable and outdated components (OWASP A06:2021) is the parent category for the software-supply-chain risk that an application depends on libraries, frameworks, runtimes, container base images, or operating-system packages that ship with known CVEs, missing patches, or no upstream maintainer. It reaches across direct, transitive, runtime, and infrastructure layers and is one of the most common ways an enterprise application becomes exploitable without a single line of code changing.
Read moreIndirect Prompt Injection via RAG
An attacker hides instructions inside a document, web page, ticket, email, code comment, or any source the LLM later retrieves. When the model reads that content during a retrieval-augmented generation step, it follows the smuggled instructions instead of the developer’s system prompt. The attack does not need the attacker to talk to the model directly.
Read moreImproper Output Handling in LLM Applications
When an application treats text produced by a large language model as already safe and uses that text in a security-sensitive context (HTML rendering, SQL query, fetched URL, shell command, file write, agent tool argument), every classical web vulnerability class re-emerges through the new entry point. OWASP ranks the class LLM05:2025 Improper Output Handling.
Read moreExcessive Agency in LLM Applications
When an LLM application grants the model authority to take actions through tools or function calls, the question is no longer whether the model produces the right text, but whether the application gave the model authorities it should not have. OWASP ranks the class LLM06:2025 Excessive Agency.
Read moreCryptographic Failures
Cryptographic failures (OWASP A02:2021) is the parent category for every situation in which an application either does not apply cryptography where it is required or applies it badly enough that the protection is illusory. It covers missing encryption in transit, missing encryption at rest, broken or deprecated algorithms, weak key sizes, ECB-mode block ciphers, predictable initialisation vectors, hardcoded keys, exposed signing material, insecure randomness used as a security primitive, broken certificate validation, missing integrity protection, and key-management failures across the production stack.
Read moreSystem Prompt Leakage in LLM Applications
When an attacker can coax an LLM application into reading back the developer-written system prompt, every secret, authorisation rule, tool registration, and internal vocabulary fragment embedded in that prompt becomes public. OWASP ranks the class LLM07:2025 System Prompt Leakage.
Read moreUnbounded Consumption in LLM Applications
Unbounded consumption (OWASP LLM10:2025) is the vulnerability class where an LLM-backed application lets a caller burn more compute, more tokens, more provider dollars, or more inference time than the feature design intended. It covers denial of wallet, recursive tool-call explosion, output-length abuse, retrieval-window manipulation, inference-as-a-service abuse, model extraction through repeated probing, concurrency saturation, and runaway background inference. The fix is operational: budget every dimension, cap parameters server-side, separate provider keys per tenant, and log per-call token, cost, latency, and identity on the operating record.
Read moreData and Model Poisoning in LLM Applications
Data and model poisoning (OWASP LLM04:2025) is the vulnerability class where an attacker shapes the data the model is trained on, fine-tuned with, or retrieves from, in order to bias what the model produces at inference time. The attack can install behavioural triggers (targeted backdoors), it can drift response quality across the board (untargeted contamination), or it can manipulate retrieved content so a downstream RAG pipeline emits the attacker chosen text. The fix is operational: validate every corpus source, gate every fine-tune through an approval workflow, quarantine new retrieval sources, sign model checkpoints, and keep a training data lineage record an AppSec or audit reader can follow.
Read moreSecurity Logging and Monitoring Failures
Security logging and monitoring failures (OWASP A09:2021) is the parent category for every situation in which an application, platform, or programme fails to capture, transport, store, monitor, alert on, or retain the security-relevant events the defender needs. It covers missing events, incomplete context, host-bound logs that never reach the central store, monitoring without detection rules, alerts without runbooks, sensitive data in log lines, and retention that falls short of the audit obligation.
Read moreMFA Bypass
MFA bypass is the class of weaknesses that lets an attacker defeat or skip the second authentication factor. It spans adversary-in-the-middle phishing kits that steal the post-MFA session, push notification fatigue, SIM swap of the SMS factor, backup-code abuse, helpdesk-driven enrolment reset, consent phishing against OAuth, and design flaws that let the second-factor step be skipped or replayed.
Read moreServer-Side Cache Poisoning
Server-side cache poisoning lives inside the application boundary rather than at the CDN. It corrupts the object cache, the fragment cache, the full-page cache, the reverse-proxy cache, or the framework template cache that the origin reads, so a poisoned response is served to every subsequent user until the cache entry expires or is purged.
Read moreCSS Injection
CSS injection is the class of vulnerabilities where attacker-controlled data lands inside a style sheet, a style attribute, a style tag, an unsanitised CSS custom property, or a theme-colour template, so the browser parses attacker rules as part of the page. The vulnerability does not require script execution. Data exfiltration through attribute selectors, dangling-markup channels, keyframe timing, and font-ligature side channels turns CSS into a credible exfil primitive even where a Content Security Policy blocks scripts.
Read moreModel Extraction Attack
Model extraction is the AI/ML confidentiality class where an attacker queries a deployed model through its normal inference surface and reconstructs the model itself (model stealing), confidential properties of the training data (membership inference), or representations of training records (model inversion). The inference endpoint becomes the leak. The fix is layered across rate limiting, output minimisation, differential privacy, watermarking, observability scoping, and a contractual layer.
Read moreCSRF Chained with Logic Flaws
A chained CSRF finding is one in which the forged request alone is not the impact, the impact is the downstream logic flaw the forged request reaches: an IDOR that crosses a tenant boundary, a race condition that opens a state window, a mass-assignment that flips a privileged property, a state-machine skip that bypasses a checkout step, or a content-type confusion that defeats the framework defence. The chain is the finding, not just the missing token.
Read moreSensitive Information Disclosure in LLM Applications
Sensitive information disclosure (OWASP LLM02:2025) is the vulnerability class where an LLM-backed application emits content the data owner never intended to release: PII from training data, secrets baked into prompts or fine-tuning corpora, intellectual property the retrieval layer surfaced, conversation memory from another user, or fields reconstructed through embedding inversion and membership inference. The damage is rarely the model. The damage is the data that reached the response, the log, the vector store, or the third-party observability vendor on the way through.
Read moreLLM Supply Chain Vulnerabilities
LLM supply chain vulnerabilities (OWASP LLM03:2025) are the class where an attacker compromises the artefacts and tooling that flow into a deployed LLM feature: the foundation model checkpoint, the fine-tuned weights, the LoRA adapter, the embedding model, the tokenizer, the model card, the inference SDK, the model server runtime, the plugin or tool package, the training pipeline, and the deployment artefact. The damage is rarely the model. The damage is the integrity envelope around every artefact the team did not author but the team has to ship anyway.
Read moreVector and Embedding Weaknesses
Vector and embedding weaknesses (OWASP LLM08:2025) are the class of flaws in the retrieval layer that almost every production LLM application now depends on. The threat surface is the corpus, the vector store, the ingestion pipeline, the embedding model, the retrieval call, and the per-document access-control envelope. Findings include cross-tenant retrieval that bypasses authorisation, embedding inversion that recovers source text from stored vectors, ingestion that admits unreviewed documents, retrieval-side denial of service, and deletion paths that leave vectors behind.
Read moreExposed RDP (Port 3389)
Internet-facing Remote Desktop Protocol on TCP 3389 is one of the most consistently exploited initial access vectors in CISA KEV and ransomware incident reports. Learn how to detect it, close it, and keep it closed.
Read moreExposed SMB (Port 445 / 139)
Internet-facing Server Message Block on TCP 445, and the older NetBIOS session service on TCP 139, are among the most consistently exploited ransomware and lateral-movement vectors in joint CISA, FBI, and NCSC advisories. Learn how to detect them, close them, and keep them closed.
Read moreSSH Misconfiguration (Port 22)
Internet-facing Secure Shell on TCP 22 with permissive root login, password authentication, legacy ciphers, or unpatched OpenSSH builds is one of the most consistently exploited initial access vectors in cloud, Linux, network appliance, OT, and IoT estates. Learn how to detect SSH exposure and weak configuration, harden it, and keep the closure verifiable.
Read moreCross-Site Request Forgery (CSRF)
CSRF tricks authenticated users into submitting unintended requests, allowing attackers to change account settings, transfer funds, or modify data without the user's knowledge.
Read moreSecurity Misconfiguration
Security misconfiguration is one of the most common vulnerability categories. Missing security headers, default credentials, verbose error messages, and unnecessary services expose applications to attack.
Read moreOpen Redirect
Open redirect vulnerabilities allow attackers to redirect users from a trusted domain to a malicious site, enabling phishing attacks that leverage the trust of the vulnerable domain.
Read moreTLS/SSL Misconfiguration
TLS/SSL misconfigurations (deprecated protocols, weak ciphers, expired certificates, and missing HSTS) expose encrypted communications to interception and downgrade attacks.
Read moreMissing Security Headers
Missing HTTP security headers leave applications vulnerable to clickjacking, XSS, MIME sniffing, and other client-side attacks that are easily prevented with proper header configuration.
Read moreWeak Password Policy
Weak password policies permit short or simple passwords that are easily guessed or cracked through brute-force, dictionary, or credential stuffing attacks.
Read moreMissing Rate Limiting
Missing rate limiting allows attackers to send unlimited requests to sensitive endpoints, enabling brute-force attacks, credential stuffing, account enumeration, and denial of service.
Read moreDNS Misconfiguration
DNS misconfigurations (missing or incorrect SPF, DKIM, and DMARC records) allow attackers to spoof your domain in phishing emails, damaging reputation and enabling social engineering.
Read moreClickjacking (UI Redress)
Clickjacking tricks users into clicking hidden UI elements by overlaying a transparent iframe on a malicious page, enabling unauthorized actions like changing account settings or initiating transfers.
Read moreHost Header Injection
Host header injection exploits applications that trust the HTTP Host header for URL generation, enabling password reset poisoning, cache poisoning, and server-side request routing manipulation.
Read moreCRLF Injection
CRLF injection inserts carriage return and line feed characters into HTTP responses, allowing attackers to split responses, inject headers, set malicious cookies, or enable cross-site scripting.
Read moreInsufficient Logging and Monitoring
Insufficient logging and monitoring (OWASP A09:2021) leaves authentication failures, access control violations, and exploit attempts invisible to defenders. Without an audit trail and active alerting, breaches go undetected long enough for attackers to pivot, persist, and exfiltrate.
Read moreHTTP Parameter Pollution (HPP)
HTTP parameter pollution exploits the disagreement between WAFs, reverse proxies, and applications about which copy of a duplicated parameter to honour, enabling authorisation bypass, WAF evasion, redirect override, and rate limit evasion across the request path.
Read moreCSV Injection (Formula Injection)
CSV injection lets an attacker plant spreadsheet formulas inside data that the application later exports as a CSV, XLSX, or TSV file. When a user opens the export in Excel, LibreOffice Calc, or Google Sheets, the formula executes inside the spreadsheet, leading to data exfiltration, hyperlink phishing, and, on legacy DDE-enabled clients, command execution on the analyst workstation.
Read moreUsername Enumeration
Username enumeration is a discrepancy in application responses that lets an unauthenticated attacker decide whether a given username, email, or phone number belongs to a real account. The login form returns a different error for a known account, the signup form rejects an email that already exists, the password reset flow takes longer when the address resolves, or the MFA prompt only appears after a valid first-factor. Each one is a small leak; together they hand an attacker a clean list of valid accounts to target with credential stuffing, password spraying, phishing, and reset-flow abuse.
Read moreHTML Injection
HTML injection (CWE-80) is any condition where an application reflects attacker-controlled markup into the rendered HTML of a page without first encoding it for the HTML context. The vulnerability sits next to but distinct from XSS: HTML injection covers the markup-injection root, XSS adds JavaScript execution. When a WAF blocks script tags but lets iframes, anchors, or styles through, the result is in-domain phishing, brand defacement, dangling-markup data exfiltration, and the conditions for chaining into clickjacking or open-redirect attacks.
Read moreInsecure Cookie Attributes
Cookies that ship without Secure, HttpOnly, SameSite, or scoped prefixes expose sessions, CSRF tokens, and authentication state to script theft, network interception, cross-site request abuse, and cross-subdomain leakage. The bug is in the attribute set, not in the cookie value.
Read moreMisinformation in LLM Applications
Misinformation (OWASP LLM09:2025) is the application-layer class where the model produces confidently wrong output that surrounding systems or human users act on. The damage is rarely the model itself. The damage is the downstream decision, ticket, contract, code commit, configuration change, refund, prescription, attestation, or customer message that inherited the wrong fact through a feature engineered without retrieval grounding, citation enforcement, schema constraint, factuality check, or a representative evaluation harness.
Read moreDirectory Listing
Directory listing reveals the contents of web server directories to anyone who requests them, potentially exposing backup files, configuration files, source code, and other sensitive data.
Read moreInformation Disclosure
Information disclosure through verbose error messages, stack traces, server banners, and debug pages gives attackers valuable intelligence about your application's internals and attack surface.
Read moreDetect vulnerabilities automatically
SecPortal scans for all these vulnerabilities with 33+ built-in modules. External scanning, authenticated testing, and code analysis. Start free.
No credit card required. Free plan available forever.