DAST - Checklist (2) 5

Uploaded by moksh.grover22

Vulnerability list (Severity as rated in the sheet; the "Applicable" column is left blank for the auditor to fill per engagement)

| S. No. | Vulnerability | Severity | Applicable |
|---|---|---|---|
| 1 | Error-based SQL injection | High | |
| 2 | Union-based SQL injection | High | |
| 3 | Boolean-based (content-based) blind SQL injection | High | |
| 4 | Time-based blind SQL injection | High | |
| 5 | Out-of-band SQL injection | High | |
| 6 | Second-order SQL injection | High | |
| 7 | Broken authentication and session management | High | |
| 8 | Insecure Direct Object Reference (IDOR) | High | |
| 9 | XML External Entity injection (XXE) | High | |
| 10 | Sensitive data exposure | High | |
| 11 | Credentials sent over an unencrypted channel | High | |
| 12 | Cross-site request forgery (CSRF) | High | |
| 13 | File upload vulnerabilities | High | |
| 14 | Formula (CSV) injection | High | |
| 15 | Local File Inclusion (LFI) | High | |
| 16 | Remote File Inclusion (RFI) | High | |
| 17 | Server-side request forgery (SSRF) | High | |
| 18 | Privilege escalation (horizontal/vertical) | High | |
| 19 | Insecure deserialization | High | |
| 20 | Insufficient logging and monitoring | High | |
| 21 | HTML injection (reflected) | High | |
| 22 | HTML injection (stored) | High | |
| 23 | Hyperlink injection | High | |
| 24 | Insecure design | High | |
| 25 | Iframe injection (cross-frame scripting) | High | |
| 26 | Command injection | High | |
| 27 | XPath injection | High | |
| 28 | LDAP injection | High | |
| 29 | Default or weak password on a database admin interface (e.g. phpMyAdmin) | High | |
| 30 | Database connection string disclosure | High | |
| 31 | Authentication bypass using SQL injection | High | |
| 32 | Reflected cross-site scripting | High | |
| 33 | Stored cross-site scripting | High | |
| 34 | DOM-based cross-site scripting | High | |
| 35 | Direct URL access to a sensitive XML file | High | |
| 36 | Business logic flaw | High | |
| 37 | Server-side template injection | High | |
| 38 | Client-side template injection | High | |
| 39 | Broken access control via response manipulation, or broken authentication | High | |
| 40 | Unauthorized access to the application (without credentials) | High | |
| 41 | OTP bypass | High | |
| 42 | Application using a component with a known vulnerability | Medium | |
| 43 | Path traversal | Medium | |
| 44 | Directory listing | Medium | |
| 45 | Clickjacking | Medium | |
| 46 | Default credentials | Medium | |
| 47 | Brute force attack | Medium | |
| 48 | Sensitive data in GET request | Medium | |
| 49 | Unvalidated redirects and forwards | Medium | |
| 50 | Security misconfiguration | Medium | |
| 51 | Cross-site tracing (XST) | Medium | |
| 52 | Insufficient session expiration | Medium | |
| 53 | Internal path disclosure / full path disclosure | Medium | |
| 54 | SQL query disclosure | Medium | |
| 55 | Full path disclosure | Medium | |
| 56 | Improper error handling | Medium | |
| 57 | Failure to invalidate session after password change | Medium | |
| 58 | Failure to invalidate session after email change | Medium | |
| 59 | Lack of rate limiting | Medium | |
| 60 | Email flooding | Medium | |
| 61 | OTP flooding | Medium | |
| 62 | Host header injection | Medium | |
| 63 | Missing HTTP security headers | Low | |
| 64 | Autocomplete enabled on sensitive fields | Low | |
| 65 | Change password without old password | Low | |
| 66 | HTTP errors (information disclosure) | Low | |
| 67 | No account lockout policy | Low | |
| 68 | Remember password | Low | |
| 69 | Weak password policy | Low | |
| 70 | Weak crossdomain.xml | Low | |
| 71 | No input validation | Low | |
| 72 | HTTP 414 error | Low | |
| 73 | Cookie without HttpOnly flag | Low | |
| 74 | Content-Type not specified | Low | |
| 75 | Cookie without Secure flag | Low | |
| 76 | Concurrent user login | Low | |
| 77 | Banner grabbing | Low | |
| 78 | CAPTCHA not implemented | Low | |
| 79 | Reset password token and key leakage via Referer header | Low | |
| 80 | Debug mode enabled | Low | |
| 81 | Test for EXIF geodata | Low | |
| 82 | CAPTCHA bypass | Low | |
Finding / Auditor Comments/Remarks (numbered by S. No.; several cells were cut off in the export and end with "...")

1. Error-based SQLi is an in-band SQL injection technique that relies on error messages thrown by the database server to obtain ...
2. Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two ...
3. Boolean-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database whic...
4. Time-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which ...
5. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
6. Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries ...
7. Application functions related to authentication and session management are often not implemented correctly, allowing attack...
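As an added worked example (not part of the checklist or its references), the following Python script shows rows 2, 3, 6 and 31 against a constructed in-memory SQLite database: a product search and a login query built by string concatenation beside their parameterized forms, a UNION payload that pulls the users table out through the search, a boolean-based blind loop that recovers a password one character at a time from a yes/no oracle, and a second-order case where a username that was stored with a parameterized INSERT is later concatenated into a query. The table and column names, the sample users and the payload strings are all assumptions made for the example. Time-based blind injection (row 4) is not shown because SQLite has no SLEEP() function; the same loop works with a response-time check in place of the content check.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not from the checklist)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role)
            VALUES ('alice', 's3cret', 'admin'), ('bob', 'hunter2', 'user');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
    """)
    return conn


# --- vulnerable: user input is pasted into the SQL text -------------------------

def search_products_vulnerable(conn, term):
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


# --- hardened: parameterized queries; input is always data, never SQL -----------

def search_products_safe(conn, term):
    return conn.execute("SELECT name, price FROM products WHERE name LIKE ?",
                        ("%" + term + "%",)).fetchall()


def login_safe(conn, username, password):
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()


# --- attacker side (row 2: union, row 31: auth bypass) ---------------------------

UNION_PAYLOAD = "' UNION SELECT username, password FROM users--"   # assumed payload
BYPASS_USERNAME = "alice'--"                                        # comments out the password check


def blind_extract_password(conn, username,
                           charset="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    """Row 3: each probe asks one yes/no question ("is character N of the password X?")
    and reads the answer from whether the search still returns 'widget'."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = ("widget' AND substr((SELECT password FROM users WHERE username='"
                     + username + "')," + str(pos) + ",1)='" + ch + "'--")
            if search_products_vulnerable(conn, probe):
                recovered += ch
                break
        else:
            return recovered          # no character matched: end of the string
    return recovered


# --- row 6: second-order injection ------------------------------------------------

def register_user(conn, username, password):
    """Parameterized INSERT: the payload is stored verbatim and harmlessly..."""
    cur = conn.execute("INSERT INTO users(username, password, role) VALUES (?, ?, 'user')",
                       (username, password))
    return cur.lastrowid


def recommendations_for_user_vulnerable(conn, user_id):
    """...until a later query trusts the stored value and concatenates it."""
    username = conn.execute("SELECT username FROM users WHERE id = ?",
                            (user_id,)).fetchone()[0]
    return search_products_vulnerable(conn, username)


if __name__ == "__main__":
    db = make_db()
    print(search_products_vulnerable(db, UNION_PAYLOAD))   # products plus users rows
    print(search_products_safe(db, UNION_PAYLOAD))         # []
    print(login_vulnerable(db, BYPASS_USERNAME, "wrong"))  # ('alice', 'admin')
    print(blind_extract_password(db, "alice"))             # s3cret
```

The hardened functions never build SQL from input, so the same payloads are simply strings that match nothing. The blind loop is deliberately slow (one request per character per candidate) to make the point that a boolean oracle alone is enough to dump data; real scanners do the same thing with a binary search over the character range.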

8. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, dir...
9. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, explo...
10, 11. Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Att...
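An added example for row 9 (not part of the checklist; written for this page): the Python standard library's expat binding is used to build two parsers over a constructed XXE document. The first resolves the external entity and returns the contents of a temporary file standing in for /etc/passwd or a config file; the second refuses any DOCTYPE before an entity can be declared, which is the check to look for in code review when the scanner reports the finding. The file contents, entity name and element names are assumptions of the example.

```python
import os
import tempfile
import xml.parsers.expat

# Constructed secret standing in for /etc/passwd or an application config file.
SECRET = "constructed secret: db_password=hunter2"


def make_secret_file():
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path


def build_xxe_document(path):
    """Classic in-band XXE payload: declare an external entity, reference it in content."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "' + path + '">]>'
            '<order><note>&xxe;</note></order>').encode()


def parse_resolving(xml_bytes):
    """Vulnerable parser: external entities are fetched and their contents become document text."""
    text = []
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True

    def fetch_external(context, base, system_id, public_id):
        child = parser.ExternalEntityParserCreate(context)   # child inherits the handlers
        with open(system_id, "rb") as f:                       # here: a local file read
            child.Parse(f.read(), True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


class UnsafeXML(Exception):
    pass


def parse_hardened(xml_bytes):
    """Hardened parser: refuse any DOCTYPE, so no entity (internal or external) can be declared."""
    text = []
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE/DTD is not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Belt and braces: even if a DTD slipped through, never fetch external entities.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def hardened_rejects(xml_bytes):
    try:
        parse_hardened(xml_bytes)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    doc = build_xxe_document(make_secret_file())
    print(parse_resolving(doc))        # the secret leaks into the parsed text
    print(hardened_rejects(doc))       # True
```

Refusing the DOCTYPE outright also closes the internal-entity expansion ("billion laughs") case, which an entity allowlist would not. Libraries such as lxml or defusedxml expose the same switches under other names; the point is that the decision is made before the DTD is processed, not after.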

12. A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any ...
13. This script is possibly vulnerable to unrestricted file upload. Various web applications allow users to upload files (such as pictur...
14. Formula (CSV) injection: when an exported spreadsheet contains a user-controlled cell that starts with =, +, - or @, the spreadsheet application of the user who opens it evaluates it as a formula, which an attacker can use to execute commands on that user's machine or to exfiltrate data.
15. Local file inclusion is used to include a local file of the server (configuration, source code, logs) in the live application.
16. Remote file inclusion is used to execute code fetched from an attacker-controlled remote location (with RFI an attacker can also obtain a shell).
17. SSRF refers to an attack wherein an attacker is able to make the vulnerable web application send a crafted request to a destination of the attacker's choosing, typically internal systems.
18. The application unwittingly grants a normal user admin or other higher-level access (vertical), or access to another user's data at the same level (horizontal).
19. Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict...
20. It includes everything from unlogged events, logs that are not stored properly and warnings where no action is taken within re...
21, 22. HTML injection is an attack that is similar to cross-site scripting (XSS). ... Attacker discovers injection vulnerability and decides ...
23. Hyperlink injection vulnerability arises when the attacker's injected hyperlink gets successfully sent in the emails. Majority of t...
24. Insecure design is a broad category representing different weaknesses, expressed as "missing or ineffective control design ...
25. Cross-frame scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an eff...
26. Command injection is a cyber attack that involves executing arbitrary commands on a host operating system (OS). Typically, th...
27. XPath injection is an attack technique used to exploit applications that construct XPath queries from user-supplied input.
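An added example for row 26 (not from the checklist; written for this page) in Python: the same "greet the user" operation done with shell=True, which hands the whole string to /bin/sh, beside the argv-list form and, for the case where a shell is genuinely needed, shlex.quote. A hostname allowlist for a ping wrapper shows the validation that should run before any untrusted value reaches a command line. The command, the payload string and the regex are assumptions of the example; it expects a POSIX shell and echo on the host.

```python
import re
import shlex
import subprocess

# Assumed allowlist: hostname characters only, no spaces or shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def greet_vulnerable(name):
    """shell=True: metacharacters in `name` (; | && $( ) ) become commands."""
    out = subprocess.run("echo Hello " + name, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def greet_safe(name):
    """argv list, no shell: `name` is exactly one argument whatever it contains."""
    out = subprocess.run(["echo", "Hello", name], capture_output=True, text=True)
    return out.stdout


def greet_quoted(name):
    """If a shell really is required (pipes, globbing), quote every untrusted token."""
    out = subprocess.run("echo Hello " + shlex.quote(name), shell=True,
                         capture_output=True, text=True)
    return out.stdout


def is_valid_host(host):
    # Leading '-' is rejected separately: it would be parsed as an option by ping.
    return bool(HOSTNAME_RE.match(host)) and not host.startswith("-")


def ping_command(host):
    """Validate first, then build argv. Returns the argv so it can be inspected
    without actually running ping."""
    if not is_valid_host(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    payload = "world; echo INJECTED"          # constructed attacker input
    print(repr(greet_vulnerable(payload)))    # 'Hello world\nINJECTED\n'
    print(repr(greet_safe(payload)))          # 'Hello world; echo INJECTED\n'
    print(ping_command("example.com"))
```

The argv form is the fix; quoting is the fallback. Validation on top of either is still worth keeping because option injection (a value starting with "-") is not a shell problem and survives both.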

28. LDAP injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
29. phpMyAdmin (or any database admin console) should not be reachable by all users, and the database accounts it exposes must not use default or weak passwords.
30. The connection string may include attributes such as the name of the driver, server and database, and often the database username and password; disclosing it hands an attacker direct database access.
31. An attacker can bypass authentication by injecting SQL into the login query (for example, commenting out the password check).
32. Reflected XSS: malicious script is injected into a request parameter, the URL is sent to the victim, and when the victim clicks on the URL/request the ...
33. Stored XSS: the malicious script is persisted by the application (for example in a comment or profile field) and is served to every user who views the affected page.
34. DOM-based XSS (or as it is called in some texts, "type-0 XSS") is an XSS attack wherein the attack payload is executed as a resu...
35. If your application fails to appropriately restrict URL access, security can be compromised through a technique called forced br...
36. Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unint...
37. Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a tem...
38. Client-side template injection vulnerabilities arise when applications using a client-side template framework dynamically embe...
39. Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access re...
40. Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default ad...
41. OTP bypass may lead to access to sensitive files and details.
42. Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable ...
43. Path traversal is one of the many critical web application security vulnerabilities. It em...
44. A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. ...
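An added example for row 43 (not from the checklist; written for this page) in Python: a download handler that joins the requested name onto a base directory with no containment check, beside a hardened resolver that percent-decodes until stable (so %252e%252e is seen as ".."), rejects null bytes and absolute paths, resolves symlinks with realpath and then confirms the result is still inside the base directory. The directory layout, file names and probe strings are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def fully_decode(s, rounds=3):
    """Percent-decode until the value stops changing, so double encoding cannot hide '..'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            return d
        s = d
    raise TraversalError("too many encoding layers")


def resolve_download_vulnerable(base_dir, requested):
    """What the finding looks like in code: decode and join, no containment check."""
    return os.path.join(base_dir, unquote(requested))


def resolve_download(base_dir, requested):
    decoded = fully_decode(requested)
    if "\x00" in decoded:
        raise TraversalError("null byte in path")
    if decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        raise TraversalError("absolute path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))   # realpath follows symlinks
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError("escapes base directory")
    return candidate


def is_rejected(base_dir, requested):
    try:
        resolve_download(base_dir, requested)
    except TraversalError:
        return True
    return False


def make_sample_tree():
    """Constructed layout: <tmp>/public/readme.txt is servable, <tmp>/secret.txt is not,
    and <tmp>/public/escape is a symlink pointing back at <tmp>."""
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "public")
    os.mkdir(base)
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("constructed secret")
    os.symlink(tmp, os.path.join(base, "escape"))
    return tmp, base


PROBES = ["../secret.txt", "..%2f..%2fetc%2fpasswd", "%252e%252e%252fsecret.txt",
          "/etc/passwd", "escape/secret.txt", "readme.txt%00.jpg"]


if __name__ == "__main__":
    tmp, base = make_sample_tree()
    print(open(resolve_download_vulnerable(base, "..%2fsecret.txt")).read())  # leaks
    for p in PROBES:
        print(p, "rejected" if is_rejected(base, p) else "ALLOWED")
```

The order matters: decode first, normalise second, check last. A check on the raw string ("does it contain ../?") misses the encoded forms, and a check before realpath misses the symlink case.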

45. Clickjacking (user interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into ...
46. An attacker can exploit or bypass authentication if users, or the application and its platform components, are still using default credentials.
47. An attacker uses a brute force attack to break into an account at the login page, or to retrieve information such as usernames fro...
48. Sensitive data in the URL is harmful for a user: it ends up in browser history, proxy and server logs and the Referer header, where an attacker can read it.
49. Some applications redirect the user to an attacker-supplied URL, which can be used to send victims to a malicious site (for example for phishing).
50. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application serve...
51. XST could be used as a method to steal a user's cookies via cross-site scripting (XSS) even if the cookie has the "HttpOnly" flag se...
52. A session should expire after a limited idle time and a limited absolute lifetime, not only when the user logs out.
53. This enables the attacker to see the path to the webroot/file, e.g. /home/omg/htdocs/file/.
54. Sometimes, when an attacker sends malicious SQL input, the web application echoes the SQL query on the page.
55. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file, e.g. /home/omg/htdocs/file/.
56. Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when d...
57. The web application does not invalidate existing sessions on password change; a session already open in another browser stays valid.
58. The web application does not invalidate existing sessions on email change; a session already open in another browser stays valid.
59. Lack of resources and rate limiting is when the API does not restrict the number or frequency of requests from a particular API ...
60. Email flooding is the process of sending large quantities of emails, often with large attachments, in order to disable a network or part of a netw...
61. OTP flooding mostly occurs when no rate limit is implemented on the number of OTP requests a user can make.

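An added example covering rows 47, 59, 61 and 67 (not from the checklist; written for this page) in Python: a sliding-window counter used three ways, as a per-source-IP throttle, as a per-account lockout that counts only failed logins and expires on its own, and as a per-recipient OTP limiter. The limits (20 attempts per minute per IP, 5 failures per 5 minutes per account, 3 OTPs per 10 minutes per number) are assumptions chosen for the example; production code passes time.monotonic as the clock.

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Deterministic clock for the demo; production code passes time.monotonic instead."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowCounter:
    """Counts events per key inside a trailing window; stale events are pruned lazily."""
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def count(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def exhausted(self, key):
        return self.count(key) >= self.limit

    def record(self, key):
        self._events[key].append(self.clock())

    def allow(self, key):
        """Check-and-record in one step, for plain request throttling."""
        if self.exhausted(key):
            return False
        self.record(key)
        return True


class LoginGuard:
    """Two independent limits: per source IP (online brute force) and per target
    account (credential stuffing and password spraying from many IPs)."""
    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowCounter(limit=20, window_seconds=60, clock=clock)
        self.per_account = SlidingWindowCounter(limit=5, window_seconds=300, clock=clock)

    def attempt(self, ip, username, password_ok):
        if not self.per_ip.allow(ip):
            return "throttled_ip"
        if self.per_account.exhausted(username):
            return "throttled_account"       # temporary lockout that expires by itself
        if password_ok:
            return "ok"
        self.per_account.record(username)    # only failures count against the account
        return "failed"


class OtpSender:
    """Row 61: cap OTP requests per recipient so the endpoint cannot be used to flood a number."""
    def __init__(self, clock=time.monotonic):
        self.per_target = SlidingWindowCounter(limit=3, window_seconds=600, clock=clock)

    def send(self, phone):
        return self.per_target.allow(phone)


if __name__ == "__main__":
    clock = ManualClock()
    guard = LoginGuard(clock)
    for i in range(6):
        print(guard.attempt("10.0.0.%d" % i, "alice", False))   # 5x failed, then throttled_account
    clock.advance(301)
    print(guard.attempt("10.0.0.9", "alice", True))             # ok again
```

A self-expiring, failure-only lockout avoids the classic side effect of a permanent lockout policy, where an attacker can lock legitimate users out by design. The per-IP limit is deliberately the weaker of the two, since attackers rotate addresses; the per-account limit is what actually stops stuffing.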
62. HTTP Host header injection is an attack in which a malevolent actor tampers with the Host header in a client request. This ...
63. The application should send security HTTP headers (such as Content-Security-Policy, X-Frame-Options, Strict-Transport-Security and X-Content-Type-Options) to protect the site against script injection and other client-side attacks.
64. Autocomplete should be turned off (autocomplete="off") on login and other sensitive form fields, otherwise the browser may store the credentials; note that modern browsers ignore this attribute for password fields, which is why the finding is rated Low.
65. A password change function should require the current (old) password before a new one is set.
66. A website sometimes displays HTTP errors that reveal information about the system.
67. The web application has no account lockout policy, so an attacker can brute force the username and password to gain access to ...
68. The web application provides a "remember password" feature, which is harmful for a user if the stored credential can be recovered.
69. The web application allows users to set weak passwords, which puts their accounts at risk.
70. A weak crossdomain.xml file (for example one that allows access from any domain) can allow an attacker to access several types of confidential information.
71. Applications should validate all user input on the server side.
72. An attacker manipulates a request parameter by sending a very large value so that the page does not giv...
73. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by c...
74. This value informs the browser what kind of data to expect. If this header is missing, the browser may incorrectly handle the d...
75. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be sent over a secure (TLS) channe...
76. Applications generally allow concurrent logins; for higher security only one active session per user should be allowed at a time.
77. Banner grabbing or OS fingerprinting is a method to determine the software versions and operating system running on a remote target system.
78. If CAPTCHA is not implemented on the login/forgot-password page it may lead to automated attacks.
79. The HTTP Referer is an optional HTTP header field that identifies the address of the web page which linked to the resource b...
80. Example finding: the web application uses the Laravel framework and Laravel debug mode is enabled. Debug mode should be turned off in production.
81. EXIF data stores sensitive information like geo-location, date, name of the camera, modified date, time, sensing method, file ...
82. An attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than huma...
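An added example covering rows 45, 51, 63, 73, 74, 75 and 77 (not from the checklist; written for this page) in Python: the passive header and cookie checks a DAST tool runs over every response, applied to two constructed responses, one weak and one hardened. Each finding is reported with the S. No. of the row it maps to. The sample responses, the header set checked and the version heuristic for the Server header are assumptions of the example; there is no network I/O.

```python
from email.parser import Parser


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers). Accepts \\n or \\r\\n line ends."""
    raw = raw.replace("\r\n", "\n")
    head = raw.split("\n\n", 1)[0]
    status, _, header_block = head.partition("\n")
    return status, Parser().parsestr(header_block, headersonly=True)


def cookie_attributes(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def check_response(raw):
    """Return (checklist row, message) pairs, one per failed check."""
    findings = []
    _, h = parse_response(raw)
    csp = (h.get("Content-Security-Policy") or "").lower()
    if not h.get("X-Frame-Options") and "frame-ancestors" not in csp:
        findings.append((45, "no X-Frame-Options and no CSP frame-ancestors (clickjacking)"))
    if "trace" in (h.get("Allow") or "").lower():
        findings.append((51, "TRACE method advertised in Allow (cross-site tracing)"))
    if not h.get("Strict-Transport-Security"):
        findings.append((63, "missing Strict-Transport-Security"))
    if (h.get("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append((63, "missing X-Content-Type-Options: nosniff"))
    if not csp:
        findings.append((63, "missing Content-Security-Policy"))
    for cookie in h.get_all("Set-Cookie", []):
        name, attrs = cookie_attributes(cookie)
        if "httponly" not in attrs:
            findings.append((73, "cookie %s without HttpOnly" % name))
        if "secure" not in attrs:
            findings.append((75, "cookie %s without Secure" % name))
    if not h.get("Content-Type"):
        findings.append((74, "no Content-Type header"))
    server = h.get("Server") or ""
    if any(c.isdigit() for c in server):          # heuristic: a digit means a version string
        findings.append((77, "Server header discloses version: %s" % server))
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Allow: GET, POST, OPTIONS, TRACE
Set-Cookie: PHPSESSID=3f9a1c; Path=/

<html>...</html>"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Allow: GET, POST, OPTIONS
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Set-Cookie: PHPSESSID=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax

<html>...</html>"""


if __name__ == "__main__":
    for row, msg in check_response(WEAK_RESPONSE):
        print("#%d %s" % (row, msg))
    print("hardened:", check_response(HARDENED_RESPONSE))   # []
```

These are presence checks only; a scanner still has to confirm that TRACE actually answers (row 51) and that the cookie in question is the session cookie before rating rows 73 and 75.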
Reference URL (numbered by S. No.)

1-5. https://sqlwiki.netspi.com/detection or http://securityidiots.com/Web-Pentest/SQL-Injection/Part-1-Basic-of-SQL-for-SQLi.html
6. https://portswigger.net/kb/issues/00100210_sql-injection-second-order
7. https://hdivsecurity.com/owasp-broken-authentication-and-session-management
8. http://www.hackingarticles.in/beginner-guide-insecure-direct-object-references/
9. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
10. https://blog.detectify.com/2016/07/01/owasp-top-10-sensitive-data-exposure-6/
11. https://www.owasp.org/index.php/Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)
12. http://www.hackingarticles.in/understanding-csrf-vulnerability-beginner-guide/
13. http://www.hackingarticles.in/file-upload-exploitation-bwapp-bypass-security/
14. https://payatu.com/csv-injection-basic-to-exploit/
15. http://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/
16. https://teamultimate.in/local-file-inclusion-lfi-remote-file-inclusion-rfi/
17. https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
18. https://searchsecurity.techtarget.com/definition/privilege-escalation-attack
19. https://blog.detectify.com/2018/03/21/owasp-top-10-insecure-deserialization/
20. https://blog.detectify.com/2018/04/06/owasp-top-10-insufficient-logging-monitoring/
21-22. https://teamultimate.in/html-injection-reflected-stored/
23. (none given)
24. https://owasp.org/Top10/A04_2021-Insecure_Design/
25. https://www.owasp.org/index.php/Cross_Frame_Scripting
26. https://www.owasp.org/index.php/Command_Injection
27. http://projects.webappsec.org/w/page/13247005/XPath%20Injection
28. http://projects.webappsec.org/w/page/13246947/LDAP%20Injection
29. (none given)
30. https://www.acunetix.com/vulnerabilities/web/database-connection-string-disclosure
31. https://support.portswigger.net/customer/portal/articles/2791007-Methodology_SQL_Injection_Authentication_.html
32-33. http://phpsecurity.readthedocs.io/en/latest/Cross-Site-Scripting-(XSS).html
34. https://owasp.org/www-community/attacks/DOM_Based_XSS
35. https://www.veracode.com/security/failure-restrict-url-access
36. https://portswigger.net/web-security/logic-flaws
37. https://portswigger.net/web-security/server-side-template-injection
38. https://portswigger.net/kb/issues/00200308_client-side-template-injection
39. https://portswigger.net/web-security/access-control
40. https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
41. https://systemweakness.com/bypassing-otp-verification-797851057e79
42. https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
43. https://www.tinfoilsecurity.com/blog/what-is-path-traversal ; Path Traversal | OWASP Foundation
44. http://lifeofpentester.blogspot.in/2013/10/directory-browsing-vulnerability.html
45. https://www.lookingglasscyber.com/blog/threat-intelligence-insights/x-frame-options-clickjacking/
46. https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)
47. https://www.owasp.org/index.php/Brute_force_attack
48. https://www.owasp.org/index.php/Information_exposure_through_query_strings_in_url
49. https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
50. https://blog.detectify.com/2016/06/17/owasp-top-10-security-misconfiguration-5/
51. https://deadliestwebattacks.com/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability/
52. https://www.htbridge.com/vulnerability/insufficient-session-expiration.html
53. https://www.owasp.org/index.php/Full_Path_Disclosure
54. (none given)
55. https://owasp.org/www-community/attacks/Full_Path_Disclosure#:~:text=Full%20Path%20Disclosure%20(FPD)%20vulnerabilities,file%20they%20wish%20to%20view.
56. https://owasp.org/www-community/Improper_Error_Handling
57-58. (none given)
59. https://securityboulevard.com/2021/07/api-security-101-lack-of-resources-rate-limiting/
60. https://www.oxfordreference.com/view/10.1093/oi/authority.20110803095749306
61. (none given)
62. https://crashtest-security.com/invalid-host-header/#:~:text=What%20is%20a%20Host%20header,the%20client%20in%20the%20response.
63. https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
64. https://www.acunetix.com/vulnerabilities/web/password-type-input-with-auto-complete-enabled ; HTML attribute: autocomplete - HTML: HyperText Markup Language | MDN (mozilla.org)
65. https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)
66. https://www.owasp.org/index.php/Testing_for_Error_Code_(OTG-ERR-001)
67. https://vulnerabilities.teammentor.net/article/577e90c9-8e44-4240-b00f-768316d63901 ; Blocking Brute Force Attacks | OWASP Foundation
68. https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005)
69. https://www.acunetix.com/vulnerabilities/web/weak-password
70. https://www.paladion.net/blogs/weak-crossdomain-xml-and-its-exploitation-poc
71. https://www.owasp.org/index.php/Testing_for_Input_Validation ; 24. Security Testing (Basics) - Input Validation and Output Encoding (YouTube)
72. https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/414
73. https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set
74. https://www.acunetix.com/vulnerabilities/web/content-type-is-not-specified
75. https://portswigger.net/kb/issues/00500200_ssl-cookie-without-secure-flag-set
76. http://appsecnotes.blogspot.com/2009/05/simultaneous-sessions-for-single-user.html
77. https://haklab.net/banner-grabbing-foot-printing-network-scanning/
78. CAPTCHA Bypass Vulnerability - Insufficient Attack Protection (securelayer7.net), the same page as 82
79. https://www.geeksforgeeks.org/cross-domain-referrer-header-leakage/
80. https://www.acunetix.com/vulnerabilities/web/laravel-debug-mode-enabled/
81. https://beaglesecurity.com/blog/vulnerability/exif-data-information-leakage.html
82. https://blog.securelayer7.net/owasp-top-10-insufficient-attack-protection-7-captcha-bypass/
