Web application testing: common vulnerabilities
Common and Uncommon Web Vulnerabilities
SQL Injection (SQLi)
- Error-based SQLi
- Union-based SQLi
- Blind SQLi
- Time-based Blind SQLi
Cross-Site Scripting (XSS)
- Stored XSS
- Reflected XSS
- DOM-based XSS
Remote Code Execution (RCE)
- Through file upload vulnerabilities
- Via command injection
- Exploiting deserialization flaws
Server-Side Request Forgery (SSRF)
XML External Entity (XXE) Injection
Insecure Deserialization
- Java deserialization
- PHP object injection
Authentication and Authorization Issues
- Broken Authentication and Session Management
- Weak password policies
- Session fixation
- Insecure session tokens
- Insecure Direct Object References (IDOR)
- Insufficient Access Controls
Cross-Site Request Forgery (CSRF)
File Inclusion Vulnerabilities
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
Insecure File Uploads
- Web Shells
- File Type Bypass
Business Logic Flaws
Command Injection
Race Conditions
Server Misconfigurations
API Vulnerabilities
Sensitive Data Exposure
Insufficient Logging and Monitoring
Other Common and Uncommon Web Vulnerabilities
- Clickjacking
- HTTP Parameter Pollution
- Open Redirects
- Security Misconfigurations
- Using Components with Known Vulnerabilities
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
- Cookie Security Issues
  - Insecure cookie attributes
  - Session hijacking
- Cache Poisoning
- Timing Attacks
- HTTP Response Splitting
- CRLF Injection
- Information Leakage
  - Verbose error messages
  - Stack traces
- Weak Encryption
  - Insufficient key length
  - Poor cryptographic practices
- Privilege Escalation
- Race Conditions
- Logic Flaws
- Path Traversal
- Unrestricted File Upload
- Server-Side Template Injection (SSTI)
- Subdomain Takeover
- Insufficient Anti-Automation
- OAuth Misconfigurations
- Weak SSL/TLS Configurations
- Dependency Confusion
- Resource Exhaustion (Denial of Service)