ShieldReport

Security Knowledge Base

Vulnerability Wiki

Comprehensive reference for web security vulnerabilities. Each entry explains how the attack works, its impact, how ShieldReport detects it, and how to fix it with real code examples.

28 vulnerabilities, 17 categories, OWASP-aligned

Injection

Cross-Site Scripting (XSS)

high

A03:2021 / CWE-79

Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into web pages viewed by other users. The browser executes the script because it trusts the content served by the website.

Tags: injection, browser, javascript, owasp-top-10

SQL Injection (SQLi)

critical

A03:2021 / CWE-89

SQL Injection allows attackers to interfere with database queries by inserting malicious SQL code through user-controlled input fields.

Tags: injection, database, owasp-top-10

XML External Entity (XXE)

high

A05:2021 / CWE-611

XXE attacks target applications that parse XML input by exploiting external entity processing to read local files, perform SSRF, or cause denial of service.

Tags: injection, xml, file-disclosure

Insecure Deserialization

critical

A08:2021 / CWE-502

Insecure deserialization occurs when applications deserialize data from untrusted sources without validation, allowing attackers to manipulate serialized objects.

Tags: injection, rce, java, owasp-top-10

Directory Traversal (Path Traversal)

high

Directory traversal attacks exploit insufficient input validation to access files and directories outside the intended directory, using sequences like ../ to navigate the file system.

Tags: injection, file-system, path-traversal

Session Management

Cross-Site Request Forgery (CSRF)

medium

A01:2021 / CWE-352

CSRF tricks an authenticated user's browser into sending unintended requests to a web application, executing actions without their knowledge.

Tags: session, browser, cookies, owasp-top-10

Broken Access Control

Insecure Direct Object Reference (IDOR)

high

A01:2021 / CWE-639

IDOR occurs when an application exposes internal object references (like database IDs) and fails to verify that the requesting user is authorised to access the referenced object.

Tags: access-control, api, owasp-top-10

Server Security

Server-Side Request Forgery (SSRF)

high

A10:2021 / CWE-918

SSRF allows an attacker to make the server-side application send HTTP requests to an arbitrary domain of the attacker's choosing, often targeting internal services.

Tags: server, cloud, internal-network, owasp-top-10

Configuration

Missing Security Headers

medium

A05:2021 / CWE-693

Web applications that don't set security-related HTTP response headers leave browsers without instructions on how to protect against common attacks.

Tags: headers, configuration, browser-security

Security Misconfiguration

medium

A05:2021 / CWE-16

Security misconfiguration covers a broad range of issues from default credentials and unnecessary features enabled, to overly permissive CORS policies and exposed debug endpoints.

Tags: configuration, defaults, debug, owasp-top-10

CORS Misconfiguration

medium

Cross-Origin Resource Sharing (CORS) misconfigurations allow unauthorised websites to make authenticated requests to your API and read the responses.

Tags: cors, browser, api, configuration

Infrastructure-as-Code Security Misconfiguration

high

Infrastructure-as-Code files (Docker Compose, Kubernetes YAML, Terraform) deployed with insecure defaults create attack vectors before code even reaches production. Privileged containers, exposed ports, missing resource limits, and insecure configurations are common.

Tags: iac, docker, kubernetes, terraform

Authentication

Broken Authentication

critical

A07:2021 / CWE-287

Broken authentication encompasses weaknesses that allow attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities.

Tags: authentication, session, passwords, owasp-top-10

Data Protection

Sensitive Data Exposure

high

A02:2021 / CWE-311

Sensitive data exposure occurs when applications fail to properly protect sensitive data, such as financial information, healthcare records, or credentials, through encryption and access controls.

Tags: data-protection, encryption, privacy, owasp-top-10

Credential Leak Detection (Breach Database Exposure)

high

Employee and customer email addresses associated with your domain may appear in public data breaches. Attackers use these leaked credentials for credential stuffing attacks against your login endpoints.

Tags: credentials, breach, password, data-protection

Hardcoded Secrets and API Keys

critical

API keys, database passwords, private keys, and tokens embedded directly in source code, configuration files, or environment variable definitions are trivially discoverable by anyone with repository access.

Tags: secrets, api-keys, credentials, data-protection

Supply Chain

Using Components with Known Vulnerabilities

high

A06:2021 / CWE-1035

Applications using libraries, frameworks, or dependencies with known security vulnerabilities inherit those risks.

Tags: dependencies, supply-chain, cve, owasp-top-10

WordPress Plugin and Theme Vulnerabilities

high

A06:2021 / CWE-1035

WordPress plugins and themes are the primary attack vector for WordPress sites. Outdated, abandoned, or malicious plugins introduce vulnerabilities ranging from XSS and SQLi to remote code execution and backdoors.

Tags: wordpress, plugins, supply-chain, cms

Operations

Insufficient Logging & Monitoring

medium

A09:2021 / CWE-778

Without adequate logging and monitoring, breaches go undetected for extended periods, allowing attackers to persist, escalate, and exfiltrate data.

Tags: monitoring, logging, incident-response, owasp-top-10

Browser Security

Clickjacking

medium

Clickjacking tricks users into clicking on hidden elements by overlaying a transparent iframe of the target application on top of a malicious page.

Tags: browser, iframe, headers

DNS Security

Subdomain Takeover

high

Subdomain takeover occurs when a DNS record (typically a CNAME) points to an external service that has been deprovisioned, allowing an attacker to claim that service and serve content on the subdomain.

Tags: dns, subdomain, monitoring

DNS Misconfiguration (Missing SPF/DMARC)

medium

Missing or misconfigured SPF, DKIM, and DMARC records allow attackers to send emails that appear to come from your domain, enabling phishing and business email compromise.

Tags: dns, email, spf, dmarc

API Security

GraphQL Introspection Exposure

medium

GraphQL APIs with introspection enabled in production expose the entire API schema, including types, fields, queries, and mutations, to anyone who queries the endpoint.

Tags: api, graphql, information-disclosure

Input Validation

Open Redirect

low

An open redirect vulnerability allows attackers to craft URLs using the legitimate domain that redirect users to malicious external websites.

Tags: redirect, phishing, input-validation

Threat Detection

Honeypot and Canary Token Detection

info

Honeypot URLs and canary tokens are decoy resources deployed on your domain to detect unauthorised access attempts. When an attacker or automated scanner accesses these fake endpoints, an immediate alert is triggered.

Tags: honeypot, canary, threat-detection, monitoring

Application Security

E-Commerce Security and Fraud Signals

high

E-commerce applications face unique attack vectors including payment form skimming, coupon/promo abuse, account takeover for stored payment methods, and business logic flaws in checkout flows that enable price manipulation.

Tags: ecommerce, fraud, magecart, payment-security

Threat Intelligence

Dark Web Exposure and Data Leak Monitoring

high

Sensitive data related to your organisation — credentials, internal documents, database dumps, source code, and API keys — may be traded or posted on dark web forums, paste sites, and underground marketplaces.

Tags: dark-web, threat-intelligence, breach, monitoring

Security Tooling

Free Website Security Scanning

info

Free website security scanning tools analyse publicly accessible web applications for common vulnerabilities, misconfigurations, and security weaknesses without requiring payment. These tools range from single-purpose checkers (SSL testing, header analysis) to comprehensive platforms like ShieldReport that cover the OWASP Top 10, TLS configuration, DNS hardening, and email authentication in a single scan.

Tags: free scanner, website security, OWASP, vulnerability scanning

Want to find these vulnerabilities in your site?

ShieldReport automatically detects all the vulnerabilities listed above. Run a free scan in under 2 minutes.

© 2026 ShieldReport. All rights reserved.