Core Workflow
Phase 1: Injection Vulnerabilities Assessment
Evaluate injection attack vectors targeting data processing components:
SQL Injection (1)
- •Definition: Malicious SQL code inserted into input fields to manipulate database queries
- •Root Cause: Untrusted input concatenated into the SQL statement text instead of being passed as bound parameters; missing input validation is a contributing factor, not the root
- •Impact: Unauthorized data access, data manipulation, database compromise
- •Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts
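The bypass and its fix side by side, as an added example in Python with SQLite (not code from the original page or from the cited source). The table, the single user and the bypass string are constructed for the demo; the password is stored in clear text only so the query stays readable, a real system compares password hashes:

```python
import sqlite3


def make_demo_db():
    """Constructed demo database: one user in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 'admin')")
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker text is spliced into the SQL grammar."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters: values travel separately from the statement text, so
    quotes, comments and keywords inside them are just characters."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Classic bypass: close the string, then comment out the password check.
# The vulnerable statement becomes
#   ... WHERE username = 'alice' -- ' AND password = 'anything'
BYPASS_USERNAME = "alice' -- "


def demo():
    conn = make_demo_db()
    return {
        "vulnerable": login_vulnerable(conn, BYPASS_USERNAME, "anything"),
        "parameterized": login_parameterized(conn, BYPASS_USERNAME, "anything"),
        "legitimate": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized call returns no row for the payload because the driver looks for a user literally named `alice' -- `. Pair this with a database account that can only SELECT/INSERT/UPDATE the tables the application needs, so that a query that does slip through cannot read other schemas or alter structure.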
Cross-Site Scripting - XSS (2)
- •Definition: Injection of malicious scripts into web pages viewed by other users
- •Root Cause: Untrusted data written into an HTML, attribute, JavaScript or URL context without encoding appropriate to that context; input sanitization on its own does not close the gap
- •Impact: Session hijacking, credential theft, website defacement
- •Mitigation: Output encoding, Content Security Policy (CSP), input sanitization
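Context-aware output encoding in Python, as an added example (not code from the original page). It shows the raw concatenation that causes reflected/stored XSS next to the encoders for HTML text, a quoted attribute, a URL path segment, and a user-supplied `href`; the function names and sample payloads are constructed for the demo:

```python
import html
from urllib.parse import quote, urlsplit


def render_vulnerable(name):
    """Raw concatenation into HTML: any '<' or quote in name becomes markup."""
    return "<p>Hello, " + name + "</p>"


def render_text(name):
    """HTML body context: escape & < > " ' so the data is displayed, not parsed."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_attribute(value):
    """Attribute context: the value must be quoted AND escaped. Escaping alone
    does not help in an unquoted attribute, where a space ends the value."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_path_link(user_id):
    """URL path context inside a fixed prefix: percent-encode everything,
    including '/', so '../' cannot change which path is linked."""
    return '<a href="/users/' + quote(user_id, safe="") + '">profile</a>'


def safe_href(url):
    """A whole URL supplied by the user for an href. Only http(s) absolute URLs
    or same-site absolute paths are accepted; javascript:, data:, vbscript:
    and scheme-relative '//evil.example' URLs are rejected (returns None)."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(url, quote=True)
    if parts.scheme == "" and url.startswith("/") and not url.startswith("//"):
        return html.escape(url, quote=True)
    return None
```

Encoding is the primary control; a Content-Security-Policy without `'unsafe-inline'` in `script-src` is the backstop that limits damage when a sink is missed.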
Command Injection (5, 11)
- •Definition: Execution of arbitrary system commands through vulnerable applications
- •Root Cause: Unsanitized user input passed to system shells
- •Impact: Full system compromise, data exfiltration, lateral movement
- •Mitigation: Invoke programs with an argument vector rather than through a shell, or use a library API instead of an external command; allowlist the permitted commands and argument formats; strict input validation
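The shell-versus-argv difference in Python, as an added example (not code from the page). `run_vulnerable` passes the string through `/bin/sh`, so the constructed payload runs a second command; `run_safe` hands the same string to the child as one argument. A small Python one-liner stands in for the real tool so the example runs anywhere Python does; the allowlist pattern is an assumption for the demo:

```python
import re
import subprocess
import sys

# Allowlist: one path component, no separators, no leading '-' (which a tool
# would read as an option, e.g. "--output=/etc/cron.d/x").
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed payload: ends the intended command and starts another.
PAYLOAD = "report.txt; echo INJECTED"


def validate_filename(name):
    """Reject anything outside the allowlist before it reaches a command."""
    if not FILENAME_RE.fullmatch(name):
        raise ValueError("invalid filename")
    return name


def run_vulnerable(name):
    """shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' and
    backticks in the input become shell syntax. Demo only."""
    return subprocess.run(
        "echo " + name, shell=True, capture_output=True, text=True, check=False
    ).stdout


def run_safe(name):
    """Argument vector, no shell: the child receives the input as exactly one
    argv entry whatever characters it contains. The child is a tiny Python
    script standing in for a real tool; with a real tool, pass "--" before
    the operand so a leading '-' cannot be parsed as an option."""
    script = "import sys; print(sys.argv[1])"
    return subprocess.run(
        [sys.executable, "-c", script, name],
        capture_output=True, text=True, check=False,
    ).stdout
```

Note that the argv form stops command injection but not argument injection; the allowlist (or the `--` separator) is what handles an input such as `-rf`.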
XML Injection (6), LDAP Injection (7), XPath Injection (8)
- •Definition: Manipulation of XML/LDAP/XPath queries through malicious input
- •Root Cause: Improper input handling in query construction
- •Impact: Data exposure, authentication bypass, information disclosure
- •Mitigation: Escape special characters according to the target grammar (for LDAP filters, RFC 4515 escaping of `\ * ( )` and NUL), use variable binding where the API offers it (XPath variables, XQuery parameters), strict input validation
Server-Side Template Injection - SSTI (13)
- •Definition: Injection of malicious code into template engines
- •Root Cause: User input embedded directly in template expressions
- •Impact: Remote code execution, server compromise
- •Mitigation: Never build the template itself from user input; pass user data only as template variables; run the engine in sandboxed mode as defense in depth only, since sandbox escapes are common
Phase 2: Authentication and Session Security
Assess authentication mechanism weaknesses:
Session Fixation (14)
- •Definition: Attacker sets victim's session ID before authentication
- •Root Cause: Session ID not regenerated after login
- •Impact: Session hijacking, unauthorized account access
- •Mitigation: Regenerate session ID on authentication, use secure session management
Brute Force Attack (15)
- •Definition: Systematic password guessing using automated tools
- •Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
- •Impact: Unauthorized access, credential compromise
- •Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA
Session Hijacking (16)
- •Definition: Attacker steals or predicts valid session tokens
- •Root Cause: Weak session token generation, insecure transmission
- •Impact: Account takeover, unauthorized access
- •Mitigation: Tokens from a cryptographic random source (at least 128 bits), HTTPS only, HttpOnly/Secure/SameSite cookie attributes, idle and absolute session expiry
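One server-side session store that addresses both Session Fixation (14) and Session Hijacking (16) above, as an added example in Python (not code from the original page). IDs come from the OS CSPRNG, the ID is regenerated on login, and both idle and absolute expiry are enforced; the timeouts and the injectable clock are constructed for the demo:

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap from creation, regardless of activity


class SessionStore:
    """Server-side session table keyed by a random ID. `clock` is injectable
    so expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user=None):
        # 32 bytes (256 bits) from the OS CSPRNG; never derived from time, a
        # counter or the username, which is what makes IDs guessable.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the session or None; expired sessions are removed on access."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s["last_seen"] = now
        return s

    def login(self, old_sid, user):
        """Session-fixation defence: on successful authentication the pre-login
        ID (which an attacker may have planted in the victim's browser) is
        discarded and a fresh ID is issued for the authenticated session."""
        self.destroy(old_sid)
        return self.create(user)

    def logout(self, sid):
        self.destroy(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value. The __Host- prefix makes the browser require Secure,
    Path=/ and no Domain attribute, so a subdomain cannot overwrite the cookie;
    HttpOnly keeps it out of reach of script; SameSite=Lax blocks most
    cross-site request forgery."""
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The same `login` rotation should also run on privilege changes (password change, MFA step-up), and `logout` must destroy the record server-side rather than only clearing the cookie.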
Credential Stuffing and Reuse (22)
- •Definition: Using leaked credentials to access accounts across services
- •Root Cause: Users reusing passwords, no breach detection
- •Impact: Mass account compromise, data breaches
- •Mitigation: MFA, breach password checks, unique credential requirements
Insecure "Remember Me" Functionality (85)
- •Definition: Weak persistent authentication token implementation
- •Root Cause: Predictable tokens, inadequate expiration controls
- •Impact: Unauthorized persistent access, session compromise
- •Mitigation: Random tokens stored server-side as a hash (like a password), bound to one account, rotated on each use, with an absolute expiry; revoke all tokens on password change or logout-everywhere
CAPTCHA Bypass (86)
- •Definition: Circumventing bot detection mechanisms
- •Root Cause: Weak CAPTCHA algorithms, improper validation
- •Impact: Automated attacks, credential stuffing, spam
- •Mitigation: Server-side verification of the CAPTCHA response (single use, short lifetime), risk-based CAPTCHA such as reCAPTCHA v3, layered bot detection, rate limiting
Phase 3: Sensitive Data Exposure
Identify data protection failures:
IDOR - Insecure Direct Object References (23, 42)
- •Definition: Direct access to internal objects via user-supplied references
- •Root Cause: Missing authorization checks on object access
- •Impact: Unauthorized data access, privacy breaches
- •Mitigation: Access control validation, indirect reference maps, authorization checks
Data Leakage (24)
- •Definition: Inadvertent disclosure of sensitive information
- •Root Cause: Inadequate data protection, weak access controls
- •Impact: Privacy breaches, regulatory penalties, reputation damage
- •Mitigation: DLP solutions, encryption, access controls, security training
Unencrypted Data Storage (25)
- •Definition: Storing sensitive data without encryption
- •Root Cause: Failure to implement encryption at rest
- •Impact: Data breaches if storage compromised
- •Mitigation: Application- or field-level encryption for the sensitive columns (so a database dump or backup alone is not enough), database encryption, full-disk encryption against physical theft, key management separate from the data store
Information Disclosure (33)
- •Definition: Exposure of system details through error messages or responses
- •Root Cause: Verbose error handling, debug information in production
- •Impact: Reconnaissance for further attacks, credential exposure
- •Mitigation: Generic error messages, disable debug mode, secure logging
Phase 4: Security Misconfiguration
Assess configuration weaknesses:
Missing Security Headers (26)
- •Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
- •Root Cause: Inadequate server configuration
- •Impact: Easier XSS exploitation, clickjacking, MIME-type sniffing, SSL stripping (protocol downgrade)
- •Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS
Default Passwords (28)
- •Definition: Unchanged default credentials on systems/applications
- •Root Cause: Failure to change vendor defaults
- •Impact: Unauthorized access, system compromise
- •Mitigation: Force a credential change on first use, ship with unique per-device credentials or no default at all, strong password policies, scan the estate for known vendor defaults
Directory Listing (29)
- •Definition: Web server exposes directory contents
- •Root Cause: Improper server configuration
- •Impact: Information disclosure, sensitive file exposure
- •Mitigation: Disable directory indexing (`Options -Indexes` in Apache, `autoindex off` in nginx), provide default index files, keep source and backup files out of the web root
Unprotected API Endpoints (30)
- •Definition: APIs lacking authentication or authorization
- •Root Cause: Missing security controls on API routes
- •Impact: Unauthorized data access, API abuse
- •Mitigation: Authentication on every route (OAuth 2.0 bearer tokens or API keys), per-route authorization checks, rate limiting
Open Ports and Services (31)
- •Definition: Unnecessary network services exposed
- •Root Cause: Failure to minimize attack surface
- •Impact: Exploitation of vulnerable services
- •Mitigation: Port scanning audits, firewall rules, service minimization
Misconfigured CORS (35)
- •Definition: Overly permissive Cross-Origin Resource Sharing policies
- •Root Cause: Reflecting the request's Origin header (or matching it by loose prefix/suffix or regex) while also sending Access-Control-Allow-Credentials: true; browsers refuse `*` together with credentials, so a bare wildcard exposes only unauthenticated data
- •Impact: An attacker's page makes the victim's browser call the API with the victim's cookies and reads the response (account data, CSRF tokens)
- •Mitigation: Exact-match allowlist of trusted origins (scheme, host and port), never allow the `null` origin, send `Vary: Origin`, do not enable credentials unless required
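The three origin-checking patterns as functions that compute the CORS response headers, as an added example in Python (not code from the original page). The allowlist and the attacker origins are constructed for the demo:

```python
# Constructed allowlist: the exact origins permitted to call this API with credentials.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com",
}


def cors_reflect(request_origin):
    """Vulnerable: echoes whatever Origin the browser sent and also allows
    credentials, so any site can make the victim's browser fetch this API
    with its cookies and read the response."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_suffix(request_origin):
    """Also vulnerable: substring matching accepts https://evil-example.com
    and https://example.com.evil.net, both of which an attacker can register."""
    if "example.com" in request_origin:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_allowlist(request_origin):
    """Exact match on the full origin (scheme + host + port). 'null' (sandboxed
    iframes, file:// pages) is never on the list. Vary: Origin stops a shared
    cache from serving one origin's allow header to another."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}
```

When the allowlist does not match, the handler sends no CORS headers at all; the browser then blocks the cross-origin read, which is the safe default.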
Unpatched Software (34)
- •Definition: Systems running outdated vulnerable software
- •Root Cause: Neglected patch management
- •Impact: Exploitation of known vulnerabilities
- •Mitigation: Patch management program, vulnerability scanning, automated updates
Phase 5: XML-Related Vulnerabilities
Evaluate XML processing security:
XXE - XML External Entity Injection (37)
- •Definition: Exploitation of XML parsers to access files or internal systems
- •Root Cause: External entity processing enabled
- •Impact: File disclosure, SSRF, denial of service
- •Mitigation: Disable DTD processing entirely (external general entities, parameter entities, external DTD loading), use hardened parsers (defusedxml in Python; lxml with resolve_entities=False and no_network=True; FEATURE_SECURE_PROCESSING and disallow-doctype-decl in Java)
XEE - XML Entity Expansion (38)
- •Definition: Excessive entity expansion causing resource exhaustion
- •Root Cause: Unlimited entity expansion allowed
- •Impact: Denial of service, parser crashes
- •Mitigation: Limit entity expansion, configure parser restrictions
XML Bomb (Billion Laughs) (39)
- •Definition: Crafted XML with nested entities consuming resources
- •Root Cause: Recursive entity definitions
- •Impact: Memory exhaustion, denial of service
- •Mitigation: Entity expansion limits, input size restrictions
XML Denial of Service (65)
- •Definition: Specially crafted XML causing excessive processing
- •Root Cause: Complex document structures without limits
- •Impact: CPU/memory exhaustion, service unavailability
- •Mitigation: Schema validation, size limits, processing timeouts
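A guard that covers XXE (37), entity expansion (38), the billion-laughs bomb (39) and oversized documents (65) at once, as an added example in Python (not code from the original page). It refuses any document that carries a DTD before the parser sees it; the XXE and bomb samples are constructed for the demo and are never expanded:

```python
import re
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1_000_000  # size cap applied before any parsing
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject any document carrying a DTD before it reaches the parser.
    Entities (external or expanding) can only be declared in a DTD, so with no
    DOCTYPE the parser cannot be made to read files (XXE), call out (SSRF) or
    exhaust memory (billion laughs). A DOCTYPE token inside a comment or CDATA
    section is rejected too: the check fails closed on purpose."""
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML("document exceeds size limit")
    if _DOCTYPE.search(data):
        raise UnsafeXML("DOCTYPE/DTD not permitted")
    # With no DTD, a reference to an undeclared entity is a parse error.
    return ET.fromstring(data)


def check(data: bytes) -> str:
    """Classify a document as 'ok', 'unsafe' or 'malformed' (demo helper)."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXML:
        return "unsafe"
    except ET.ParseError:
        return "malformed"


# Constructed samples, not captured traffic.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz ['
                  b'<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
                  b']><lolz>&lol3;</lolz>')
BENIGN = b'<order id="7"><item sku="A1" qty="2"/></order>'
```

If the application genuinely needs DTDs, use defusedxml (or lxml's `XMLParser(resolve_entities=False, no_network=True)`) instead of this pre-check, and still keep the size limit.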
Phase 6: Broken Access Control
Assess authorization enforcement:
Inadequate Authorization (40)
- •Definition: Failure to properly enforce access controls
- •Root Cause: Weak authorization policies, missing checks
- •Impact: Unauthorized access to sensitive resources
- •Mitigation: RBAC, centralized IAM, regular access reviews
Privilege Escalation (41)
- •Definition: Gaining elevated access beyond intended permissions
- •Root Cause: Misconfigured permissions, system vulnerabilities
- •Impact: Full system compromise, data manipulation
- •Mitigation: Least privilege, regular patching, privilege monitoring
Forceful Browsing (43)
- •Definition: Direct URL manipulation to access restricted resources
- •Root Cause: Weak access controls, predictable URLs
- •Impact: Unauthorized file/directory access
- •Mitigation: Server-side authorization check on every request to the resource; unpredictable paths are defense in depth only and never a substitute for that check
Missing Function-Level Access Control (44)
- •Definition: Unprotected administrative or privileged functions
- •Root Cause: Authorization enforced only by hiding links and buttons in the UI; the server-side handler trusts that the client could not reach it
- •Impact: Unauthorized function execution
- •Mitigation: Server-side authorization for all functions, RBAC
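One set of server-side checks covering IDOR (23, 42), Forceful Browsing (43) and Missing Function-Level Access Control (44), as an added example in Python (not code from the original page). The horizontal check ties the record to its owner; the vertical check is a decorator on the handler itself, so it runs no matter how the URL was reached. Users, roles and documents are constructed for the demo:

```python
from functools import wraps

# Constructed data: two ordinary users with one document each, plus an admin.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's private notes"},
    102: {"owner": "bob", "body": "bob's private notes"},
}


class Forbidden(Exception):
    pass


def get_document_vulnerable(current_user, doc_id):
    """Authenticated, but the record is fetched by the caller-supplied ID with
    no ownership check: any logged-in user reads any document (IDOR)."""
    return DOCUMENTS[doc_id]["body"]


def get_document(current_user, doc_id):
    """Horizontal check: the record must belong to the caller, or the caller
    must be an admin. Missing and forbidden yield the same error so the
    response does not tell an attacker which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc["owner"] != current_user and USERS.get(current_user) != "admin"):
        raise Forbidden("not found or not permitted")
    return doc["body"]


def require_role(role):
    """Vertical check enforced in the handler, not in the UI: hiding the
    'Admin' link is not access control; typing the URL still hits this."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if USERS.get(current_user) != role:
                raise Forbidden(f"{role} role required")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user(current_user, username):
    return USERS.pop(username, None) is not None
```

In a real application the ownership predicate belongs in the data-access layer (a `WHERE owner_id = :current_user` clause), so that no handler can forget it.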
Phase 7: Insecure Deserialization
Evaluate object serialization security:
Remote Code Execution via Deserialization (45)
- •Definition: Arbitrary code execution through malicious serialized objects
- •Root Cause: Untrusted data deserialized without validation
- •Impact: Complete system compromise, code execution
- •Mitigation: Never feed untrusted data to native object serializers (Python pickle, Java ObjectInputStream, PHP unserialize, .NET BinaryFormatter); prefer data-only formats such as JSON with a fixed schema; integrity checks; type validation
Data Tampering (46)
- •Definition: Unauthorized modification of serialized data
- •Root Cause: Missing integrity verification
- •Impact: Data corruption, privilege manipulation
- •Mitigation: HMAC or digital signature over the serialized bytes, verified with a constant-time comparison before anything is parsed; encryption alone does not provide integrity
Object Injection (47)
- •Definition: Malicious object instantiation during deserialization
- •Root Cause: Unsafe deserialization practices
- •Impact: Code execution, unauthorized access
- •Mitigation: Type restrictions, class whitelisting, secure libraries
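The three items in this phase in one Python example, added here and not from the original page: a harmless `__reduce__` gadget shows that `pickle.loads` invokes an arbitrary callable (45, 47), and the replacement is a JSON payload with an HMAC tag checked before parsing (46) and a fixed field/type schema (47). The key and payload are constructed for the demo:

```python
import hashlib
import hmac
import json
import pickle


class Gadget:
    """Any class the unpickling side can import may name a callable in
    __reduce__; pickle.loads calls it with the given arguments. The callable
    here is harmless (str.upper); real payloads use os.system or subprocess."""

    def __reduce__(self):
        return (str.upper, ("pwned by pickle",))


def pickle_executes_callables():
    """loads() runs the callable: the result is not a Gadget at all but the
    string str.upper returned."""
    return pickle.loads(pickle.dumps(Gadget()))


# Hardened alternative: a data-only format with an integrity tag and a schema.
EXPECTED_FIELDS = {"user": str, "role": str, "exp": int}


def sign(payload: dict, key: bytes) -> bytes:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_and_load(token: bytes, key: bytes) -> dict:
    """Check the HMAC with a constant-time compare BEFORE parsing, then
    restrict the decoded data to the expected keys and primitive types."""
    body, sep, tag = token.rpartition(b".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    data = json.loads(body)
    if not isinstance(data, dict) or set(data) != set(EXPECTED_FIELDS):
        raise ValueError("unexpected fields")
    for name, typ in EXPECTED_FIELDS.items():
        if type(data[name]) is not typ:  # exact type: bool is not accepted as int
            raise ValueError(f"field {name} has wrong type")
    return data
```

Keep the HMAC key out of the code and rotate it; a leaked key turns the signed token back into attacker-controlled data.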
Phase 8: API Security Assessment
Evaluate API-specific vulnerabilities:
Insecure API Endpoints (48)
- •Definition: APIs without proper security controls
- •Root Cause: Poor API design, missing authentication
- •Impact: Data breaches, unauthorized access
- •Mitigation: OAuth/JWT, HTTPS, input validation, rate limiting
API Key Exposure (49)
- •Definition: Leaked or exposed API credentials
- •Root Cause: Hardcoded keys, insecure storage
- •Impact: Unauthorized API access, abuse
- •Mitigation: Secrets manager or vault, regular rotation, keys scoped to the least privilege needed, secret scanning in CI and repositories; environment variables beat hardcoding but still leak through process listings, crash dumps and debug pages
Lack of Rate Limiting (50)
- •Definition: No controls on API request frequency
- •Root Cause: Missing throttling mechanisms
- •Impact: DoS, API abuse, resource exhaustion
- •Mitigation: Rate limits per user/IP, throttling, DDoS protection
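A per-key token bucket and a two-layer login throttle, as an added example in Python that serves both Lack of Rate Limiting (50) here and Brute Force Attack (15) in Phase 2 (not code from the original page). The capacities, refill rates and sample IPs are constructed for the demo:

```python
import time


class TokenBucket:
    """Per-key token bucket: each key may burst up to `capacity` requests and
    then proceeds at `refill_per_sec`. `clock` is injectable for testing."""

    def __init__(self, capacity, refill_per_sec, clock=time.time):
        self.capacity = float(capacity)
        self.rate = float(refill_per_sec)
        self._clock = clock
        self._state = {}  # key -> (tokens, time of last refill)

    def allow(self, key):
        now = self._clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


class LoginThrottle:
    """Two layers for a login endpoint. The per-IP bucket stops one source
    from spraying many accounts; the per-account bucket stops a distributed
    attack (credential stuffing from many IPs) against one account. Throttling
    rather than a hard lockout keeps an attacker from locking real users out."""

    def __init__(self, clock=time.time):
        self.by_ip = TokenBucket(capacity=20, refill_per_sec=20 / 60, clock=clock)
        self.by_account = TokenBucket(capacity=5, refill_per_sec=5 / 60, clock=clock)

    def allow(self, ip, username):
        # Evaluate both so a denial in one layer still charges the other.
        ip_ok = self.by_ip.allow(ip)
        account_ok = self.by_account.allow(username.lower())
        return ip_ok and account_ok
```

Return HTTP 429 with a `Retry-After` header when `allow` is false, and keep the bucket state in a shared store (Redis or similar) when the service runs on more than one node, otherwise each node grants its own burst.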
Inadequate Input Validation (51)
- •Definition: APIs accepting unvalidated user input
- •Root Cause: Missing server-side validation
- •Impact: Injection attacks, data corruption
- •Mitigation: Strict server-side validation against a declared schema (OpenAPI/JSON Schema: types, lengths, enumerations), parameterized queries; a WAF is defense in depth, not the control
API Abuse (75)
- •Definition: Exploiting API functionality for malicious purposes
- •Root Cause: Excessive trust in client input
- •Impact: Data theft, account takeover, service abuse
- •Mitigation: Strong authentication, behavior analysis, anomaly detection
Phase 9: Communication Security
Assess transport layer protections:
Man-in-the-Middle Attack (52)
- •Definition: Interception of communication between parties
- •Root Cause: Unencrypted channels, compromised networks
- •Impact: Data theft, session hijacking, impersonation
- •Mitigation: TLS with full certificate validation (chain, hostname, revocation where available), HSTS; certificate pinning for high-value mobile clients, with a rotation plan so expiry does not break the app; mutual TLS where both endpoints are managed
Insufficient Transport Layer Security (53)
- •Definition: Weak or outdated encryption for data in transit
- •Root Cause: Deprecated protocol versions (SSLv2/3, TLS 1.0/1.1), weak cipher suites (RC4, 3DES, export and NULL ciphers), self-signed or expired certificates
- •Impact: Traffic interception, credential theft
- •Mitigation: TLS 1.2+, strong cipher suites, HSTS
Insecure SSL/TLS Configuration (54)
- •Definition: Improperly configured encryption settings
- •Root Cause: Weak ciphers, missing forward secrecy
- •Impact: Traffic decryption, MITM attacks
- •Mitigation: Modern cipher suites, PFS, certificate validation
Insecure Communication Protocols (55)
- •Definition: Use of unencrypted protocols (HTTP, Telnet, FTP)
- •Root Cause: Legacy systems, security unawareness
- •Impact: Traffic sniffing, credential exposure
- •Mitigation: HTTPS, SSH, SFTP, VPN tunnels
Phase 10: Client-Side Vulnerabilities
Evaluate browser-side security:
DOM-based XSS (56)
- •Definition: XSS through client-side JavaScript manipulation
- •Root Cause: Unsafe DOM manipulation with user input
- •Impact: Session theft, credential harvesting
- •Mitigation: Safe sinks (textContent, setAttribute on non-URL attributes) instead of innerHTML, document.write and eval; Trusted Types; CSP; a client-side sanitizer such as DOMPurify only where HTML output is genuinely required
Insecure Cross-Origin Communication (57)
- •Definition: Improper handling of cross-origin requests
- •Root Cause: Relaxed CORS/SOP policies
- •Impact: Data leakage, CSRF attacks
- •Mitigation: Strict CORS, CSRF tokens, origin validation
Browser Cache Poisoning (58)
- •Definition: Manipulation of cached content
- •Root Cause: Weak cache validation
- •Impact: Malicious content delivery
- •Mitigation: Cache-Control headers, HTTPS, integrity checks
Clickjacking (59, 71)
- •Definition: UI redress attack tricking users into clicking hidden elements
- •Root Cause: Missing frame protection
- •Impact: Unintended actions, credential theft
- •Mitigation: CSP frame-ancestors (preferred, supports an allowlist), X-Frame-Options for older browsers; JavaScript frame-busting is bypassable and only a fallback
HTML5 Security Issues (60)
- •Definition: Vulnerabilities in HTML5 APIs (WebSockets, Storage, Geolocation)
- •Root Cause: Improper API usage, insufficient validation
- •Impact: Data leakage, XSS, privacy violations
- •Mitigation: Secure API usage, input validation, sandboxing
Phase 11: Denial of Service Assessment
Evaluate availability threats:
DDoS - Distributed Denial of Service (61)
- •Definition: Overwhelming systems with traffic from multiple sources
- •Root Cause: Internet-facing services with finite capacity; attackers exceed it with botnets and reflection/amplification via exposed UDP services (DNS, NTP, memcached)
- •Impact: Service unavailability, revenue loss
- •Mitigation: DDoS protection services, rate limiting, CDN
Application Layer DoS (62)
- •Definition: Targeting application logic to exhaust resources
- •Root Cause: Inefficient code, resource-intensive operations
- •Impact: Application unavailability, degraded performance
- •Mitigation: Rate limiting, caching, WAF, code optimization
Resource Exhaustion (63)
- •Definition: Depleting CPU, memory, disk, or network resources
- •Root Cause: Inefficient resource management
- •Impact: System crashes, service degradation
- •Mitigation: Resource quotas, monitoring, load balancing
Slowloris Attack (64)
- •Definition: Keeping connections open with partial HTTP requests
- •Root Cause: Generous header and body read timeouts combined with a fixed pool of connection slots or threads, so a few hundred idle connections fill the server
- •Impact: Web server resource exhaustion
- •Mitigation: Connection timeouts, request limits, reverse proxy
Phase 12: Server-Side Request Forgery
Assess SSRF vulnerabilities:
SSRF - Server-Side Request Forgery (66)
- •Definition: Manipulating server to make requests to internal resources
- •Root Cause: Unvalidated user-controlled URLs
- •Impact: Internal network access, data theft, cloud metadata access
- •Mitigation: Allowlist of schemes and destination hosts; resolve the name, verify the address is public, and connect to that address (defeats DNS rebinding); do not follow redirects automatically; block link-local and metadata addresses (169.254.169.254) and require IMDSv2 on AWS; egress filtering; network segmentation
Blind SSRF (87)
- •Definition: SSRF without direct response visibility
- •Root Cause: Same as SSRF (unvalidated user-controlled URLs); the response body is not returned to the attacker, so exploitation relies on side channels such as out-of-band DNS/HTTP callbacks
- •Impact: Data exfiltration, internal reconnaissance
- •Mitigation: Allowlists, WAF, network restrictions
Time-Based Blind SSRF (88)
- •Definition: Inferring SSRF success through response timing
- •Root Cause: Same as SSRF; the only signal returned to the attacker is how long the server took, which differs between an open port, a closed port and a filtered host
- •Impact: Internal port and host discovery, slow data exfiltration, low-signal activity that evades detection
- •Mitigation: Same controls as SSRF; uniform short timeouts on outbound requests so timing reveals little; logging and alerting on outbound connection failures
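The outbound-URL check that backs the SSRF mitigations above (66, 87, 88), as an added example in Python (not code from the original page). It allowlists scheme and host, rejects userinfo tricks, resolves the name and refuses any non-public address, including the cloud metadata endpoint. The allowlist is constructed for the demo, and the resolver is injectable so the check runs without DNS:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for a "fetch this webhook/URL" feature.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example"}


class SSRFBlocked(ValueError):
    pass


def is_public_address(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (incl. 169.254.169.254 cloud
    metadata), CGNAT, documentation ranges, multicast, unspecified and
    reserved space, for both IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str, resolve=socket.gethostbyname):
    """Return (host, ip) the caller must connect to, or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://api.partner.example@evil.example/ parses with host evil.example
        raise SSRFBlocked("userinfo in URL")
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not allowed: {host!r}")
    if parts.port not in (None, 443):
        raise SSRFBlocked(f"port not allowed: {parts.port}")
    ip = resolve(host)
    if not is_public_address(ip):
        raise SSRFBlocked(f"{host} resolves to non-public address {ip}")
    # The caller must open the socket to `ip` (sending Host/SNI = host) rather
    # than resolving again: a second lookup lets a DNS-rebinding attacker
    # return a private address the second time.
    return host, ip


def would_block(url: str, fake_ip: str = "93.184.216.34") -> bool:
    """Demo helper: run the check with a fixed resolver result."""
    try:
        validate_outbound_url(url, resolve=lambda _host: fake_ip)
        return False
    except SSRFBlocked:
        return True
```

Two things the check cannot do on its own: the HTTP client must be configured not to follow redirects (or to re-run this check on every hop), and the outbound request needs a short timeout so the timing side channel in (88) carries little information.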
Phase 13: Additional Web Vulnerabilities
| # | Vulnerability | Root Cause | Impact | Mitigation |
|---|---|---|---|---|
| 67 | HTTP Parameter Pollution | Inconsistent parsing | Injection, ACL bypass | Strict parsing, validation |
| 68 | Insecure Redirects | Unvalidated targets | Phishing, malware | Whitelist destinations |
| 69 | File Inclusion (LFI/RFI) | Unvalidated paths | Code exec, disclosure | Whitelist files, disable RFI |
| 70 | Security Header Bypass | Misconfigured headers | XSS, clickjacking | Proper headers, audits |
| 72 | Inadequate Session Timeout | Overly long idle or absolute lifetimes | Session hijacking | Idle termination, absolute timeout |
| 73 | Insufficient Logging | No audit trail of security events, or logs nobody monitors | Detection gaps | Log auth and authz events, SIEM, alerting |
| 74 | Business Logic Flaws | Insecure design | Fraud, unauthorized ops | Threat modeling, testing |
Phase 14: Mobile and IoT Security
| # | Vulnerability | Root Cause | Impact | Mitigation |
|---|---|---|---|---|
| 76 | Insecure Mobile Storage | Plain text, weak crypto | Data theft | Keychain/Keystore, encrypt |
| 77 | Insecure Mobile Transmission | HTTP, cert failures | Traffic interception | TLS, cert pinning |
| 78 | Insecure Mobile APIs | Missing auth/validation | Data exposure | OAuth/JWT, validation |
| 79 | App Reverse Engineering | Hardcoded creds | Credential theft | No secrets in the binary, obfuscation, RASP |
| 80 | IoT Management Issues | Weak auth, no TLS | Device takeover | Strong auth, TLS |
| 81 | Weak IoT Authentication | Default passwords | Unauthorized access | Unique creds, MFA |
| 82 | IoT Vulnerabilities | Design flaws, old firmware | Botnet recruitment | Updates, segmentation |
| 83 | Smart Home Access | Insecure defaults | Privacy invasion | MFA, segmentation |
| 84 | IoT Privacy Issues | Excessive collection | Surveillance | Data minimization |
Phase 15: Advanced and Zero-Day Threats
| # | Vulnerability | Root Cause | Impact | Mitigation |
|---|---|---|---|---|
| 89 | MIME Sniffing | Missing headers | XSS, spoofing | X-Content-Type-Options |
| 91 | CSP Bypass | Weak config | XSS despite CSP | Strict CSP, nonces |
| 92 | Inconsistent Validation | Decentralized logic | Control bypass | Centralized validation |
| 93 | Race Conditions | Missing sync | Privilege escalation | Proper locking |
| 94-95 | Business Logic Flaws | Missing validation | Financial fraud | Server-side validation |
| 96 | Account Enumeration | Different responses | Targeted attacks | Uniform responses |
| 98-99 | Unpatched Vulnerabilities | Patch delays | N-day exploitation of public bugs | Patch management, severity-based SLAs |
| 100 | Zero-Day Exploits | Unknown vulns | Unmitigated attacks | Defense in depth |
Quick Reference
Vulnerability Categories Summary
| Category | Vulnerability Numbers | Key Controls |
|---|---|---|
| Injection | 1-13 | Parameterized queries, input validation, output encoding |
| Authentication | 14-23, 85-86 | MFA, session management, account lockout |
| Data Exposure | 24-27 | Encryption at rest/transit, access controls, DLP |
| Misconfiguration | 28-36 | Secure defaults, hardening, patching |
| XML | 37-39, 65 | Disable external entities, limit expansion |
| Access Control | 40-44 | RBAC, least privilege, authorization checks |
| Deserialization | 45-47 | Avoid untrusted data, integrity validation |
| API Security | 48-51, 75 | OAuth, rate limiting, input validation |
| Communication | 52-55 | TLS 1.2+, certificate validation, HTTPS |
| Client-Side | 56-60 | CSP, X-Frame-Options, safe DOM |
| DoS | 61-65 | Rate limiting, DDoS protection, resource limits |
| SSRF | 66, 87-88 | URL whitelisting, egress filtering |
| Mobile/IoT | 76-84 | Encryption, authentication, secure storage |
| Business Logic | 74, 92-97 | Threat modeling, logic testing |
| Zero-Day | 98-100 | Defense in depth, threat intelligence |
Critical Security Headers
```http
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()
```
`X-XSS-Protection: 0` replaces the older `1; mode=block` recommendation: the browser XSS auditor has been removed from Chromium and its filtering mode introduced information leaks of its own, so current guidance is to disable it and rely on CSP. `frame-ancestors` in CSP is the modern equivalent of `X-Frame-Options` and wins where both are present.
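A small auditor that checks one response's headers against the list above, as an added example in Python (not code from the original page). It flags missing headers, a CSP whose script sources allow `'unsafe-inline'` without a nonce or hash, a missing framing control, a short HSTS lifetime, and the legacy `X-XSS-Protection` auditor; the thresholds and the sample header sets are constructed for the demo:

```python
import re

CSP_SCRIPT_SAFE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
ONE_YEAR = 31536000

# Reference set that passes the audit (mirrors the list above).
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=()",
}


def parse_csp(value):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for one response's headers (any name case).
    An empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    framing_ok = False
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        framing_ok = "frame-ancestors" in policy
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            low = [s.lower() for s in scripts]
            if "*" in low:
                findings.append("CSP script sources allow any host (*)")
            # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present.
            has_nonce_or_hash = any(s.startswith(CSP_SCRIPT_SAFE_PREFIXES) for s in low)
            if "'unsafe-inline'" in low and not has_nonce_or_hash:
                findings.append("CSP allows 'unsafe-inline' scripts without a nonce or hash")
            if "'unsafe-eval'" in low:
                findings.append("CSP allows 'unsafe-eval'")
    if not framing_ok and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (CSP frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m is None:
        findings.append("missing Strict-Transport-Security max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is shorter than one year")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection enables the legacy auditor; set it to 0 or remove it")

    return findings
```

Run it over the headers of every HTML response, not just the landing page: error pages, API responses rendered as HTML and static assets served by a different tier are where headers usually go missing.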
OWASP Top 10 Mapping
| OWASP Top 10 (2021) | Related Vulnerabilities |
|---|---|
| A01: Broken Access Control | 23, 40-44, 74 |
| A02: Cryptographic Failures | 24-25, 53-55 |
| A03: Injection | 1-13, 56 |
| A04: Insecure Design | 74, 92-97 |
| A05: Security Misconfiguration | 26-36, 37-39 (XXE was merged into this category in 2021) |
| A06: Vulnerable and Outdated Components | 34, 98-100 |
| A07: Identification and Authentication Failures | 14-23, 85-86 |
| A08: Software and Data Integrity Failures | 45-47 |
| A09: Security Logging and Monitoring Failures | 73 |
| A10: Server-Side Request Forgery | 66, 87-88 |
Constraints and Limitations
- •Vulnerability definitions represent common patterns; specific implementations vary
- •Mitigations must be adapted to technology stack and architecture
- •New vulnerabilities emerge continuously; reference should be updated
- •Some vulnerabilities overlap across categories (e.g., IDOR appears in multiple contexts)
- •Effectiveness of mitigations depends on proper implementation
- •Automated scanners cannot detect all vulnerability types (especially business logic)
Troubleshooting
Common Assessment Challenges
| Challenge | Solution |
|---|---|
| False positives in scanning | Manual verification, contextual analysis |
| Business logic flaws missed | Manual testing, threat modeling, abuse case analysis |
| Encrypted traffic analysis | Proxy configuration, certificate installation |
| WAF blocking tests | Agree a source-IP allowlist for the testers with the client (WAF bypass is a separate test objective); otherwise rate adjustment, payload encoding |
| Session handling issues | Cookie management, authentication state tracking |
| API discovery | Swagger/OpenAPI enumeration, traffic analysis |
Vulnerability Verification Techniques
| Vulnerability Type | Verification Approach |
|---|---|
| Injection | Payload testing with encoded variants |
| XSS | Proof-of-execution payload such as alert(document.domain), which confirms the origin the script runs in; inspection of the sink and its context |
| CSRF | Cross-origin form submission from an attacker-controlled page with the token omitted or swapped; check of SameSite cookie attributes |
| SSRF | Out-of-band DNS/HTTP callbacks |
| XXE | External entity with controlled server |
| Access Control | Horizontal/vertical privilege testing |
| Authentication | Default and weak credential tests, lockout and rate-limit probing, session token entropy and lifetime analysis |
References
- •OWASP Top 10 Web Application Security Risks
- •CWE/SANS Top 25 Most Dangerous Software Errors
- •OWASP Testing Guide
- •OWASP Application Security Verification Standard (ASVS)
- •NIST Cybersecurity Framework
- •Source: Kumar MS - Top 100 Web Vulnerabilities