Common Vulnerabilities Glossary

A

Description:

An attacker is able to bypass authentication mechanisms to gain the permissions of an authenticated user.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

An attacker is able to gain read, write or execute permissions that they were not intended to have.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Broken Access Control

B

Description:

A type of XSS attack where the injected client-side script is executed in a backend application such as via feedback forms.

Recommended Tests:

Related Vulnerabilities:

  • Cross Site Scripting (XSS)
  • Reflected Cross Site Scripting (XSS)
  • DOM based Cross Site Scripting (XSS)
  • Stored Cross Site Scripting (XSS)

Description:

Access controls are configured or designed in such a way that they do not sufficiently prevent users from being able to act outside of their intended permissions. This is an OWASP Top 10 2021 Vulnerability.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Authorization bypass

Description:

An attacker can put more data in a buffer than it can hold or in a memory area past a buffer. This vulnerability can result in severe consequences such as arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Format string attack

Description:

An attacker can manipulate the business logic of an application with negative consequences to the business.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

  • Authorization bypass
  • Weak input validation

C

Description:

The vulnerable code catches NullPointerException, which is a bad practice.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Covert storage channels occur when out-of-band data is stored in messages for memory reuse, potentially resulting in bad actors gaining information about the process that created the message.

Recommended Tests:

Related Vulnerabilities:

Description:

An attacker is able to submit a CRLF (Carriage Return Line Feed) to an application.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • HTTP Response Splitting
  • Log Injection

Description:

A type of injection where an attacker sends a malicious client-side script to a different end user of the same application through the application. There are multiple types of XSS including Stored, Reflected and DOM.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

  • Stored Cross Site Scripting (XSS)
  • Reflected Cross Site Scripting (XSS)
  • DOM based Cross Site Scripting (XSS)

Description:

An attacker is able to force users to execute unwanted actions on a web application in which they’re currently authenticated due to a lack of anti-CSRF protections in the application.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

Description:

An attacker is able to put malicious input into CSV files.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

D

Description:

The attacker renders the application or process unavailable to other users.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

The application deserializes untrusted data, which may be purposefully or accidentally malformed. In the worst case, this may result in arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

A type of XSS attack where the injected client-side script is executed as a result of modifying the DOM “environment” in the victim’s browser.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

  • Cross Site Scripting (XSS)
  • Stored Cross Site Scripting (XSS)
  • Reflected Cross Site Scripting (XSS)

Description:

Memory is doubly freed when free() is called more than once on the same value in the code, which can lead to memory leaks.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

E

Description:

Allowing use of an empty string as a password is insecure as it is too easy to guess.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Brute-force

Description:

The software uses untrusted input to construct all or part of an expression language (EL) statement in a Java Server Page (JSP).

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

F

Description:

An attacker is able to access resources that are not referenced by the application but still accessible.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

 

H

Description:

Hardcoded passwords can be seen by anyone with permission to view the code.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Heartbleed is a major security vulnerability in certain versions of OpenSSL which can result in memory leaks.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

An attacker is able to gain the permissions of another user of the same permission level.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

The application trusts and parses user-supplied input in the Host header.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

I

Description:

Allowing data to be parsed by an application or software without sufficient controls to limit attacks such as injection.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

The application does not enforce the intended restricted directory access policy.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

An application that does not properly handle errors may be inadvertently providing attackers with the information needed to facilitate their attack.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

The application does not sufficiently validate input to be in the expected range of values.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

When sensitive data is passed to parameters in the URL, there is an increased risk that an attacker may be able to gain access to it. For example, the data may be exposed to 3rd party sources or unintended parties via Referer header, browser cache, or via vulnerable proxies.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

A wide range of vulnerabilities resulting from an application parsing untrusted input. Consequences can include arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Improper configuration of a compiler such as not using the correct security relevant flags. This can result in many issues including secret data being stored in memory.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

The application deserializes untrusted data, which may be purposefully or accidentally malformed. In the worst case, this may result in arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

Description:

The application uses user-supplied input to access objects directly.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

SSL and PKI should be securely configured to prevent network sniffing and Man-in-the-Middle Attacks.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Using untrusted 3rd party resources such as externally hosted content exposes the application and its users to security risks unless proper security controls are in place.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Creating and/or using temporary files insecurely can leave application and system data vulnerable to various attacks such as local privilege escalation.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

Standard pseudo-random number generators cannot withstand cryptographic attacks.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Insufficient Randomness

Description:

Standard pseudo-random number generators cannot withstand cryptographic attacks.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Insufficient Randomness

Description:

Short session IDs take less time to be guessed by attackers.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

L

Description:

When outdated, vulnerable code is not patched, its known vulnerabilities may be exploited by attackers.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Processes should only operate with the minimum level of privilege needed. If elevation to root is needed, it should be dropped as soon as it is no longer needed. The reason for this is that if an attacker compromises a process, they will gain its permissions.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

An attacker is able to force the application to include a local file, therefore potentially causing arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Certain versions of Apache Log4j are vulnerable to remote code execution via the JDBC Appender when an attacker controls the configuration.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

M

Description:

Attacker intercepts and modifies network traffic.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

Failure to free an allocated block of memory when no longer needed.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Failure to validate input when parsing XML can lead to various attacks such as XML entity injection and potentially lead to arbitrary command execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

N

Description:

The attacker is able to inject code into commands for databases that don’t use SQL queries.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

O

Description:

Use of deprecated or obsolete functions in code may indicate neglected code.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

An attacker is able to redirect or forward other users to another URL via the application.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

A regular expression used to restrict user input may have its controls bypassed if it is insecurely written.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

P

Description:

An attacker is able to access files and directories that are stored outside the web root folder.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

An attacker is able to execute arbitrary code because the PHP application receives input from an upstream component but does not restrict or incorrectly restricts it before its usage in “require,” “include,” or similar functions.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Remote File Inclusion
  • Local File Inclusion

Description:

An attacker is able to provide input that is not sufficiently sanitized before being parsed by an unserialize() PHP function, resulting in multiple potential attacks such as injection, Denial of Service or Path Traversal.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

  • Injection
  • Path Traversal
  • Denial of Service

Description:

Storing a password without any form of encryption may result in the password being compromised.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Privacy violation refers to any mishandling of private information such as PII, PHI, Credit data or other sensitive data. Often, this is also illegal.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Threat Modeling and Architecture Review

Related Vulnerabilities:

Description:

The application executes commands from an untrusted source or in an untrusted environment.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

R

Description:

A type of XSS attack where the injected client-side script is reflected off the server and not stored on the backend such as a URL parameter injected into an error message.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

  • Cross Site Scripting (XSS)
  • Stored Cross Site Scripting (XSS)
  • DOM based Cross Site Scripting (XSS)

Description:

An attacker is able to force the application to include a remote file, therefore potentially causing arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Returning from inside a finally block in code will cause exceptions to be lost.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

S

Description:

An attacker is able to hijack a valid user session.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

Session tokens and cookies that are not terminated after logout can facilitate Session Hijacking.

Recommended Tests:

  • pentesting service
  • Web application penetration testing

Related Vulnerabilities:

Description:

Session Puzzling (also known as Session Variable Overloading) is an application-level vulnerability that occurs when the application uses the same session variable for more than one purpose, potentially allowing an attacker to access pages in an order unanticipated by the developers.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

  • Session Variable Overloading
  • Session Race Condition

Description:

An attacker is able to produce unexpected results when the timing of actions impacts other actions.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

Description:

Session Variable Overloading (also known as Session Puzzling) is an application-level vulnerability that occurs when the application uses the same session variable for more than one purpose, potentially allowing an attacker to access pages in an order unanticipated by the developers.

Recommended Tests:

  • pentesting service

Related Vulnerabilities:

  • Session Puzzling
  • Session Race Condition

Description:

An attacker is able to inject malicious code in SQL statements.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

Description:

An attacker is able to inject data that is then parsed for Server-Side Include directives.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

Description:

A type of XSS attack where the injected client-side script is permanently stored on target servers such as in a database.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

  • Cross Site Scripting (XSS)
  • Reflected Cross Site Scripting (XSS)
  • DOM based Cross Site Scripting (XSS)

U

Description:

Ignoring a method’s return value can cause the program to overlook unexpected states and conditions.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

If an application allows any type of file to be uploaded, an attacker may be able to upload malicious files.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

Description:

Memory corruption and potential arbitrary code execution may occur when certain unsafe functions are used in a signal handler.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Unsafe JNI errors occur when a Java application uses JNI to call code written in another programming language and can render Java applications vulnerable to security flaws in other languages.

Recommended Tests:

  • static and dynamic code analysis

Related Vulnerabilities:

Description:

An attacker may be able to bypass security checks in an application by creating unexpected control flow paths if there is unsafe use of reflection mechanisms (in languages like Java or C#).

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis
  • Web application penetration testing

Related Vulnerabilities:

Description:

Sensitive information may be decrypted or exposed by an attacker when weak or broken cryptographic algorithms are used to encrypt this data.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

Description:

Referencing memory after it has been freed can cause a program to crash.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

V

Description:

An attacker is able to gain permissions of another user of a higher permission level.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities:

X

Description:

If an attacker is able to interfere with an application’s processing of XML data and trick it into processing XML input containing a reference to an external entity, they may be able to perform a variety of attacks including server side request forgery and arbitrary code execution.

Recommended Tests:

  • pentesting service
  • static and dynamic code analysis

Related Vulnerabilities: