satish tiwary: 100 Web Vulnerabilities you should know as a Web application Penetration Tester

100 Web Vulnerabilities you should know as a Web application Penetration Tester

If you are working as web application penetration testing engineer you must know all the below listed vulnerablities.

100 Web Vulnerabilities, categorized into various types :

SO lets Try to understand all these one by one:

TYPES OF Injection Vulnerabilities:

1. SQL Injection (SQLi)

This is Relates to SQL language or you can say about database query language.

2. Cross-Site Scripting (XSS)

Mostly found in web sites or web application. using this trick cyber expers all over the world find vulnerablities in web sites or web applications.

3. Cross-Site Request Forgery (CSRF)

It is also related to website.

4. Remote Code Execution (RCE)

This trick is used to execute code remotely.

5. Command Injection

Injecting any command either on a website web appl or os.

6. XML Injection

7. LDAP Injection

8. XPath Injection

9. HTML Injection

10. Server-Side Includes (SSI) Injection

11. OS Command Injection

12. Blind SQL Injection

13. Server-Side Template Injection (SSTI) Broken Authentication and Session Management: 14. Session Fixation 15. Brute Force Attack 16. Session Hijacking 17. Password Cracking 18. Weak Password Storage 19. Insecure Authentication 20. Cookie Theft 21. Credential Reuse Sensitive Data Exposure: 22. Inadequate Encryption 23. Insecure Direct Object References (IDOR) 24. Data Leakage 25. Unencrypted Data Storage 26. Missing Security Headers 27. Insecure File Handling Security Misconfiguration: 28. Default Passwords 29. Directory Listing 30. Unprotected API Endpoints 31. Open Ports and Services 32. Improper Access Controls 33. Information Disclosure 34. Unpatched Software 35. Misconfigured CORS 36. HTTP Security Headers Misconfiguration XML-Related Vulnerabilities: 37. XML External Entity (XXE) Injection 38. XML Entity Expansion (XEE) 39. XML Bomb Broken Access Control: 40. Inadequate Authorization 41. Privilege Escalation 42. Insecure Direct Object References 43. Forceful Browsing 44. Missing Function-Level Access Control Insecure Deserialization: 45. Remote Code Execution via Deserialization 46. Data Tampering 47. Object Injection API Security Issues: 48. Insecure API Endpoints 49. API Key Exposure 50. Lack of Rate Limiting 51. Inadequate Input Validation Insecure Communication: 52. Man-in-the-Middle (MITM) Attack 53. Insufficient Transport Layer Security 54. Insecure SSL/TLS Configuration 55. Insecure Communication Protocols Client-Side Vulnerabilities: 56. DOM-based XSS 57. Insecure Cross-Origin Communication 58. Browser Cache Poisoning 59. Clickjacking 60. HTML5 Security Issues Denial of Service (DoS): 61. Distributed Denial of Service (DDoS) 62. Application Layer DoS 63. Resource Exhaustion 64. Slowloris Attack 65. XML Denial of Service Other Web Vulnerabilities: 66. Server-Side Request Forgery (SSRF) 67. HTTP Parameter Pollution (HPP) 68. Insecure Redirects and Forwards 69. File Inclusion Vulnerabilities 70. Security Header Bypass 71. Clickjacking 72. Inadequate Session Timeout 73. Insufficient Logging and Monitoring 74. Business Logic Vulnerabilities 75. API Abuse Mobile Web Vulnerabilities: 76. Insecure Data Storage on Mobile Devices 77. Insecure Data Transmission on Mobile Devices 78. Insecure Mobile API Endpoints 79. Mobile App Reverse Engineering

IoT Web Vulnerabilities:

This is used in Internet of Things related Vulnerablities.

80. Insecure IoT Device Management 81. Weak Authentication on IoT Devices 82. IoT Device Vulnerabilities

Web of Things (WoT) Vulnerabilities:

This is also part of IOT but only on web Part.

83. Unauthorized Access to Smart Homes 84. IoT Data Privacy Issues

Authentication Bypass:

This trick used to bupass authentication system on web or remote login program.

85. Insecure "Remember Me" Functionality 86. CAPTCHA Bypass

Server-Side Request Forgery (SSRF):

Server side script.

87. Blind SSR 88. Time-Based Blind SSRF Content Spoofing: 89. MIME Sniffing 90. X-Content-Type-Options Bypass 91. Content Security Policy (CSP) Bypass Business Logic Flaws: 92. Inconsistent Validation 93. Race Conditions 94. Order Processing Vulnerabilities 95. Price Manipulation 96. Account Enumeration 97. User-Based Flaws Zero-Day Vulnerabilities: 98. Unknown Vulnerabilities 99. Unpatched Vulnerabilities 100. Day-Zero Exploits

Injection Vulnerabilities: 1. SQL Injection (SQLi) 2. Cross-Site Scripting (XSS) 3. Cross-Site Request Forgery (CSRF) 4. Remote Code Execution (RCE) 5. Command Injection 6. XML Injection 7. LDAP Injection 8. XPath Injection 9. HTML Injection 10. Server-Side Includes (SSI) Injection 11. OS Command Injection 12. Blind SQL Injection 13. Server-Side Template Injection (SSTI)

Broken Authentication and Session Management: 14. Session Fixation 15. Brute Force Attack 16. Session Hijacking 17. Password Cracking 18. Weak Password Storage 19. Insecure Authentication 20. Cookie Theft 21. Credential Reuse

Sensitive Data Exposure: 22. Inadequate Encryption 23. Insecure Direct Object References (IDOR) 24. Data Leakage 25. Unencrypted Data Storage 26. Missing Security Headers 27. Insecure File Handling

Security Misconfiguration: 28. Default Passwords 29. Directory Listing 30. Unprotected API Endpoints 31. Open Ports and Services 32. Improper Access Controls 33. Information Disclosure 34. Unpatched Software 35. Misconfigured CORS 36. HTTP Security Headers Misconfiguration

XML-Related Vulnerabilities: 37. XML External Entity (XXE) Injection 38. XML Entity Expansion (XEE) 39. XML Bomb

Broken Access Control: 40. Inadequate Authorization 41. Privilege Escalation 42. Insecure Direct Object References 43. Forceful Browsing 44. Missing Function-Level Access Control

Insecure Deserialization: 45. Remote Code Execution via Deserialization 46. Data Tampering 47. Object Injection

API Security Issues: 48. Insecure API Endpoints 49. API Key Exposure 50. Lack of Rate Limiting 51. Inadequate Input Validation

Insecure Communication: 52. Man-in-the-Middle (MITM) Attack 53. Insufficient Transport Layer Security 54. Insecure SSL/TLS Configuration 55. Insecure Communication Protocols

Client-Side Vulnerabilities: 56. DOM-based XSS 57. Insecure Cross-Origin Communication 58. Browser Cache Poisoning 59. Clickjacking 60. HTML5 Security Issues

Denial of Service (DoS): 61. Distributed Denial of Service (DDoS) 62. Application Layer DoS 63. Resource Exhaustion 64. Slowloris Attack 65. XML Denial of Service

Other Web Vulnerabilities: 66. Server-Side Request Forgery (SSRF) 67. HTTP Parameter Pollution (HPP) 68. Insecure Redirects and Forwards 69. File Inclusion Vulnerabilities 70. Security Header Bypass 71. Clickjacking 72. Inadequate Session Timeout 73. Insufficient Logging and Monitoring 74. Business Logic Vulnerabilities 75. API Abuse

Mobile Web Vulnerabilities: 76. Insecure Data Storage on Mobile Devices 77. Insecure Data Transmission on Mobile Devices 78. Insecure Mobile API Endpoints 79. Mobile App Reverse Engineering

IoT Web Vulnerabilities: 80. Insecure IoT Device Management 81. Weak Authentication on IoT Devices 82. IoT Device Vulnerabilities

Web of Things (WoT) Vulnerabilities: 83. Unauthorized Access to Smart Homes 84. IoT Data Privacy Issues

Authentication Bypass: 85. Insecure "Remember Me" Functionality 86. CAPTCHA Bypass

Server-Side Request Forgery (SSRF): 87. Blind SSR 88. Time-Based Blind SSRF

Content Spoofing: 89. MIME Sniffing 90. X-Content-Type-Options Bypass 91. Content Security Policy (CSP) Bypass

Business Logic Flaws: 92. Inconsistent Validation 93. Race Conditions 94. Order Processing Vulnerabilities 95. Price Manipulation 96. Account Enumeration 97. User-Based Flaws

Zero-Day Vulnerabilities: 98. Unknown Vulnerabilities 99. Unpatched Vulnerabilities 100. Day-Zero Exploits

satish tiwary

100 Web Vulnerabilities you should know as a Web application Penetration Tester

TYPES OF Injection Vulnerabilities:

1. SQL Injection (SQLi)

2. Cross-Site Scripting (XSS)

3. Cross-Site Request Forgery (CSRF)

4. Remote Code Execution (RCE)

5. Command Injection

IoT Web Vulnerabilities:

Web of Things (WoT) Vulnerabilities:

Authentication Bypass:

Server-Side Request Forgery (SSRF):

0 coment�rios:

Post a Comment

100 Web Vulnerabilities you should know as a Web application Penetration Tester

Tab 1

Tab 2

Tab 3

Popular Posts

Home Top Ad

Tags

Contact Form

Categories

Total Pageviews

Search This Blog

Recent Posts

Recent Posts

satish tiwary

100 Web Vulnerabilities you should know as a Web application Penetration Tester

TYPES OF Injection Vulnerabilities:

1. SQL Injection (SQLi)

2. Cross-Site Scripting (XSS)

3. Cross-Site Request Forgery (CSRF)

4. Remote Code Execution (RCE)

5. Command Injection

IoT Web Vulnerabilities:

Web of Things (WoT) Vulnerabilities:

Authentication Bypass:

Server-Side Request Forgery (SSRF):

0 coment�rios:

Post a Comment

100 Web Vulnerabilities you should know as a Web application Penetration Tester

Tab 1 Tab 2 Tab 3

Popular Posts

Home Top Ad

Tags

Contact Form

Categories

Total Pageviews

Search This Blog

Recent Posts

Recent Posts

Tab 1

Tab 2

Tab 3