100 Web Vulnerabilities, categorized into various types

https://www.mindmeister.com/1470766611/web-app-pentest?fullscreen=1#

MindMap

⚡️ Injection Vulnerabilities:

1. SQL Injection (SQLi)

2. Cross-Site Scripting (XSS)

3. Cross-Site Request Forgery (CSRF)

4. Remote Code Execution (RCE)

5. Command Injection

6. XML Injection

7. LDAP Injection

8. XPath Injection

9. HTML Injection

10. Server-Side Includes (SSI) Injection

11. OS Command Injection

12. Blind SQL Injection

13. Server-Side Template Injection (SSTI)

⚡️ Broken Authentication and Session Management:

1. Session Fixation

2. Brute Force Attack

3. Session Hijacking

4. Password Cracking

5. Weak Password Storage

6. Insecure Authentication

7. Cookie Theft

8. Credential Reuse

⚡️ Sensitive Data Exposure:

1. Inadequate Encryption

2. Insecure Direct Object References (IDOR)

3. Data Leakage

4. Unencrypted Data Storage

5. Missing Security Headers

6. Insecure File Handling

⚡️ Security Misconfiguration:

1. Default Passwords

2. Directory Listing

3. Unprotected API Endpoints

4. Open Ports and Services

5. Improper Access Controls

6. Information Disclosure

7. Unpatched Software

8. Misconfigured CORS

9. HTTP Security Headers Misconfiguration

⚡️ XML-Related Vulnerabilities:

1. XML External Entity (XXE) Injection

2. XML Entity Expansion (XEE)

3. XML Bomb

⚡️ Broken Access Control:

1. Inadequate Authorization

2. Privilege Escalation

3. Insecure Direct Object References

4. Forceful Browsing

5. Missing Function-Level Access Control

⚡️ Insecure Deserialization:

1. Remote Code Execution via Deserialization

2. Data Tampering

3. Object Injection

⚡️ API Security Issues:

1. Insecure API Endpoints

2. API Key Exposure

3. Lack of Rate Limiting

4. Inadequate Input Validation

⚡️ Insecure Communication:

1. Man-in-the-Middle (MITM) Attack

2. Insufficient Transport Layer Security

3. Insecure SSL/TLS Configuration

4. Insecure Communication Protocols

⚡️ Client-Side Vulnerabilities:

1. DOM-based XSS

2. Insecure Cross-Origin Communication

3. Browser Cache Poisoning

4. Clickjacking

5. HTML5 Security Issues

⚡️ Denial of Service (DoS):

1. Distributed Denial of Service (DDoS)

2. Application Layer DoS

3. Resource Exhaustion

4. Slowloris Attack

5. XML Denial of Service

⚡️ Other Web Vulnerabilities:

1. Server-Side Request Forgery (SSRF)

2. HTTP Parameter Pollution (HPP)

3. Insecure Redirects and Forwards

4. File Inclusion Vulnerabilities

5. Security Header Bypass

6. Clickjacking

7. Inadequate Session Timeout

8. Insufficient Logging and Monitoring

9. Business Logic Vulnerabilities

10. API Abuse

⚡️ Mobile Web Vulnerabilities:

1. Insecure Data Storage on Mobile Devices

2. Insecure Data Transmission on Mobile Devices

3. Insecure Mobile API Endpoints

4. Mobile App Reverse Engineering

⚡️ IoT Web Vulnerabilities:

1. Insecure IoT Device Management

2. Weak Authentication on IoT Devices

3. IoT Device Vulnerabilities

⚡️ Web of Things (WoT) Vulnerabilities:

1. Unauthorized Access to Smart Homes

2. IoT Data Privacy Issues

⚡️ Authentication Bypass:

1. Insecure "Remember Me" Functionality

2. CAPTCHA Bypass

⚡️ Server-Side Request Forgery (SSRF):

1. Blind SSR

2. Time-Based Blind SSRF

⚡️ Content Spoofing:

1. MIME Sniffing

2. X-Content-Type-Options Bypass

3. Content Security Policy (CSP) Bypass

⚡️ Business Logic Flaws:

1. Inconsistent Validation

2. Race Conditions

3. Order Processing Vulnerabilities

4. Price Manipulation

5. Account Enumeration

6. User-Based Flaws

⚡️ Zero-Day Vulnerabilities:

1. Unknown Vulnerabilities

2. Unpatched Vulnerabilities

3. Day-Zero Exploits

---

---