Application is vulnerable to Directory Traversal attack

Insecure Direct Object References

Insecure Deserialization

Broken Authentication
Improper Token Management
Valid user's details can be enumerated
Valid account can be brute forced
Application does not have a strong password policy
NTLM Authentication is used in the Application
Weak OTP/PIN implementation
Secure attribute is not set in
Abuse of Send-Mail Functionality

Sensitive Information Sent Over Unencrypted Channel

Internal IP disclosure
Parameter Enumeration through error message
Programming language and version disclosure
Application's Request/Response reveals sensitive information
Error message reveals sensitive information

HTTP Request Smuggling attack

Application is vulnerable to Email flooding attack
Application is vulnerable to OTP flooding attack
Application is vulnerable to Race Condition Attack
Missing Web API Rate Limiting

Is it possible for all user to gain access to administrative endpoints?

Can a user perform sensitive actions by simply changing HTTP

Mass Assignment vulnerability

Object with sensitive fields has an empty constructor
Block-list the non-bindable, sensitive fields
Assess if it is possible to modify fields never intended to be modified from outside
Application is vulnerable to Cross Origin Resource Sharing
Oauth/JWT/SAML Misconfiguration
Using Known Vulnerable Components
Predictable Resource Location
Content type incorrectly stated
Missing Security Headers
Content security policy (CSP) headers not set properly
Malicious file can be uploaded on the server
Predictable Resource Location
Internal IP disclosure
Internal Path disclosure
Arbitrary Methods enabled on server
Web Service disclosed

Application is vulnerable to OS Command injection attack

Application is vulnerable to Remote Code Execution attack
Application is vulnerable to Remote file inclusion attack
Application is vulnerable to Log Injection attack
Server side validation not in place
Application is vulnerable to SQL injection attack
Application is vulnerable to XML External Entity (XXE) Injection
Application is vulnerable to Xpath Injection attack
Application is vulnerabe to XML Injection attack
Application is vulnerable to CRLF/Response Spilliting attack
Application is vulnerable to URL Redirection attack
XML-RPC is publicly available
Application accepts special character as user input
Application throws ODBC/SQL error message
Application is vulnerable to JSON injection attack

Older version of programming language found

Older version of SSL supported
Unwanted ports and services

Having sensitive data in logs

Auditable events, such as logins, failed logins, and high-value transactions, are not logged
Appropriate alerting thresholds/response escalation processes are not in place
Application is vulnerable to ROBOT attack
Client side renegotiation is supported
Application supports weak ciphers/Encoding
Invalid SSL certificate
Missing HSTS header
Insecure Server-side renegotiation is supported
 API1:2019 Broken Object Level Authorization
Directory Traversal attack allows attackers to access files and directories that are outside of the web server's root
Application allows user-supplied input to directly access an object, such as a file or database record, without proper validation
Application receives untrusted serialized data from an attacker and deserializes it without proper validation or sanitization

API2:2019 Broken User Authentication

Attempting to bypass authentication mechanisms, such as password-based authentication, two-factor authentication, or sessi
Application fails to properly manage the lifecycle of authentication tokens
Malicious actor can use brute-force techniques to either guess or confirm valid users in a system
Gain unauthorized access to a user account by guessing or cracking the account's password through a brute force attack.
Checking whether an application enforces a strong password policy or not
NTLM authentication is a legacy authentication protocol
if these authentication factors are implemented weakly, they can be compromised by attackers
If the secure attribute is not set in a cookie, it means that the cookie can potentially be intercepted and read by attackers
Type of attack where an attacker gains unauthorized access to an application's Send-Mail functionality, which is typically used

API3:2019 Excessive Data Exposure

It can allow attackers to intercept and read the data in transit.
Occurs when an application or service running on a web server exposes internal IP addresses to external users
Occurs when an attacker is able to determine valid input parameters for an application or service by analyzing the error messa
Occurs when an application or server reveals information about the programming language and version it is running on
Occurs when sensitive information is transmitted in the clear (unencrypted) over the network, either in the request or respons
Occurs when an application or service generates error messages that contain sensitive information

API4:2019 Lack of Resources & Rate Limiting

While simulating an HRS attack, tester sends crafted HTTP requests that can be interpreted differently by different component
Email flooding attacks can overwhelm email servers and disrupt communication.
An OTP (One-Time Password) flooding attack is a type of cyber attack in which an attacker sends a large number of O
In a race condition attack, an attacker attempts to manipulate the timing of events to gain unauthorized access to se
When an API does not have rate limiting, an attacker can make a large number of requests to the API in a short amo

API5:2019 — Broken function level authorization

It should not be possible for all users to gain access to administrative endpoints of an application.
If an application has an administrative function that requires an administrator-level user to be authenticated, but the applicati

API6:2019 Mass assignment

Occurs when an application fails to properly validate or sanitize input from a user or an attacker, which can lead to unintended
It means that the sensitive fields are not initialized or set to any specific values by default, attacker may be able to create an in

By blocking non-bindable sensitive fields, the application can prevent an attacker from accessing or modifying sensitive data.
If sensitive or critical fields can be modified by an attacker, it can result in unauthorized access, data loss, or other types of atta
 API7:2019 Security Misconfiguration
If the website does not properly implement CORS protections, the attacker can use the user's existing session or cookie data to
Misconfigurations in these protocols can result in security vulnerabilities that can be exploited by attackers to gain unauthoriz
This vulnerability arises when an application includes components or libraries with known security vulnerabilities that have no
Allows an attacker to guess the location of sensitive resources or data within a web application.
This occurs when the Content-Type header of a response or request is set incorrectly or is not specified at all.
Security headers provide additional protection to web applications by instructing the browser on how to handle certain types
CSP is a security feature that allows web developers to control which resources (e.g., scripts, stylesheets, images, etc.) are allo
Untrusted file data should be handled accordingly and in a secure manner.
Allow an attacker to guess the location of sensitive resources or data within a web application
This can happen when the application includes IP addresses in error messages, response headers, or in the HTML source code
Occurs when a web application leaks internal file system paths
Checking whether the insecure methods are enabled. Disable methods that are not in use.
Occurs when sensitive information about the web service, such as its configuration settings, API endpoints, or underlying tech

API8:2019 Injection
Occurs when an attacker is able to inject and execute arbitrary commands or scripts on a target operating system through an a
Allows an attacker to execute arbitrary code or commands on a remote system.
Allows an attacker to include and execute remote files on a target system
Allows an attacker to inject malicious input into log files generated by an application.
Server-side validation is a security practice that involves validating user input and enforcing business rules on the server-side b
Allows an attacker to execute malicious SQL statements or commands on a target database
Allows an attacker to inject malicious XML entities into an application that parses XML input.
Allows an attacker to modify or retrieve data from an XML database by injecting malicious XPath queries into an application th
Allows an attacker to inject malicious code into an XML input or output of an application
Allows an attacker to inject arbitrary HTTP headers into a response, potentially leading to various types of attacks.
Allows an attacker to redirect a user from a legitimate website to a malicious website.
If an XML-RPC service is publicly available, it can be a security risk as it can allow unauthorized users to access sensitive inform
Special characters such as quotes, brackets, and semicolons can be used by attackers to inject malicious code
It can reveal sensitive information about the application's underlying architecture and database schema
Arises when a web application deserializes JSON data from an untrusted source without proper validation

API9:2019 Improper Assets Management

Using an older version can be a security risk as it may have known vulnerabilities that have been fixed in newer versions.
It may have known vulnerabilities that have been fixed in newer versions.
If a service is not needed, it is recommended to disable it to reduce the attack surface.

API10:2019 Insufficient logging monitoring

It may expose sensitive information to unauthorized users.
Not logging such events can lead to a lack of visibility into user activities and unauthorized access attempts.
Security incidents may go undetected, and attackers may have more time to carry out malicious activities.
 SSL Checklist
ROBOT (Return Of Bleichenbacher's Oracle Threat) is a cryptographic vulnerability that affects some implementations of RSA k
Allows a client to request a new SSL/TLS session during an existing session with the same server.
It means that it allows the use of encryption or encoding methods that are considered insecure or outdated.
An invalid SSL certificate is a certificate that has not been issued by a trusted certificate authority
HSTS is a web security policy mechanism that allows web servers to declare that web browsers should only interact with them
Insecure server-side renegotiation vulnerability can be exploited by an attacker to inject arbitrary plaintext into the SSL/TLS se