A to Z – Web Vulnerabilities Index – OWASP Standard

web vulnerabilities index tech hyme

Vulnerability Assessment and Penetration Testing (VA/PT) provides enterprises with a more comprehensive application evaluation than any single test alone. Using the VA/PT approach gives an organization a more detailed view of the threats facing its applications, enabling the business to better protect its systems and data from malicious attacks.

Vulnerabilities can be found in Network or Applications from third-party vendors and internally made software, but most of these flaws aren’t easily found and fixed. Using VA/PT enables to focus on mitigating critical vulnerabilities while the VA/PT continues to discover vulnerabilities.

Suggested Read:

VA/PT involves compromising the system, and during the process, some of the files may be altered. This process ensures that the system is brought back to the original state, before the testing, by cleaning & restoring the data and files used in the target machines. Certain measures and methods are been suggested in this study to determine and prevent exploitation (Attacks) with Manual Pen testing.

Also Read: Techhyme’s Online Tools

In this article, we’ve listed out all Web based Vulnerabilities based on OWASP Standard which is n open community of engineers and security IT professionals whose goal is to make the web safer for users and other entities. The main aim of OWASP Top 10 is to educate the developers, designers, managers, architects and organizations about the most important security vulnerabilities.

Letter Vulnerability Name(s)
A
  • Authentication Bypass
  • Arbitrary File Read
  • Arbitrary File Creation
  • Arbitrary File Deletion
  • Abuse of Functionality
  • Authorization Bypass
  • Argument Injection
  • Application Error Message
  • ASP.NET Debugging Enabled
  • ASP.NET Version Disclosure
  • Action Spoofing
  • Autocomplete Enabled
  • Action Spoofing
  • Apache Tomcat Documentation Files
  • Arbitrary HTTP Methods
  • Apache Tomcat Version Disclosure
B
  • Buffer Overflow
  • Backup Files
  • Browser Cache Weakness
  • Blind SQL Injection
  • Business Logic Flaw
  • BREACH Attack
  • BEAST Attack
C
  • CSRF (Cross Site Request Forgery)
  • Code Execution
  • CRLF Injection
  • Command Injection
  • CSV Injection
  • CRIME Attack
  • CGI Argument Injection
  • Cookie Manipulation
  • Cleartext Submission of Password
  • CAPTCHA Not Implemented
  • Cryptography: Insecure Digest
D
  • Directory Listing
  • Directory Traversal
  • Denial of Service
  • Documentation Files
  • DOM XSS
  • DROWN Attack
  • Development Configuration Files
  • Default Credentials
  • DB Server Error Message
E
  • Email Address Disclosure
  • Expired SSL Certificate
  • External Host Header Attack
  • Etag Header Information Disclosure
  • Error Based SQL Injection
F
  • File Inclusion
  • FREAK Attack
  • Framework Version Disclosure
  • Favicon Disclosure
  • Forceful Browsing
G
H
  • Host Header Attack
  • HTTP Response Splitting
  • HTTP Parameter Pollution
  • HTML Injection
  • Heartbleed Bug
  • Hardcoded Credentials
  • HTML form without CSRF protection
  • Htaccess File Readable
I
  • Internal IP Address Disclosure
  • IDOR (Insecure Direct Object Reference)
  • Insecure Deserialization
  • Improper Error Handling
  • Internal Path Disclosure
  • Internal Server Error
  • Information Leakage
  • Improper Input/Output Validation
  • Insecure transition from HTTP to HTTPS in form post
  • Insecure External IFrame
  • Insecure Cryptographic Storage
  • Insecure Components
  • Input Field with Autocomplete Enabled
  • Improper Session Termination
  • Improper Error Logging
  • Insufficient Transport Layer Protection
  • Improper CAPTCHA Implementation
  • IFRAME Injection
  • Insufficient Logging and Monitoring
J
K
L
  • LDAP Injection
  • LFI (Local File Inclusion)
  • Logjam Attack
  • LUCKY13 Attack
M
  • Missing Security Headers
  • Malware Identified
  • Missing Custom Error Pages
  • Missing Session Expiration
  • Missing Logout Functionality
  • Microsoft IIS Tilde Vulnerability
  • Missing Password Field Masking
N
O
  • Outdated Components
  • Out-of-date Version
  • Outdated JavaScript Libraries
  • OTP Bypass
P
  • Path Traversal
  • Privilege Escalation
  • Possible Bruteforce Attack
  • Possible Sensitive Files
  • Path Disclosure
  • Padding Oracle Attack
  • Password Transmitted over HTTP
  • Possible Sensitive Information Disclosure
  • PHP Version Disclosure
  • Python Version Disclosure
  • Pre-attack Probe
  • Poodle Attack
Q
R
  • RFI (Remote File Inclusion)
  • RCE (Remote Code Execution)
  • Reverse Proxy Bypass
  • ROBOT Attack
  • Reflected XSS
S
  • SQL Injection
  • SSRF (Service Side Request Forgery)
  • Sensitive Information Disclosure
  • Source Code Disclosure
  • Session Hijacking
  • Session Fixation
  • Session Replay Attack
  • Session Mismanagement
  • SSI (Server-Side Includes)
  • SSTI (Server Side Template Injection)
  • Stack Trace Disclosure
  • Slow HTTP DOS Attack
  • Sweet32 Attack
  • Secure Client Renegotiation
  • SSL Weak Ciphers
  • Session ID Name Fingerprinting
  • Session Cookie without HttpOnly Flag Set
  • Session Cookie without Secure Flag Set
  • Server Misconfiguration
  • Sensitive Information Leakage
  • Stored XSS
  • SRI (Subresource Integrity)
T
  • Tracing Error
  • Trace.axd Detected
  • Tracing Misconfiguration
  • Time-based SQL Injection
U
  • URL Redirection
  • Unrestricted File Upload
  • Using Components with Known Vulnerabilities
  • Unwanted HTTP Methods
  • Unencrypted __VIEWSTATE Parameter
  • Unused Ports/Services
  • Unvalidated Redirects and Forwards
  • User Enumeration and Guessable User Account
  • User Credentials are sent in clear text
  • UI Redressing: Clickjacking/Tapjacking
V
  • Version Disclosure
  • Vulnerable JavaScript Library
  • Vulnerable Remember Password
  • Vulnerable Forgot Password Implementation
W
  • Weak Credentials
  • Weak Crypto
  • Web Server Version Disclosure
  • WebDAV Enabled
  • Web Backdoor Detected
  • Weak Captcha
  • WordPress User Enumeration
X
  • XSS (Cross Site Scripting)
  • XPath Injection
  • XXE (XML External Entity)
  • XFS (Cross Frame Scripting)
  • XSLT (Extensible Stylesheet Language Transformations)
  • XST (Cross Site Tracing)
Y
Z

Author: Chetan Soni, a Cyber Security Expert

Leave a Reply