Knowledge Base - Issues

Our knowledge-base provides a comprehensive collection of information on vulnerabilities related to cyber security.
AddJavaScriptInterface Remote Code Execution is a vulnerability in Android and mobile application that allows attackers to execute arbitrary code on the device. It is a type of Input Validation vulnerability, identified by the Common Weakness Enumeration (CWE) directory as CWE-494. It is also included in the OWASP Testing Guide, which...
Apache Solr local parameter injection is an input validation vulnerability (CWE-20) which occurs when user input is not properly sanitized and validated. This vulnerability can be exploited to inject local parameters into the application, which can then be used to execute malicious code on the server. This vulnerability is most...

/ Clickjacking (UI Redressing)

Clickjacking (UI Redressing) is a type of attack that occurs when an attacker uses multiple transparent or opaque layers to deceive a user into clicking on a button or link on another page when they were expecting to click on the top level page. This attack can be used to...
Cordova Cross-site Scripting (XSS) is a type of vulnerability classified by CWE-79, Cross-site Scripting, which occurs in Android, iOS, and Mobile App platforms. XSS vulnerabilities occur when an application or webpage does not sanitize user input properly, allowing malicious code to be executed as part of the application. This type...

/ CSS Injection (Reflected)

CSS Injection (reflected) is an input validation vulnerability that occurs when an application does not properly validate input from a web or API user. This type of attack allows malicious code to be injected into a web page such that it is reflected back to the user when it is...

/ CSS Injection (Stored)

CSS injection (stored) is a type of input validation vulnerability which occurs when a web application stores user-supplied data in a web page without properly validating or encoding it, which allows malicious users to inject arbitrary CSS code into the page. This type of vulnerability is classified in the Common...

/ CSV Injection

CSV injection, also known as Formula Injection, is an attack technique used to exploit web and API applications that use comma-separated values (CSV) to store or exchange data. It is an input validation vulnerability, which is categorized as CWE-134 according to the Common Weakness Enumeration (CWE). CSV injection is a...

/ Dll Hijacking

DLL Hijacking is a type of vulnerability where an attacker is able to gain control of a system by exploiting a DLL file. DLLs are dynamic link library files, which are executable files used by applications to perform certain tasks. A DLL hijacking attack involves a malicious actor crafting a...
Expression Language (EL) injection is a type of vulnerability that occurs when an attacker is able to inject malicious code into an application's expression language interpreter (ELI). EL injection attacks can be used to gain access to sensitive data, modify existing data, and execute arbitrary commands. EL injection is also...

/ File Path Manipulation

File path manipulation is a type of input validation vulnerability that occurs when user input is not properly sanitized, allowing malicious users to modify the file paths used by a web application or API. This vulnerability is classified in the Common Weakness Enumeration (CWE) directory as CWE-22, and is considered...

/ File Path Traversal

File path traversal is a type of input validation vulnerability that is categorized under the CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the CWE Top 25 (2022). This vulnerability occurs when an application receives input from an external source, such as a user, and does not...
Form action hijacking (reflected) is a type of input validation vulnerability in web and API applications that occurs when user-supplied input is not properly validated or sanitized. This type of attack occurs when an attacker uses malicious user input to modify the action attribute of a form element. This allows...
Form action hijacking (stored) is a type of input validation vulnerability that occurs when user-supplied data is used to dynamically construct a URL or form action without proper validation or sanitization. This type of attack is also referred to as an open redirect attack. This vulnerability is classified as CWE-601...

/ Format String Injection

Format string injection is a type of input validation vulnerability that is categorized under CWE-134 in the Common Weakness Enumeration (CWE) directory. This vulnerability occurs in web and API applications when user-supplied input is formatted using a language-specific formatting library. The malicious input can be used to gain access to...

/ Host Header Injection

Host Header Injection (CWE-113) is an input validation vulnerability that occurs when user-supplied input from the HTTP header is not properly sanitized and is then used to generate dynamic content. This vulnerability allows an attacker to manipulate the content of a web page or API response, which can lead to...

/ HTTP Incoming Requests

HTTP Incoming Requests is a vulnerability that occurs in web and API applications when input is not validated, allowing malicious requests to be sent and executed by the server. This vulnerability is officially listed in the Common Weakness Enumeration (CWE) directory under CWE-20 and is also referenced in the OWASP...

/ HTTP Request Smuggling

HTTP Request Smuggling (CWE-113) is a type of web application vulnerability that allows an attacker to exploit an application's trust in a client by sending multiple, overlapping HTTP requests to a web server. This vulnerability occurs when the web server processes overlapping requests as separate requests, allowing the attacker to...
HTTP Response Header Injection, also known as HTTP Response Splitting, is an input validation vulnerability that occurs when an attacker is able to inject a malicious payload into an HTTP response header. This type of attack is categorized as an Input Validation vulnerability (CWE-20) and is covered under the OWASP...

/ HTTP Verb Tampering

HTTP Verb Tampering is a type of web application vulnerability and is classified as an input validation issue (CWE-20). It is also known as HTTP Smuggling, HTTP Tunneling, and HTTP Method Abuse. This vulnerability occurs when web and API applications fail to properly validate the HTTP request method, allowing attackers...
Improper Control of Generation of Code (CWE-20) is a type of input validation vulnerability that occurs when an application generates code that is not sufficiently controlled. This type of vulnerability is often seen in web and API applications and is listed in the CWE Top 25 list of the most...

/ Improper Input Validation

Improper Input Validation is a type of vulnerability found in a web or API application. It occurs when user input is not properly validated before it is used interactively or stored in the system. This can lead to errors, buffer overflows, and memory corruption which can be used to gain...

/ Improper Input Validation

Improper input validation is a vulnerability in an application or system that allows unverified or unfiltered data to be input, which can result in malicious commands being executed or sensitive data being disclosed. This vulnerability is categorized under the CWE directory as CWE-20 and was added to the OWASP Top...

/ Incubated Vulnerability

Incubated Vulnerability is a type of input validation vulnerability that occurs when an attacker is able to introduce malicious code into a system, which remains dormant until a specific event triggers its execution. This type of vulnerability is classified under CWE-20 and falls under the "Improper Input Validation" category of...

/ Input Returned in Response

Input returned in response is a vulnerability in web and API applications that occurs when user input is returned in the response to a web or API request without first being validated. This vulnerability is classified under CWE-20, Improper Input Validation, and is part of the OWASP Top 10 most...
Insecure File Provider Paths Setting is a vulnerability categorized as an Input Validation vulnerability (CWE-20) that occurs in Android and Mobile App ecosystems. This vulnerability can allow attackers to access files on a device through file provider paths that are not properly configured. It can also allow attackers to manipulate...
Insecure hostname validation check (CWE-295) is a type of input validation vulnerability that occurs when an application or system does not properly validate the hostname of requests from a client. This vulnerability is common in mobile applications (iOS and Android) and can lead to man-in-the-middle attacks. According to the OWASP...

/ iOS URL Scheme Hijacking

iOS URL Scheme Hijacking is a type of input validation vulnerability which occurs in mobile applications on iOS. It is classified in CWE-601 as “URL Redirection to Untrusted Site ('Open Redirect')”. This vulnerability occurs when an application uses URL schemes to pass data to other applications, and is not properly...

/ iOS URL Scheme Injection

iOS URL Scheme Injection is a type of input validation vulnerability that occurs on mobile devices running iOS and in mobile applications. This vulnerability can allow attackers to inject malicious URLs into applications, allowing them to gain access to various data or functions within the application. The Common Weakness Enumeration...

/ LDAP Injection

LDAP Injection (CWE-90) is a type of injection attack in which malicious code is inserted into LDAP statements via web form input. It occurs when user input is not sufficiently validated and is then used to construct LDAP statements that are passed to an LDAP server for execution. This type...

/ Link Manipulation

Link manipulation is an input validation vulnerability that occurs within web or API applications. It is categorized by the Common Weakness Enumeration (CWE) directory as CWE-23 and is defined as “the failure to properly validate input passed through a link, allowing an attacker to manipulate the destination of the link”....

/ LMAP Injection

IMAP (Internet Message Access Protocol) Injection is a type of input validation vulnerability classified under CWE-20. It occurs when unfiltered user input is allowed to execute an IMAP command on an application-side IMAP server. This could occur if the application does not properly sanitize user input before passing it to...

/ Local File Inclusion

Local File Inclusion (LFI) is a type of IT vulnerability that affects web and API applications and is categorized under input validation (CWE-22). It is a type of attack whereby an attacker can manipulate web-based application input to gain access to a system’s files, such as configuration files, databases, and...

/ No Plausibility Check

No plausibility check, also known as input validation, is a vulnerability that occurs in web and API applications. This type of vulnerability occurs when application inputs are not verified and validated before being used by the application. This can lead to attackers being able to input malicious code into the...

/ NoSQL Injection

NoSQL Injection is a type of injection attack that targets NoSQL databases such as MongoDB and CouchDB. In this attack, an attacker injects malicious code into a NoSQL query and can gain access to sensitive data. According to the CWE directory, NoSQL Injection is classified as CWE-918 and is a...

/ Open Redirection

Open redirection is an input validation vulnerability which is defined in the CWE directory as a type of 'CWE-601: URL Redirection to Untrusted Site (Open Redirection)'. It occurs when an application that accepts a user-controlled input redirects the user to an external untrusted website. This vulnerability is commonly found in...

/ Oracle Injection

Oracle Injection is an input validation vulnerability that occurs primarily in web and API applications. This type of attack is possible when an application takes user input from an Oracle database and does not properly validate or sanitize the data before using it in a database query. This type of...

/ ORM Injection

ORM Injection is a type of injection attack that occurs in web and API applications when user input is not properly validated before being used in an ORM query. The Common Weakness Enumeration directory identifies this vulnerability under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command (‘SQL...

/ OS Command Injection

OS command injection (CWE-78) is an injection attack technique used to execute arbitrary system commands on a vulnerable web or API application. It occurs when a user is able to inject malicious code into an input field of a web application or API in order to execute system commands on...

/ Perl Code Injection

Perl Code Injection is a type of vulnerability that occurs when user input is not properly validated and is then used as part of a command or a programming language statement. This vulnerability is classified as CWE-94 Input Validation and is described in the OWASP Testing Guide, V4 as an...

/ PHP Code Injection

PHP code injection is an input validation vulnerability that allows an attacker to inject malicious code into web applications or APIs written in PHP. This vulnerability can be found in the CWE directory under CWE-94: Improper Control of Generation of Code ('Code Injection'). It is also covered in the OWASP...

/ Python Code Injection

Python code injection, also known as Python injection, is a type of vulnerability that occurs when user-supplied input is not properly validated or is used without proper sanitization or encoding. Python code injection is classified as an input validation vulnerability and is listed in the Common Weakness Enumeration (CWE) directory...
Reflected Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. It occurs when user input is not properly sanitized and is reflected back to the user in the application’s response. This type of attack can be used to inject malicious client-side scripts into a...
Reliance on Untrusted Inputs in a Security Decision is a vulnerability in the Common Weakness Enumeration (CWE) directory with the ID CWE-327. This vulnerability is a type of input validation vulnerability that occurs when an application uses externally-supplied input to make a security decision. It occurs when a security decision...

/ Remote File Inclusion

Remote File Inclusion (RFI) is a type of vulnerability classified by the Common Weakness Enumeration (CWE-98) as an input validation issue. It occurs when a web application or API allows the inclusion of remote files through user input parameters. When exploited, an attacker can take advantage of this vulnerability and...

/ Resource Injection

Resource Injection (CWE-99) is an input validation vulnerability that occurs when untrusted data is used to control a web or API resource in an unsafe manner. This vulnerability is defined in the Common Weakness Enumeration (CWE) directory as an input validation problem where the application does not properly validate or...

/ Ruby Code Injection

Ruby code injection is a type of input validation vulnerability, which is listed in the Common Weakness Enumeration directory as CWE-94. This type of vulnerability occurs when data entered by a user is not validated or sanitized and is executed as a Ruby code within the application. This type of...
Server-Side Includes (SSI) Injection is a type of vulnerability that exists in Web and API applications. This vulnerability occurs when user-supplied data is not properly validated before being used in dynamic page generation, allowing attackers to inject malicious code into the page that is generated. According to the Common Weakness...
Server-side JavaScript code injection is a type of security vulnerability that occurs when a malicious entity is able to inject malicious code into a web or API server that is then executed on the server side. The vulnerability is categorized in the Common Weakness Enumeration (CWE) directory as CWE-95, Improper...

/ Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a type of input validation vulnerability that occurs when an attacker is able to manipulate a request from a vulnerable server-side application to access resources that are not intended to be accessed by the attacker, such as internal services and files. This vulnerability is classified...
Description Server-side template injection (SSTI) is a type of vulnerability that occurs when user-supplied data is passed to a web application template engine (CWE-943). It occurs when an application takes user input and uses it to generate and execute a template. This vulnerability can be used to inject malicious code and...
Showing entries 1 to 50 of 66 entries.