When an attacker gains unauthorized access to a user’s account, often via stolen credentials, phishing, or brute force. Protect with MFA and strong password policies.
Sensitive API keys or tokens exposed in code, logs, or public repos can let attackers access backend services. Always keep secrets out of client code and version control.
Attackers upload malicious files by bypassing file type checks, often using double extensions or MIME tricks. Validate and sanitize all uploads on the server side.
Tricking users into clicking something different from what they perceive, often by overlaying transparent frames. Use X-Frame-Options and frame busting scripts.
Manipulating file paths on the client to access restricted files. Always validate and sanitize file paths on the server, never trust client input.
Injecting system commands via unsanitized input, allowing attackers to execute arbitrary code. Always validate and escape user input before passing to system calls.
Injecting malicious content (HTML, scripts) into web pages, often leading to XSS or defacement. Sanitize all user-generated content before rendering.
Improper CORS settings can expose APIs to unauthorized domains. Always restrict allowed origins and use secure OAuth flows.
Injecting carriage return and line feed characters to manipulate HTTP headers or responses. Sanitize all input used in headers.
Malicious formulas injected into CSV files can execute when opened in spreadsheet software. Prefix user input with a single quote to neutralize formulas.
Exploiting WebSocket or cross-site request forgery to perform actions as a user. Use CSRF tokens and proper WebSocket origin checks.
Tricking browsers into interacting with internal network resources by rebinding a domain to a local IP. Use network segmentation and browser security features.
Manipulating DOM objects to override built-in properties or methods, leading to unexpected behavior or XSS. Avoid using predictable IDs and always validate DOM changes.
Attackers publish malicious packages with the same name as internal dependencies, tricking build systems. Use private registries and pin dependency versions.
Accessing files outside the intended directory by manipulating file paths (e.g., ../). Always sanitize and validate file paths on the server.
Changing environment variables or config values via user input, leading to privilege escalation or misbehavior. Never trust user input for critical configs.
Including files based on user input, which can lead to code execution or data leaks. Restrict file paths and validate all input.
Injecting malicious queries or mutations into GraphQL endpoints. Use query depth limiting and strict schema validation.
Manipulating HTTP requests to bypass security controls or poison caches. Use strict request parsing and avoid ambiguous parameter handling.
Unsafe deserialization can let attackers execute code or tamper with objects. Use safe serialization formats and validate all input.
Injecting malicious LDAP queries to bypass authentication or extract data. Always sanitize and escape input used in LDAP queries.
Injecting LaTeX code to execute commands or render malicious content. Sanitize all user input before processing with LaTeX engines.
Allowing users to set unintended object properties via bulk updates. Use allow-lists and never bind user input directly to models.
Attackers exhaust server memory with large or infinite requests, causing denial of service. Implement resource limits and input validation.
Injecting malicious queries into NoSQL databases to bypass auth or extract data. Always validate and sanitize input for database queries.
Leaking sensitive data or logic via misconfigured Object-Relational Mappers. Review ORM configs and restrict data exposure.
Allowing user-controlled redirects can be abused for phishing. Always validate redirect URLs and use allow-lists.
Manipulating prompts in AI or chatbot systems to change their behavior or leak data. Sanitize and filter user input before passing to LLMs.
Altering JavaScript object prototypes via user input, leading to unexpected behavior or vulnerabilities. Use libraries that guard against this and validate input.
Exploiting timing issues in code to perform actions out of order, often to bypass checks. Use locks and atomic operations for critical sections.
Complex regex patterns can be abused to consume excessive CPU, causing DoS. Use safe regex patterns and limit input length.
Injecting malicious data into SAML assertions to bypass authentication. Validate and sign all SAML data.
Injecting SQL queries via user input to access or modify data. Always use parameterized queries and ORM protections.
Injecting code into server-side templates or includes, leading to code execution. Sanitize all template input and use safe rendering engines.
Injecting newlines into email headers to send spam or spoof emails. Sanitize all input used in email headers.
Tricking users into switching tabs and capturing credentials. Use rel="noopener noreferrer" on external links.
Exploiting loose type comparisons in code (e.g., PHP) to bypass checks. Use strict type checks and comparisons.
Tricking web caches into storing sensitive content, making it accessible to others. Carefully configure cache rules and avoid caching user-specific data.
Injecting malicious XPATH, XSLT, or XML to access or modify data, or trigger XSS/XXE. Always sanitize XML input and use secure parsers.
Exploiting zip extraction to overwrite files or execute code by using crafted file paths. Use secure extraction libraries and validate file paths.