Browsing 31 concepts
Restrictions on what authenticated users are allowed to do are not properly enforced.
Failures permitting attackers to compromise passwords, keys, or session tokens.
Code and infrastructure that does not protect against unauthorized modification.
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens.
Complex access control policies with different hierarchies, groups, and roles.
Weaknesses in authentication mechanisms allowing attackers to compromise passwords or keys.
A condition where a program attempts to write data beyond the end of a fixed-length buffer.
A malicious technique that tricks a user into clicking on something different from what the user perceives, so that while clicking on seemingly innocuous web pages they unknowingly reveal confidential information or hand over control of their computer.
An attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
Improper neutralization of input during web page generation ('Cross-site Scripting').
Insecure deserialization of untrusted data leading to remote code execution.
An exploit where a malicious actor can access restricted directories and execute commands outside of the web server's root directory.
An information stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes.
A banking trojan capable of stealing credentials for a variety of services.
An event that could lead to loss of, or disruption to, an organization's operations, services or functions.
A type of access control vulnerability that arises when an application provides direct access to objects based on user-supplied input.
Lack of adequate logging and monitoring allows attackers to maintain persistence.
An attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.
A failure to verify function level access rights before making that functionality visible in the UI or processed on the server.
The act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
A vulnerability that allows an attacker to execute arbitrary code on a remote device.
Insecure default settings, incomplete or ad hoc configurations, and open cloud storage.
Failure to properly protect sensitive data such as financial, healthcare, or PII.
A web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Improper neutralization of special elements used in an SQL command ('SQL Injection').
A banking Trojan designed to steal financial details, account credentials, and personally identifiable information.
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.
A security hole in software that is unknown to the vendor. The hole is exploited by attackers before the vendor becomes aware of it and can hurry to issue a fix.