Columns: # | Attack Vector Name | Attack Vector Short Name | Also Known As | Vector Type | Severity | Relevance | Layer | Platforms | Target Type | Attack Category | Attack Sub Category | I | D | P | M | S
(Rows below are space-separated in this column order; the Also Known As field is empty for some vectors, and the I/D/P/M/S flag columns show only the values that are set, as "Y".)
1 SQL Injection SQL Injection Sequel Injection Attack Critical Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
2 SQL Syntax Execution SQL Execution Attack Critical Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y Y
3 HQL Injection HQL Injection ORM Injection Attack Major Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
4 SQL Filter Injection SQL Filter Injection SQL Rowset Injection Attack Medium Technology Specific Application-Level ASP.Net, Mono Application Server Side Syntax Injection Code Injection Y Y Y
5 Server Side Include Injection SSI Injection Attack Critical Generic Application-Level Any Web Application Server Side Syntax Injection Code Injection Y
6 Server Side Javascript Injection SSJS Injection NoSQL Injection - deprecated Attack Critical Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
7 Mongo NoSQL Injection 2014 Variant Mongo NoSQL Injection Attack Major Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
8 ASP Javascript Code Injection ASP-JS Injection ASP Remote Dynamic Code Evaluation Attack Critical Technology Specific Application-Level ASP Classic Web Application Server Side Syntax Injection Code Injection Y Y Y
9 ASP VBScript Code Injection ASP-VBS Injection ASP Remote Dynamic Code Evaluation Attack Critical Technology Specific Application-Level ASP Classic Web Application Server Side Syntax Injection Code Injection Y Y Y
10 PHP Code Injection PHP Injection PHP Dynamic Code Evaluation Attack Critical Technology Specific Application-Level PHP Web Application Server Side Syntax Injection Code Injection Y Y Y
11 Java Code Injection Java Injection JSP Code Injection, ScriptEngine Code Injection, Rhino Code Injection - Variation Attack Critical Technology Specific Application-Level Java, JEE, J2EE, JSP Application Server Side Syntax Injection Code Injection Y Y Y
12 Python Code Injection Python Injection Attack Critical Technology Specific Application-Level Python Application Server Side Syntax Injection Code Injection Y Y Y
13 Perl Code Injection Perl Injection Attack Critical Technology Specific Application-Level Perl Application Server Side Syntax Injection Code Injection Y Y Y
14 Ruby Code Injection Ruby Injection Attack Critical Technology Specific Application-Level Ruby Application Server Side Syntax Injection Code Injection Y Y Y
15 PHP Object Injection PHP Object Injection Attack Critical Technology Specific Application-Level PHP Web Application Server Side Syntax Injection Code Injection Y Y Y
16 PHP preg_replace Abuse PHP preg_replace Abuse Attack Critical Technology Specific Application-Level PHP Web Application Server Side Syntax Injection Code Injection Y Y Y
17 ABAP Code Injection ABAP Injection ABAP Dynamic Code Evaluation Attack Critical Technology Specific Application-Level ABAP, SAP Web Application, SAP GUI Application Server Side Syntax Injection Code Injection Y Y Y
18 OS Command Injection OS Command Injection OS Commanding, Shell Injection Attack Critical Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
19 LDAP Injection LDAP Injection Attack Major Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
20 Format String Injection Format String Injection String Format Overflow Attack Critical Technology Specific Application-Level C, CPP, ASM Application Server Side Syntax Injection Code Injection Y Y Y
21 Null Byte Injection Null-Byte Injection Poison Null Byte, Embedding Null Code Attack Medium Generic Application-Level Any Application Server Side Syntax Injection Delimiter Injection Y Y Y
22 SMTP Injection SMTP Injection MX Injection, Mail Command Injection, Email Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection CRLF Based Protocol Manipulation Y Y Y
23 IMAP Injection IMAP Injection MX Injection, Mail Command Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection CRLF Based Protocol Manipulation Y Y Y
24 POP3 Injection POP3 Injection POP3 MX Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection CRLF Based Protocol Manipulation Y Y Y
25 Email Header Injection Email Header Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection Protocol Manipulation Y Y Y
26 Escape Sequence Injection Escape Sequence Injection Attack Major Technology Version Specific Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
27 HTTP Request Injection HTTP Request Injection HRI Attack Major Generic Application-Level Any Application Server Side Syntax Injection CRLF Based Protocol Manipulation Y Y Y
28 HTTP Request Header Injection HTTP Request Header Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection CRLF Based Protocol Manipulation Y Y Y
29 Reflection Injection Reflection Injection Attack Major Technology Specific Application-Level Java, JEE, J2EE, JSP, ASP.Net, Mono Application Server Side Syntax Injection Code Injection Y Y Y
30 XML Injection XML Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection Protocol Manipulation Y Y Y
31 XQUERY Injection XQUERY Injection Attack Major Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
32 XPATH Injection XPATH Injection Attack Major Generic Application-Level Any Application Server Side Syntax Injection Code Injection Y Y Y
33 Connection String Parameter Pollution CSPP Attack Major Generic Application-Level Any Application Server Side Syntax Injection Protocol Manipulation Y Y Y
34 Special Element Injection Special Element Injection Parameter Delimiter Injection Attack Medium Generic Application-Level Any Application Server Side Syntax Injection Delimiter Injection Y Y Y
35 Windows DATA Alternate Data Stream Windows DATA ADS ADS Major Generic Application-Level Any Application Server Side Syntax Injection Protocol Manipulation Y Y Y
36 Expression Language Injection EL Injection Attack Critical Technology Specific Application-Level Spring Framework - Java Web Application Server Side Syntax Injection Code Injection Y Y Y
37 OGNL Expression Injection OGNL Expression Injection Attack Major Technology Version Specific Application-Level JSP Struts Web Application Server Side Syntax Injection Code Injection Y
38 RoR YAML Injection RoR YAML Injection RoR Code Execution, Ruby On Rails Code Execution Attack Critical Technology Version Specific Application-Level Ruby Web Application Server Side Syntax Injection Code Injection Y
39 Unsigned Server Side Control Property Injection Unsigned Server Control Property Injection EoDSeC Attack Major Technology Specific Application-Level ASP.Net, Mono, JSF Web Application Server Side Syntax Injection Protocol Manipulation Y
40 Path Traversal Path Traversal Directory Traversal, Relative Path Traversal Attack Major Generic Application-Level Any Application Logical Input Manipulation File Inclusion Y Y Y
41 Path Manipulation Path Manipulation Absolute Path Traversal Attack Major Generic Application-Level Any Application Logical Input Manipulation Target Destination Manipulation Y Y Y
42 Reverse Proxy Bypass Reverse Proxy Bypass Attack Medium Generic Application-Level Any Web Application Logical Input Manipulation Target Destination Manipulation Y
43 PHP Remote File Inclusion PHP Remote File Inclusion Malicious File Execution Attack Critical Technology Specific Application-Level PHP Web Application Logical Input Manipulation File Inclusion Y Y Y
44 PHP Local File Inclusion PHP Local File Inclusion Attack Major Technology Specific Application-Level PHP Web Application Logical Input Manipulation File Inclusion Y Y Y
45 JSP Remote File Inclusion JSP Remote File Inclusion Attack Critical Technology Specific Application-Level JSP Web Application Logical Input Manipulation File Inclusion Y Y Y
46 JSP Local File Inclusion JSP Local File Inclusion Attack Major Technology Specific Application-Level JSP Web Application Logical Input Manipulation File Inclusion Y Y Y
47 XSS and Phishing via Remote File Inclusion XSS via Remote File Inclusion Remote File Inclusion, Phishing via Remote File Inclusion Attack Major Generic Application-Level Any Web Application Logical Input Manipulation File Inclusion Y Y Y
48 Server Side Request Forgery SSRF Resource Injection Attack Medium Generic Application-Level Any Application Logical Input Manipulation Target Destination Manipulation Y Y Y
49 MVC Mass Assignment MVC Mass Assignment Insecure Object Mapping Attack Major Generic Application-Level Any, MVC Web Application Logical Input Manipulation Parameter Tampering Y
50 HTTP Request Smuggling HTTP Request Smuggling HTTP Request Splitting Attack Medium Generic Web-Infrastructure-Level Any Web Application Logical Input Manipulation Protocol Manipulation Y
51 XML External Entity Processing XXE XML DTD External Entity Attack, XML DTD Injection Attack Major Generic Application-Level Any Web Application, Web Service Logical Input Manipulation File Inclusion Y
52 Server Side Control Signed Property Override Server Control Signed Property Override Control Property Override via Cache Reuse Attack Major Technology Specific Application-Level ASP.Net, Mono, JSF Web Application Logical Input Manipulation Parameter Tampering Y
53 Insecure Direct Object Reference Insecure Direct Object Reference Insufficient Authorization, Authorization Bypass Through User-Controlled Key, Resource Injection Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
54 Client Controlled Price Manipulation Client-Controlled Price Manipulation Web Parameter Tampering, eShoplifting Attack Critical Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
55 Client Controlled Sum Abuse Client-Controlled Sum Abuse Web Parameter Tampering Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
56 Client Controlled Quantity Manipulation Client-Controlled Quantity Manipulation Web Parameter Tampering Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
57 Client Controlled User Identifier Manipulation Client-Controlled User Identifier Manipulation User Impersonation via Parameter Tampering Attack Critical Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
58 Client Controlled Authentication Status Manipulation Client-Controlled Authentication Status Manipulation Authentication Bypass via Parameter Tampering Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y
59 Client Controlled Privilege Manipulation Client-Controlled Privilege Manipulation Client-Controlled Role Manipulation, Authorization Bypass via Parameter Tampering Attack Critical Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
60 Client Controlled Multiphase Process State Flags Manipulation Client-Controlled Multiphase Process State Flags Manipulation Flow Bypass via Parameter Tampering Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y Y
61 Client Controlled Lock Counter Manipulation Client-Controlled Lock Counter Manipulation Account-Lock Bypass via Parameter Tampering Attack Medium Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y
62 Client Controlled Lock Flag Manipulation Client-Controlled Lock Flag Manipulation Account-Lock Bypass via Parameter Tampering Attack Medium Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y
63 Client Controlled Configuration Setting Manipulation Client-Controlled Configuration Setting Manipulation Setting Manipulation Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y
64 Authentication Bypass via Referer Spoofing Authentication Bypass via Referer Spoofing Referer Spoofing Attack Major Generic Application-Level Any Web Application Spoofing Source URL Spoofing Y
65 Authentication Bypass via IP Spoofing Authentication Bypass via IP Spoofing Attack Major Generic Application-Level Any Application Spoofing Source Address Spoofing Y
66 Authentication Bypass via Alternative IP Access Authentication Bypass via Alternative IP Access Alternative IP Address Encodings Attack Major Generic Application-Level Any Application Logical Input Manipulation Target Destination Manipulation Y
67 Authentication Bypass using an Alternate Path or Channel Authentication Bypass using an Alternate Path or Channel Authentication Bypass by Alternate Name Attack Major Generic Application-Level Any Application Logical Input Manipulation Target Destination Manipulation Y
68 Authentication Bypass via Forced Access Authentication Bypass via Forced Browsing Improper Authentication, Authentication Abuse Attack Major Generic Application-Level Any Application Forced Access Target Destination Manipulation Y
69 Authorization Bypass via Forced Browsing Authorization Bypass via Forced Browsing Improper Authorization, Privilege Abuse Attack Major Generic Application-Level Any Application Forced Access Target Destination Manipulation Y
70 Multiphase Process Bypass via Forced Browsing Multiphase Process Bypass via Forced Browsing Flow Bypass, Insufficient Process Validation Attack Major Generic Application-Level Any Application Forced Access Target Destination Manipulation Y
71 Authentication Bypass via HTTP Verb Tampering Authentication Bypass via HTTP Verb Tampering Attack Major Generic Application-Level Any Web Application Forced Access Target Destination Manipulation Y
72 Authorization Bypass via HTTP Verb Tampering Authorization Bypass via HTTP Verb Tampering Attack Major Generic Application-Level Any Web Application Forced Access Target Destination Manipulation Y
73 Authentication Bypass via Session Puzzling Authentication Bypass via Session Puzzling Session Variable Overloading, Session Poisoning Attack Major Generic Application-Level Any Application Forced Access Session Puzzling Y
74 User Impersonation via Session Puzzling User Impersonation via Session Puzzling Session Variable Overloading, Session Poisoning Attack Major Generic Application-Level Any Application Forced Access Session Puzzling Y
75 Privilege Elevation via Session Puzzling Privilege Elevation via Session Puzzling Session Variable Overloading, Session Poisoning Attack Major Generic Application-Level Any Application Forced Access Session Puzzling Y
76 Multiphase Process Bypass via Session Puzzling Multiphase Process Bypass via Session Puzzling Session Variable Overloading Attack Major Generic Application-Level Any Application Forced Access Session Puzzling Y
77 Password Recovery Destination Manipulation via Session Puzzling Password Recovery Destination Manipulation via Session Puzzling Session Variable Overloading Attack Major Generic Application-Level Any Application Forced Access Session Puzzling Y
78 Enumeration of Obsolete and Unreferenced Files Enumeration of Obsolete and Unreferenced Files Old, Backup and Unreferenced Files Attack Medium Generic Web-Infrastructure-Level Any Web Application Forced Access Target Destination Manipulation Y
79 Predictable Resource Location Enumeration Predictable Resource Location Enumeration Attack Medium Generic Web-Infrastructure-Level Any Web Application Forced Access Target Destination Manipulation Y
80 Secret Argument Injection Secret Argument Modification Secret Parameter, Argument Injection, Application Backdoor Attack Medium Generic Application-Level Any Application Forced Access Target Destination Manipulation Y
81 Generic Business Logic Attack Generic Business Logic Attack Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y
82 Generic Session Poisoning Attack Generic Session Poisoning Attack Session Poisoning, Session Data Pollution Attack Major Generic Application-Level Any Application Logical Input Manipulation Session Poisoning Y
83 Generic Session Puzzling Attack Generic Session Puzzling Attack Attack Critical Generic Application-Level Any Application Forced Access Session Puzzling Y
84 Remote XSLT Inclusion Remote XSL Inclusion XSL Remote File Inclusion, XSLT Injection, XSLT Transform Injection Attack Critical Generic Application-Level Any Application Logical Input Manipulation File Inclusion Y Y Y
85 Perl Local File Inclusion Perl Local File Inclusion Attack Major Technology Specific Application-Level Perl Web Application Logical Input Manipulation File Inclusion Y Y Y
86 Perl Remote File Inclusion Perl Remote File Inclusion Attack Critical Technology Specific Application-Level Perl Web Application Logical Input Manipulation Parameter Tampering Y Y Y
87 ABAP Process Control ABAP Process Control Process Control, Dynamic Calls, Call Injection Attack Major Technology Specific Application-Level ABAP, SAP Web Application, SAP GUI Application Logical Input Manipulation Parameter Tampering Y Y
88 Execution of Unsigned Dormant Server Controls Execution of Unsigned Dormant Server Controls EoDSeC Attack Major Technology Specific Application-Level ASP.Net, Mono, JSF Web Application Logical Input Manipulation Protocol Manipulation Y
89 Execution of Unvalidated Dormant Server Controls Execution of Unvalidated Dormant Server Controls EoDSeC Attack Major Technology Specific Application-Level ASP.Net, Mono, JSF Web Application Forced Access Target Destination Manipulation Y
90 Execution of Dormant Server Controls in Unprotected Callbacks Execution of Dormant Server Controls in Unprotected Callbacks EoDSeC Attack Major Technology Specific Application-Level ASP.Net, Mono, JSF Web Application Forced Access Target Destination Manipulation Y
91 Execution of Signed Dormant Server Controls via Cache Reuse Execution of Signed Dormant Server Controls via Cache Reuse EoDSeC Attack Major Technology Specific Application-Level ASP.Net, Mono, JSF Web Application Logical Input Manipulation Protocol Manipulation Y
92 Unauthorized Administrative Interface Access Unauthorized Administrative Interface Access Admin Interface Exposed to the Internet Attack Major Generic Application-Level Any Web Application Forced Access Target Destination Manipulation Y
93 Execution After Redirect Execution After Redirect EAR Attack Major Generic Application-Level Any Web Application Forced Access Target Destination Manipulation Y
94 Cross Site Scripting XSS Attack Major Generic Application-Level Any Web Application Client Targeted Syntax Reflection Browser Targeted Code Injection Y Y Y Y
95 DOM Cross Site Scripting DOM XSS DXSS Attack Major Generic Application-Level Any Web Application Client Targeted Syntax Reflection Browser Targeted Code Injection Y
96 Unvalidated Redirect Unvalidated Redirect Open Redirect, External Redirect, Phishing via Redirect, URL Redirector Abuse Attack Medium Generic Application-Level Any Web Application Client Targeted Syntax Reflection Target Destination Manipulation Y Y Y Y
97 Unvalidated Forward Unvalidated Forward Attack Minor Generic Application-Level Any Web Application Client Targeted Syntax Reflection Target Destination Manipulation Y Y Y Y
98 Cross Site Scripting using Flash Flash XSS Flash Injection Attack Major Technology Specific Application-Level Adobe Flash Player Web Application Client Targeted Syntax Reflection Browser Targeted Code Injection Y
99 Flash Parameter Injection Flash Parameter Injection FPI, Flash Injection Attack Major Technology Version Specific Application-Level Adobe Flash Player Web Application Client Targeted Syntax Reflection Flash Injection Y
100 Cross Site Flashing XSF Flash Injection Attack Major Technology Version Specific Application-Level Adobe Flash Player up to 9.0.124.0 Web Application Client Targeted Syntax Reflection Flash Injection Y
101 HTTP Response Splitting HTTP Response Splitting HTTP Response Header Injection, CRLF Injection Attack Medium Generic Application-Level Any Web Application Client Targeted Syntax Reflection CRLF Injection Y Y Y
102 Reflected File Download RFD Malicious File Download Attack Major Generic Application-Level Any Web Application Client Targeted Syntax Reflection Deceptive Interactions Y Y Y Y
103 HTTP Response Smuggling HTTP Response Smuggling Attack Medium Generic Web-Infrastructure-Level Any Web Application Client Targeted Syntax Reflection Protocol Manipulation Y
104 Content Spoofing Content Spoofing Content Injection Attack Minor Generic Application-Level Any Application Client Targeted Syntax Reflection Deceptive Interactions Y Y Y
105 Log Forging Log Forging Log Injection, Log Spoofing, Web Logs Tampering Attack Medium Generic Application-Level Any Application Client Targeted Syntax Reflection CRLF Injection Y Y Y
106 JSON Hijacking JSON Hijacking Javascript Hijacking Attack Medium Technology Version Specific Application-Level All Browsers before Firefox 21, Chrome 27, or IE 10. Web Application Client Targeted 3rd Party References Session Riding Y
107 Cross Site Script Inclusion XSSI Attack Medium Generic Application-Level Any Web Application Client Targeted 3rd Party References Session Riding Y
108 Cross Site Request Forgery CSRF XSRF, Session Riding Attack Medium Generic Application-Level Any Web Application Client Targeted 3rd Party References Session Riding Y
109 Dynamic Ajax CSRF Dynamic Ajax CSRF Attack Medium Technology Version Specific Application-Level Any Web Application Client Targeted 3rd Party References Session Riding Y
110 Same Domain Request Forgery SDRF Attack Medium Generic Application-Level Any Web Application Client Targeted 3rd Party References Session Riding Y
111 Clickjacking Clickjacking UI Redressing Attack Medium Generic Application-Level Any Web Application Client Targeted 3rd Party References UI Redressing Y
112 Frame Spoofing Frame Spoofing Attack Minor Technology Version Specific Web-Infrastructure-Level Outdated IE, Outdated Firefox, Netscape Web Application Client Targeted 3rd Party References UI Redressing Y
113 Cross Site WebSocket Hijacking CSWSH Attack Medium Generic Application-Level Any Web Application Client Targeted 3rd Party References Session Riding Y
114 DNS Rebinding DNS Rebinding Anti-DNS Pinning Attack Medium Technology Specific Web-Infrastructure-Level Any Web Application Spoofing Source Address Spoofing Y
115 Malicious File Upload Malicious File Upload Unrestricted File Upload, Malicious File Execution Attack Critical Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y
116 Unrestricted File Upload Unrestricted File Upload Attack Medium Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y
117 PHP Uploaded File Variables Abuse PHP Uploaded File Variables Abuse Attack Major Technology Version Specific Application-Level PHP prior to v4 Web Application Abuse of Functionality Abuse of Application Functionality Y
118 Account Lockout Abuse Account Lockout Abuse Account Lockout Attack, Overly Restrictive Account Lockout Policy, Inducing Account Lockout Attack Medium Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y
119 SQL Sorting SQL Sorting Attack Major Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y
120 Session Fixation Session Fixation Attack Medium Generic Application-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y Y
121 Remote Binary Planting Remote Binary Planting DLL Search Order Hijacking, Windows Insecure Library Loading Attack Critical Generic Application-Level Windows Application Abuse of Functionality Abuse of Infrastructure Functionality Y
122 Generic User Account Privilege Abuse Generic User Account Privilege Abuse Privilege Escalation Attack Major Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y
123 Logging of Excessive Data Logging of Excessive Data Attack Minor Generic Application-Level Any Application Abuse of Functionality Abuse of Application Functionality Y
124 HTTP PUT Method Abuse HTTP PUT Attack Attack Critical Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
125 HTTP DELETE Method Abuse HTTP DELETE Attack Attack Major Generic Application-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
126 Cross Site Tracing XST HTTP TRACE-TRACK Abuse, TRACE header reflection Exploitation Method Minor Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
127 HTTP WebDAV PROPPATCH Method Abuse HTTP PROPPATCH Method Abuse Attack Medium Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
128 HTTP WebDAV COPY Method Abuse HTTP COPY Method Abuse Attack Major Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
129 HTTP WebDAV MOVE Method Abuse HTTP MOVE Method Abuse Attack Major Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
130 HTTP WebDAV MKCOL Method Abuse HTTP MKCOL Method Abuse Attack Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
131 HTTP MKDIR Method Abuse HTTP MKDIR Method Abuse Attack Medium Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
132 HTTP WebDAV PROPFIND Method Abuse HTTP PROPFIND Method Abuse Attack Medium Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
133 HTTP CONNECT Method Abuse HTTP CONNECT Method Abuse Proxy Abuse Attack Minor Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
134 HTTP OPTIONS Method Information Disclosure HTTP OPTIONS Information Disclosure Attack Informative Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
135 HTTP WebDAV LOCK Method Abuse HTTP LOCK Method Abuse Attack Minor Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
136 HTTP WebDAV UNLOCK Method Abuse HTTP UNLOCK Method Abuse Attack Minor Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
137 HTTP WebDAV SEARCH Method Abuse HTTP SEARCH Method Abuse Attack Medium Generic Web-Infrastructure-Level Any Web Application Abuse of Functionality Abuse of Infrastructure Functionality Y
138 HTTP Parameter Pollution HPP Improper Handling of Extra Parameters Evasion Technique Medium Generic Application-Level Any Web Application Security Mechanism Bypass Evasion Technique Y
139 Predictable Session Identifier Abuse Predictable Session Identifier Abuse Predictable Session ID, Session Prediction, Session Credential Falsification Attack Major Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
140 CAPTCHA Re-Riding CAPTCHA Re-Riding CAPTCHA Accumulation Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Session Puzzling Y
141 Client-side CAPTCHA Logic Abuse Client-side CAPTCHA Logic Abuse Client-side storage and hidden fields, Client-side CAPTCHA Verification Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Client-Controlled Verification Abuse Y
142 Chosen CAPTCHA Text Abuse Chosen CAPTCHA Text Abuse Client-generated CAPTCHA, The Chosen CAPTCHA Text attack Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Client-Controlled Verification Abuse Y
143 Arithmetic CAPTCHA Abuse Arithmetic CAPTCHA Abuse Arithmetic CAPTCHA Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Client-Controlled Verification Abuse Y
144 Chosen CAPTCHA Identifier Abuse Chosen CAPTCHA Identifier Abuse Chosen CAPTCHA Identifier Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
145 CAPTCHA Rainbow Tables CAPTCHA Rainbow Tables Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Enumeration Y
146 CAPTCHA Fixation CAPTCHA Fixation Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Race Condition Y
147 In-Session CAPTCHA Brute-forcing In-Session CAPTCHA Brute-forcing Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
148 OCR-assisted CAPTCHA Brute-forcing OCR-assisted CAPTCHA Brute-forcing Weak CAPTCHA Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
149 Limited CAPTCHA Repository Abuse Limited CAPTCHA Repository Abuse Limited Set CAPTCHAs Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Enumeration Y
150 CAPTCHA Clipping CAPTCHA Clipping Impersonating CAPTCHA Providers Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Service Provider Impersonation Y
151 Missing CAPTCHA Abuse Missing CAPTCHA Abuse Excessive Feature Abuse, Missing CAPTCHA Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Enumeration Y
152 Missing Account Lockout Abuse Missing Account Lockout Abuse Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Enumeration Y
153 Session Stored Lockout Flags Abuse Session Stored Lockout Flags Abuse Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Session Puzzling Y
154 Session Stored Lockout Counter Abuse Session Stored Lockout Counter Abuse Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Session Puzzling Y
155 Weak Lockout Policy Abuse Weak Lockout Policy Abuse Weak Account Lockout Attack Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
156 Insecure Password Recovery Process Abuse Insecure Password Recovery Initiation Destination Weak Password Recovery, Insufficient Password Recovery, Insecure Password Recovery Process Vulnerability Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
157 EL3 Injection EL3 Injection Lambda Injection Attack Critical Technology Specific Application-Level Java, EL3 Application Server Side Syntax Injection Code Injection Y Y Y
158 Weak Recovery Answer Enumeration Weak Recovery Answer Enumeration Unrestricted Recovery Question Answer Attempts Abuse Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Enumeration Y
159 Insufficient Logging Abuse Insufficient Logging Abuse Insufficient Logging Vulnerability Minor Generic Application-Level, Web-Infrastructure-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
160 Log Repudiation Attack Log Repudiation Attack Repudiation Attack Attack Minor Generic Application-Level Any Application Security Mechanism Bypass Parameter Tampering Y
161 Credentials Enumeration in Login Username Enumeration in Login Email Enumeration in Login Attack Medium Generic Application-Level Any Application Resource Mapping Dictionary Attack Y
162 Credentials Enumeration in Password Recovery Username Enumeration in Password Recovery Email Enumeration in Password Recovery Attack Medium Generic Application-Level Any Application Resource Mapping Dictionary Attack Y
163 Credentials Enumeration in Registration Username Enumeration in Registration Email Enumeration in Registration Attack Medium Generic Application-Level Any Application Resource Mapping Dictionary Attack Y
164 Generic Credential Enumeration Generic Username Enumeration Generic Email Enumeration Attack Medium Generic Application-Level JEE Application Resource Mapping Dictionary Attack Y
165 Password Disclosure in Password Recovery Password Disclosure in Password Recovery Vulnerability Minor Generic Application-Level Any Application Server Side Information Exposure Credential Information Disclosure to Client Y
166 Generic Password Disclosure Generic Password Disclosure Vulnerability Minor Generic Application-Level Any Application Server Side Information Exposure Credential Information Disclosure to Client Y
167 Sensitive Information Disclosure in Log Files Sensitive Information Disclosure in Log Files Information Leak Through Log Files Vulnerability Minor Generic Application-Level Any Application Local Information Exposure Local Information Disclosure in Server Y
168 Missing Encryption of Sensitive Data Missing Encryption of Sensitive Data Insecure Storage Vulnerability Minor Generic Application-Level Any Application Local Information Exposure Local Credential Information Disclosure in Server Y
169 Inadequate Storage Encryption Key Strength Inadequate Storage Encryption Key Strength Weak Encryption, Insecure Encryption Key Length, Insecure Encryption Attributes Vulnerability Minor Generic Application-Level, Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
170 Insecure Storage Cryptographic Algorithm Insecure Storage Cryptographic Algorithm Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
171 Weak Credential Hashing Algorithm Insecure Credential Hashing Algorithm Reversible One-Way Hash, Insecure Storage, Weak Cryptographic Hash Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
172 Unsalted Hash Unsalted Hash Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
173 Hard-coded Cryptographic Key Hard-coded Cryptographic Key Vulnerability Minor Generic Application-Level Any Application Local Information Exposure Local Information Disclosure in Server Y
174 Hard-coded Credentials Hard-coded Credentials Hard-coded Password Vulnerability Minor Generic Application-Level Any Application Local Information Exposure Local Information Disclosure in Server Y
175 Missing Required Cryptographic Step Missing Required Cryptographic Step Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
176 Padding Oracle Padding Oracle Padding Oracle Crypto Attack Attack Major Generic Application-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
177 SSL Renegotiation SSL Renegotiation Attack Medium Technology Version Specific Web-Infrastructure-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
178 SSL Version Rollback SSL Version Rollback Cipher Suite Rollback Attack Medium Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
179 Browser Exploit Against SSL TLS BEAST BEAST Attack Attack Major Technology Version Specific Web-Infrastructure-Level Any Web Application Security Mechanism Bypass Cryptanalysis Attack Y
180 Compression Ratio Info-leak Made Easy CRIME CRIME Attack Attack Medium Generic Web-Infrastructure-Level Any Web Application Security Mechanism Bypass Cryptanalysis Attack Y
181 Timing Info-leak Made Easy TIME TIME Attack Attack Medium Generic Web-Infrastructure-Level Any Web Application Security Mechanism Bypass Cryptanalysis Attack Y
182 Browser Reconnaissance Exfiltration via Adaptive Compression of Hypertext BREACH BREACH Attack Attack Major Generic Web-Infrastructure-Level Any Web Application Security Mechanism Bypass Cryptanalysis Attack Y
183 RC4 TLS Attack RC4 Attack Attack Medium Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
184 Lucky 13 Attack Lucky 13 Lucky Thirteen Attack Medium Technology Version Specific Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
185 OpenSSL Change Cipher Spec MITM Injection SSL CCS MITM CCS Injection Attack Medium Technology Version Specific Web-Infrastructure-Level OpenSSL Application Security Mechanism Bypass Cryptanalysis Attack Y
186 Padding Oracle On Downgraded Legacy Encryption POODLE Attack Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
187 Unencrypted Communication Eavesdropping Unencrypted Communication Eavesdropping Insufficient Transport Layer Protection, Lack of Transport Layer Encryption Attack Medium Generic Web-Infrastructure-Level Any Application Insecure Communication Abuse Information Disclosure in Insecure Communication Y
188 SSL Stripping SSL Stripping Attack Medium Generic Web-Infrastructure-Level Any Web Application Insecure Communication Abuse Man In The Middle Attack Y
189 Credentials Transported over Unencrypted Channel Credentials Eavesdropping from Unencrypted Channel Attack Major Generic Web-Infrastructure-Level Any Application Insecure Communication Abuse Information Disclosure in Insecure Communication Y
190 Session Hijacking via Eavesdropping Session Hijacking Session Sidejacking Attack Major Generic Web-Infrastructure-Level Any Application Insecure Communication Abuse Information Disclosure in Insecure Communication Y
191 Encryption Brute Forcing Weak Cipher Brute Forcing Weak Cipher Support Attack Medium Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
192 Weak X509 Asymmetric SSL Key-Pair Weak SSL Key-Pair Brute Forcing Insecure Transport Layer Protection Attack Medium Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
193 Insecure SSL Protocol Support Insecure SSL Protocol Support Vulnerability Medium Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
194 Invalid SSL Certificate Invalid SSL Certificate Vulnerability Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
195 Expired SSL Certificate Expired SSL Certificate Vulnerability Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
196 Stolen Expired Certificate Abuse Stolen Expired Certificate Abuse Improper Validation of Certificate Expiration Attack Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
197 Stolen Revoked Certificate Abuse Stolen Revoked Certificate Abuse Missing Check for Certificate Revocation after Initial Check Attack Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
198 Valid Certificate Abuse for Another Domain Valid Certificate Abuse for Another Domain Attack Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
199 Fake Chain-of-Trust Certificate Abuse Broken Chain-of-Trust Certificate Abuse Attack Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
200 Endpoint Impersonation in an Encrypted Communication Channel Endpoint Impersonation in an Encrypted Communication Channel Lack of Certificate Validation Attack Medium Generic Web-Infrastructure-Level Any Application Spoofing Signature Spoofing Y
201 Session Replay Session Replay Authentication Bypass by Capture-Replay, Reusing Session ID Attack Medium Generic Application-Level, Web-Infrastructure-Level Any Application Insecure Communication Abuse Replay Attack Y
202 Man-In-The-Middle MITM Attack Medium Generic Web-Infrastructure-Level Any Application Insecure Communication Abuse Man In The Middle Attack Y
203 Password Brute Forcing Weak Password Policy Exploitation Method Medium Generic Application-Level Any Application Resource Mapping Dictionary Attack Y
204 Weak Password Policy Weak Password Policy Vulnerability Medium Generic Application-Level Any Application Resource Mapping Dictionary Attack Y
205 Weak Default Password Generation Weak Initial Password Generation Vulnerability Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
206 Directory and File Brute Forcing Dir and File Brute Forcing Informative 404 Messages, Web-based Directory Enumeration Attack Minor Generic Web-Infrastructure-Level Any Application Resource Mapping Dictionary Attack Y
207 Ineffective Session Termination Ineffective Session Termination Ineffective Logout Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
208 Weak Password Recovery Question Selection Weak Recovery Question Selection Vulnerability Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
209 Unrestricted Password Recovery Initiation Attempts Abuse Unrestricted Recovery Initiation Unlimited Password Recovery Initiation Attack Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
210 Predictable Password Recovery Initiation Challenge Predictable Password Recovery Token Enumeration Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
211 Persistent Password Recovery Token Persistent Password Recovery Token Ineffective Password Recovery Process Termination Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
212 Password Recovery Destination Manipulation via Parameter Tampering Recovery Destination Manipulation via Parameter Tampering Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y
213 Incomplete Session Termination in SSO Incomplete Session Termination in SSO Attack Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
214 Persistent Session Lifespan Persistent Session Lifespan Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
215 Cross Context Scripting XCS Attack Critical Generic Custom Browser Extension, Browser Any Application Client Targeted Syntax Reflection Browser Targeted Code Injection Y Y Y
216 Insufficient Logout Visibility Insufficient Logout Visibility Vulnerability Minor Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
217 Insufficient Session Expiration Insufficient Session Expiration Vulnerability Minor Generic Web-Infrastructure-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
218 Predictable Anti-CSRF Token Abuse Predictable Anti-CSRF Token Abuse Attack Medium Generic Application-Level Any Web Application Security Mechanism Bypass Weak Mechanism Abuse Y
219 Anti-CSRF Verification Bypass Anti-CSRF Verification Bypass Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Weak Mechanism Abuse Y
220 Buffer Overflow via Malicious Input Buffer Overflow Stack Overflow, Heap Overflow Attack Critical Generic Application-Level Any, Except managed code without external calls Application Memory Level Attacks Memory Overflow Y Y Y
221 Buffer Overflow via Client Extension Initialization Params Buffer Overflow against Custom Browser Controls Overflow Variables and Tags Attack Major Generic Custom Browser Extension, Browser, Client Application Any Web Application Memory Level Attacks Memory Overflow Y
222 Use After Free Use After Free Vulnerability Major Generic Application-Level Any, Excluding managed code without external calls Application Memory Level Attacks Memory Corruption Y
223 SOAP Array Overflow SOAP Array Overflow SOAP Array Attack Attack Major Generic Application-Level Any Web Application, Web Service Memory Level Attacks Memory Overflow Y
224 Double Free Double Free Vulnerability Medium Generic Application-Level Any, Excluding managed code without external calls Application Memory Level Attacks Memory Corruption Y
225 Memory Leak Memory Leak Vulnerability Medium Generic Application-Level Any Application Memory Level Attacks Memory Corruption Y
226 Null Dereference Null Dereference Vulnerability Medium Generic Application-Level Any Application Memory Level Attacks Memory Corruption Y
227 Expired Pointer Dereference Expired Pointer Dereference Vulnerability Medium Generic Application-Level Any, Excluding managed code without external calls Application Memory Level Attacks Memory Corruption Y
228 Buffer Underwrite Buffer Underwrite Vulnerability Medium Generic Application-Level Any, Excluding managed code without external calls Application Memory Level Attacks Memory Overflow Y
229 User Controlled Memory Pointer Reference User Controlled Memory Pointer Reference Attack Major Generic Application-Level Any Application Memory Level Attacks Memory Corruption Y
230 Integer Overflow Integer Overflow Attack Medium Generic Application-Level Any Application Memory Level Attacks Memory Corruption Y
231 Time of Check to Time of Use Transaction Race Condition TOCTTOU Transaction Race Condition TOCTTOU Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
232 IIS Short File Name Disclosure IIS Short File Name Enumeration Attack Major Technology Version Specific Web-Infrastructure-Level IIS Web Application Insecure Configuration Abuse Web Server Misconfiguration Abuse Y
233 Cross-Domain Search Timing Cross-Domain Search Timing Pixel Perfect Timing Attacks Attack Minor Generic Application-Level Any Web Application Timed Attacks Response Time Analysis Y
234 Context Switching Race Condition Context Switching Race Condition Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
235 Time of Check to Time of Use File Access Race Condition TOCTTOU File Access Race Condition TOCTTOU, Race Condition Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
236 Exposure of Data Element to Wrong Session via Data Race Condition Member Field Race Condition Exposure of Data Element to Wrong Session, Singleton Member Field Race Condition, Shared Field Race Condition, Static Field Race Condition Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
237 Temporal Session Race Conditions via Line Targeted ADoS Temporal Session Race Conditions Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
238 Single Handler Race Condition Single Handler Race Condition Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
239 Switch-Case Race Condition Switch-Case Race Condition Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
240 Alternate Channel Race Condition Alternate Channel Race Condition Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
241 Link Following Race Condition Link Following Race Condition Attack Medium Generic Application-Level Any Application Timed Attacks Race Condition Y
242 Permission Race Condition During Resource Copy Permission Race Condition During Resource Copy Attack Major Generic Application-Level Any Application Timed Attacks Race Condition Y
243 Generic Race Condition within a Thread Generic Race Condition within a Thread Attack Medium Generic Application-Level Any Application Timed Attacks Race Condition Y
244 Regular Expression DoS ReDOS RegEx DoS Attack Medium Generic Application-Level Any Application Application Denial of Service Application Resource Consumption Y
245 Forced Deadlock Forced Deadlock Unrestricted Externally Accessible Lock Attack Major Generic Application-Level Any Application Application Denial of Service Application Resource Consumption Y
246 Database Connection Pool Consumption Database Connection Pool Consumption Insufficient Resource Pool Attack Medium Generic Application-Level Any Application Application Denial of Service Application Resource Consumption Y
247 Web Server Thread Pool Occupation Web Server Thread Occupation Slowloris DoS Attack, RUDY Attack Attack Major Generic Web-Infrastructure-Level Any Web Application Application Denial of Service Application Resource Consumption Y
248 HTTP Fragmentation Attack HTTP Fragmentation Attack RUDY Attack, R U Dead Yet Attack Attack Major Generic Web-Infrastructure-Level Any Web Application Application Denial of Service Application Resource Consumption Y
249 THC SSL Denial of Service THC-SSL-DoS Attack Major Generic Web-Infrastructure-Level Any Application Application Denial of Service Application Resource Consumption Y
250 XML Bomb XML Bomb Billion Laughs Attack, XML Quadratic Blowup - Variation Attack Major Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
251 Client Controlled Action Type Manipulation via Parameter Tampering Client Controlled Action Type Manipulation via Parameter Tampering Attack Major Generic Application-Level Any Application Logical Input Manipulation Parameter Tampering Y Y
252 Floating Point DoS Floating Point DoS Magic Number DoS, PHP 2.2250738585072011e-308 Vulnerability, Java Numeric DoS, Mark-of-the-Beast Attack Medium Technology Version Specific Application-Level PHP, Java, JSP Application Application Denial of Service Application Resource Consumption Y
253 Hash Flooding DoS Hash Collision DoS Magic Hash DoS, HashDoS Attack Medium Generic Application-Level Any Application Application Denial of Service Application Resource Consumption Y
254 Directory Indexing Directory Listing Directory Browsing Attack Medium Generic Application-Level Any Web Application Server Side Information Exposure Server side Information Disclosure to Client Y
255 HTTP Flood HTTP Flood HTTP GET Flood, HTTP POST Flood, XML Flood, SSL Flood Attack Minor Generic Application-Level Any Web Application Application Denial of Service Application Resource Consumption Y
256 Generic Resource Exhaustion Resource Exhaustion XML Ping of Death - Variant Attack Medium Generic Application-Level Any Application Application Denial of Service Application Resource Consumption Y
257 ShellShock ShellShock Attack Critical Technology Version Specific Web-Infrastructure-Level Any Application Prominent Known Vulnerabilities Shared Library Exploit Y
258 HeartBleed HeartBleed Attack Critical Technology Version Specific Web-Infrastructure-Level OpenSSL Web Application, Web Service Prominent Known Vulnerabilities Shared Library Exploit Y
259 XML Schema Poisoning XML Schema Poisoning WSDL Metadata Spoofing Attack Medium Generic Application-Level Any Web Application, Web Service Logical Input Manipulation Protocol Manipulation Y
260 XML Signature - Key Retrieval Cross Site Attack XML Signature - Key Retrieval XSA Attack Major Generic Application-Level Any Web Application, Web Service Logical Input Manipulation File Inclusion Y
261 SOAP Coercive Parsing SOAP Coercive Parsing Attack Medium Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
262 SOAPAction Spoofing SOAPAction Spoofing Attack Major Generic Application-Level Any Web Application, Web Service Forced Access Target Destination Manipulation Y
263 WSDL Disclosure WSDL Disclosure Vulnerability Minor Generic Application-Level Any Web Application, Web Service Server Side Information Exposure Server side Information Disclosure to Client Y
264 XML Rewriting XML Signature Wrapping Attack Medium Generic Application-Level Any Web Application, Web Service Security Mechanism Bypass Weak Mechanism Abuse Y
265 XML Routing Detour XML Routing Detour Attack Major Generic Application-Level Any Web Application, Web Service Logical Input Manipulation Protocol Manipulation Y
266 XML Signature and Encryption Transformation DOS XML Transformation DOS C14N DOS, XSLT DOS, Xpath DOS Attack Medium Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
267 XML Signature - Key Retrieval DOS XML Signature - Key Retrieval DOS Attack Medium Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
268 XML Entity Reference Attack XML Entity Reference Attack DTD Entity Reference Attack Attack Minor Generic Application-Level Any Web Application, Web Service Server Side Information Exposure Server side Information Disclosure to Client Y
269 Remote Timing Attack Remote Timing Attack Cache-timing Attack - Cryptography Variant, Remote side channel attack Attack Medium Generic Application-Level Any Application Resource Mapping Enumeration Y
270 Winshock Winshock MS14-066, CVE-2014-6321 Attack Critical Generic Web-Infrastructure-Level Any Application Prominent Known Vulnerabilities Shared Library Exploit Y
271 HTML5 Cross Origin Resource Sharing Functionality Abuse CORS Functionality Abuse Attack Major Generic Application-Level Any Web Application Insecure Configuration Abuse Web Application Misconfiguration Abuse Y
272 WebView Injection WebView Injection Attack Medium Generic Application-Level Android Mobile Application Client Targeted Syntax Reflection Browser Targeted Code Injection Y
273 Intent Intercept Intent Intercept Unauthorized Intent Receipt Attack Medium Technology Specific Application-Level Android Mobile Application Malicious Client Application Information Disclosure in Insecure Communication Y
274 Intent Spoof Intent Spoof Intent Injection Attack Medium Technology Specific Application-Level Android Mobile Application Malicious Client Application Source Address Spoofing Y
275 Unauthorized WebSocket Access Unauthorized WebSocket Access Attack Major Generic Application-Level Any Web Application Forced Access Target Destination Manipulation Y
276 Oversized XML DoS Over-sized XML DoS XML Document Size Attack Attack Medium Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
277 XML Reference Redirect DoS XML Reference Redirect DoS Attack Medium Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
278 SOAP Recursive Cryptography DoS SOAP Recursive Cryptography DoS Attack Medium Generic Application-Level Any Web Application, Web Service Application Denial of Service Application Resource Consumption Y
279 Referral Flood of Trusted Entities Referral Flood of Trusted Entities WS-Addressing Spoofing - Variant, Anti-DDoS Service Abuse for Blocking Trusted Entities Attack Medium Generic Application-Level Any Application Application Denial of Service Application Resource Consumption Y
280 UDDI Impersonation UDDI Spoofing ebXML Spoofing Attack Medium Generic Social-Level Any Web Service Phishing Web Service Consumer Phishing Y
281 Memcached Injection Memcached Injection Attack Critical Generic Application-Level Any Web Application Server Side Syntax Injection Code Injection Y Y Y
282 Source Code Disclosure via Accessible Source Code Folder Source Code Disclosure via Accessible Folder WEB-INF Directory Information Disclosure, bin Directory Information Disclosure Attack Major Generic Application-Level ASP.Net, JSP Web Application Forced Access Target Destination Manipulation Y
283 User Impersonation via Social Login Design Flaw SpoofedMe Attack Major Generic Application-Level Any Web Application Abuse of Functionality Abuse of Application Functionality Y
284 Hash Length Extension Attack Hash Length Extension Signature Forgery, Hash Function Extension Attack Medium Generic Application-Level Any Application Security Mechanism Bypass Cryptanalysis Attack Y
285 Surf Jacking Surf Jacking Attack Medium Generic Application-Level Any Web Application Insecure Communication Abuse Man In The Middle Attack Y
286 Browser User Agent Impersonation User Agent Impersonation Attack Minor Generic Application-Level Any Web Application Spoofing Type Spoofing Y
287 Subdomain Takeover via Abuse of Domain Service Provider Subdomain Claims Subdomain Takeover via Abuse of Subdomain Claims Attack Major Generic Infrastructure-Level Any Domain Abuse of Functionality Abuse of Infrastructure Functionality Y
288 Search Engine Impersonation Search Engine Impersonation Evasion Technique Medium Generic Web-Infrastructure-Level Any Web Application Spoofing Type Spoofing Y