List of Attack Vectors

#	Attack Vector Name	Attack Vector Short Name	Also Known As	Vector Type	Severity	Relevance	Layer	Platforms	Target Type	Attack Category I	Attack Sub Category I	D	P	M	S
1	SQL Injection	SQL Injection	Sequel Injection	Attack	Critical	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
2	SQL Syntax Execution	SQL Execution		Attack	Critical	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y			Y
3	HQL Injection	HQL Injection	ORM Injection	Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
4	SQL Filter Injection	SQL Filter Injection	SQL Rowset Injection	Attack	Medium	Technology Specific	Application-Level	ASP.Net, Mono	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
5	Server Side Include Injection	SSI Injection		Attack	Critical	Generic	Application-Level	Any	Web Application	Server Side Syntax Injection	Code Injection	Y
6	Server Side Javascript Injection	SSJS Injection	NoSQL Injection - deprecated	Attack	Critical	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
7	Mongo NoSQL Injection 2014 Variant	Mongo NoSQL Injection		Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
8	ASP Javascript Code Injection	ASP-JS Injection	ASP Remote Dynamic Code Evaluation	Attack	Critical	Technology Specific	Application-Level	ASP Classic	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
9	ASP VBScript Code Injection	ASP-VBS Injection	ASP Remote Dynamic Code Evaluation	Attack	Critical	Technology Specific	Application-Level	ASP Classic	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
10	PHP Code Injection	PHP Injection	PHP Dynamic Code Evaluation	Attack	Critical	Technology Specific	Application-Level	PHP	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
11	Java Code Injection	Java Injection	JSP Code Injection, ScriptEngine Code Injection, Rhino Code Injection - Variation	Attack	Critical	Technology Specific	Application-Level	Java, JEE, J2EE, JSP	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
12	Python Code Injection	Python Injection		Attack	Critical	Technology Specific	Application-Level	Python	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
13	Perl Code Injection	Perl Injection		Attack	Critical	Technology Specific	Application-Level	Perl	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
14	Ruby Code Injection	Ruby Injection		Attack	Critical	Technology Specific	Application-Level	Ruby	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
15	PHP Object Injection	PHP Object Injection		Attack	Critical	Technology Specific	Application-Level	PHP	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
16	PHP preg_replace Abuse	PHP preg_replace Abuse		Attack	Critical	Technology Specific	Application-Level	PHP	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
17	ABAP Code Injection	ABAP Injection	ABAP Dynamic Code Evaluation	Attack	Critical	Technology Specific	Application-Level	ABAP, SAP	Web Application, SAP GUI Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
18	OS Command Injection	OS Command Injection	OS Commanding, Shell Injection	Attack	Critical	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
19	LDAP Injection	LDAP Injection		Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
20	Format String Injection	Format String Injection	String Format Overflow	Attack	Critical	Technology Specific	Application-Level	C, CPP, ASM	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
21	Null Byte Injection	Null-Byte Injection	Poison Null Byte, Embedding Null Code	Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Delimiter Injection	Y	Y		Y
22	SMTP Injection	SMTP Injection	MX Injection, Mail Command Injection, Email Injection	Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	CRLF Based Protocol Manipulation	Y	Y		Y
23	IMAP Injection	IMAP Injection	MX Injection, Mail Command Injection	Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	CRLF Based Protocol Manipulation	Y	Y		Y
24	POP3 Injection	POP3 Injection	POP3 MX Injection	Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	CRLF Based Protocol Manipulation	Y	Y		Y
25	Email Header Injection	Email Header Injection		Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Protocol Manipulation	Y	Y		Y
26	Escape Sequence Injection	Escape Sequence Injection		Attack	Major	Technology Version Specific	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
27	HTTP Request Injection	HTTP Request Injection	HRI	Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	CRLF Based Protocol Manipulation	Y	Y		Y
28	HTTP Request Header Injection	HTTP Request Header Injection		Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	CRLF Based Protocol Manipulation	Y	Y		Y
29	Reflection Injection	Reflection Injection		Attack	Major	Technology Specific	Application-Level	Java, JEE, J2EE, JSP, ASP.Net, Mono	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
30	XML Injection	XML Injection		Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Protocol Manipulation	Y	Y		Y
31	XQUERY Injection	XQUERY Injection		Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
32	XPATH Injection	XPATH Injection		Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
33	Connection String Parameter Pollution	CSPP		Attack	Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Protocol Manipulation	Y	Y		Y
34	Special Element Injection	Special Element Injection	Parameter Delimiter Injection	Attack	Medium	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Delimiter Injection	Y	Y		Y
35	Windows DATA Alternate Data Stream	Windows DATA ADS	ADS		Major	Generic	Application-Level	Any	Application	Server Side Syntax Injection	Protocol Manipulation	Y	Y		Y
36	Expression Language Injection	EL Injection		Attack	Critical	Technology Specific	Application-Level	Spring Framework - Java	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
37	OGNL Expression Injection	OGNL Expression Injection		Attack	Major	Technology Version Specific	Application-Level	JSP Struts	Web Application	Server Side Syntax Injection	Code Injection	Y
38	RoR YAML Injection	RoR YAML Injection	RoR Code Execution, Ruby On Rails Code Execution	Attack	Critical	Technology Version Specific	Application-Level	Ruby	Web Application	Server Side Syntax Injection	Code Injection	Y
39	Unsigned Server Side Control Property Injection	Unsigned Server Control Property Injection	EoDSeC	Attack	Major	Technology Specific	Application-Level	ASP.Net, Mono, JSF	Web Application	Server Side Syntax Injection	Protocol Manipulation	Y
40	Path Traversal	Path Traversal	Directory Traversal, Relative Path Traversal	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
41	Path Manipulation	Path Manipulation	Absoluste Path Traveral	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Target Destination Manipulation	Y	Y		Y
42	Reverse Proxy Bypass	Reverse Proxy Bypass		Attack	Medium	Generic	Application-Level	Any	Web Application	Logical Input Manipulation	Target Destination Manipulation	Y
43	PHP Remote File Inclusion	PHP Remote File Inclusion	Malicious File Execution	Attack	Critical	Technology Specific	Application-Level	PHP	Web Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
44	PHP Local File Inclusion	PHP Local File Inclusion		Attack	Major	Technology Specific	Application-Level	PHP	Web Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
45	JSP Remote File Inclusion	JSP Remote File Inclusion		Attack	Critical	Technology Specific	Application-Level	JSP	Web Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
46	JSP Local File Inclusion	JSP Local File Inclusion		Attack	Major	Technology Specific	Application-Level	JSP	Web Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
47	XSS and Phishing via Remote File Inclusion	XSS via Remote File Inclusion	Remote File Inclusion, Phishing via Remote File Inclusion	Attack	Major	Generic	Application-Level	Any	Web Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
48	Server Side Request Forgery	SSRF	Resource Injection	Attack	Medium	Generic	Application-Level	Any	Application	Logical Input Manipulation	Target Destination Manipulation	Y	Y		Y
49	MVC Mass Assignment	MVC Mass Assignment	Insecure Object Mapping	Attack	Major	Generic	Application-Level	Any, MVC	Web Application	Logical Input Manipulation	Parameter Tampering	Y
50	HTTP Request Smuggling	HTTP Request Smuggling	HTTP Request Splitting	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Logical Input Manipulation	Protocol Manipulation	Y
51	XML External Entity Processing	XXE	XML DTD External Entity Attack, XML DTD Injection	Attack	Major	Generic	Application-Level	Any	Web Application, Web Service	Logical Input Manipulation	File Inclusion	Y
52	Server Side Control Signed Property Override	Server Control Signed Property Override	Control Property Override via Cache Reuse	Attack	Major	Technology Specific	Application-Level	ASP.Net, Mono, JSF	Web Application	Logical Input Manipulation	Parameter Tampering	Y
53	Insecure Direct Object Reference	Insecure Direct Object Reference	Insufficient Authorization, Authorization Bypass Through User-Controlled Key, Resource Injection	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
54	Client Controlled Price Manipulation	Client-Controlled Price Manipulation	Web Parameter Tampering, eShoplifting	Attack	Critical	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
55	Client Controlled Sum Abuse	Client-Controlled Sum Abuse	Web Parameter Tampering	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
56	Client Controlled Quantity Manipulation	Client-Controlled Quantity Manipulation	Web Parameter Tampering	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
57	Client Controlled User Identifier Manipulation	Client-Controlled User Identifier Manipulation	User Impersonation via Parameter Tampering	Attack	Critical	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
58	Client Controlled Authentication Status Manipulation	Client-Controlled Authentication Status Manipulation	Authentication Bypass via Parameter Tampering	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y			Y
59	Client Controlled Privilege Manipulation	Client-Controlled Privilege Manipulation	Client-Controlled Role Manipulation, Authorization Bypass via via Parameter Tampering	Attack	Critical	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
60	Client Controlled Multiphase Process State Flags Manipulation	Client-Controlled Multiphase Process State Flags Manipulation	Flow Bypass via Parameter Tampering	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
61	Client Controlled Lock Counter Manipulation	Client-Controlled Lock Counter Manipulation	Account-Lock Bypass via Parameter Tampering	Attack	Medium	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y
62	Client Controlled Lock Flag Manipulation	Client-Controlled Lock Flag Manipulation	Account-Lock Bypass via Parameter Tampering	Attack	Medium	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y
63	Client Controlled Configuration Setting Manipulation	Client-Controlled Configuration Setting Manipulation	Setting Manipulation	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y			Y
64	Authentication Bypass via Referer Spoofing	Authentication Bypass via Referer Spoofing	Referer Spoofing	Attack	Major	Generic	Application-Level	Any	Web Application	Spoofing	Source URL Spoofing	Y
65	Authentication Bypass via IP Spoofing	Authentication Bypass via IP Spoofing		Attack	Major	Generic	Application-Level	Any	Application	Spoofing	Source Address Spoofing	Y
66	Authentication Bypass via Alternative IP Access	Authentication Bypass via Alternative IP Access	Alternative IP Address Encodings	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Target Destination Manipulation	Y
67	Authentication Bypass using an Alternate Path or Channel	Authentication Bypass using an Alternate Path or Channel	Authentication Bypass by Alternate Name	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Target Destination Manipulation	Y
68	Authentication Bypass via Forced Access	Authentication Bypass via Forced Browsing	Improper Authentication, Authentication Abuse	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Target Destination Manipulation	Y
69	Authorization Bypass via Forced Browsing	Authorization Bypass via Forced Browsing	Improper Authorization, Privilege Abuse	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Target Destination Manipulation	Y
70	Multiphase Process Bypass via Forced Browsing	Multiphase Process Bypass via Forced Browsing	Flow Bypass, Insufficient Process Validation	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Target Destination Manipulation	Y
71	Authentication Bypass via HTTP Verb Tampering	Authentication Bypass via HTTP Verb Tampering		Attack	Major	Generic	Application-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
72	Authorization Bypass via HTTP Verb Tampering	Authorization Bypass via HTTP Verb Tampering		Attack	Major	Generic	Application-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
73	Authentication Bypass via Session Puzzling	Authentication Bypass via Session Puzzling	Session Variable Overloading, Session Poisoning	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Session Puzzling	Y
74	User Impersonation via Session Puzzling	User Impersonation via Session Puzzling	Session Variable Overloading, Session Poisoning	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Session Puzzling	Y
75	Privilege Elevation via Session Puzzling	Privilege Elevation via Session Puzzling	Session Variable Overloading, Session Poisoning	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Session Puzzling	Y
76	Multiphase Process Bypass via Session Puzzling	Multiphase Process Bypass via Session Puzzling	Session Variable Overloading	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Session Puzzling	Y
77	Password Recovery Destination Manipulation via Session Puzzling	Password Recovery Destination Manipulation via Session Puzzling	Session Variable Overloading	Attack	Major	Generic	Application-Level	Any	Application	Forced Access	Session Puzzling	Y
78	Enumeration of Obsolete and Unreferenced Files	Enumeration of Obsolete and Unreferenced Files	Old, Backup and Unreferenced Files	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
79	Predictable Resource Location Enumeration	Predictable Resource Location Enumeration		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
80	Secret Argument Injection	Secret Argument Modification	Secret Parameter, Argument Injection, Application Backdoor	Attack	Medium	Generic	Application-Level	Any	Application	Forced Access	Target Destination Manipulation	Y
81	Generic Business Logic Attack	Generic Business Logic Attack		Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y
82	Generic Session Poisoning Attack	Generic Session Poisoning Attack	Session Poisoning, Session Data Pollution	Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Session Poisoning	Y
83	Generic Session Puzzling Attack	Generic Session Puzzling Attack		Attack	Critical	Generic	Application-Level	Any	Application	Forced Access	Session Puzzling	Y
84	Remote XSLT Inclusion	Remote XSL Inclusion	XSL Remote File Inclusion, XSLT Injection, XSLT Transform Injection	Attack	Critical	Generic	Application-Level	Any	Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
85	Perl Local File Inclusion	Perl Local File Inclusion		Attack	Major	Technology Specific	Application-Level	Perl	Web Application	Logical Input Manipulation	File Inclusion	Y	Y		Y
86	Perl Remote File Inclusion	Perl Remote File Inclusion		Attack	Critical	Technology Specific	Application-Level	Perl	Web Application	Logical Input Manipulation	Parameter Tampering	Y	Y		Y
87	ABAP Process Control	ABAP Process Control	Process Control, Dynamic Calls, Call Injection	Attack	Major	Technology Specific	Application-Level	ABAP, SAP	Web Application, SAP GUI Application	Logical Input Manipulation	Parameter Tampering	Y			Y
88	Execution of Unsigned Dormant Server Controls	Execution of Unsigned Dormant Server Controls	EodSec	Attack	Major	Technology Specific	Application-Level	ASP.Net, Mono, JSF	Web Application	Logical Input Manipulation	Protocol Manipulation	Y
89	Execution of Unvalidated Dormant Server Controls	Execution of Unvalidated Dormant Server Controls	EodSec	Attack	Major	Technology Specific	Application-Level	ASP.Net, Mono, JSF	Web Application	Forced Access	Target Destination Manipulation	Y
90	Execution of Dormant Server Controls in Unprotected Callbacks	Execution of Dormant Server Controls in Unprotected Callbacks	EodSec	Attack	Major	Technology Specific	Application-Level	ASP.Net, Mono, JSF	Web Application	Forced Access	Target Destination Manipulation	Y
91	Execution of Signed Dormant Server Controls via Cache Reuse	Execution of Signed Dormant Server Controls via Cache Reuse	EoDSeC	Attack	Major	Technology Specific	Application-Level	ASP.Net, Mono, JSF	Web Application	Logical Input Manipulation	Protocol Manipulation	Y
92	Unauthorized Administrative Interface Access	Unauthorized Administrative Interface Access	Admin Interface Exposed to the Internet	Attack	Major	Generic	Application-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
93	Execution After Redirect	Execution After Redirect	EAR	Attack	Major	Generic	Application-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
94	Cross Site Scripting	XSS		Attack	Major	Generic	Application-Level	Any	Web Application	Client Targeted Syntax Reflection	Browser Targeted Code Injection	Y	Y	Y	Y
95	DOM Cross Site Scripting	DOM XSS	DXSS	Attack	Major	Generic	Application-Level	Any	Web Application	Client Targeted Syntax Reflection	Browser Targeted Code Injection	Y
96	Unvalidated Redirect	Unvalidated Redirect	Open Redirect, External Redirect, Phishing via Redirect, URL Redirector Abuse	Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted Syntax Reflection	Target Destination Manipulation	Y	Y	Y	Y
97	Unvalidated Forward	Unvalidated Forward		Attack	Minor	Generic	Application-Level	Any	Web Application	Client Targeted Syntax Reflection	Target Destination Manipulation	Y	Y	Y	Y
98	Cross Site Scripting using Flash	Flash XSS	Flash Injection	Attack	Major	Technology Specific	Application-Level	Adobe Flash Player	Web Application	Client Targeted Syntax Reflection	Browser Targeted Code Injection	Y
99	Flash Parameter Injection	Flash Parameter Injection	FPI, Flash Injection	Attack	Major	Technology Version Specific	Application-Level	Adobe Flash Player	Web Application	Client Targeted Syntax Reflection	Flash Injection	Y
100	Cross Site Flashing	XSF	Flash Injection	Attack	Major	Technology Version Specific	Application-Level	Adobe Flash Player up to 9.0.124.0	Web Application	Client Targeted Syntax Reflection	Flash Injection	Y
101	HTTP Response Splitting	HTTP Response Splitting	HTTP Response Header Injection, CRLF Injection	Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted Syntax Reflection	CRLF Injection	Y	Y		Y
102	Reflected File Download	RFD	Malicious File Download	Attack	Major	Generic	Application-Level	Any	Web Application	Client Targeted Syntax Reflection	Deceptive Interactions	Y	Y	Y	Y
103	HTTP Response Smuggling	HTTP Response Smuggling		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Client Targeted Syntax Reflection	Protocol Manipulation	Y
104	Content Spoofing	Content Spoofing	Content Injection	Attack	Minor	Generic	Application-Level	Any	Application	Client Targeted Syntax Reflection	Deceptive Interactions	Y	Y		Y
105	Log Forging	Log Forging	Log Injection, Log Spoofing, Web Logs Tampering	Attack	Medium	Generic	Application-Level	Any	Application	Client Targeted Syntax Reflection	CRLF Injection	Y	Y		Y
106	JSON Hijacking	JSON Hijacking	Javascript Hijacking	Attack	Medium	Technology Version Specific	Application-Level	All Browsers before Firefox 21, Chrome 27, or IE 10.	Web Application	Client Targeted 3rd Party References	Session Riding	Y
107	Cross Site Script Inclusion	XSSI		Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted 3rd Party References	Session Riding	Y
108	Cross Site Request Forgery	CSRF	XSRF, Session Riding	Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted 3rd Party References	Session Riding	Y
109	Dynamic Ajax CSRF	Dynamic Ajax CSRF		Attack	Medium	Technology Version Specific	Application-Level	Any	Web Application	Client Targeted 3rd Party References	Session Riding	Y
110	Same Domain Request Forgery	SDRF		Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted 3rd Party References	Session Riding	Y
111	Clickjacking	Clickjacking	UI Redressing	Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted 3rd Party References	UI Redressing	Y
112	Frame Spoofing	Frame Spoofing		Attack	Minor	Technology Version Specific	Web-Infrastructure-Level	Outdated IE, Outdated Firefox, Netscape	Web Application	Client Targeted 3rd Party References	UI Redressing	Y
113	Cross Site WebSocket Hijacking	CSWSH		Attack	Medium	Generic	Application-Level	Any	Web Application	Client Targeted 3rd Party References	Session Riding	Y
114	DNS Rebinding	DNS Rebinding	Anti-DNS Pinning	Attack	Medium	Technology Specific	Web-Infrastructure-Level	Any	Web Application	Spoofing	Source Address Spoofing	Y
115	Malicious File Upload	Malicious File Upload	Untrestricted File Upload, Malicious File Execution	Attack	Critical	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y
116	Unrestricted File Upload	Unrestricted File Upload		Attack	Medium	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y
117	PHP Uploaded File Variables Abuse	PHP Uploaded File Variables Abuse		Attack	Major	Technology Version Specific	Application-Level	PHP prior to v4	Web Application	Abuse of Functionality	Abuse of Application Functionality	Y
118	Account Lockout Abuse	Account Lockout Abuse	Account Lockout Attack, Overly Restrictive Account Lockout Policy, Inducing Account Lockout	Attack	Medium	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y
119	SQL Sorting	SQL Sorting		Attack	Major	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y
120	Session Fixation	Session Fixation		Attack	Medium	Generic	Application-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y	Y
121	Remote Binary Planting	Remote Binary Planting	DLL Search Order Hijacking, Windows Insecure Library Loading	Attack	Critical	Generic	Application-Level	Windows	Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
122	Generic User Account Privilege Abuse	Generic User Account Privilege Abuse	Privilege Escalation	Attack	Major	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y
123	Logging of Excessive Data	Logging of Excessive Data		Attack	Minor	Generic	Application-Level	Any	Application	Abuse of Functionality	Abuse of Application Functionality	Y
124	HTTP PUT Method Abuse	HTTP PUT Attack		Attack	Critical	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
125	HTTP DELETE Method Abuse	HTTP DELETE Attack		Attack	Major	Generic	Application-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
126	Cross Site Tracing	XST	HTTP TRACE-TRACK Abuse, TRACE header reflection	Exploitation Method	Minor	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
127	HTTP WebDAV PROPPATCH Method Abuse	HTTP PROPPATCH Method Abuse		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
128	HTTP WebDAV COPY Method Abuse	HTTP COPY Method Abuse		Attack	Major	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
129	HTTP WebDAV MOVE Method Abuse	HTTP MOVE Method Abuse		Attack	Major	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
130	HTTP WebDAV MKCOL Method Abuse	HTTP MKCOL Method Abuse		Attack		Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
131	HTTP MKDIR Method Abuse	HTTP MKDIR Method Abuse		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
132	HTTP WebDAV PROPFIND WebDav Method Abuse	HTTP PROPFIND Method Abuse		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
133	HTTP CONNECT Method Abuse	HTTP CONNECT Method Abuse	Proxy Abuse	Attack	Minor	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
134	HTTP OPTIONS Method Information Disclosure	HTTP OPTIONS Information Disclosure		Attack	Informative	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
135	HTTP WebDAV LOCK Method Abuse	HTTP LOCK Method Abuse		Attack	Minor	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
136	HTTP WebDAV UNLOCK Method Abuse	HTTP UNLOCK Method Abuse		Attack	Minor	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
137	HTTP WebDAV SEARCH Method Abuse	HTTP SEARCH Method Abuse		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
138	HTTP Parameter Pollution	HPP	Improper Handling of Extra Parameters	Evasion Technique	Medium	Generic	Application-Level	Any	Web Application	Security Mechanism Bypass	Evasion Technique	Y
139	Predictable Session Identifier Abuse	Predictable Session Identifier Abuse	Predictable Session ID, Session Prediction, Session Credential Falsification	Attack	Major	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
140	CAPTCHA Re-Riding	CAPTCHA Re-Riding	CAPTCHA Accumulation	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Session Puzzling	Y
141	Client-side CAPTCHA Logic Abuse	Client-side CAPTCHA Logic Abuse	Client-side storage and hidden fields, Client-side CAPTCHA Verification	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Client-Controlled Verification Abuse	Y
142	Chosen CAPTCHA Text Abuse	Chosen CAPTCHA Text Abuse	Client-generated CAPTCHA, The Chosen CAPTCHA Text attack	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Client-Controlled Verification Abuse	Y
143	Arithmetic CAPTCHA Abuse	Arithmetic CAPTCHA Abuse	Arithmetic CAPTCHA	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Client-Controlled Verification Abuse	Y
144	Chosen CAPTCHA Identifier Abuse	Chosen CAPTCHA Identifier Abuse	Chosen CAPTCHA Identifier	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
145	CAPTCHA Rainbow Tables	CAPTCHA Rainbow Tables		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Enumeration	Y
146	CAPTCHA Fixation	CAPTCHA Fixation		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Race Condition	Y
147	In-Session CAPTCHA Brute-forcing	In-Session CAPTCHA Brute-forcing		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
148	OCR-assisted CAPTCHA Brute-forcing	OCR-assisted CAPTCHA Brute-forcing	Weak CAPTCHA	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
149	Limited CAPTCHA Repository Abuse	Limited CAPTCHA Repository Abuse	Limited Set CAPTCHAs	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Enumeration	Y
150	CAPTCHA Clipping	CAPTCHA Clipping	Impersonating CAPTCHA Providers	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Service Provider Impersonation	Y
151	Missing CAPTCHA Abuse	Missing CAPTCHA Abuse	Excessive Feature Abuse, Missing CAPTCHA	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Enumeration	Y
152	Missing Account Lockout Abuse	Missing Account Lockout Abuse		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Enumeration	Y
153	Session Stored Lockout Flags Abuse	Session Stored Lockout Flags Abuse		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Session Puzzling	Y
154	Session Stored Lockout Counter Abuse	Session Stored Lockout Counter Abuse		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Session Puzzling	Y
155	Weak Lockout Policy Abuse	Weak Lockout Policy Abuse	Weak Account Lockout	Attack	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
156	Insecure Password Recovery Process Abuse	Insecure Password Recovery Initiation Destination	Weak Password Recovery, Insufficient Password Recovery, Insecure Password Recovery Process	Vulnerability	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
157	EL3 Injection	EL3 Injection	Lambda Injection	Attack	Critical	Technology Specific	Application-Level	Java, EL3	Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
158	Weak Recovery Answer Enumeration	Weak Recovery Answer Enumeration	Unrestricted Recovery Question Answer Attempts Abuse	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Enumeration	Y
159	Insufficient Logging Abuse	Insufficient Logging Abuse	Insufficient Logging	Vulnerability	Minor	Generic	Application-Level, Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
160	Log Repudiation Attack	Log Repudiation Attack	Repudiation Attack	Attack	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Parameter Tampering	Y
161	Credentials Enumeration in Login	Username Enumeration in Login	Email Enumeration in Login	Attack	Medium	Generic	Application-Level	Any	Application	Resource Mapping	Dictionary Attack	Y
162	Credentials Enumeration in Password Recovery	Username Enumeration in Password Recovery	Email Enumeration in Password Recovery	Attack	Medium	Generic	Application-Level	Any	Application	Resource Mapping	Dictionary Attack	Y
163	Credentials Enumeration in Registration	Username Enumeration in Registration	Email Enumeration in Registration	Attack	Medium	Generic	Application-Level	Any	Application	Resource Mapping	Dictionary Attack	Y
164	Generic Credential Enumeration	Generic Username Enumeration	Generic Email Enumeration	Attack	Medium	Generic	Application-Level	JEE	Application	Resource Mapping	Dictionary Attack	Y
165	Password Disclosure in Password Recovery	Password Disclosure in Password Recovery		Vulnerability	Minor	Generic	Application-Level	Any	Application	Server Side Information Exposure	Credential Information Disclosure to Client	Y
166	Generic Password Disclosure	Generic Password Disclosure		Vulnerability	Minor	Generic	Application-Level	Any	Application	Server Side Information Exposure	Credential Information Disclosure to Client	Y
167	Sensitive Information Disclosure in Log Files	Sensitive Information Disclosure in Log Files	Information Leak Through Log Files	Vulnerability	Minor	Generic	Application-Level	Any	Application	Local Information Exposure	Local Information Disclosure in Server	Y
168	Missing Encryption of Sensitive Data	Missing Encryption of Sensitive Data	Insecure Storage	Vulnerability	Minor	Generic	Application-Level	Any	Application	Local Information Exposure	Local Credential Information Disclosure in Server	Y
169	Inadequate Storage Encryption Key Strength	Inadequate Storage Encryption Key Strength	Weak Encryption, Insecure Encryption Key Length, Insecure Encryption Attributes	Vulnerability	Minor	Generic	Application-Level, Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
170	Insecure Storage Cryptographic Algorithm	Insecure Storage Cryptographic Algorithm		Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
171	Weak Credential Hashing Algorithm	Insecure Credential Hashing Algorithm	Reversible One-Way Hash, Insecure Storage, Weak Cryptographic Hash	Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
172	Unsalted Hash	Unsalted Hash		Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
173	Hard-coded Cryptographic Key	Hard-coded Cryptographic Key		Vulnerability	Minor	Generic	Application-Level	Any	Application	Local Information Exposure	Local Information Disclosure in Server	Y
174	Hard-coded Credentials	Hard-coded Credentials	Hard-coded Password	Vulnerability	Minor	Generic	Application-Level	Any	Application	Local Information Exposure	Local Information Disclosure in Server	Y
175	Missing Required Cryptographic Step	Missing Required Cryptographic Step		Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
176	Padding Oracle	Padding Oracle	Padding Oracle Crypto Attack	Attack	Major	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
177	SSL Renegotiation	SSL Renegotiation		Attack	Medium	Technology Version Specific	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
178	SSL Version Rollback	SSL Version Rollback	Cipher Suite Rollback	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
179	Browser Exploit Against SSL TLS	BEAST	BEAST Attack	Attack	Major	Technology Version Specific	Web-Infrastructure-Level	Any	Web Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
180	Compression Ratio Info-leak Made Easy	CRIME	CRIME Attack	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
181	Timing Info-leak Made Easy	TIME	TIME Attack	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
182	Browser Reconnaissance Exfiltration via Adaptive Compression of Hypertext	BREACH	BREACH Attack	Attack	Major	Generic	Web-Infrastructure-Level	Any	Web Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
183	RC4 TLS Attack	RC4 Attack		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
184	Lucky 13 Attack	Lucky 13	Lucky Thirteen	Attack	Medium	Technology Version Specific	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
185	OpenSSL Change Cipher Spec MITM Injection	SSL CCS MITM	CCS Injection	Attack	Medium	Technology Version Specific	Web-Infrastructure-Level	OpenSSL	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
186	Padding Oracle On Downgraded Legacy Encryption	POODLE		Attack		Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
187	Unencrypted Communication Eavesdropping	Unencrypted Communication Eavesdropping	Insufficient Transport Layer Protection, Lack of Transport Layer Encryption	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Insecure Communication Abuse	Information Dislcosure in Insecure Communication	Y
188	SSL Stripping	SSL Stripping		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Insecure Communication Abuse	Man In The Middle Attack	Y
189	Credentials Transported over Unencrypted Channel	Credentials Eavesdropping from Unencrypted Channel		Attack	Major	Generic	Web-Infrastructure-Level	Any	Application	Insecure Communication Abuse	Information Dislcosure in Insecure Communication	Y
190	Session Hijacking via Eavesdropping	Session Hijacking	Session Sidejacking	Attack	Major	Generic	Web-Infrastructure-Level	Any	Application	Insecure Communication Abuse	Information Dislcosure in Insecure Communication	Y
191	Encryption Brute Forcing	Weak Cipher Brute Forcing	Weak Cipher Support	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
192	Weak X509 Asymmetric SSL Key-Pair	Weak SSL Key-Pair Brute Forcing	Insecure Transport Layer Protection	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
193	Insecure SSL Protocol Support	Insecure SSL Protocol Support		Vulnerability	Medium	Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
194	Invalid SSL Certificate	Invalid SSL Certificate		Vulnerability	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
195	Expired SSL Certificate	Expired SSL Certificate		Vulnerability	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
196	Stolen Expired Certificate Abuse	Stolen Expired Certificate Abuse	Improper Validation of Certificate Expiration	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
197	Stolen Revoked Certificate Abuse	Stolen Revoked Certificate Abuse	Missing Check for Certificate Revocation after Initial Check	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
198	Valid Certificate Abuse for Another Domain	Valid Certificate Abuse for Another Domain		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
199	Fake Chain-of-Trust Certificate Abuse	Broken Chain-of-Trust Certificate Abuse		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
200	Endpoint Impersonation in an Encrypted Communication Channel	Endpoint Impersonation in an Encrypted Communication Channel	Lack of Certificate Validation	Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Spoofing	Signature Spoofing	Y
201	Session Replay	Session Replay	Authentication Bypass by Capture-Replay, Reusing Session ID	Attack	Medium	Generic	Application-Level, Web-Infrastructure-Level	Any	Application	Insecure Communication Abuse	Replay Attack	Y
202	Man-In-The-Middle	MITM		Attack	Medium	Generic	Web-Infrastructure-Level	Any	Application	Insecure Communication Abuse	Man In The Middle Attack	Y
203	Password Brute Forcing		Weak Password Policy	Exploitation Method	Medium	Generic	Application-Level	Any	Application	Resource Mapping	Dictionary Attack	Y
204	Weak Password Policy	Weak Password Policy		Vulnerability	Medium	Generic	Application-Level	Any	Application	Resource Mapping	Dictionary Attack	Y
205	Weak Default Password Generation	Weak Initial Password Generation		Vulnerability	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
206	Directory and File Brute Forcing	Dir and File Brute Forcing	Informative 404 Messages, Web-based Directory Enumeration	Attack	Minor	Generic	Web-Infrastructure-Level	Any	Application	Resource Mapping	Dictionary Attack	Y
207	Ineffective Session Termination	Ineffective Session Termination	Ineffective Logout	Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
208	Weak Password Recovery Question Selection	Weak Recovery Question Selection		Vulnerability	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
209	Unrestricted Password Recovery Initiation Attempts Abuse	Unrestricted Recovery Initiation	Unlimited Password Recovery Initiation	Attack	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
210	Predictable Password Recovery Initiation Challenge	Predictable Password Recovery Token Enumeration		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
211	Persistent Password Recovery Token	Persistent Password Recovery Token	Ineffective Password Recovery Process Termination	Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
212	Password Recovery Destination Manipulation via Parameter Tampering	Recovery Destination Manipulation via Parameter Tampering		Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y
213	Incomplete Session Termination in SSO	Incomplete Session Termination in SSO		Attack	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
214	Persistent Session Lifespan	Persistent Session Lifespan		Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
215	Cross Context Scripting	XCS		Attack	Critical	Generic	Custom Browser Extension, Browser	Any	Application	Client Targeted Syntax Reflection	Browser Targeted Code Injection	Y	Y		Y
216	Insufficient Logout Visibility	Insufficient Logout Visibility		Vulnerability	Minor	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
217	Insufficient Session Expiration	Insufficient Session Expiration		Vulnerability	Minor	Generic	Web-Infrastructure-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
218	Predictable Anti-CSRF Token Abuse	Predictable Anti-CSRF Token Abuse		Attack	Medium	Generic	Application-Level	Any	Web Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
219	Anti-CSRF Verification Bypass	Anti-CSRF Verification Bypass		Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Weak Mechanism Abuse	Y
220	Buffer Overflow via Malicious Input	Buffer Overflow	Stack Overflow, Heap Overflow	Attack	Critical	Generic	Application-Level	Any, Except managed code without external calls	Application	Memory Level Attacks	Memory Overflow	Y	Y		Y
221	Buffer Overflow via Client Extension Initialization Params	Buffer Overflow against Custom Browser Controls	Overflow Variables and Tags	Attack	Major	Generic	Custom Browser Extension, Browser, Client Application	Any	Web Application	Memory Level Attacks	Memory Overflow	Y
222	Use After Free	Use After Free		Vulnerability	Major	Generic	Application-Level	Any, Excluding managed code without external calls	Application	Memory Level Attacks	Memory Corruption	Y
223	SOAP Array Overflow	SOAP Array Overflow	SOAP Array Attack	Attack	Major	Generic	Application-Level	Any	Web Application, Web Service	Memory Level Attacks	Memory Overflow	Y
224	Double Free	Double Free		Vulnerability	Medium	Generic	Application-Level	Any, Excluding managed code without external calls	Application	Memory Level Attacks	Memory Corruption	Y
225	Memory Leak	Memory Leak		Vulnerability	Medium	Generic	Application-Level	Any	Application	Memory Level Attacks	Memory Corruption	Y
226	Null Dereference	Null Dereference		Vulnerability	Medium	Generic	Application-Level	Any	Application	Memory Level Attacks	Memory Corruption	Y
227	Expired Pointer Dereference	Expired Pointer Dereference		Vulnerability	Medium	Generic	Application-Level	Any, Excluding managed code without external calls	Application	Memory Level Attacks	Memory Corruption	Y
228	Buffer Underwrite	Buffer Underwrite		Vulnerability	Medium	Generic	Application-Level	Any, Excluding managed code without external calls	Application	Memory Level Attacks	Memory Overflow	Y
229	User Controlled Memory Pointer Reference	User Controlled Memory Pointer Reference		Attack	Major	Generic	Application-Level	Any	Application	Memory Level Attacks	Memory Corruption	Y
230	Integer Overflow	Integer Overflow		Attack	Medium	Generic	Application-Level	Any	Application	Memory Level Attacks	Memory Corruption	Y
231	Time of Check to Time of Use Transaction Race Condition	TOCTTOU Transaction Race Condition	TOCTTOU	Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
232	IIS Short File Name Disclosure	IIS Short File Name Enumeration		Attack	Major	Technology Version Specific	Web-Infrastructure-Level	IIS	Web Application	Insecure Configuration Abuse	Web Server Misconfiguration Abuse	Y
233	Cross-Domain Search Timing	Cross-Domain Search Timing	Pixel Perfect Timing Attacks	Attack	Minor	Generic	Application-Level	Any	Web Application	Timed Attacks	Response Time Analysis	Y
234	Context Switching Race Condition	Context Switching Race Condition		Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
235	Time of Check to Time of Use File Access Race Condition	TOCTTOU File Access Race Condition	TOCTTOU, Race Condition	Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
236	Exposure of Data Element to Wrong Session via Data Race Condition	Member Field Race Condition	Exposure of Data Element to Wrong Session, Singleton Member Field Race Condition, Shared Field Race Condition, Static Field Race Condition	Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
237	Temporal Session Race Conditions via Line Targeted ADoS	Temporal Session Race Conditions		Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
238	Single Handler Race Condition	Single Handler Race Condition		Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
239	Switch-Case Race Condition	Switch-Case Race Condition		Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
240	Alternate Channel Race Condition	Alternate Channel Race Condition		Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
241	Link Following Race Condition	Link Following Race Condition		Attack	Medium	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
242	Permission Race Condition During Resource Copy	Permission Race Condition During Resource Copy		Attack	Major	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
243	Generic Race Condition within a Thread	Generic Race Condition within a Thread		Attack	Medium	Generic	Application-Level	Any	Application	Timed Attacks	Race Condition	Y
244	Regular Expression DoS	ReDOS	RegEx DoS	Attack	Medium	Generic	Application-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
245	Forced Deadlock	Forced Deadlock	Unrestricted Externally Accessible Lock	Attack	Major	Generic	Application-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
246	Database Connection Pool Consumption	Database Connection Pool Consumption	Insufficient Resource Pool	Attack	Medium	Generic	Application-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
247	Web Server Thread Pool Occupation	Web Server Thread Occupation	Slowloris DoS Attack, RUDY Attack	Attack	Major	Generic	Web-Infrastructure-Level	Any	Web Application	Application Denial of Service	Application Resource Consumption	Y
248	HTTP Fragmentation Attack	HTTP Fragmentation Attack	RUDY Attack, R U Dead Yet Attack	Attack	Major	Generic	Web-Infrastructure-Level	Any	Web Application	Application Denial of Service	Application Resource Consumption	Y
249	THC SSL Denial of Service	THC-SSL-DoS		Attack	Major	Generic	Web-Infrastructure-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
250	XML Bomb	XML Bomb	Billion Laughs Attack, XML Quadratic Blowup - Variation	Attack	Major	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
251	Client Controlled Action Type Manipulation via Parameter Tampering	Client Controlled Action Type Manipulation via Parameter Tampering		Attack	Major	Generic	Application-Level	Any	Application	Logical Input Manipulation	Parameter Tampering	Y			Y
252	Floating Point DoS	Floating Point DoS	Magic Number DoS, PHP 2.2250738585072011e-308 Vulnerability, Java Numeric DoS, Mark-of-the-Beast	Attack	Medium	Technology Version Specific	Application-Level	PHP, Java, JSP	Application	Application Denial of Service	Application Resource Consumption	Y
253	Hash Flooding DoS	Hash Collision DoS	Magic Hash DoS, HashDoS	Attack	Medium	Generic	Application-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
254	Directory Indexing	Directory Listing	Directory Browsing	Attack	Medium	Generic	Application-Level	Any	Web Application	Server Side Information Exposure	Server side Information Disclosure to Client	Y
255	HTTP Flood	HTTP Flood	HTTP GET Flood, HTTP POST Flood, XML Flood, SSL Flood	Attack	Minor	Generic	Application-Level	Any	Web Application	Application Denial of Service	Application Resource Consumption	Y
256	Generic Resource Exhaustion	Resource Exhaustion	XML Ping of Death - Variant	Attack	Medium	Generic	Application-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
257	ShellShock	ShellShock		Attack	Critical	Technology Version Specific	Web-Infrastructure-Level	Any	Application	Prominent Known Vulnerabilities	Shared Library Exploit	Y
258	HeartBleed	HeartBleed		Attack	Critical	Technology Version Specific	Web-Infrastructure-Level	OpenSSL	Web Application, Web Service	Prominent Known Vulnerabilities	Shared Library Exploit	Y
259	XML Schema Poisoning	XML Schema Poisoning	WSDL Metadata Spoofing	Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Logical Input Manipulation	Protocol Manipulation	Y
260	XML Signature - Key Retrieval Cross Site Attack	XML Signature - Key Retrieval XSA		Attack	Major	Generic	Application-Level	Any	Web Application, Web Service	Logical Input Manipulation	File Inclusion	Y
261	SOAP Coercive Parsing	SOAP Coercive Parsing		Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
262	SOAPAction Spoofing	SOAPAction Spoofing		Attack	Major	Generic	Application-Level	Any	Web Application, Web Service	Forced Access	Target Destination Manipulation	Y
263	WSDL Disclosure	WSDL Disclosure		Vulnerability	Minor	Generic	Application-Level	Any	Web Application, Web Service	Server Side Information Exposure	Server side Information Disclosure to Client	Y
264	XML Rewriting	XML Signature Wrapping		Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Security Mechanism Bypass	Weak Mechanism Abuse	Y
265	XML Routing Detour	XML Routing Detour		Attack	Major	Generic	Application-Level	Any	Web Application, Web Service	Logical Input Manipulation	Protocol Manipulation	Y
266	XML Signature and Encryption Transformation DOS	XML Transformation DOS	C14N DOS, XSLT DOS, Xpath DOS	Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
267	XML Signature - Key Retrieval DOS	XML Signature - Key Retrieval DOS		Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
268	XML Entity Reference Attack	XML Entity Reference Attack	DTD Entity Reference Attack	Attack	Minor	Generic	Application-Level	Any	Web Application, Web Service	Server Side Information Exposure	Server side Information Disclosure to Client	Y
269	Remote Timing Attack	Remote Timing Attack	Cache-timing Attack - Cryptography Variant, Remote side channel attack	Attack	Medium	Generic	Application-Level	Any	Application	Resource Mapping	Enumeration	Y
270	Winshock	Winshock	MS14-066, CVE-2014-6321	Attack	Critical	Generic	Web-Infrastructure-Level	Any	Application	Prominent Known Vulnerabilities	Shared Library Exploit	Y
271	HTML5 Cross Origin Resource Sharing Functionality Abuse	CORS Functionality Abuse		Attack	Major	Generic	Application-Level	Any	Web Application	Insecure Configuration Abuse	Web Application Misconfiguration Abuse	Y
272	WebView Injection	WebView Injection		Attack	Medium	Generic	Application-Level	Android	Mobile Application	Client Targeted Syntax Reflection	Browser Targeted Code Injection	Y
273	Intent Intercept	Intent Intercept	Unauthorized Intent Receipt	Attack	Medium	Technology Specific	Application-Level	Android	Mobile Application	Malicious Client Application	Information Dislcosure in Insecure Communication	Y
274	Intent Spoof	Intent Spoof	Intent Injection	Attack	Medium	Technology Specific	Application-Level	Android	Mobile Application	Malicious Client Application	Source Address Spoofing	Y
275	Unauthorized WebSocket Access	Unauthorized WebSocket Access		Attack	Major	Generic	Application-Level	Any	Web Application	Forced Access	Target Destination Manipulation	Y
276	Oversized XML DoS	Over-sized XML DoS	XML Document Size Attack	Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
277	XML Reference Redirect DoS	XML Reference Redirect DoS		Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
278	SOAP Recursive Cryptography DoS	SOAP Recursive Cryptography DoS		Attack	Medium	Generic	Application-Level	Any	Web Application, Web Service	Application Denial of Service	Application Resource Consumption	Y
279	Referral Flood of Trusted Entities	Referral Flood of Trusted Entities	WS-Addressing Spoofing - Variant, Anti-DDoS Service Abuse for Blocking Trusted Entities	Attack	Medium	Generic	Application-Level	Any	Application	Application Denial of Service	Application Resource Consumption	Y
280	UDDI Impersonation	UDDI Spoofing	ebXML Spoofing	Attack	Medium	Generic	Social-Level	Any	Web Service	Phishing	Web Service Consumer Phishing	Y
281	Memcached Injection	Memcached Injection		Attack	Critical	Generic	Application-Level	Any	Web Application	Server Side Syntax Injection	Code Injection	Y	Y		Y
282	Source Code Disclosure via Accessible Source Code Folder	Source Code Disclosure via Accessible Folder	WEB-INF Directory Information Disclosure, bin Directory Information Disclosure	Attack	Major	Generic	Application-Level	ASP.Net, JSP	Web Application	Forced Access	Target Destination Manipulation	Y
283	User Impersonation via Social Login Design Flaw	SpoofedMe		Attack	Major	Generic	Application-Level	Any	Web Application	Abuse of Functionality	Abuse of Application Functionality	Y
284	Hash Length Extension Attack	Hash Length Extension	Signature Forgery, Hash Function Extension	Attack	Medium	Generic	Application-Level	Any	Application	Security Mechanism Bypass	Cryptanalysis Attack	Y
285	Surf Jacking	Surf Jacking		Attack	Medium	Generic	Application-Level	Any	Web Application	Insecure Communication Abuse	Man In The Middle Attack	Y
286	Browser User Agent Impersonation	User Agent Impersonation		Attack	Minor	Generic	Application-Level	Any	Web Application	Spoofing	Type Spoofing	Y
287	Subdomain Takeover via Abuse of Domain Service Provider Subdomain Claims	Subdomain Takeover via Abuse of Subdomain Claims		Attack	Major	Generic	Infrastructure-Level	Any	Domain	Abuse of Functionality	Abuse of Infrastructure Functionality	Y
288	Search Engine Impersonation	Search Engine Impersonation		Evasion Technique	Medium	Generic	Web-Infrastructure-Level	Any	Web Application	Spoofing	Type Spoofing	Y