Bug Bounty Wiki

User Tools

Site Tools

Trace: web-based_attacks
web-based_attacks

Web-Based Attack Vectors:

Abuse of Callback Functionality

Access Control Bypass

Account Takeover

Adaptive-Chosen Ciphertext Attacks

Application-Level Denial-of-Service

Arbitrary/Unrestricted File Upload

Authentication Bypass

BPEL Instantiation Flooding

BPEL Indirect Flooding

BPEL State Deviation

BPEL Correlation Invalidation

BPEL State Invalidation

Broken Link Hijacking

Business Logic Vulnerabilities

Cache Deception

Cache Poisoning

Cache Probing

Clickjacking

Client Sided Template Injection (CSTI)

Coercive Parsing

Code Injection

Command Injection

Content Forgery

CORB (Cross-Origin Read Blocking) Leaks

CORP (Cross-Origin Resource Policy) Leaks

CORS Bypass

Cross Site Search (XS-Search)

Cross Site Scripting (XSS)

Cross Site Script Inclusion (XSSi)

Cross Site Framing

Cross Site History Manipulation (XSHM)

Cross Site Flashing (XSF)

Cross Site Tracing (XST)

Cross Site Request Forgery (CSRF)

Cross Site Timing Attack

Cross Site Port Attack (XSPA)

Cross Site WebSocket Hijacking

CRLF Injection

CSP (Content Security Policy) Bypass

CSS Injection

CSV Excel Macro Injection (CEMI)

Dangling Markup Injection

Directory Traversal

Direct Dynamic Code Evaluation

DNS Rebinding

DNS Zone Transfer Attacks

Edge-side inclusion injection

Element Leaks

Email Injections

Execution After Redirect (EAR)

Eval Injection

Forced Browsing

Full Path Disclosure (FPD)

Frame Counting

GraphQL Injection

Hop-by-hop header attacks

HTML Injection (HTMLi)

HTTP Host Header Injection

HTTP Parameter Pollution

HTTP Request Smuggling/Response Splitting

HTTP Verb Tampering

Information Disclosure

Insecure Cryptographic Storage

Insecure Deserialization (Mass Assignment / Object Injection)

Insecure Direct Object Reference (IDOR)

Insufficient Entropy / Insecure PRNG's

Java Remote Method Invocation (RMI) RCE

JSON Injection

JSONP Injection

JWT (JSON Web Token) Vulnerabilities

LaTeX Injection

Local File Disclosure (LFD)

Local File Inclusion (LFI)

Log Injection/Forgery

LDAP Injection

Malicious Morphing

Metadata Spoofing

NoSQL Injection

OAuth Misconfigurations

On-Site Request Forgery (OSRF)

Open Redirect

Oversized XML DoS

Padding Oracle Attacks

PostMessage Vulnerabilities

Privilege Escalation

Race Conditions

Rate Limit Bypass

Recursive Cryptography DoS

ReDoS (Regex-based DoS)

Reference Redirect

Reflected File Download (RFD)

Relative Path Overwrite (RPO)

Remote Command Execution (RCE)

Remote XSL Inclusion

Remote File Inclusion (RFI)

Resource Exhaustion

Resource Injection

Reverse Tabnabbing

Rogue SQL Server Attack

Routing Detour

Same Origin Method Execution (SOME)

SAML Injection

Session Fixation

Session Prediction

Session Puzzling

Session Splicing/Fragmentation

Server-Sided Request Forgery (SSRF)

Server-Sided Template Injection (SSTI)

SOAPAction Spoofing

SOAP Array Attack

SOAP Parameter DoS

SOAP Replay Attack

SOP (Same Origin Policy) Bypass

Special Element Injection

SSI Injection

SQL Injection (SQLi)

Subdomain Takeover

Timing Attacks

Type Juggling / Type Coercion

Unicode Normalization

Unsafe String Replacement

Unvalidated Automatic Library Activation

Upgrade Header Smuggling

WS-Addressing Spoofing

WSDL Disclosure

XML Document Size Attack

XML External Entity Injection (XXE)

XML Entity Expansion

XML Entity Reference Attack

XML Injection (XMLi)

XML Signature Exclusion

XML Signature-Transformations DoS

XML Signature Wrapping (XML Rewriting)

XPATH Injection

XSLT Server-Sided Injection

web-based_attacks.txt · Last modified: 2022/09/18 08:44 by shasec

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki