Functionality Abuse

The server is rendered unresponsive as a result of one of the following: - An amplification attack, which uses a single request to produce multiple responses. - A single malicious request that breaks the application or consumes an enormous amount of resources.

Functionality Abuse

The server is rendered unresponsive by successively repeating a request which consumes a lot of resources or takes too long to be processed.

Unexpected Injection

The system builds OS commands using inputs that can be manipulated externally, it does not correctly neutralize special elements that could modify the OS command.

Access Subversion

Due to an insecure role configuration, it is possible to obtain administrative access or privileges using a standard user account.

Access Subversion

The system lacks an authentication mechanism or has one that can be bypassed. Therefore, an attacker can access resources that should be protected without having an active session.

Access Subversion

The applications configuration allows an attacker to trick authenticated users into executing actions without their consent.

Unexpected Injection

The web application dynamically generates web content without validating the source of the potentially untrusted data.

Information Collection

The source code repository contains sensitive information such as usernames, passwords, email addresses and IP addresses, among others. Alternatively, while values may be password=123 o aws.secret_key=test, they reveal the bad practice of storing sensitive information in the repository with no encryption, and sooner or later they can be replaced for real sensitive values.

Unexpected Injection

It is possible to persistently inject JavaScript code into the application fields. This could allow an attacker to compromise the session of any user who enters the platform or to distribute malicious software.

Information Collection

The system uses the version of a software or dependency with known vulnerabilities.

Unexpected Injection

Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. When using LIKE-conditions with values that are coming from a not secure source in the Java Persistence API, the values should be sanitized so they can't contain any wildcards and thereby allow attackers to select more data than they should be able to. For this purpose the escape(String) method is available.

Access Subversion

The systems authorization mechanism does not prevent one user from accessing another users data by modifying the key value that identifies it.

Functionality Abuse

A functionality that is part of the system can be leveraged by an attacker in order to negatively impact it.

Protocol Manipulation

The server uses Basic authentication over an insecure channel.

Information Collection

The server allows the usage of insecure TLS protocol versions.

Information Collection

The system sends sensitive information through a channel or method which does not guarantee its confidentiality or integrity.

Access Subversion

The folders that are shared over the network do not require any authentication to be accessed.

Information Collection

It is possible to retrieve administrative credentials from the systems cache memory.

Information Collection

Confidential information is stored in plain text allowing an attacker to view it without any type of encryption.

Unexpected Injection

Dynamic XPath statements are generated without the required data validation.

Information Collection

The system transmits information through a channel without encryption.

Deceptive Interactions

The server processes requests with the Host header set and redirects clients to any destination.

Access Subversion

The infrastructure definition for network segments in the AWS context is too permissive.

Information Collection

It is possible to intercept calls made using the VoIP platform because the communication is not encrypted.

Information Collection

The system provides different responses for existent and non-existent users, allowing an attacker to enumerate valid users via error messages, response times, frames count, among other techniques.

Access Subversion

The system allows the upload of files with two extensions or with unsafe ones, such as .html, .php or .exe. Furthermore, the system does not validate whether or not the file is free from malicious code.

Information Collection

The system uses temporary files to store sensitive information. Alternatively, the system deploys sensitive temporary files to the production environment.

System Manipulation

The system does not perform an adequate control of the size of the files that can be uploaded to the server.

Information Collection

The system sends sensitive information via URL parameters using the GET method. These parameters are: - Stored in clear text in the browser history. - Sent to external sites via the referrer HTTP header. - Sent to external sites via the search bar if the browser interprets the URL as a query. - Visible to scripts running on the browser that may belong to third-parties.

Access Subversion

The application, a user or a role have more privileges than they require. This can be leveraged by an attacker to execute normally restricted actions on a system.

Deceptive Interactions

It is possible to perform actions in the application and make it look as if they were performed by the system or another user. Examples include sending messages that appear to come from the system and modifying data in the name of other users (who may have more privileges).

Functionality Abuse

The system allows a user to change their password without requesting the previous one or enforcing another identity verification mechanism.

Probabilistic Techniques

The system uses insecure functions, insufficient ranges or low-entropy components to generate random numbers. This could allow an attacker to guess the generation sequence after a short time or predict results using probabilistic methods.

Probabilistic Techniques

The systems credential policy is not compliant with security regulations.

Information Collection

The state information of application forms that is stored in the ViewState is not encrypted.

Information Collection

It is possible to obtain technical information such as: - System component versions (HTTP headers, service banner, etc.) - Specific information about the configuration of server components (php.ini, web.config)

Information Collection

It is possible to obtain business information, such as: - Username list - Strategic information - Employees information - Clients information - Providers information

Access Subversion

The systems web services do not have an authorization control mechanism or the one in place can be bypassed.

Information Collection

The systems WSDL file contains sensitive information and is exposed to a larger audience than required.

Probabilistic Techniques

It is possible to use low-strength, default credentials to access system resources, such as the database.

Access Subversion

The system does not set security attributes for sensitive cookies, which could cause them to be sent in plain text or disclosed by unauthorized users on the client side.

Protocol Manipulation

The application has unsafe configurations regarding the Content-Security-Policy header. This may be because: - Header is missing from server responses. - The header has not defined mandatory security policies. - Defined security policies contain insecure values.

Protocol Manipulation

HTTP methods such as TRACE, PUT and DELETE are enabled on the server. These methods may allow an attacker to include and/or delete files, or perform cross-site tracing attacks.

Unexpected Injection

The applications fields allow the injection of HTML code. This could enable attackers to modify the applications appearance in order to trick its users into performing undesired actions.

Information Collection

It is possible to obtain source code of the application because it has not been obfuscated using a secure mechanism. This could allow an attacker to understand the inner workings of the application or get technical or sensitive information.

Information Collection

It is possible to automatically enumerate system information such as open ports, available services and users personal data.

Functionality Abuse

The application does not check whether the Android system on which it is running has been rooted.

Probabilistic Techniques

The system credentials low complexity considerably reduces the amount of time required to guess them. This allows an attacker to have quicker success when executing a brute force attack.

Access Subversion

The low complexity of the hashes stored in the database considerably reduces the amount of time required to crack them.

Information Collection

The application uses insecure encryption algorithms.

Probabilistic Techniques

The system does not have appropriate protection mechanisms against automated attacks designed to guess credentials.

Information Collection

One or more of the systems administration consoles are exposed (possibly on the internet), which may lead to unauthorized access attempts.

Functionality Abuse

The application allows backups via ADB (Android Debug Bridge). The backups performed by this functionality are not encrypted. Sensitive data of authenticated users can be included in the backup, and this data can be extracted by a non-authenticated attacker. Additionally, data can be copied into a USB stick and be moved out of the sphere of control of the application.

Access Subversion

Due to an improper configuration of the server (e.g., an FTP service with username: anonymous and password: guest or an SMTP open relay), it is possible to make anonymous connections to it and access otherwise protected resources.

Access Subversion

The Content-Length field specifies the size of the transmitted form of data after the request header. In an attack, the Content-Length field contains a very high value, meaning the server will expect to receive a large amount of data. The header of the spoofed request is then validly terminated, then an attacker waits and sends another small piece of data before the connection termination timer expires. In this way, the connection keeps dangerously active.

Functionality Abuse

The system has debugging enabled in the production environment, which can cause technical information leaks when an error occurs.

Information Collection

The system stores sensitive information such as credentials, bank accounts and file paths in log files.

Functionality Abuse

The system does not properly restrict incoming connections from unknown external hosts.

Functionality Abuse

The application allows to load and execute malicious files from remote locations. This practice may allow an attacker to retrieve sensitive data from the server or execute commands remotely.

Access Subversion

The application does not validate the number of active sessions each user has, thus a user can login more than once at the same time. Furthermore, the application does not notify the user when a session has already been initiated nor when a second one commences from a different location.

Unexpected Injection

The software uses external input to construct a pathname that is intended to identify a file or directory but it does not properly neutralize or validate special elements within the pathname.

Functionality Abuse

The systems internal clock is not synced with NTP servers.

Functionality Abuse

The application does not disable caching of input fields, thus the information will be stored in the browser's cache.

Information Collection

The application uses console functions: log, info, warning. The usage of these functions in productions environments may lead to information leakages and reveal vulnerable methods, technologies, or logic.

Functionality Abuse

The system allocates unnecessary resources due to the use of improper programming practices or inefficient algorithms. Alternatively, the allocation can be controlled by an external source (e.g., user input), and hence, requests that consume an enormous amount of resources are processed without any restriction.

Access Subversion

User sessions do not expire after 5 minutes of inactivity.

Information Collection

The system uses an insecure CAPTCHA implementation that allows the usage of optical recognition tools to automatically pass it.

Functionality Abuse

A misconfiguration or default setting on Elastic Load Balancers that can cause to unintentionally increase the attack surface of the company cloud infrastructure.

Protocol Manipulation

The server is missing the Referrer-Policy HTTP header. Alternatively, the headers configuration is unsafe.

Functionality Abuse

Some RDS instances can be publicly accessible, which can compromise the stored information.

Access Subversion

The Content Provider API allows third party applications installed in the device to retrieve data stored by the application. Access to this data must not be allowed to all applications by default. Instead, (and only if required) specific allow-lists must be used.

Access Subversion

The session token does not expire when the user terminates the session and can be used to post requests afterwards.

System Manipulation

It is possible to supersede other MAC addresses in the network because the associated switch lacks protection mechanisms, such as PortSecurity.

Deceptive Interactions

It is possible to crack the token's hash and obtain the information it is masking because it is not generated using a secure cryptographic mechanism.

Functionality Abuse

Dependencies are not explicitly declared (name and version) within the source code. They are copied directly into the repositories.

Information Collection

Sensitive information such as customer or providers lists, emails, phone numbers or identifiers can be obtained from the application.

Access Subversion

Critical services of the system, such as databases, shared resources containing sensitive information and web services, are not protected by a multi-factor authentication mechanism. This makes it easier for an attacker who has compromised a user's account to access those resources.

Information Collection

It is possible to retrieve deleted files with sensitive information because they were merely sent to the Recycle Bin or removed using insecure protocols.

Unexpected Injection

It is possible to inject XML code into the application's requests, which is then interpreted by the server. This could allow an attacker to perform data exfiltration or execute commands remotely.

Deceptive Interactions

The configuration of the MDNS services allows an attacker to spoof IP addresses effectively hijacking them or causing a denial-of-service. Alternatively, due to a lack of certain security measures, it is possible to intercept requests to mDNS services and obtain information about the connected devices.

Information Collection

The application stores sensitive information in the client-side storage (localStorage or sessionStorage). This exposes the information to unauthorized read operations.

Deceptive Interactions

The application does not properly check the integrity of resources loaded from third-party servers.

Functionality Abuse

It is possible to cause account lockouts, effectively blocking users from accessing the system.

Functionality Abuse

The system violates one or more privacy requirements.

Unexpected Injection

The system mixes trusted and untrusted data in the same data structure or structured message.

Unexpected Injection

It is possible to inject formulas into fields that are later exported as part of CSV files and can be interpreted by Excel.

System Manipulation

The system logs entries that contain input from untrusted sources without properly validating, sanitizing or escaping their content.

Information Collection

The application allows connections with anonymous cipher suites.

Functionality Abuse

It is possible to modify fields that are invisible to the regular user and cause undesired behaviors in the application.

Information Collection

The application uses algorithms with insecure cipher block chaining.

Functionality Abuse

The application does not properly validate the uniqueness of the data, allowing an attacker to reuse or regenerate information that should be valid for one use only.

Unexpected Injection

The system deserializes objects without first validating their content nor casting them to a specific type.

Deceptive Interactions

The system allows the introduction of a link to an external site controlled by a malicious actor. This site can then redirect the user to a different site in the original tab, making it look like a legitimate redirect performed by the system.

Data Manipulation

It is possible to modify the path to which an uploaded file will be saved.

Information Collection

Some S3 buckets do not explicitly enable the Server-Side-Encryption (SSE) property. So the stored objects are not encrypted at rest, exposing their content to leaks by attackers or unauthorized users.

Deceptive Interactions

It is possible to induce the application's server into making requests to an arbitrary domain.

Functionality Abuse

The system does not prevent critical objects from being deleted accidentally.

Functionality Abuse

The system allows the plus character in the email registration process. An attacker could abuse this feature to create several accounts pointing to the same email.