Introduction
This is a standardization of the set of weaknesses that serves as the basis for the security analysis performed by Fluid Attacks. It is an ever-evolving effort, since new weakness types arise every day.
Access Subversion
- 005 – Privilege escalation
- 006 – Authentication mechanism absence or evasion
- 007 – Cross-site request forgery
- 013 – Insecure object reference
- 018 – Improper authentication for shared folders
- 024 – Unrestricted access between network segments - AWS
- 027 – Insecure file upload
- 031 – Excessive privileges - AWS
- 039 – Improper authorization control for web services
- 042 – Insecurely generated cookies
- 051 – Cracked weak credentials
- 056 – Anonymous connection
- 057 – Asymmetric denial of service - Content length
- 062 – Concurrent sessions
- 068 – Insecure session expiration time
- 075 – Unauthorized access to files - APK Content Provider
- 076 – Insecure session management
- 081 – Lack of multi-factor authentication
- 115 – Security controls bypass or absence
- 126 – Lack of isolation methods
- 128 – Insecurely generated cookies - HttpOnly
- 129 – Insecurely generated cookies - SameSite
- 130 – Insecurely generated cookies - Secure
- 157 – Unrestricted access between network segments
- 158 – Unrestricted access between network segments - Azure AD
- 159 – Excessive privileges
- 160 – Excessive privileges - Temporary Files
- 163 – Insecure digital certificates
- 201 – Unauthorized access to files
- 202 – Unauthorized access to files - Debug APK
- 203 – Unauthorized access to files - Cloud Storage Services
- 205 – Insufficient Physical Access Controls
- 206 – Security controls bypass or absence - Anti hooking
- 207 – Security controls bypass or absence - SSLPinning
- 208 – Security controls bypass or absence - Antivirus
- 209 – Security controls bypass or absence - Emulator
- 210 – Security controls bypass or absence - Facial Recognition
- 212 – Security controls bypass or absence - Cloudflare
- 240 – Authentication mechanism absence or evasion - OTP
- 241 – Authentication mechanism absence or evasion - AWS
- 242 – Authentication mechanism absence or evasion - WiFi
- 243 – Authentication mechanism absence or evasion - Admin Console
- 244 – Authentication mechanism absence or evasion - BIOS
- 279 – Root detection control bypass
- 280 – Session Fixation
- 286 – Insecure object reference - Personal information
- 287 – Insecure object reference - Corporate information
- 288 – Insecure object reference - Financial information
- 295 – Insecure session management - Change Password
- 298 – Authentication mechanism absence or evasion - Redirect
- 299 – Authentication mechanism absence or evasion - JFROG
- 300 – Authentication mechanism absence or evasion - Azure
- 301 – Concurrent sessions control bypass
- 305 – Security controls bypass or absence - Data creation
- 306 – Insecure object reference - Files
- 307 – Insecure object reference - Data
- 310 – Unauthorized access to screen
- 311 – Unrestricted access between network segments - JSch
- 325 – Excessive privileges - Wildcards
- 328 – Insecure object reference - Session management
- 337 – Insecure session management - CSRF Fixation
- 345 – Security controls bypass or absence - Session Invalidation
- 346 – Excessive privileges - Mobile App
- 348 – Insecure digital certificates - Lifespan
- 350 – Insecure digital certificates - Chain of trust
- 354 – Insecure file upload - Files Limit
- 368 – Unrestricted access between network segments - StrictHostKeyChecking
- 369 – Insecure object reference - User deletion
- 370 – Authentication mechanism absence or evasion - Security Image
- 374 – Security controls bypass or absence - Debug Protection
- 375 – Security controls bypass or absence - Tampering Protection
- 376 – Security controls bypass or absence - Reversing Protection
- 436 – Security controls bypass or absence - Fingerprint
- 455 – Excessive LLM agency
- 457 – Unrestricted access between network segments - databases
Data Manipulation
- 098 – External control of file name or path
- 103 – Insufficient data authenticity validation - APK signing
- 111 – Out-of-bounds read
- 123 – Local file inclusion
- 204 – Insufficient data authenticity validation
- 327 – Insufficient data authenticity validation - Images
- 355 – Insufficient data authenticity validation - Checksum verification
- 377 – Insufficient data authenticity validation - Device Binding
- 383 – Insecurely generated token - OTP
- 389 – Insufficient data authenticity validation - JAR signing
- 453 – Data and model poisoning
Deceptive Interactions
- 023 – Uncontrolled external site redirect - Host Header Injection
- 032 – Spoofing
- 078 – Insecurely generated token
- 084 – MDNS spoofing
- 086 – Missing subresource integrity check
- 097 – Reverse tabnabbing
- 100 – Server-side request forgery (SSRF)
- 114 – Phishing
- 156 – Uncontrolled external site redirect
- 182 – Email spoofing
- 309 – Insecurely generated token - JWT
- 318 – Insecurely generated token - Validation
- 322 – Insecurely generated token - Lifespan
- 360 – Clickjacking
- 408 – Traceability Loss - API Gateway
- 456 – AI misinformation
Functionality Abuse
- 002 – Asymmetric denial of service
- 003 – Symmetric denial of service
- 014 – Insecure functionality
- 033 – Password change without identity check
- 048 – Lack of root detection
- 055 – Insecure service configuration - ADB Backups
- 058 – Debugging enabled in production - APK
- 060 – Insecure service configuration - Host verification
- 061 – Remote File Inclusion
- 064 – Traceability loss - Server's clock
- 065 – Cached form fields
- 067 – Improper resource allocation
- 070 – Insecure service configuration - ELB
- 073 – Improper authorization control for web services - RDS
- 079 – Non-upgradable dependencies
- 087 – Account lockout
- 088 – Privacy violation
- 093 – Hidden fields manipulation
- 095 – Data uniqueness not properly verified
- 101 – Lack of protection against deletion
- 102 – Email uniqueness not properly verified
- 108 – Improper control of interaction frequency
- 109 – Unrestricted access between network segments - RDS
- 110 – HTTP request smuggling
- 113 – Improper type assignation
- 117 – Unverifiable files
- 118 – Regulation infringement
- 120 – Improper dependency pinning
- 122 – Email flooding
- 124 – Race condition
- 138 – Inappropriate coding practices
- 140 – Insecure exceptions - Empty or no catch
- 143 – Inappropriate coding practices - Eval function
- 145 – Inappropriate coding practices - Cyclomatic complexity
- 164 – Insecure service configuration
- 165 – Insecure service configuration - AWS
- 166 – Insecure service configuration - Kerberoast
- 167 – Insecure service configuration - Wireless Certificates
- 168 – Insecure service configuration - Keystore
- 169 – Insecure service configuration - Keys
- 170 – Insecure service configuration - Antivirus
- 171 – Insecure service configuration - Firewall
- 172 – Insecure service configuration - App Backup
- 173 – Insecure service configuration - Backup
- 174 – Insecure service configuration - Backdoor
- 175 – Insecure service configuration - DNS
- 176 – Insecure service configuration - SSH
- 177 – Insecure service configuration - Security Groups
- 178 – Insecure service configuration - RDP
- 179 – Insecure service configuration - SMB
- 180 – Insecure service configuration - SMTP
- 181 – Insecure service configuration - DynamoDB
- 183 – Debugging enabled in production
- 200 – Traceability loss
- 211 – Asymmetric denial of service - ReDoS
- 231 – Message flooding
- 233 – Incomplete functional code
- 255 – Insecure functionality - Pass the hash
- 256 – Lack of protection against deletion - RDS
- 257 – Lack of protection against deletion - EC2
- 258 – Lack of protection against deletion - ELB
- 259 – Lack of protection against deletion - DynamoDB
- 260 – Insecure Binary compilation
- 267 – Excessive Privileges - Kubernetes
- 268 – Insecure service configuration - Webview
- 270 – Insecure functionality - File Creation
- 271 – Insecure functionality - Password management
- 272 – Insecure functionality - Masking
- 273 – Insecure functionality - Fingerprint
- 278 – Insecure exceptions - NullPointerException
- 285 – Insecure service configuration - App Transport Security
- 293 – Insecure service configuration - Key pair
- 294 – Insecure service configuration - OTP
- 302 – Insecure functionality - Session management
- 304 – Inappropriate coding practices - Performance
- 308 – Enabled default configuration
- 312 – Insecure service configuration - Signatures
- 313 – Insecure service configuration - Certificates
- 314 – Insecure service configuration - DB
- 315 – Insecure service configuration - CloudDB
- 316 – Improper resource allocation - Buffer overflow
- 317 – Improper resource allocation - Memory leak
- 319 – Insecure service configuration - Roles
- 320 – Insecure service configuration - LDAP
- 324 – Insecure functionality - User management
- 333 – Insecure service configuration - EC2
- 334 – Insecure service configuration - IAM
- 335 – Insecure service configuration - Bucket
- 338 – Insecure service configuration - Salt
- 339 – Insecure service configuration - Request Validation
- 343 – Insecure service configuration - BREACH Attack
- 347 – Insecure service configuration - Task Hijacking
- 352 – Insecure service configuration - Non Masked Variables
- 356 – Symmetric denial of service - SMTP
- 357 – Symmetric denial of service - FTP
- 358 – Insecure service configuration - DocumentBuilderFactory
- 366 – Inappropriate coding practices - Transparency Conflict
- 380 – Supply Chain Attack - Docker
- 381 – Supply Chain Attack - Terraform
- 382 – Insufficient data authenticity validation - Front bypass
- 384 – Inappropriate coding practices - Wildcard export
- 386 – Cross-Site Leak - Frame Counting
- 387 – Insecure service configuration - Object Reutilization
- 391 – Inappropriate coding practices - Unused properties
- 392 – Security controls bypass or absence - Firewall
- 393 – Use of software with known vulnerabilities in development
- 394 – Insufficient data authenticity validation - Cloudtrail Logs
- 395 – Insecure generation of random numbers - Static IV
- 396 – Insecure service configuration - KMS
- 398 – Fragment Injection
- 399 – Security controls absence - Monitoring
- 400 – Traceability Loss - AWS
- 401 – Insecure service configuration - AKV Secret Expiration
- 402 – Traceability Loss - Azure
- 403 – Insecure service configuration - usesCleartextTraffic
- 404 – OS Command Injection
- 405 – Excessive privileges - Access Mode
- 410 – Dependency Confusion
- 411 – Insecure encryption algorithm - Default encryption
- 412 – Lack of protection against deletion - Azure Key Vault
- 413 – Insecure file upload - DLL Injection
- 414 – Insecure service configuration - Header Checking
- 415 – Insecure service configuration - Container level access policy
- 416 – XAML injection
- 417 – Account Takeover
- 418 – Insecure service configuration - Docker
- 419 – Traceability Loss - Kubernetes
- 420 – Password reset poisoning
- 423 – Inappropriate coding practices - System exit
- 426 – Supply Chain Attack - Kubernetes
- 428 – Inappropriate coding practices - invalid file
- 431 – Supply Chain Attack - Lock Files
- 432 – Inappropriate coding practices - relative path command
- 437 – Supply Chain Attack - GitHub Actions
- 443 – Insecure service configuration - Business logic
- 444 – Sensitive Information in Auto-Generated Screenshots
- 445 – Bucket takeover
- 446 – Insecure service configuration - Azure
- 447 – Supply Chain Attack - Gradle
Information Collection
- 009 – Sensitive information in source code
- 011 – Use of software with known vulnerabilities
- 016 – Insecure encryption algorithm - SSL/TLS
- 017 – Sensitive information sent insecurely
- 019 – Administrative credentials stored in cache memory
- 020 – Non-encrypted confidential information
- 022 – Use of an insecure channel
- 025 – Call interception
- 026 – User enumeration
- 028 – Insecure temporary files
- 030 – Sensitive information sent via URL parameters
- 036 – ViewState not encrypted
- 037 – Technical information leak
- 038 – Business information leak
- 040 – Exposed web services
- 046 – Missing secure obfuscation - APK
- 047 – Automatic information enumeration
- 052 – Insecure encryption algorithm
- 054 – Exposed administrative services
- 059 – Sensitive information stored in logs
- 066 – Technical information leak - Console functions
- 069 – Weak CAPTCHA
- 080 – Business information leak - Customers or providers
- 082 – Insecurely deleted files
- 085 – Sensitive data stored in client-side storage
- 092 – Insecure encryption algorithm - Anonymous cipher suites
- 094 – Insecure encryption algorithm - Cipher Block Chaining
- 099 – Non-encrypted confidential information - S3 Server Side Encryption
- 116 – XS-Leaks
- 119 – Metadata with sensitive information
- 125 – Directory listing
- 133 – Insecure encryption algorithm - Perfect Forward Secrecy
- 142 – Sensitive information in source code - API Key
- 147 – Insecure encryption algorithm - SSLContext
- 148 – Use of an insecure channel - FTP
- 149 – Use of an insecure channel - SMTP
- 150 – Use of an insecure channel - useSslProtocol()
- 151 – Use of an insecure channel - Telnet
- 161 – Missing secure obfuscation
- 162 – Missing secure obfuscation - binary
- 213 – Business information leak - JWT
- 214 – Business information leak - Credentials
- 215 – Business information leak - Repository
- 216 – Business information leak - Source Code
- 217 – Business information leak - Credit Cards
- 218 – Business information leak - Network Unit
- 219 – Business information leak - Redis
- 220 – Business information leak - Token
- 221 – Business information leak - Users
- 222 – Business information leak - DB
- 223 – Business information leak - JFROG
- 224 – Business information leak - AWS
- 225 – Business information leak - Azure
- 226 – Business information leak - Personal Information
- 227 – Business information leak - NAC
- 228 – Business information leak - Analytics
- 229 – Business information leak - Power BI
- 230 – Business information leak - Firestore
- 232 – Technical information leak - Angular
- 234 – Technical information leak - Stacktrace
- 235 – Technical information leak - Headers
- 236 – Technical information leak - SourceMap
- 237 – Technical information leak - Print Functions
- 238 – Technical information leak - API
- 239 – Technical information leak - Errors
- 245 – Non-encrypted confidential information - Credit Cards
- 246 – Non-encrypted confidential information - DB
- 247 – Non-encrypted confidential information - AWS
- 248 – Non-encrypted confidential information - LDAP
- 249 – Non-encrypted confidential information - Credentials
- 250 – Non-encrypted hard drives
- 251 – Non-encrypted confidential information - JFROG
- 252 – Automatic information enumeration - Open ports
- 253 – Automatic information enumeration - AWS
- 254 – Automatic information enumeration - Credit Cards
- 261 – Insecure encryption algorithm - DSA
- 262 – Insecure encryption algorithm - SHA1
- 263 – Insecure encryption algorithm - MD5
- 264 – Insecure encryption algorithm - TripleDES
- 265 – Insecure encryption algorithm - AES
- 266 – Excessive Privileges - Docker
- 269 – Insecure encryption algorithm - Blowfish
- 275 – Non-encrypted confidential information - Local data
- 276 – Sensitive information sent via URL parameters - Session
- 281 – Use of an insecure channel - Cloud Infrastructure
- 282 – Insecure encryption algorithm - ECB
- 283 – Automatic information enumeration - Personal Information
- 284 – Non-encrypted confidential information - Base 64
- 289 – Technical information leak - Logs
- 290 – Technical information leak - IPs
- 291 – Business information leak - Financial Information
- 326 – Sensitive information in source code - Dependencies
- 331 – User Enumeration - Wordpress
- 332 – Use of insecure channel - Source code
- 336 – Business information leak - Corporate information
- 342 – Technical information leak - Alert
- 349 – Technical information leak - Credentials
- 351 – Automatic information enumeration - Corporate information
- 359 – Sensitive information in source code - Credentials
- 367 – Sensitive information in source code - Git history
- 372 – Use of an insecure channel - HTTP
- 373 – Use of an insecure channel - Oracle Database
- 378 – Non-encrypted confidential information - Hexadecimal
- 385 – Non-encrypted confidential information - Keys
- 406 – Non-encrypted confidential information - EFS
- 407 – Non-encrypted confidential information - EBS Volumes
- 409 – Non-encrypted confidential information - DynamoDB
- 421 – Insecure encryption algorithm - Insecure Elliptic Curve
- 427 – Use of an insecure channel - Docker
- 433 – Non-encrypted confidential information - Redshift Cluster
- 435 – Use of software with known vulnerabilities in environments
- 439 – Sensitive information in source code - IP
- 441 – Non-encrypted confidential information - Azure
- 448 – Use of software with malware
Probabilistic Techniques
- 034 – Insecure generation of random numbers
- 035 – Weak credential policy
- 041 – Enabled default credentials
- 050 – Guessed weak credentials
- 053 – Lack of protection against brute force attacks
- 277 – Weak credential policy - Password Expiration
- 296 – Weak credential policy - Password Change Limit
- 330 – Lack of protection against brute force attacks - Credentials
Protocol Manipulation
- 015 – Insecure authentication method - Basic
- 043 – Insecure or unset HTTP headers - Content-Security-Policy
- 044 – Insecure HTTP methods enabled
- 071 – Insecure or unset HTTP headers - Referrer-Policy
- 131 – Insecure or unset HTTP headers - Strict Transport Security
- 132 – Insecure or unset HTTP headers - X-Content-Type-Options
- 134 – Insecure or unset HTTP headers - CORS
- 135 – Insecure or unset HTTP headers - X-XSS Protection
- 136 – Insecure or unset HTTP headers - Cache Control
- 137 – Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
- 152 – Insecure or unset HTTP headers - X-Frame Options
- 153 – Insecure or unset HTTP headers - Accept
- 329 – Insecure or unset HTTP headers - Content-Type
- 388 – Insecure authentication method - NTLM
- 397 – Insecure authentication method - LDAP
- 440 – Insecure or unset HTTP headers - Permissions-Policy
- 449 – Insecure authentication method
System Manipulation
Unexpected Injection
- 001 – SQL injection - C Sharp SQL API
- 004 – Remote command execution
- 008 – Reflected cross-site scripting (XSS)
- 010 – Stored cross-site scripting (XSS)
- 012 – SQL injection - Java Persistence API
- 021 – XPath injection
- 045 – HTML code injection
- 063 – Lack of data validation - Path Traversal
- 083 – XML injection (XXE)
- 089 – Lack of data validation - Trust boundary violation
- 090 – CSV injection
- 096 – Insecure deserialization
- 105 – Apache lucene query injection
- 106 – NoSQL injection
- 107 – LDAP injection
- 112 – SQL injection - Java SQL API
- 121 – HTTP parameter pollution
- 127 – Lack of data validation - Type confusion
- 141 – Lack of data validation - URL
- 146 – SQL injection
- 154 – Time-based SQL Injection
- 155 – SQL Injection - Headers
- 184 – Lack of data validation
- 185 – Lack of data validation - Header x-amzn-RequestId
- 186 – Lack of data validation - Web Service
- 187 – Lack of data validation - Source Code
- 188 – Lack of data validation - Modify DOM Elements
- 189 – Lack of data validation - Content Spoofing
- 190 – Lack of data validation - Session Cookie
- 191 – Lack of data validation - Responses
- 192 – Lack of data validation - Reflected Parameters
- 193 – Lack of data validation - Host Header Injection
- 194 – Lack of data validation - Input Length
- 195 – Lack of data validation - Headers
- 196 – Lack of data validation - Dates
- 197 – Lack of data validation - Numbers
- 198 – Lack of data validation - Out of range
- 199 – Lack of data validation - Emails
- 274 – Restricted fields manipulation
- 297 – SQL injection - Code
- 321 – Lack of data validation - HTML code
- 323 – XML injection (XXE) - Unmarshaller
- 340 – Lack of data validation - Special Characters
- 341 – Lack of data validation - OTP
- 344 – Lack of data validation - Non Sanitized Variables
- 353 – Lack of data validation - Token
- 361 – Missing secure obfuscation - JavaScript
- 362 – Technical information leak - Content response
- 363 – Weak credential policy - Password strength
- 364 – Weak credential policy - Temporary passwords
- 365 – Authentication mechanism absence or evasion - Response tampering
- 371 – DOM-Based cross-site scripting (XSS)
- 390 – Prototype Pollution
- 422 – Server side template injection
- 425 – Server side cross-site scripting
- 429 – Universal cross-site scripting (UXSS)
- 430 – Serverless - one dedicated IAM role per function
- 434 – Client-side template injection
- 438 – Error-based SQL Injection
- 442 – SMTP header injection
- 450 – Blind-based SQL injection
- 451 – OData injection
- 452 – Prompt injection
- 454 – Improper output handling