Security Vulnerabilities

Attackers manipulate database queries through user input to steal or destroy data.

Hardcoded Secrets

API keys and passwords embedded directly in source code, exposed in repositories.

OWASP A02:2021

Cross-Site Scripting (XSS)

Malicious scripts injected into web pages, stealing user data or hijacking sessions.

Missing Authentication

Endpoints accessible without login, exposing sensitive data or functionality.

OWASP A07:2021

IDOR

Users access other users' data by changing IDs in URLs or requests.

Broken Access Control

Users perform actions or access data beyond their permissions.

CSRF

Attackers trick users into performing unwanted actions on authenticated sites.

Insecure CORS

Overly permissive cross-origin settings allow unauthorized data access.

OWASP A05:2021

Missing Rate Limiting

No limits on API requests, enabling brute force and DoS attacks.

OWASP A04:2021

Sensitive Data Exposure

Personal or financial data transmitted or stored without proper protection.

OWASP A02:2021

Insecure Deserialization

Untrusted data deserialized without validation, enabling code execution.

OWASP A08:2021

JWT Vulnerabilities

Weak JWT implementation allowing token forgery or session hijacking.

OWASP A02:2021

Mass Assignment

Users modify restricted fields by adding extra parameters to requests.

OWASP A04:2021

Open Redirect

Low

Attackers redirect users to malicious sites via trusted URLs.

Path Traversal

Attackers access files outside intended directories using ../ sequences.

SSRF

Server makes requests to attacker-controlled URLs, accessing internal resources.

OWASP A10:2021

SSTI

User input in templates enables server-side code execution.

XXE

Malicious XML exploits parsers to read files or make server requests.

OWASP A05:2021

Command Injection

User input executed as system commands, giving attackers server access.

NoSQL Injection

Query operators injected into MongoDB/Firestore queries to bypass auth or extract data.