Your handy all in one vulnerability cheat sheet

Unrestricted File Upload

File upload vulnerability arises when a web server allows users to upload files to its filesystem without any restrictions or validation against things like file content, file type, and size. Failing to apply these restrictions may result that the attacker can upload some malicious files into the web server

Missing Session Timeout

A session timeout is an event occurring when a user does not perform any action on a website during a time frame which leads to making the session status invalid and instructs the web server to destroy it. Missing Session Timeout happens when the application doesn't time out the session or the time frame is very long thus allowing an attacker having the user session to use it without limitations

Remote Command Execution (RCE)

Remote Command Execution also known as Arbitrary Code Execution, is a vulnerability that allows an attacker to remotely run malicious code within the target system on the local network or over the Internet. RCE can be exploited if the user's input is injected into a File or a String and executed (evaluated) by the programming language's parser, thus possibly giving the attackers a chance to fully compromise the vulnerable server/application. Usually, this behavior is not intended by the developers. The attack is usually prefaced by reconnaissance and information gathering, in which the attacker uses automated scanning tools to identify the vulnerable version of the software. Once identified, the attacker tries to leverage exploitation scripts to execute commands hoping to gain local administrative access on the host

Directory Traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application by manipulating variables that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system). This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".

Insecure Direct Object References (IDOR)

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application provides direct access to objects based on user-supplied input. This can occur when a web application or API uses an identifier for direct access to an object in an internal database but does not check for any type of access control or authentication.

HTTP Request Smuggling

HTTP request smuggling is an attack technique that is conducted by interfering with the processing of requests between the frontend and backend servers. The attacker exploits the vulnerability by modifying the request to include another request in the first request’s body. The severity of this issue depends on the system and the attack scenario, it can be used to bypass security controls, attack other users, etc..

Denial of Service

A denial of Service attack, also known as DoS attack is a type of cyber attack targeting machine or network resources availability. It can range in duration and may target one system or more at a time. It's intended to prevent legitimate users from using the system as in normal conditions. Generally, there are two methods of DoS attack: flooding services or crashing services. Flood attacks occur when a system or network receives too much traffic that can’t be handled by the current resources, causing them to slow down, or completely become unavailable. Crashing services attacks, simply exploit vulnerabilities that can cause the target system to crash or become unstable to use.

Concurrent Sessions

The application does not validate the number of active sessions each user has, thus a user can log in more than once at the same time.

Insecure Authentication

Insecure or weak authentication for mobile applications allows an attacker to authenticate himself anonymously, it is fairly prevalent due to the common weak mobile devices input factor, 4-digit PINs are a great example of it. Either a weak password policy due to usability requirements or authentication based on features like TouchID makes your application vulnerable. Contrary to what you may think, unlike passwords, you may be forced to give up your fingerprint.

Insufficient Cryptography

Insufficient Cryptography is common in most systems that leverage encryption whether it is a mobile, desktop, or even firmware. There are two fundamental ways that broken cryptography is manifested within apps, The first depends on processes used to encrypt and decrypt, and the second depends on the encryption and decryption algorithm. which both result in the unauthorized retrieval of sensitive information from the system. The severity of this issue is highly dependent on the system and exploitation method.

UnProtected Console Port

An unprotected console port vulnerability refers to a security weakness in a network device's console port, which is used for administrative access and management purposes. If left unsecured, unauthorized individuals may be able to access sensitive information or make unauthorized changes to the device's configuration, potentially causing harm to the network or disrupting operations. Console Ports can exist in different forms for example: (RJ-45, USB Type A , B , C or USB Mini)

Exposed UART Interfaces

UART interface is a hardware device (physical circuit in the controller or a standalone IC) used for asynchronous serial communication. It enables the translation of data between the serial and parallel interfaces utilizing a shift register. It is the most commonly used in embedded devices. The communication directly takes place between two UARTs. The UART interface on the transmitting side handles the parallel data and covers it in serial form. It then transmits the data serially to the UART interface on the receiving side. The receiving UART interface takes in the serial data and converts it back to the parallel to give it to the receiving side's controlling device. It communicates using two signal lines RX (receiver) and TX (transmitter). The data from the TX pin on the transmitting UART interface is received at the RX pin on the receiving UART interface.

Error-Based SQL Injection

Error Based SQL Injection is an in-band SQL injection technique that allows hackers to take advantage of the database’s error output. One of the communication channels of the server is utilized to launch an attack and retrieve information using in-band injections. This is the easiest and most common intrusion technique used by an attacker. You can force data extraction by using a vulnerability in which the code will output a SQL error rather than the required data from the server.

Server-Side Request Forgery (SSRF)

A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs or send requests externally. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal. Typically, attackers supply a URL (or modify an existing one) and the code running on the server reads or submits data to it or even generate empty request to it. Attackers can manipulate URLs to gain access to internal data and services that were not meant to be exposed – including HTTP-enabled databases and server configuration data.

DOM-Based Cross-Site Scripting (DXSS)

DOM-based XSS (also known as DOM XSS or type-0 XSS ) arises when an application contains some client-side JavaScript that's being executed as a result of modifying the DOM “environment” in the victim’s browser by passing malicious JavaScript payload to a sink that supports dynamic code execution, such as `eval()` or `innerHTML`. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.

Blind SQL Injection

Blind SQL Injection is a type of SQL Injection attack that exists when the application doesn’t necessarily return the return of a SQL query to the front end, unlike in-band SQL Injection, the SQLi query doesn’t return direct output to the application thus it may take longer for the attacker to exploit. Blind SQL Injection has three types: Boolean-Based SQLi Boolean-Based (Content-Based) Blind SQLi technique asks the database True or False questions and determines the answer based on the application's response. Depending on the result, the content within the HTTP response will change, or remain the same. Time-Based SQLi Time-Based SQLi technique analyzes and checks if there is a delay in the request-response based on injecting a time-intensive operation payload, and by performing a boolean check and performing a delay or not, the main down back of this type is that it requires a stable internet connection to differentiate extract data correctly. Out-of-Band (OOB) SQLi Out-of-Band (OOB) SQLi technique where an attacker uses external resources to exfiltrate data from the database by performing HTTP or DNS requests to an external server, the main down back of this technique is that it depends on the capability of a database system to initiate outbound DNS or HTTP request may need to rely on the function available.

Stored Cross Site Scripting

Stored Cross-Site Scripting (also known as second-order or persistent XSS) arises when the vulnerable web application receives user-supplied input from untrusted sources and stores it in places such as database, message forum, visitor log, comment field. The malicious content also gets included in later HTTP responses sent by the server. It’s the most damaging type of XSS , If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user browser for the same origin that is vulnerable to XSS .

Cross-Site Request Forgery (CSRF)

'Cross-site Request Forgery' is an attack that forces authenticated users to submit an unwanted request to a Web application against which they are currently authenticated. CSRF attack works because browser requests automatically include all cookies including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate authorized requests and forged authenticated requests.

Improper Error Handling

Improper Error Handling, also known as Error Handling Flaws occur when an error message that’s displayed to an end user provides clues about how an application or website operates. It would be a serious risk when detailed internal error messages such as database dumps, stack traces, and error codes are displayed to the user (attacker). Even if the error message doesn't provide a lot of details, inconsistencies in such messages can still reveal important clues on how a site works or what system/back-end is present. Sometimes it may also lead to sensitive information disclosure. The severity of improper error handling is scenario dependent, means in some scenarios this error exposes critical information and in other scenarios non-sensitive information thus the severity must be calculated for each scenario.

Reflected Cross Site Scripting (RXSS)

'Reflection' is when a web application returns the data entered by a user via request into the web application response. 'Reflected Cross-Site Scripting' or 'RXSS' is a type of 'Browser Side Attacks or Client Side Attacks' attack where an attacker abuse the reflection and inexistence of input sanitization to inject JavaScript code into victim's responses to take control of their browsers, execute malicious code to steal session cookies, or even redirect them to other pages. Any reflected parameter of an application is suspected to be vulnerable but the most severe parameters are 'GET' parameters where an attacker can simply use the nature of 'GET' parameters where is being sent inside the URL to reflect malicious code into the victim responses. If the reflection happens via 'POST' parameter or what is sometimes referred to as 'Self Cross-Site Scripting' or 'SXSS' an attacker may not be able to exploit the reflection scenario unless there's no 'CSRF' protection. Sometimes an attacker may not be able to injection JavaScript Code, hence an attacker may try to inject another type of code such as HTML which is known as 'HTML Injection' to trick users into performing actions, or CSS code which is known as 'CSS Injection'