Vulnerability Knowledge Base
Security vulnerability encyclopedia with real code examples, detection guidance, and remediation steps. Each entry maps to a vulnerability Offensive360 SAST detects automatically.
Broken Access Control / IDOR
CriticalBroken access control and IDOR flaws let attackers read or modify resources they don't own. Learn detection patterns and secure authorization fixes.
Broken Authentication
CriticalBroken authentication lets attackers compromise passwords, session tokens, or user identities. Learn how to detect and fix weak login mechanisms.
Clickjacking / UI Redress Attack
MediumClickjacking tricks users into clicking invisible iframe overlays. Learn how X-Frame-Options and Content Security Policy prevent UI redress attacks.
Cross-Site Request Forgery (CSRF)
HighCSRF tricks authenticated users into submitting malicious requests. Learn how CSRF tokens, SameSite cookies, and origin validation stop these attacks.
Cross-Site Scripting (XSS)
HighXSS occurs when applications include untrusted data in web pages without proper encoding, allowing attackers to execute malicious scripts in victims' browsers.
Hardcoded Credentials and Secrets
HighHardcoded credentials embed passwords, API keys, and secrets in source code or configs. Learn how to detect leaked secrets and manage them securely.
HTTP Response Splitting
HighHTTP response splitting injects CRLF sequences into headers, enabling cache poisoning and XSS. Learn how to detect and prevent header injection.
Insecure Deserialization
HighInsecure deserialization of untrusted data lets attackers run arbitrary code or tamper with logic. Learn safe formats, validation, and detection tips.
Insecure File Upload (CWE-434): Exploit & Fix
HighInsecure file upload (CWE-434) lets attackers upload webshells for RCE. Fix with extension allow-lists, magic byte checks, and safe storage paths.
Insecure JWT Implementation
HighInsecure JWT implementations let attackers forge tokens and bypass authentication. Learn pitfalls like algorithm confusion, none alg, and weak secrets.
Insecure Randomness
MediumInsecure randomness uses predictable generators for tokens, session IDs, and OTPs, letting attackers guess them. Learn which secure APIs to use.
LDAP Injection
HighLDAP injection lets attackers manipulate directory queries to bypass authentication and extract sensitive data. Learn how to detect and prevent it.
Log Injection / Log Forging
MediumLog injection lets attackers forge log entries using newline characters, hiding malicious activity. Learn input sanitization and safe logging practices.
Mass Assignment
HighMass assignment lets attackers set unintended model properties via extra HTTP request fields. Learn how DTOs and property allow-lists prevent it.
Missing Security Headers
LowMissing security headers expose apps to clickjacking, MIME sniffing, and XSS. Learn which HTTP headers are essential and how to configure them.
NoSQL Injection (MongoDB)
HighNoSQL injection manipulates MongoDB queries via operator injection, enabling auth bypass and data theft. Learn detection and prevention techniques.
Open Redirect
MediumOpen redirect flaws send users from a trusted site to a malicious URL, enabling phishing and credential theft. Learn how to detect and prevent them.
OS Command Injection
CriticalOS command injection passes unsanitized input to a system shell, letting attackers run arbitrary commands. Learn detection and prevention by language.
Path Traversal
HighPath traversal lets attackers read files outside intended directories using ../ sequences in file paths. Learn detection and prevention by language.
Prototype Pollution
HighPrototype pollution lets attackers inject properties into JavaScript's Object.prototype, enabling RCE or privilege escalation. Learn how to prevent it.
Race Condition / TOCTOU
HighRace conditions and TOCTOU flaws exploit gaps between check and use in concurrent code, enabling privilege escalation. Learn detection and safe patterns.
Sensitive Data Exposure in Logs
MediumSensitive data in logs, like passwords, tokens, PII, and card numbers, creates security and compliance risk. Learn to detect and mask logged secrets.
Server-Side Request Forgery (SSRF)
HighServer-Side Request Forgery makes a server send requests to attacker-chosen URLs, exposing internal services and cloud metadata. Learn how to prevent it.
Server-Side Template Injection (SSTI)
CriticalSSTI evaluates user input as template code on the server, leading to remote code execution. Learn detection and prevention in Jinja2, Twig, and Razor.
SQL Injection (SQLi)
CriticalSQL injection concatenates untrusted input into queries, letting attackers read or modify database contents. Learn detection and prevention by language.
Use of Broken or Weak Cryptographic Algorithms
MediumInsecure cryptography uses broken or misconfigured algorithms, exposing data to decryption and tampering. Learn which algorithms to avoid and use.
Weak Password Hashing
HighWeak password hashing (MD5, SHA-1, unsalted hashes) lets attackers crack stolen hashes fast. Learn proper storage with bcrypt, Argon2, and PBKDF2.
XML External Entity (XXE) Injection
HighXML External Entity (XXE) injection abuses external entities in parsed XML to read local files or perform SSRF. Learn secure parser configuration.
XML Injection
MediumXML injection inserts malicious content into XML documents, causing data corruption and access control bypass. Learn detection and validation fixes.
XPath Injection
HighXPath injection manipulates XML queries to bypass authentication and extract data. Learn how to detect it and use parameterized XPath safely.
Detect all of these in your code automatically
Offensive360 SAST scans your codebase for every vulnerability in this library — and hundreds more. Get a full security report in minutes.
Start a Free Scan