Skip to main content

Free 30-min security demo  — We'll scan your real code and show live findings, no commitment Book Now

Offensive360
Home / Knowledge Base

Vulnerability Knowledge Base

Security vulnerability encyclopedia with real code examples, detection guidance, and remediation steps. Each entry maps to a vulnerability Offensive360 SAST detects automatically.

5 Critical 7 Medium 17 High 1 Low 30 total entries

Broken Access Control / IDOR

Critical

Broken access control and IDOR flaws let attackers read or modify resources they don't own. Learn detection patterns and secure authorization fixes.

CWE-639 A01:2021 Broken Access Control

Broken Authentication

Critical

Broken authentication lets attackers compromise passwords, session tokens, or user identities. Learn how to detect and fix weak login mechanisms.

CWE-287 A07:2021 Identification and Authentication Failures

Clickjacking / UI Redress Attack

Medium

Clickjacking tricks users into clicking invisible iframe overlays. Learn how X-Frame-Options and Content Security Policy prevent UI redress attacks.

CWE-1021 A05:2021 Security Misconfiguration

Cross-Site Request Forgery (CSRF)

High

CSRF tricks authenticated users into submitting malicious requests. Learn how CSRF tokens, SameSite cookies, and origin validation stop these attacks.

CWE-352 A01:2021 Broken Access Control

Cross-Site Scripting (XSS)

High

XSS occurs when applications include untrusted data in web pages without proper encoding, allowing attackers to execute malicious scripts in victims' browsers.

CWE-79 A03:2021 Injection

Hardcoded Credentials and Secrets

High

Hardcoded credentials embed passwords, API keys, and secrets in source code or configs. Learn how to detect leaked secrets and manage them securely.

CWE-798 A07:2021 Identification and Authentication Failures

HTTP Response Splitting

High

HTTP response splitting injects CRLF sequences into headers, enabling cache poisoning and XSS. Learn how to detect and prevent header injection.

CWE-113 A03:2021 Injection

Insecure Deserialization

High

Insecure deserialization of untrusted data lets attackers run arbitrary code or tamper with logic. Learn safe formats, validation, and detection tips.

CWE-502 A08:2021 Software and Data Integrity Failures

Insecure File Upload (CWE-434): Exploit & Fix

High

Insecure file upload (CWE-434) lets attackers upload webshells for RCE. Fix with extension allow-lists, magic byte checks, and safe storage paths.

CWE-434 A04:2021 Insecure Design

Insecure JWT Implementation

High

Insecure JWT implementations let attackers forge tokens and bypass authentication. Learn pitfalls like algorithm confusion, none alg, and weak secrets.

CWE-347 A02:2021 Cryptographic Failures

Insecure Randomness

Medium

Insecure randomness uses predictable generators for tokens, session IDs, and OTPs, letting attackers guess them. Learn which secure APIs to use.

CWE-330 A02:2021 Cryptographic Failures

LDAP Injection

High

LDAP injection lets attackers manipulate directory queries to bypass authentication and extract sensitive data. Learn how to detect and prevent it.

CWE-90 A03:2021 Injection

Log Injection / Log Forging

Medium

Log injection lets attackers forge log entries using newline characters, hiding malicious activity. Learn input sanitization and safe logging practices.

CWE-117 A09:2021 Security Logging and Monitoring Failures

Mass Assignment

High

Mass assignment lets attackers set unintended model properties via extra HTTP request fields. Learn how DTOs and property allow-lists prevent it.

CWE-915 A04:2021 Insecure Design

Missing Security Headers

Low

Missing security headers expose apps to clickjacking, MIME sniffing, and XSS. Learn which HTTP headers are essential and how to configure them.

CWE-693 A05:2021 Security Misconfiguration

NoSQL Injection (MongoDB)

High

NoSQL injection manipulates MongoDB queries via operator injection, enabling auth bypass and data theft. Learn detection and prevention techniques.

CWE-943 A03:2021 Injection

Open Redirect

Medium

Open redirect flaws send users from a trusted site to a malicious URL, enabling phishing and credential theft. Learn how to detect and prevent them.

CWE-601 A01:2021 Broken Access Control

OS Command Injection

Critical

OS command injection passes unsanitized input to a system shell, letting attackers run arbitrary commands. Learn detection and prevention by language.

CWE-78 A03:2021 Injection

Path Traversal

High

Path traversal lets attackers read files outside intended directories using ../ sequences in file paths. Learn detection and prevention by language.

CWE-22 A01:2021 Broken Access Control

Prototype Pollution

High

Prototype pollution lets attackers inject properties into JavaScript's Object.prototype, enabling RCE or privilege escalation. Learn how to prevent it.

CWE-1321 A03:2021 Injection

Race Condition / TOCTOU

High

Race conditions and TOCTOU flaws exploit gaps between check and use in concurrent code, enabling privilege escalation. Learn detection and safe patterns.

CWE-362 A04:2021 Insecure Design

Sensitive Data Exposure in Logs

Medium

Sensitive data in logs, like passwords, tokens, PII, and card numbers, creates security and compliance risk. Learn to detect and mask logged secrets.

CWE-532 A09:2021 Security Logging and Monitoring Failures

Server-Side Request Forgery (SSRF)

High

Server-Side Request Forgery makes a server send requests to attacker-chosen URLs, exposing internal services and cloud metadata. Learn how to prevent it.

CWE-918 A10:2021 Server-Side Request Forgery

Server-Side Template Injection (SSTI)

Critical

SSTI evaluates user input as template code on the server, leading to remote code execution. Learn detection and prevention in Jinja2, Twig, and Razor.

CWE-94 A03:2021 Injection

SQL Injection (SQLi)

Critical

SQL injection concatenates untrusted input into queries, letting attackers read or modify database contents. Learn detection and prevention by language.

CWE-89 A03:2021 Injection

Use of Broken or Weak Cryptographic Algorithms

Medium

Insecure cryptography uses broken or misconfigured algorithms, exposing data to decryption and tampering. Learn which algorithms to avoid and use.

CWE-327 A02:2021 Cryptographic Failures

Weak Password Hashing

High

Weak password hashing (MD5, SHA-1, unsalted hashes) lets attackers crack stolen hashes fast. Learn proper storage with bcrypt, Argon2, and PBKDF2.

CWE-916 A02:2021 Cryptographic Failures

XML External Entity (XXE) Injection

High

XML External Entity (XXE) injection abuses external entities in parsed XML to read local files or perform SSRF. Learn secure parser configuration.

CWE-611 A05:2021 Security Misconfiguration

XML Injection

Medium

XML injection inserts malicious content into XML documents, causing data corruption and access control bypass. Learn detection and validation fixes.

CWE-91 A03:2021 Injection

XPath Injection

High

XPath injection manipulates XML queries to bypass authentication and extract data. Learn how to detect it and use parameterized XPath safely.

CWE-643 A03:2021 Injection

Detect all of these in your code automatically

Offensive360 SAST scans your codebase for every vulnerability in this library — and hundreds more. Get a full security report in minutes.

Start a Free Scan