This is my own hierarchy of the most common web application vulnerabilities and their sub-variations, explained in one-sentence summaries.
Injection : entering content into the application that gets executed by the app in some way, resulting in a security problem SQL Injection : submitting malicious SQL injection designed to get the application’s database to yield information it shouldn’t Error-based : the application gives a clear error that you can use to improve your attack Blind : the application only indicates whether a given query was successful or unsuccessful, resulting in the need for many requests to extract information Command Injection : submitting input such that the application runs it as operating system commands, resulting in a security problem XML External Entity Processing (XXE) : injecting malicious XML into a target application that targets the XML parser and forces it to disclose sensitive information or results in other undesired outcomes, including denial of service Server-side Request Forgery (SSRF) : you access an internal, firewall-protected resource by tricking an externally-facing system to make that request itself, and then give you the results. Can be stacked with other vulns, such as XXE, to extract sensitive internal information. Redirection : submit content to the app that causes it to redirect users to an unintended location in an potentially unsafe way Access Control : bypassing how the application ensures that only authorized people are able to perform authorized actions Authentication : bypassing the security of the explicit authentication process Session Management : bypassing session management controls that are supposed to maintain proper authentication Resource Access : determining whether it’s possible to interact with resources that you should not be able to given your context Object Identifier Rotation : a number or ID within an application that can be rotated to pull various records without requiring additional authentication Forceful Browsing : determine a list of sensitive resources that restricted users have access to, and then determining whether lower users can also access them Cross-site Scripting (XSS) : tricking a user into executing a javascript payload that you control Reflected : you send the target user a link, and they execute your payload, which interacts with the target application Stored : you find a way to store your payload in the application itself, and when victims browse that page the payload executes DOM-based : you are able to modify something in the application that results in your payload being executed by the DOM Blind : you send payloads into the application with no exact knowledge of how, when, or by who they’ll be executed. You set up a persistent listener to catch evidence of execution when it does happen Logic Flaws : flaws in the application designers’ assumptions of legitimate usage that allow an attacker to compromise its security Step Bypass : bypassing certain pieces of a multi-step process, such as skipping payment and moving right to shipping Negative Number Parsing : prices are changed to negative numbers, which the application accepts as non-malicious, and which later steps then process as refunds to the attacker Inventory Exhaustion : taking ecommerce items out of circulation so that they cannot be purchased, without actually purchasing them yourself, e.g., adding 10,000 items to a cart that keeps them from being sold Application DoS : submitting input to built-in functionality, such as in-app map displays or resource-intensive database lookups, that causes the application to become unresponsive for other users cross-site request forgery (csrf) : tricking a user into making a particular request into an application, which runs with their context Misconfiguration : determining whether a misconfiguration in the application or its stack can lead to a security issue Default Content : presence of insecure default content or functionality Default/Known Credentials : the credentials for this application are default and/or well-known Information Disclosure : application/system features like debugging or other verbose messages are enabled that disclose too much information about the application or system Directory Listings : the ability to see the contents of directories Visible Access Files : the showing of access control files that can give information on how to bypass the security of the system HTTP Security Headers : failure to use HTTP header protections Use of Known-vulnerable Components : the application uses components that have known vulnerabilities
