Vulnerabilities
1. IDOR – Insecure Direct Object Reference
Improper access control leads to unauthorized access to user data by modifying object identifiers like user IDs, order numbers, or file references.
➤ Profile Access
Modifying a user ID in the URL gave access to other users' profiles.
GET /user/102 → Changed to /user/103
Result: Viewed another user's private data.
➤ Booking/Order Manipulation
Attacker could cancel someone else's booking due to lack of ownership validation.
GET /cancelBooking?id=ABC123 → Changed to another booking ID → booking cancelled
➤ File Download ID Manipulation
Changing the file ID parameter allowed unauthorized file downloads.
/download?file=confidential-report.pdf
➤ Invoice File Name Tampering
Invoices were named with usernames and stored under predictable URLs. Changing the filename revealed other users' invoices.
Original: /invoices/invoice-user1.pdf
Modified: /invoices/invoice-user2.pdf
→ Downloaded another user’s invoice without authorization.
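The fix for every case in this entry is the same server-side ownership check, so an added example follows (my own code, not from the original page); the same pattern closes the form-field tampering, password-reset and report IDOR entries later in this list. The store, user ids and file names are constructed for the demo.

```python
# Added example (not from the original page): server-side ownership check
# that stops the profile, booking and invoice IDOR cases above.
from dataclasses import dataclass

@dataclass
class Resource:
    kind: str
    ident: str
    owner_id: int

# Constructed sample data standing in for the database.
STORE = {
    ("user", "102"): Resource("user", "102", 102),
    ("user", "103"): Resource("user", "103", 103),
    ("booking", "ABC123"): Resource("booking", "ABC123", 102),
    ("invoice", "invoice-user1.pdf"): Resource("invoice", "invoice-user1.pdf", 102),
    ("invoice", "invoice-user2.pdf"): Resource("invoice", "invoice-user2.pdf", 103),
}

class AccessDenied(Exception):
    pass

def load_owned(kind: str, ident: str, session_user_id: int) -> Resource:
    """Fetch a resource only if the logged-in user owns it.

    The caller identity comes from the server-side session, never from a
    request parameter or hidden form field, so a tampered user_id or a
    changed object ID cannot widen access. Missing and foreign objects
    raise the same error so IDs cannot be enumerated from response differences.
    """
    res = STORE.get((kind, ident))
    if res is None or res.owner_id != session_user_id:
        raise AccessDenied(f"{kind} {ident!r} not found for this account")
    return res

def view_profile(session_user_id: int, requested_id: str) -> dict:
    res = load_owned("user", requested_id, session_user_id)
    return {"id": res.ident, "owner": res.owner_id}

def cancel_booking(session_user_id: int, booking_id: str) -> str:
    load_owned("booking", booking_id, session_user_id)
    return f"booking {booking_id} cancelled"

def download_invoice(session_user_id: int, filename: str) -> str:
    # Ownership is checked on the stored record, never inferred from the file name.
    return load_owned("invoice", filename, session_user_id).ident

def can_access(kind: str, ident: str, session_user_id: int) -> bool:
    try:
        load_owned(kind, ident, session_user_id)
        return True
    except AccessDenied:
        return False
```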
2. Host Header Injection – Open Redirect
Application blindly trusted the Host header, leading to redirection to an arbitrary domain.
Host: attacker.com
→ Victim visits /redirect → lands on attacker.com (phishing or malware delivery)
3. Reflected Cross-Site Scripting (XSS)
User input is reflected in responses without sanitization, leading to script execution.
User input reflected in search page: /search?q=<script>alert(1)</script> → executed script in browser.
4. Stored Cross-Site Scripting (XSS)
Malicious scripts are stored on the server and executed when viewed by users.
Posted <script>alert('XSS')</script> in comment → triggered for all users viewing the post.
5. SQL Injection
Unvalidated SQL input allows attackers to manipulate queries and access unauthorized data.
Injected ' OR 1=1-- in login form → bypassed authentication and logged in as admin.
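To show why the payload above works and how parameterization removes the problem, here is an added example (my own code, not from the original page) that runs the login query both ways against a constructed in-memory SQLite table; the account name and password are made up for the demo.

```python
# Added example (not from the original page): string-built vs parameterized login query.
import hashlib
import sqlite3

def pw_hash(pw: str) -> str:
    # Stand-in for a real password hash; use argon2 or bcrypt in production.
    return hashlib.sha256(pw.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct horse")))
    return db

def login_vulnerable(db, username: str, password: str):
    # String-built query: the ' OR 1=1-- input from the finding above turns the
    # WHERE clause into username = '' OR 1=1 and comments out the password check,
    # so the first row (here the admin account) is returned.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username: str, password: str):
    # Bound parameters: the driver passes the input as data, never as SQL text,
    # so the same payload is just a username that matches nothing.
    try:
        row = db.execute(
            "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
            (username, pw_hash(password)),
        ).fetchone()
    except sqlite3.Error:
        # Never echo the driver's message to the client (see the SQL error
        # disclosure entry later in this list); log it server-side instead.
        return None
    return row[0] if row else None
```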
6. Sensitive Information Disclosure via Force Browsing (`application.ini`)
Application config file accessible via direct URL, revealing internal settings.
Accessed internal config at /application.ini → exposed DB credentials and SMTP settings.
7. HTML Injection
User input is rendered as HTML, which can deface the page or create misleading elements.
Used <h1>Admin Access</h1> in input field → displayed manipulated heading in dashboard.
8. Broken Access Control via Force Browsing (Unauthorized Page Access)
Sensitive pages accessible directly without authentication or role validation.
Accessed /admin/reports without auth → full admin report panel visible.
9. Use of HTTP Protocol (Internal Network)
Application uses unencrypted HTTP, exposing data to interception.
Logged in via http://intranet.company.com → captured credentials via MITM.
10. Weak Password Policy (e.g., allowing `1234567890`)
System accepts weak passwords lacking length or complexity requirements.
Registered user using '1234567890' as password — no complexity or length validation.
11. Insufficient Logout (Session Token Still Valid After Logout)
Session remains valid even after logout, allowing re-use of token.
Logged out, reused session cookie in new browser — still active.
12. Missing Secure & HttpOnly Flags on Cookies
Cookies lack security attributes, increasing risk of theft via XSS or MITM.
Intercepted session cookie lacked HttpOnly flag — accessible via XSS payload.
13. User Impersonation via Form Field Tampering
Form fields can be modified to perform actions as another user.
Changed hidden input 'user_id=101' to 'user_id=1' in POST request → action executed as admin.
14. Directory Listing Enabled (`/downloads`, `/icons/`, `/assets/`, `/vendor/`)
Web server displays list of files, which may include sensitive content.
Accessed /assets/ → full file listing exposed with .env and config.zip.
15. Session Fixation
Attacker sets a session ID for the victim, allowing session hijack after login.
Set session ID in browser, logged in victim — attacker gained access using fixed session ID.
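The insufficient-logout entry (11) and this session-fixation entry share one root cause: the session id lives in the cookie instead of in a server-side table that is minted at login and revoked at logout. The added example below (my own code, not from the original page) shows that store; the idle timeout and the demo identifiers are assumed values.

```python
# Added example (not from the original page): server-side session store that
# regenerates the id at login and revokes it at logout.
import secrets
import time
from typing import Optional

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value)

class SessionStore:
    """Server-side session table; the browser cookie only ever carries an opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sid -> {"user": ..., "last_seen": ...}

    def login(self, user_id: str, presented_sid: Optional[str] = None) -> str:
        # Always mint a fresh id after authentication. Any id that arrived with
        # the login request (what a fixation attack plants) is discarded and
        # revoked, so the attacker's pre-chosen id is never bound to the victim.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "last_seen": self._clock()}
        return sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        # None for unknown, revoked or idle-expired ids; callers treat that as not logged in.
        rec = self._sessions.get(sid) if sid else None
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > SESSION_TTL:
            self._sessions.pop(sid, None)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid: str) -> None:
        # Revoke on the server; clearing the browser cookie alone leaves the
        # token valid, which is exactly the insufficient-logout finding.
        self._sessions.pop(sid, None)

def demo():
    """Exercise both findings with a controllable clock; returns three booleans."""
    clock = [1000.0]
    store = SessionStore(clock=lambda: clock[0])
    attacker_sid = "fixed-by-attacker"  # constructed id planted before login
    victim_sid = store.login("victim", presented_sid=attacker_sid)
    fixation_blocked = victim_sid != attacker_sid and store.user_for(attacker_sid) is None
    store.logout(victim_sid)
    reuse_blocked = store.user_for(victim_sid) is None  # old cookie in a new browser
    sid = store.login("victim")
    clock[0] += SESSION_TTL + 1
    idle_expired = store.user_for(sid) is None
    return fixation_blocked, reuse_blocked, idle_expired
```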
16. SQL Error Message Disclosure
SQL errors are displayed to the user, exposing query structure.
Entered invalid input into form → server returned SQL syntax error with table structure.
17. Clickjacking
Application can be loaded in an iframe, tricking users into clicking hidden UI.
Loaded login page in iframe on attacker domain — tricked user into clicking invisible buttons.
18. Account Takeover via Misused Password Reset Parameters
Password reset logic can be manipulated to control other accounts.
Reset link included user UUID: /reset?uid=123. Changed to /reset?uid=124 and successfully reset another user's password.
19. Open Redirection
Redirects use unvalidated user input, potentially sending users to malicious sites.
URL /redirect?url=http://evil.com → redirected user to phishing page.
20. Missing Content Security Policy (CSP) Header
Lack of CSP allows broader scope for XSS and injection.
No CSP header allowed inline scripts and untrusted JS from other domains to execute.
21. Application Exposed on HTTP Port (e.g., 6601)
App exposed via uncommon HTTP ports, potentially overlooked during testing.
Navigated to http://target:6601 → accessed internal debug interface.
22. Strict Transport Security (HSTS) Max-Age Too Low (`2592000`)
Short HSTS period weakens protection against SSL stripping.
Max-age set to 30 days — downgraded HTTPS after expiration.
23. OTP Flooding Attack
Lack of rate-limiting allows spamming OTPs to user phone/email.
Requested OTP repeatedly — no rate limiting blocked spamming.
24. Password Brute-Force on Login Attempts
Login has no protection against repeated failed attempts.
Used Hydra tool on /login → no CAPTCHA or lockout triggered.
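Both the OTP flooding entry (23) and this brute-force entry come down to missing rate limiting, so one added example covers them (my own code, not from the original page): a sliding-window limiter with lockout, with separate budgets per OTP destination, per account and per source IP. The limits, windows and demo identifiers are assumed values.

```python
# Added example (not from the original page): sliding-window rate limiting with lockout.
import time
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window counter per key with a lockout once the limit is hit."""

    def __init__(self, limit: int, window_s: int, lockout_s: int, clock=time.time):
        self.limit, self.window, self.lockout = limit, window_s, lockout_s
        self._clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps inside the window
        self._locked_until = {}

    def allow(self, key: str) -> bool:
        now = self._clock()
        if self._locked_until.get(key, 0) > now:
            return False
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return False
        q.append(now)
        return True

class AuthGuard:
    """Separate budgets: per destination for OTP sends, per account and per IP for login."""

    def __init__(self, clock=time.time):
        self.otp_sends = RateLimiter(3, 600, 900, clock)
        self.login_by_account = RateLimiter(5, 300, 900, clock)
        self.login_by_ip = RateLimiter(50, 300, 900, clock)

    def request_otp(self, destination: str) -> bool:
        # Returns whether a code would be dispatched. The HTTP reply should read
        # the same either way so the endpoint does not confirm registered numbers.
        return self.otp_sends.allow(destination)

    def attempt_login(self, username, password, source_ip, check_credentials) -> str:
        # Both counters are charged before the credentials are verified, so
        # failures and successes alike consume budget.
        ip_ok = self.login_by_ip.allow(source_ip)
        acct_ok = self.login_by_account.allow(username)
        if not (ip_ok and acct_ok):
            return "locked"
        return "ok" if check_credentials(username, password) else "invalid"
```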
25. Unrestricted File Upload (HTML File Allowed)
Application allows uploading of executable or web-accessible files.
Uploaded .html file in profile upload → rendered script when visited.
26. Unauthenticated MongoDB Access
Database is exposed without authentication on public network.
Connected to mongo://server:27017 → full DB access without password.
27. External DNS Interaction
Server sends DNS queries to attacker-controlled domains (e.g., SSRF detection).
Sent payload to internal server → triggered DNS lookup to attacker.dnslog.com.
28. Hardcoded Encryption Key in JavaScript
Key used for encryption is exposed in client-side JS files.
Found AES key in frontend.js → used it to decrypt token from app.
29. Exposed Camunda Login Page
Camunda dashboard is accessible and may allow brute-force login attempts.
Accessed /camunda/app → default login panel exposed to public.
30. Exposed Tomcat Manager Login Prompt
Tomcat Manager interface is exposed, often with default creds.
GET /manager/html prompted for Tomcat credentials — default creds worked.
31. Default Index Page Present (Tomcat)
Default Tomcat landing page indicates default configuration.
GET / returned Apache Tomcat welcome page — indicates default setup.
32. Improper Input Validation (`<script>` allowed)
User input is not validated or sanitized properly.
Entered <script>alert(1)</script> into feedback form → triggered alert on admin panel.
33. Exposed Configuration File (`/config.json`)
JSON config file exposed via direct access reveals credentials or internal paths.
Accessed /config.json — included base URL and API secrets.
34. Exposed Swagger API Documentation
API documentation publicly available, exposing internal endpoints.
GET /swagger-ui/ showed all available API endpoints with test access.
35. Missing HSTS Header
Application does not enforce HTTPS via HTTP Strict Transport Security.
HTTP response lacked Strict-Transport-Security — downgraded to HTTP with MITM.
36. System Health Disclosure Page (e.g., CPU, RAM, NAS Stats)
System metrics page is accessible and may reveal infrastructure data.
Accessed /metrics or /system-status → showed CPU load, disk space.
37. `.user.ini` File Disclosure (Wordfence WAF config)
The `.user.ini` file that Wordfence writes to enable its firewall is readable via direct URL; it typically carries the `auto_prepend_file` directive and therefore discloses the site's absolute filesystem path.
38. WordPress `license.txt` Disclosure
Reveals WordPress version and license info — useful for attackers.
GET /license.txt → revealed WordPress version and license type.
39. WordPress `readme.html` Disclosure
Exposes version info and system details.
GET /readme.html — exposed WordPress version info for fingerprinting.
40. Publicly Accessible `wp-login.php`
Login page is publicly accessible, allowing brute-force and user enumeration attacks.
Login portal open at /wp-login.php — brute-force and enumeration attack surface.
41. Exposed `/wp-json` Endpoint (Sensitive APIs)
WordPress REST APIs are accessible and may leak data.
GET /wp-json/wp/v2/users → dumped all usernames.
42. XML-RPC Enabled on WordPress
XML-RPC is enabled, exposing methods that allow brute-force login attempts and pingback abuse.
Pingback and brute force accessible via /xmlrpc.php.
43. Host Header Injection Leading to Unvalidated Redirect
Host header is not validated, causing open redirection.
Modified Host to evil.com and visited /redirect — redirected to attacker site.
44. Missing Security Headers
HTTP responses omit the defensive headers that enable browser-side protections, so the mitigations those headers provide are absent.
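The header-related entries in this list (cookie flags in 12, clickjacking in 17, missing CSP in 20, the short HSTS max-age in 22, missing HSTS in 35 and this one) can all be verified from a single response. The added example below (my own code, not from the original page) runs that check over two constructed responses; the one-year HSTS threshold is an assumed baseline, and the cookie name and policy values are made up for the demo.

```python
# Added example (not from the original page): response-header check for the
# cookie, HSTS, CSP and framing findings in this list.
from email.parser import HeaderParser

MIN_HSTS_MAX_AGE = 31_536_000  # one year, the usual preload baseline (assumed threshold)

def parse_headers(raw: str):
    """Return [(name_lower, value), ...] from a raw HTTP response head; status line dropped."""
    head = raw.split("\n", 1)[1] if raw.startswith("HTTP/") else raw
    msg = HeaderParser().parsestr(head.strip() + "\n")
    return [(k.lower(), v.strip()) for k, v in msg.items()]

def check_headers(raw: str):
    hdrs = parse_headers(raw)
    get = lambda name: [v for k, v in hdrs if k == name]
    findings = []
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name}: missing samesite")
    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("missing strict-transport-security")
    else:
        directives = dict(d.strip().lower().partition("=")[::2] for d in hsts[0].split(";"))
        max_age = int(directives.get("max-age") or 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    csp = get("content-security-policy")
    if not csp:
        findings.append("missing content-security-policy")
    # Framing is blocked by either X-Frame-Options or a CSP frame-ancestors directive.
    if not get("x-frame-options") and not any("frame-ancestors" in c for c in csp):
        findings.append("framable: no x-frame-options or frame-ancestors")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/
Strict-Transport-Security: max-age=2592000
Content-Type: text/html
"""
HARDENED = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""
```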
54. SSL/TLS Certificate Validity Less Than 30 Days
Short certificate life may indicate misconfiguration or impending expiration.
SSL cert expiring in 7 days — triggered alerts on scanners.
55. Captcha Text and Entered Captcha Both Sent in Plain Base64
Captcha bypass possible due to visible encoded text.
Captured encoded captcha + plain user input — decoded match easily.
56. Sensitive Google Maps API Key Disclosure & Abuse
API key exposed and vulnerable to abuse (e.g., map queries, billing).
Exposed key used in JS — queried Google Maps API without billing lock.
57. Improper Session Management (Access Without Valid Session)
Endpoints accept unauthenticated requests with no token checks.
Accessed /dashboard without token — app still served content.
58. Password Change Without Session Authentication
Users can change password without being logged in.
POST /change-password worked without active login token.
59. Insecure Direct Object Reference (IDOR) – Report Injection to Admin
Attacker changes object ID to escalate or manipulate data.
Changed report ID in /admin/view?report=45 to 46 — saw another user's confidential data.
60. Internal API Endpoints Disclosed in JavaScript
API URLs visible in frontend JS files give insight into backend structure.
Frontend JS revealed endpoints like /admin/getLogs — not linked in UI.
61. Exposed `/help/` API Documentation
API help documentation exposed without access control.
GET /help/ showed full API list and example usage.
62. Encryption Key Disclosure via `/GetEncryptKey`
Key is directly retrievable via a GET endpoint.
GET /GetEncryptKey returned hardcoded key used for client-side encryption.
63. Commented-Out HTML Revealing Internal HRMS URLs
HTML contains commented URLs pointing to internal apps.
Source of page showed <!-- Internal HRMS at hrms.internal.company -->.
64. SQL Statement in Request Parameter (`Select ...`)
Raw SQL passed through parameters without validation.
URL contained SQL keywords in GET param: ?query=select+*+from+users — no sanitization.
65. Default ASP.NET Error Page Disclosure
ASP.NET stack trace and errors disclosed to end users.
Accessed malformed route — .NET stack trace revealed internal file paths.
66. WordPress REST API User Enumeration
Usernames can be enumerated via /wp-json/wp/v2/users.
GET /wp-json/wp/v2/users listed all users with IDs and display names.
67. Sensitive Information Logged in Application Logs
Tokens, credentials, or user data printed in server logs.
Logs exposed session tokens and email addresses on login errors.
68. Unintended File Downloads of Empty Files
Downloadable links return empty or placeholder files, often unused.
Clicked download button → received 0-byte PDF from /docs/report.pdf