Links
Comment on page

Common Web Attack and Prevention List

OWASP Top 10

Broken Access Control

Broken Access Control occurs when a user is able to access or perform actions they shouldn't have permission for.
  • Attackers can exploit these flaws to access unauthorized functionality or sensitive data.
  • Prevention:
    • Update and enforce access control policies regularly.
    • Implement deny-by-default approach and principle of least privilege.
    • Implement rate limiting for API and controller access.
    • Use server-side authorization checks.

Cryptographic Failures

Cryptographic Failures happen when weak algorithms or improper implementation are used.
  • Weak encryption can expose sensitive data to attackers.
  • Prevention:
    • Encrypt sensitive data at rest and in transit.
    • Store keys securely and rotate them regularly.
    • Use strong and up-to-date algorithms.

Injection

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query.
  • Attackers exploit injection flaws to execute unintended commands or access unauthorized data.
  • Prevention:
    • Use safe APIs that avoid interpreters or provide parameterized interfaces.
    • Escape special characters using specific syntax for the interpreter.

Insecure Design

Insecure design flaws are foundational issues that lead to other vulnerabilities.
  • Design software with security in mind from the beginning.
  • Minimize attack surface area and follow the principle of least privilege.
  • Implement defense in depth and balance usability with security.
  • Perform threat modeling to identify potential attacks.

Security Misconfiguration

Security misconfiguration can occur at any level of the application stack.
  • Improper configurations can expose default settings, open storage, or sensitive information.
  • Prevention:
    • Regularly verify security settings using automated tools.
    • Keep software and configurations up to date.
    • Follow secure hardening guides for servers.

Vulnerable and Outdated Components

Vulnerable and outdated components can be exploited to run arbitrary code or access sensitive data.
  • Avoid using components with known vulnerabilities.
  • Remove unused dependencies and features.
  • Continuously monitor for new vulnerabilities and update components.

Identification and Authentication Failures

Identification and Authentication failures can lead to compromise of credentials or impersonation.
  • Implement multi-factor authentication and strong password policies.
  • Don't store passwords in plaintext.
  • Secure session management and avoid exposing session IDs.

Software and Data Integrity Failures

Software and Data Integrity Failures occur when attackers can modify or tamper with data.
  • Verify and validate all data on the client and server side.
  • Use strong encryption and hashing to protect data.
  • Implement version control and backup systems.

Security Logging and Monitoring Failures

Security Logging and Monitoring Failures result in unidentified security events.
  • Ensure all important security events are logged with sufficient details.
  • Establish effective monitoring and alerting mechanisms.

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) allows attackers to make requests on behalf of the server.
  • Prevent outgoing traffic from backend systems to restrict SSRF attacks.
  • Use allow-lists for server-side fetched resources.
  • Validate and sanitize input to prevent SSRF vulnerabilities.

Notable Web Attack Vectors

Table of Contents

  1. 1.
    Cross-Site Scripting (XSS)
  2. 2.
    Session Hijacking
  3. 3.
    Injection Attacks
  4. 4.
    Cross-Site Request Forgery (CSRF)
  5. 5.
    Server-Side Template Injection (SSTI)
  6. 6.
    Remote File Inclusion (RFI)
  7. 7.
    Cross-Origin Resource Sharing (CORS) Misconfiguration
  8. 8.
    Clickjacking
  9. 9.
    XML External Entity (XXE) Attacks
  10. 10.
    Server-Side Code Injection
  11. 11.
    Content Spoofing
  12. 12.
    Open Redirect
  13. 13.
    HTTP Header Injection
  14. 14.
    Server-Side Request Forgery (SSRF)
  15. 15.
    Path Traversal
  16. 16.
    Insecure Direct Object References (IDOR)
  17. 17.
    LDAP Injection
  18. 18.
    Cross-Site Script Inclusion (XSSI)
  19. 19.
    Remote Code Execution (RCE)
  20. 20.
    Session Fixation
  21. 21.
    Username Enumeration
  22. 22.
    HTTP Verb Tampering
  23. 23.
    Server-Side Request Cache Poisoning
  24. 24.
    Server-Side Prototype Pollution
  25. 25.
    HTML Injection
  26. 26.
    Server-Side File Upload
  27. 27.
    JavaScript Hijacking
  28. 28.
    Server-Side Event Injection
  29. 29.
    Cross-Site WebSocket Hijacking
  30. 30.
    Cross-Site Flashing
  31. 31.
    Remote Command Execution
  32. 32.
    Server-Side Denial of Service (DoS)
  33. 33.
    XML Injection
  34. 34.
    Cross-Site Request Smuggling (XRS)
  35. 35.
    Server-Side Web Cache Poisoning
  36. 36.
    HTTP Parameter Pollution
  37. 37.
    Server-Side Content Spoofing
  38. 38.
    Blind SQL Injection
  39. 39.
    Cross-Site Search Engine Optimization (SEO) Spam
  40. 40.
    Server-Side URL Redirect
  41. 41.
    XML Attribute Blowup
  42. 42.
    Cross-Site Port Attacks
  43. 43.
    Server-Side Cross-Site Scripting (XSS)
  44. 44.
    HTTP Response Splitting
  45. 45.
    Cross-Site Content Hijacking
  46. 46.
    Server-Side Formula Injection
  47. 47.
    Server-Side Header Injection
  48. 48.
    Object Injection
  49. 49.
    Cross-Site Printing
  50. 50.
    Server-Side Server-Side Template Injection (SSTI)
  51. 51.
    Clickjacking with Cursorjacking
  52. 52.
    SOAP Array Abuse
  53. 53.
    Server-Side Resource Injection
  54. 54.
    Cross-Site Session Transfer
  55. 55.
    Server-Side HTTP Parameter Pollution
  56. 56.
    Cross-Site Tracking
  57. 57.
    Server-Side Template Manipulation
  58. 58.
    Cross-Site JSONP Hijacking
  59. 59.
    Server-Side Server-Side Code Injection
  60. 60.
    HTML5 Storage XSS
  61. 61.
    Server-Side XML Injection
  62. 62.
    Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch
  63. 63.
    Server-Side Code Injection via Content-Type
  64. 64.
    Session Sidejacking
  65. 65.
    Server-Side Server-Side Request Forgery (SSRF)
  66. 66.
    JavaScript Security
  67. 67.
    Server-Side Server-Side Request Splitting
  68. 68.
    Cross-Site WebSocket Hijacking via DNS Rebinding
  69. 69.
    Server-Side Web Cache Poisoning via Content Spoofing
  70. 70.
    XML Attribute Tampering
  71. 71.
    Server-Side Server-Side Content Spoofing
  72. 72.
    HTTP Parameter Tampering
  73. 73.
    Server-Side XML External Entity (XXE) Attacks
  74. 74.
    Cross-Site Server-Side Request Forgery (SSRF)
  75. 75.
    Server-Side SQL Injection
  76. 76.
    Server-Side Web Cache Poisoning via HTTP Parameter Pollution
  77. 77.
    LDAP Injection via DNS Rebinding
  78. 78.
    Server-Side Inclusion Attacks
  79. 79.
    Client-Side Clickjacking
  80. 80.
    Server-Side Command Injection
  81. 81.
    Server-Side Server-Side XML Injection
  82. 82.
    Cross-Site JSONP Hijacking via DNS Rebinding
  83. 83.
    Server-Side JSONP Hijacking
  84. 84.
    Cross-Domain Search Timing Attacks
  85. 85.
    Server-Side Server-Side Request Splitting via HTTP Parameter Pollution
  86. 86.
    Server-Side SOAP Array Abuse
  87. 87.
    Server-Side Server-Side Template Injection (SSTI) via Template Injection
  88. 88.
    Cross-Site Content Spoofing
  89. 89.
    Server-Side Server-Side Code Injection via MIME Type
  90. 90.
    Server-Side Session Fixation
  91. 91.
    Cross-Site CSRF Scanners
  92. 92.
    Server-Side Template Injection via Document Builder
  93. 93.
    Server-Side Server-Side HTTP Parameter Pollution
  94. 94.
    Cross-Site Server-Side Request Forgery (SSRF) via DNS Rebinding
  95. 95.
    Server-Side Remote File Inclusion (RFI)
  96. 96.
    Server-Side Code Execution via File Upload
  97. 97.
    Cross-Domain Web Storage Abuse
  98. 98.
    Server-Side Server-Side HTTP Response Splitting
  99. 99.
    Server-Side Server-Side XML External Entity (XXE) Attacks
  100. 100.
    Cross-Site Content Injection

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users.
  • Types of XSS attacks: Stored XSS, Reflected XSS, DOM-based XSS.
  • Prevention:
    • Input validation and output encoding.
    • Content Security Policy (CSP) to restrict scripts execution.

Session Hijacking

Session Hijacking is the exploitation of a valid user session by an attacker.
  • Attackers can gain unauthorized access to user sessions and perform actions on their behalf.
  • Prevention:
    • Use HTTPS for entire site.
    • Regenerate session after login.
    • Implement session timeout.

Injection Attacks

Injection attacks occur when untrusted data is sent to an interpreter, leading to unintended commands or data access.
  • Types of injection attacks: SQL Injection, Command Injection, LDAP Injection.
  • Prevention:
    • Input validation and sanitization.
    • Use parameterized queries or prepared statements.
    • Utilize ORM tools.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) tricks users into performing unwanted actions on a website.
  • Attackers exploit the trust of a user's authenticated session to execute undesired actions.
  • Prevention:
    • Use anti-CSRF tokens.
    • Implement SameSite Cookie attribute.
    • Re-authenticate for sensitive operations.

Server-Side Template Injection (SSTI)

Server-Side Template Injection allows an attacker to inject malicious templates into a server-side template engine.
  • Attackers can execute arbitrary code and gain control over the server.
  • Prevention:
    • Input validation and sanitization of user-supplied templates.
    • Avoid executing user-supplied templates.

Remote File Inclusion (RFI)

Remote File Inclusion (RFI) is an attack that allows an attacker to include remote files on a server.
  • Attackers can execute malicious code or gain unauthorized access to server files.
  • Prevention:
    • Avoid dynamic file inclusion from user input.
    • Whitelist allowed file paths.

Cross-Origin Resource Sharing (CORS) Misconfiguration

CORS Misconfiguration allows unauthorized access to restricted resources by misconfiguring the CORS policy.
  • Attackers can bypass browser restrictions and access sensitive data.
  • Prevention:
    • Set appropriate CORS policies.
    • Validate and sanitize user input.

Clickjacking

Clickjacking is a technique that tricks users into clicking on malicious elements hidden within legitimate web pages.
  • Attackers can perform actions on behalf of the user without their knowledge.
  • Prevention:
    • Implement X-Frame-Options header.
    • Use frame-busting techniques.

XML External Entity (XXE) Attacks

XML External Entity (XXE) Attacks exploit the way XML parsers handle external entity references.
  • Attackers can read local files, perform remote requests, or launch denial-of-service attacks.
  • Prevention:
    • Disable XML entity expansion.
    • Use secure XML parsing libraries.

Server-Side Code Injection

Server-Side Code Injection allows an attacker to inject and execute arbitrary code on the server-side.
  • Attackers can gain unauthorized access, escalate privileges, or execute malicious commands.
  • Prevention:
    • Input validation and sanitization of user input.
    • Use secure coding practices.

Content Spoofing

Content Spoofing involves modifying the appearance of a website to deceive users.
  • Attackers can impersonate legitimate websites and steal sensitive information.
  • Prevention:
    • Implement strong validation and sanitization of user-generated content.
    • Ensure secure communication (HTTPS).

Open Redirect

Open Redirect allows an attacker to redirect users to a malicious website while disguising the URL.
  • Attackers can trick users into visiting malicious websites and perform phishing attacks.
  • Prevention:
    • Implement strict input validation and sanitization.
    • Use server-side redirect mechanisms.

HTTP Header Injection

HTTP Header Injection allows attackers to manipulate or inject malicious headers in HTTP requests or responses.
  • Attackers can perform various attacks, including cache poisoning and session hijacking.
  • Prevention:
    • Properly validate and sanitize user input.
    • Implement secure coding practices.
    • Utilize web application firewalls (WAFs) for additional protection.

Path Traversal

Path Traversal allows attackers to access files or directories outside the intended directory.
  • Attackers can access sensitive files, execute arbitrary code, or escalate privileges.
  • Prevention:
    • Implement proper input validation and sanitization.
    • Use secure coding practices.
    • Avoid user input in file paths or use strict file access controls.

Insecure Direct Object References (IDOR)

Insecure Direct Object References (IDOR) occur when a user can access and manipulate unauthorized objects.
  • Attackers can access sensitive data or perform unauthorized actions.
  • Prevention:
    • Implement proper access controls and authorization checks.
    • Use indirect object references instead of exposing internal identifiers.

LDAP Injection

LDAP Injection occurs when untrusted data is inserted into LDAP statements, allowing attackers to manipulate LDAP queries.
  • Attackers can bypass authentication, extract sensitive information, or perform unauthorized actions.
  • Prevention:
    • Use parameterized queries or prepared statements specific to LDAP.
    • Properly validate and sanitize user input.

Cross-Site Script Inclusion (XSSI)

Cross-Site Script Inclusion (XSSI) allows attackers to include external scripts into a web page.
  • Attackers can steal sensitive information or perform malicious actions on behalf of the user.
  • Prevention:
    • Implement strict input validation and output encoding.
    • Use Content Security Policy (CSP) to restrict script inclusion.

Remote Code Execution (RCE)

Remote Code Execution (RCE) enables attackers to execute arbitrary code on a remote server.
  • Attackers can gain full control over the server, execute malicious commands, or perform lateral movement.
  • Prevention:
    • Keep software and libraries up to date.
    • Implement proper input validation and sanitization.
    • Apply least privilege principles.

Session Fixation

Session Fixation is an attack where an attacker forces a user's session ID to a known value.
  • Attackers can hijack user sessions and gain unauthorized access to sensitive data.
  • Prevention:
    • Use session management techniques that regenerate session IDs after authentication.

Username Enumeration

Username Enumeration allows attackers to determine valid usernames on a system.
  • Attackers can use this information for further attacks such as brute-forcing passwords.
  • Prevention:
    • Implement consistent error messages for both valid and invalid usernames.
    • Use strong account lockout policies to mitigate brute-force attacks.

HTTP Verb Tampering

HTTP Verb Tampering involves modifying or manipulating HTTP methods used in requests.
  • Attackers can perform unauthorized actions or bypass security measures.
  • Prevention:
    • Implement proper access controls and authorization checks.
    • Use HTTP methods appropriate for the intended operation.

Server-Side Request Cache Poisoning

Server-Side Request Cache Poisoning occurs when an attacker manipulates server-side cache mechanisms to serve malicious content.
  • Attackers can poison the cache and serve malicious content to other users.
  • Prevention:
    • Implement secure cache control mechanisms.
    • Use input validation and sanitization before storing data in the cache.

Server-Side Prototype Pollution

Server-Side Prototype Pollution is a vulnerability that allows attackers to modify or manipulate JavaScript objects' prototypes on the server-side.
  • Attackers can modify the behavior of server-side code and execute arbitrary code.
  • Prevention:
    • Use input validation and sanitization to prevent user-supplied data from polluting prototypes.
    • Keep software and libraries up to date to address known vulnerabilities.

HTML Injection

HTML Injection occurs when untrusted data is inserted into HTML code without proper validation or encoding.
  • Attackers can inject malicious code, steal sensitive information, or perform phishing attacks.
  • Prevention:
    • Properly validate and sanitize user-generated content.
    • Use output encoding techniques to prevent code injection.

Server-Side File Upload

Server-Side File Upload vulnerabilities allow attackers to upload and execute arbitrary files on a server.
  • Attackers can upload malicious files and gain unauthorized access or execute arbitrary code.
  • Prevention:
    • Validate file extensions and content types.
    • Store uploaded files in a secure location with proper access controls.

JavaScript Hijacking

JavaScript Hijacking occurs when an attacker intercepts or manipulates JavaScript code sent from the server to the client.
  • Attackers can steal sensitive information, modify web page behavior, or perform unauthorized actions.
  • Prevention:
    • Implement secure communication channels (HTTPS).
    • Use mechanisms such as Subresource Integrity (SRI) to ensure the integrity of loaded scripts.

Server-Side Event Injection

Server-Side Event Injection allows attackers to inject malicious event handlers into server-side events.
  • Attackers can execute arbitrary code or perform unauthorized actions.
  • Prevention:
    • Implement strict input validation and sanitization of event handler parameters.
    • Avoid executing user-supplied event handlers.

Cross-Site WebSocket Hijacking

Cross-Site WebSocket Hijacking enables attackers to hijack WebSocket connections between clients and servers.
  • Attackers can steal sensitive information or perform unauthorized actions.
  • Prevention:
    • Implement authentication and authorization mechanisms for WebSocket connections.
    • Use secure communication channels (HTTPS).

Cross-Site Flashing

Cross-Site Flashing is a vulnerability that allows attackers to inject malicious Adobe Flash files into websites.
  • Attackers can execute arbitrary code or steal sensitive information.
  • Prevention:
    • Avoid the use of Adobe Flash, which is being phased out and has inherent security risks.
    • Keep plugins and libraries up to date.

Remote Command Execution

Remote Command Execution occurs when an attacker can execute commands on a remote server.
  • Attackers can execute arbitrary commands, gain unauthorized access, or perform further malicious actions.
  • Prevention:
    • Avoid executing user-supplied commands or data without proper validation and sanitization.
    • Use input filtering and output encoding to prevent command injection.

Server-Side Denial of Service (DoS)

Server-Side Denial of Service (DoS) attacks aim to disrupt the availability of server resources or services.
  • Attackers can exhaust server resources, causing service interruptions or complete unavailability.
  • Prevention:
    • Implement rate limiting and traffic monitoring to detect and mitigate DoS attacks.
    • Regularly update and patch software to address vulnerabilities.

XML Injection

XML Injection occurs when untrusted data is inserted into XML documents without proper validation or encoding.
  • Attackers can inject malicious XML content, modify data, or perform unauthorized actions.
  • Prevention:
    • Validate and sanitize user input before inserting it into XML documents.
    • Use secure XML parsing libraries and avoid executing user-supplied XML.

Cross-Site Request Smuggling (XRS)

Cross-Site Request Smuggling (XRS) attacks exploit inconsistencies in how different components handle HTTP requests.
  • Attackers can bypass security measures, manipulate requests, or gain unauthorized access to sensitive data.
  • Prevention:
    • Implement secure configurations and consistent handling of HTTP requests across components.
    • Regularly update and patch software to address vulnerabilities.

Server-Side Web Cache Poisoning

Server-Side Web Cache Poisoning involves manipulating server-side caches to serve malicious content to users.
  • Attackers can poison caches and serve malicious content or perform phishing attacks.
  • Prevention:
    • Implement secure cache control mechanisms.
    • Use proper input validation and sanitization before storing data in the cache.

HTTP Parameter Pollution

HTTP Parameter Pollution occurs when an attacker manipulates or injects additional parameters in HTTP requests.
  • Attackers can bypass security controls, manipulate data, or perform unauthorized actions.
  • Prevention:
    • Implement strict input validation and sanitization of parameters.
    • Use server-side checks to prevent parameter pollution.

Server-Side Content Spoofing

Server-Side Content Spoofing involves modifying server responses to deceive users or deliver malicious content.
  • Attackers can manipulate website content, perform phishing attacks, or distribute malware.
  • Prevention:
    • Implement secure configurations to prevent content tampering.
    • Validate and sanitize user input to prevent content injection.

Blind SQL Injection

Blind SQL Injection occurs when an attacker can inject malicious SQL statements without receiving direct feedback.
  • Attackers can extract sensitive information, modify data, or perform unauthorized actions.
  • Prevention:
    • Use parameterized queries or prepared statements.
    • Implement strict input validation and sanitization to prevent SQL injection.

Cross-Site Search Engine Optimization (SEO) Spam

Cross-Site SEO Spam involves injecting spam content into web pages to manipulate search engine rankings.
  • Attackers can promote malicious websites, distribute malware, or engage in other black hat SEO techniques.
  • Prevention:
    • Regularly monitor and review website content for SEO spam.
    • Implement proper input validation and sanitization.

Server-Side URL Redirect

Server-Side URL Redirect occurs when an attacker can manipulate or inject malicious URLs in server responses.
  • Attackers can redirect users to malicious websites, perform phishing attacks, or conduct further exploits.
  • Prevention:
    • Validate and sanitize user input before generating URLs.
    • Implement proper validation of redirect destinations.

XML Attribute Blowup

XML Attribute Blowup is an attack that exploits vulnerabilities in XML parsers, causing resource exhaustion.
  • Attackers can exhaust server resources, leading to denial of service or other security breaches.
  • Prevention:
    • Use secure XML parsing libraries that mitigate attribute blowup attacks.
    • Implement proper input validation and sanitization.

Cross-Site Port Attacks

Cross-Site Port Attacks involve exploiting vulnerabilities in cross-site scripting or other techniques to scan internal network ports.
  • Attackers can discover open ports and services, leading to potential further attacks.
  • Prevention:
    • Implement strong input validation and output encoding to prevent cross-site scripting attacks.
    • Ensure that internal services and ports are properly protected and restricted.

Server-Side Cross-Site Scripting (XSS)

Server-Side Cross-Site Scripting (XSS) occurs when untrusted data is reflected in server responses without proper validation or encoding.
  • Attackers can inject malicious scripts into server responses, leading to the execution of arbitrary code.
  • Prevention:
    • Implement strict input validation and output encoding to prevent XSS attacks.
    • Use content security policies (CSP) to restrict script execution.

HTTP Response Splitting

HTTP Response Splitting involves injecting additional headers or content into HTTP responses.
  • Attackers can manipulate web pages, perform phishing attacks, or bypass security controls.
  • Prevention:
    • Implement strict input validation and sanitization.
    • Ensure proper encoding and sanitization of user-generated content.

Cross-Site Content Hijacking

Cross-Site Content Hijacking occurs when attackers steal or manipulate content from other websites.
  • Attackers can display misleading or malicious content, perform phishing attacks, or distribute malware.
  • Prevention:
    • Implement content security policies to prevent content hijacking.
    • Regularly monitor and review website content for unauthorized modifications.

Server-Side Formula Injection

Server-Side Formula Injection allows attackers to inject malicious formulas into server-side components.
  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.
  • Prevention:
    • Implement proper input validation and sanitization.
    • Avoid executing user-supplied formulas or expressions.

Server-Side Header Injection

Server-Side Header Injection involves injecting malicious headers into server responses.
  • Attackers can manipulate web page behavior, perform session hijacking, or perform other malicious actions.
  • Prevention:
    • Implement strict input validation and sanitization of headers.
    • Use secure coding practices to prevent header injection vulnerabilities.

Object Injection

Object Injection occurs when an attacker can manipulate or inject malicious objects into an application.
  • Attackers can execute arbitrary code, perform unauthorized actions, or gain unauthorized access.
  • Prevention:
    • Implement strict input validation and sanitization.
    • Use secure coding practices and avoid deserializing untrusted data.

Cross-Site Printing

Cross-Site Printing is an attack that exploits vulnerabilities in web browsers or printing services to disclose sensitive information.
  • Attackers can print sensitive data without authorization or manipulate the printed content.
  • Prevention:
    • Implement strict access controls to printing services.
    • Regularly update web browsers and printing software to address security vulnerabilities.

Server-Side Server-Side Template Injection (SSTI)

Server-Side Server-Side Template Injection (SSTI) allows attackers to inject malicious templates into server-side template engines.
  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.
  • Prevention:
    • Use secure templating engines with built-in sandboxing or template escaping mechanisms.
    • Validate and sanitize user-supplied templates.

Clickjacking with Cursorjacking

Clickjacking with Cursorjacking combines clickjacking and cursor manipulation techniques to trick users into clicking on hidden elements.
  • Attackers can perform actions on behalf of the user without their knowledge or consent.
  • Prevention:
    • Implement X-Frame-Options header to prevent clickjacking attacks.
    • Use frame-busting techniques to mitigate cursorjacking attacks.

SOAP Array Abuse

SOAP Array Abuse involves manipulating SOAP arrays to cause memory exhaustion or denial of service attacks.
  • Attackers can exhaust server resources, leading to service disruption or unavailability.
  • Prevention:
    • Implement proper input validation and sanitization of SOAP requests.
    • Use secure SOAP libraries that mitigate array abuse vulnerabilities.

Server-Side Resource Injection

Server-Side Resource Injection allows attackers to inject malicious resources into server-side components.
  • Attackers can execute arbitrary code, access sensitive information, or perform unauthorized actions.
  • Prevention:
    • Implement strict input validation and sanitization.
    • Avoid executing user-supplied resources or dynamically loading external resources.

Cross-Site Session Transfer

Cross-Site Session Transfer occurs when an attacker steals a user's session and uses it on a different site.
  • Attackers can gain unauthorized access to user accounts, perform actions on their behalf, or extract sensitive information.
  • Prevention:
    • Implement strict session management mechanisms.
    • Use session identifiers that are bound to the originating domain.

Server-Side HTTP Parameter Pollution

Server-Side HTTP Parameter Pollution occurs when an attacker manipulates or injects additional parameters in server-side requests.
  • Attackers can bypass security controls, manipulate data, or perform unauthorized actions.
  • Prevention:
    • Implement strict input validation and sanitization of parameters.
    • Use server-side checks to prevent parameter pollution.

Cross-Site Tracking

Cross-Site Tracking involves tracking users across multiple websites without their knowledge or consent.
  • Attackers can collect sensitive information, track user behavior, or perform targeted advertising.
  • Prevention:
    • Implement proper privacy measures such as cookie policies and consent mechanisms.
    • Regularly review and monitor third-party tracking scripts.

Server-Side Template Manipulation

Server-Side Template Manipulation allows attackers to modify server-side templates to inject malicious content.
  • Attackers can manipulate website content, perform phishing attacks, or execute arbitrary code.
  • Prevention:
    • Use secure templating engines that prevent template injection vulnerabilities.
    • Validate and sanitize user input before rendering templates.

Cross-Site JSONP Hijacking

Cross-Site JSONP Hijacking involves hijacking JSONP requests to steal sensitive data from different domains.
  • Attackers can access sensitive information, perform session hijacking, or execute arbitrary code.
  • Prevention:
    • Implement strict validation of JSONP callbacks and sources.
    • Use CSRF tokens or other anti-CSRF measures to prevent JSONP hijacking.

Server-Side Server-Side Code Injection

Server-Side Server-Side Code Injection occurs when untrusted data is injected and executed as code on the server-side.
  • Attackers can execute arbitrary code, gain unauthorized access, or perform unauthorized actions.
  • Prevention:
    • Use secure coding practices and avoid executing user-supplied code.
    • Implement proper input validation and sanitization.

HTML5 Storage XSS

HTML5 Storage XSS involves injecting malicious scripts into HTML5 storage mechanisms.
  • Attackers can execute scripts in the context of other web pages, leading to the execution of arbitrary code.
  • Prevention:
    • Implement strict input validation and output encoding.
    • Use Content Security Policy (CSP) to restrict script execution.

Server-Side XML Injection

Server-Side XML Injection occurs when untrusted data is injected into XML documents on the server-side.
  • Attackers can manipulate XML data, perform unauthorized actions, or disclose sensitive information.
  • Prevention:
    • Implement proper input validation and sanitization.
    • Use secure XML parsing libraries and avoid executing user-supplied XML.

Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch

Cross-Site Script Inclusion (XSSI) via MIME Type Mismatch involves injecting malicious scripts using MIME type inconsistencies.
  • Attackers can execute scripts in the context of other web pages, leading to the execution of arbitrary code.
  • Prevention:
    • Use strict content type validation and enforce proper MIME type handling.
    • Implement proper output encoding to prevent script inclusion vulnerabilities.

Server-Side Code Injection via Content-Type

Server-Side Code Injection via Content-Type occurs when untrusted data is injected into server requests' Content-Type header.
  • Attackers can execute arbitrary code, perform unauthorized actions, or gain unauthorized access.
  • Prevention:
    • Implement strict input validation and sanitization of Content-Type headers.
    • Use secure coding practices and avoid executing user-supplied code.

Session Sidejacking

Session Sidejacking involves intercepting and hijacking user sessions over unencrypted connections.
  • Attackers can gain unauthorized access to user accounts, perform actions on their behalf, or extract sensitive information.
  • Prevention:
    • Implement secure communication channels (HTTPS) to encrypt session data.
    • Use secure session management techniques.

Server-Side Server-Side Request Forgery (SSRF) via DNS Rebinding

Server-Side Server-Side Request Forgery (SSRF) via DNS Rebinding occurs when an attacker manipulates DNS resolution to make requests to internal resources.
  • Attackers can bypass firewall restrictions, perform port scanning, or access internal resources.
  • Prevention:
    • Implement strict input validation and sanitization of user-supplied URLs.
    • Use allow-lists or access controls to restrict outbound requests.

Server-Side Web Cache Poisoning via Content Spoofing

Server-Side Web Cache Poisoning via Content Spoofing involves manipulating server-side caches to serve spoofed or malicious content to users.