← CodeClarityLab Home
Missing CSRF Protection PHP 5.0+
A state-changing form or endpoint that lacks a CSRF token allows attackers to forge authenticated requests from any website the victim visits.
2mo ago security intermediate
Package Typosquatting
Malicious packages published with names similar to popular ones (lodahs, requesst) hoping developers mistype — the package executes malicious code on install.
2mo ago security intermediate
Secure File Downloads PHP 5.0+
Preventing path traversal, unauthorised access, and content injection when serving file downloads — validating paths, checking authorisation, and setting correct headers.
2mo ago security intermediate
Sensitive Data in Logs PHP 7.0+
Logging passwords, tokens, credit card numbers, or PII — log aggregators store data indefinitely and are often less secured than primary databases.
2mo ago security intermediate
Weak Random Function PHP 7.0+
Using rand(), mt_rand(), or array_rand() for security-sensitive values — these are predictable pseudo-random generators not suitable for tokens, keys, or passwords.
2mo ago security intermediate
Account Enumeration PHP 5.0+
Differing application responses to valid vs. invalid usernames allow attackers to build a list of registered accounts.
CWE-203 OWASP A2:2021
2mo ago security intermediate 5.3
Account Takeover (ATO) PHP 5.0+
An attacker gains full control of a user account through credential stuffing, phishing, session hijacking, or abusing password-reset flows.
CWE-287 OWASP A7:2021
2mo ago security intermediate 9.8
Arbitrary File Upload PHP 5.0+
Accepting file uploads without validating type, extension, and content can allow PHP shell uploads and RCE.
CWE-434 OWASP A4:2021
2mo ago security intermediate 9.8
Argon2 Password Hashing PHP 7.2+
The Password Hashing Competition winner (2015) — a memory-hard algorithm that resists GPU and ASIC brute-force attacks better than bcrypt.
OWASP A2:2021
2mo ago security intermediate
Broken Access Control PHP 5.0+
Failure to enforce what authenticated users are allowed to do — the #1 OWASP vulnerability, enabling privilege escalation and data exposure.
CWE-284 OWASP A1:2021
2mo ago security intermediate 8.8
Clickjacking PHP 5.0+
A malicious page overlays an invisible iframe over your site, tricking users into clicking UI elements they cannot see.
CWE-1021 OWASP A4:2021
2mo ago security intermediate 6.5
Clickjacking & CSP frame-ancestors PHP 5.0+
Tricking users into clicking hidden UI elements by overlaying a transparent iframe — prevented by CSP frame-ancestors or the X-Frame-Options header.
CWE-1021 OWASP A4:2021
2mo ago security intermediate 6.1
Command Injection PHP 5.0+
User input passed to a shell function (exec, system, shell_exec) allows arbitrary OS command execution.
CWE-78 OWASP A3:2021
2mo ago security intermediate 9.8
Content Security Policy (CSP) PHP 5.0+
An HTTP response header that restricts which scripts, styles, and resources the browser is allowed to load.
2mo ago security intermediate
CORS Misconfiguration PHP 5.0+
Overly permissive Cross-Origin Resource Sharing headers allow malicious sites to read sensitive API responses.
CWE-942 OWASP A5:2021
2mo ago security intermediate 7.5
Credential Stuffing PHP 5.0+
Automated injection of username/password pairs from previous data breaches to gain access to accounts where users reused credentials.
CWE-307 OWASP A7:2021
2mo ago security intermediate 8.1
CRLF Injection PHP 5.0+
Injecting carriage-return and line-feed characters into HTTP headers splits responses or injects new headers, enabling log poisoning and XSS.
CWE-93 OWASP A3:2021
2mo ago security intermediate 6.1
CSPRNG PHP 7.0+
Cryptographically Secure Pseudo-Random Number Generator — produces unpredictable values suitable for security tokens.
2mo ago security intermediate
DOM-Based XSS ES5
Malicious script is injected and executed via the browser DOM without any server-side involvement.
CWE-79 OWASP A3:2021
2mo ago security intermediate 6.1
Email Header Injection PHP 5.0+
Injecting extra headers or recipients into mail() calls via unvalidated user input, enabling spam relay and phishing.
CWE-93 OWASP A3:2021
2mo ago security intermediate 6.5