Tag: owasp-top10
NoSQL Injection PHP 5.4+
Attacker-controlled input embedded into NoSQL queries (MongoDB, Redis, Couchbase) that subverts query intent — bypassing auth, exfiltrating data, or executing server-side code.
CWE-943 OWASP A3:2021
1w ago
security intermediate
8.8
Server-Side Includes (SSI) Injection
Attacker-controlled SSI directives (`<!--#exec ... -->`) injected into pages parsed by Apache or another SSI-enabled server, achieving file disclosure or remote command execution.
CWE-97 OWASP A3:2021
1w ago
security intermediate
9.8
Dependency & Supply Chain Security
Protecting applications from malicious or vulnerable third-party packages — covering transitive dependencies, lock files, SRI hashes, CVE scanning, and supply chain attack vectors.
CWE-1357 OWASP A6:2021
1mo ago
security intermediate
Account Enumeration PHP 5.0+ Differing application responses to valid vs. invalid usernames allow attackers to build a list of registered accounts.
CWE-203 OWASP A2:2021
2mo ago
security intermediate
5.3
Account Takeover (ATO) PHP 5.0+ An attacker gains full control of a user account through credential stuffing, phishing, session hijacking, or abusing password-reset flows.
CWE-287 OWASP A7:2021
2mo ago
security intermediate
9.8
Arbitrary File Upload PHP 5.0+ Accepting file uploads without validating type, extension, and content can allow PHP shell uploads and RCE.
CWE-434 OWASP A4:2021
2mo ago
security intermediate
9.8
Broken Access Control PHP 5.0+ Failure to enforce what authenticated users are allowed to do — the #1 OWASP vulnerability, enabling privilege escalation and data exposure.
CWE-284 OWASP A1:2021
2mo ago
security intermediate
8.8
Command Injection PHP 5.0+ User input passed to a shell function (exec, system, shell_exec) allows arbitrary OS command execution.
CWE-78 OWASP A3:2021
2mo ago
security intermediate
9.8
Insecure Password Reset Flow PHP 5.0+
Weaknesses in the password-reset mechanism allow attackers to take over accounts without knowing the original password.
CWE-640 OWASP A7:2021
2mo ago
security intermediate
8.1
Mass Assignment PHP 5.0+
Blindly binding all user-submitted fields to a model allows attackers to set fields they should not control.
CWE-915 OWASP A1:2021
2mo ago
security intermediate
8.1
Path Traversal PHP 5.0+ User input used in a file path allows attackers to navigate outside the intended directory using ../ sequences.
CWE-22 OWASP A3:2021
2mo ago
security intermediate
7.5
Privilege Escalation PHP 5.0+
A flaw that lets a lower-privileged user gain higher access — e.g. reading an admin role from a URL parameter.
CWE-269 OWASP A1:2021
2mo ago
security intermediate
8.8
Weak Cryptography PHP 5.0+
Using MD5 or SHA1 for passwords or security tokens — both are cryptographically broken and trivially reversible.
CWE-327 OWASP A2:2021
2mo ago
security intermediate
7.5
Cross-Site Request Forgery (CSRF) PHP 5.0+ A forged request tricks an authenticated user's browser into performing an unintended action on a site they're logged into.
CWE-352 OWASP A1:2021
2mo ago
security intermediate
6.5
Cross-Site Scripting (XSS) PHP 5.0+ User-supplied content rendered in the browser without escaping, allowing script injection into other users' sessions.
CWE-79 OWASP A3:2021
2mo ago
security intermediate
6.1
Insecure Direct Object Reference (IDOR) PHP 5.0+ A user accesses another user's data by changing an ID in a URL or request — no authorisation check performed.
CWE-639 OWASP A1:2021
2mo ago
security intermediate
7.5
SQL Injection PHP 5.1+ Unsanitised user input inserted directly into a SQL query, letting attackers read, modify, or delete database data.
CWE-89 OWASP A3:2021
2mo ago
security intermediate
9.8