Security terms

XML Signature Wrapping (XSW)
An attack on XML digital signatures where the attacker wraps the signed element in a new structure — the signature still verifies against the original element, but the application processes the attacker's substituted version.
3mo ago
security advanced

A sequential model of cyberattack stages from reconnaissance to exfiltration — used to identify optimal detection and disruption points.
3mo ago
security advanced

Business Logic Vulnerability
Flaws in application workflow allow attackers to abuse legitimate features in unintended ways.
CWE-840 OWASP A4:2021
3mo ago
security advanced
7.5

Cache Poisoning
PHP 5.0+
An attacker manipulates a cached response so that subsequent users receive malicious content served from the cache.
CWE-346 OWASP A4:2021
3mo ago
security advanced
8.1

Certificate Pinning
Hardcoding expected TLS certificate or public-key fingerprints in a client to prevent MITM even when a rogue CA issues an otherwise valid certificate.
CWE-295 OWASP A7:2021
3mo ago
security advanced

CSRF Double Submit Cookie Pattern
PHP 5.0+
A stateless CSRF defence that sets a random cookie and requires the same value to also appear as a request parameter, relying on the Same-Origin Policy to prevent forgery.
CWE-352 OWASP A1:2021
3mo ago
security advanced

DNS Rebinding Attack
PHP 5.0+
An attacker tricks a browser into associating their malicious domain with an internal IP, bypassing the same-origin policy to reach internal services.
CWE-350 OWASP A1:2021
3mo ago
security advanced
8.8

HTTP Request Smuggling
Desynchronising front-end and back-end HTTP parsing via conflicting Content-Length and Transfer-Encoding headers to poison request queues.
CWE-444 OWASP A5:2021
3mo ago
security advanced
9.8

HTTP Response Splitting
PHP 5.0+
Injecting CRLF sequences into HTTP headers causes the server to emit two separate responses, enabling cache poisoning and XSS.
CWE-113 OWASP A3:2021
3mo ago
security advanced
6.1

Insecure Deserialization
PHP 5.0+
Untrusted data passed to unserialize() can trigger PHP magic methods and lead to remote code execution.
CWE-502 OWASP A8:2021
3mo ago
security advanced
9.8

Key Management & Rotation
The policies and practices for generating, storing, distributing, rotating, and retiring cryptographic keys securely.
CWE-320 OWASP A2:2021
3mo ago
security advanced

Misimplemented OAuth flows expose applications to CSRF, token theft, open redirects, and account takeover.
CWE-287 OWASP A2:2021
3mo ago
security advanced
8.1

PHAR Deserialization Attack
PHP 5.0+
PHP's phar:// stream wrapper triggers deserialization of PHAR metadata on any file operation, enabling PHP object injection without unserialize().
CWE-502 OWASP A8:2021
3mo ago
security advanced
9.8

PHP Object Injection
PHP 5.0+
Passing attacker-controlled data to unserialize() triggers magic methods on existing classes, enabling code execution, file deletion, or SSRF.
CWE-502 OWASP A8:2021
3mo ago
security advanced
9.8

Prototype Pollution
ES5
An attacker injects properties into JavaScript's Object.prototype, affecting all objects in the application.
CWE-1321 OWASP A3:2021
3mo ago
security advanced
8.1

SameSite Lax Bypass
PHP 7.3+
SameSite=Lax still sends cookies on top-level GET navigations — attackers can exploit this with GET-based state-changing endpoints.
CWE-352 OWASP A1:2021
3mo ago
security advanced
6.5

Second-Order SQL Injection
PHP 5.0+
Malicious data is safely stored in the database but later retrieved and used unsafely in a subsequent SQL query.
CWE-89 OWASP A3:2021
3mo ago
security advanced
8.8

The server is tricked into making HTTP requests to internal or unintended destinations on behalf of the attacker.
CWE-918 OWASP A10:2021
3mo ago
security advanced
8.6

Server-Side Template Injection (SSTI)
PHP 5.0+
User input is embedded directly into a server-side template, allowing arbitrary code execution on the server.
CWE-1336 OWASP A3:2021
3mo ago
security advanced
9.8

Side-Channel Attack
Information is leaked through observable characteristics of a system — timing, power consumption, or cache behaviour — rather than via direct data access.
CWE-208 OWASP A2:2021
3mo ago
security advanced
5.9