
Top 30 Application Vulnerabilities and Definitions

Prepared by HANIM EKEN

https://ie.linkedin.com/in/hanimeken

1. Injection Flaws

Definition: Injection flaws occur when untrusted data is sent to an interpreter as part of a
command or query. This allows attackers to execute malicious commands or access
unauthorized data.
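The mechanism described above, shown as an added example (not code from the original document): the same lookup written twice against a constructed in-memory SQLite table, once by splicing the untrusted value into the query text and once with a bound parameter. The table, its rows and the function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed in-memory database with sample rows; not part of the original document.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_user_vulnerable(conn, username):
    """Untrusted input is spliced into the query text, so the SQL interpreter
    cannot tell where the data ends and the syntax begins."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    """The query text is fixed; the value travels separately as a bound parameter
    and is never interpreted as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def compare(username):
    """Run both lookups on a fresh database and return (vulnerable_rows, safe_rows)."""
    conn = build_db()
    try:
        return find_user_vulnerable(conn, username), find_user_safe(conn, username)
    finally:
        conn.close()

if __name__ == "__main__":
    benign = "bob"
    tautology = "x' OR '1'='1"   # constructed input that turns the WHERE clause into "always true"
    print(compare(benign))       # both lookups return [('bob', 'user')]
    print(compare(tautology))    # the vulnerable lookup returns every row, the safe one returns []
```

The point to take from the comparison is that the safe version needs no escaping logic at all: because the value never becomes part of the SQL text, the interpreter has nothing to misread. The same principle (keep data and syntax in separate channels) applies to every interpreter listed under "injection", not only SQL.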

2. Broken Authentication

Definition: Broken authentication vulnerabilities arise when authentication mechanisms are
improperly implemented, allowing attackers to compromise user accounts, passwords, or
session tokens.

3. Cross-Site Scripting (XSS)

Definition: XSS vulnerabilities enable attackers to inject malicious scripts into web pages
viewed by other users. These scripts can steal session cookies, redirect users to malicious
sites, or deface websites.

4. Broken Access Control

Definition: Broken access control vulnerabilities occur when developers fail to properly
enforce restrictions on what authenticated users are allowed to do, allowing unauthorized
access to sensitive data or functionality.

5. Security Misconfiguration

Definition: Security misconfiguration vulnerabilities arise when systems are configured
insecurely, leaving them vulnerable to exploitation. This includes default settings,
unnecessary features enabled, or outdated software.

6. Sensitive Data Exposure

Definition: Sensitive data exposure vulnerabilities occur when sensitive information, such as
passwords or credit card numbers, is not properly protected, allowing attackers to access or
steal the data.

7. Insufficient Logging and Monitoring

Definition: Insufficient logging and monitoring vulnerabilities occur when systems do not
properly log security-relevant events or do not monitor logs for suspicious activity, making it
difficult to detect and respond to security incidents.
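An added example (not part of the original document) of the two halves this entry names: emitting security-relevant events as structured log lines, and running a detector over them. The JSON line format, the field names and the sample events are assumptions constructed for this illustration; the detector flags a source address that fails logins against several distinct accounts within a short window, which is the signature of a password-spraying attempt rather than a single user mistyping.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def log_event(event, user, src_ip, ts=None):
    """Emit one security-relevant event as a single JSON line (the format this example assumes)."""
    ts = ts or datetime.now(timezone.utc)
    return json.dumps({"ts": ts.strftime(TS_FMT), "event": event, "user": user, "src_ip": src_ip})

# Constructed sample log: five failures against different users from one address within
# one minute, then two widely spaced failures for the same user from another address.
SAMPLE_LOG = "\n".join([
    log_event("login_failure", "alice", "203.0.113.7", datetime(2024, 5, 1, 10, 0, 0)),
    log_event("login_failure", "bob",   "203.0.113.7", datetime(2024, 5, 1, 10, 0, 5)),
    log_event("login_failure", "carol", "203.0.113.7", datetime(2024, 5, 1, 10, 0, 9)),
    log_event("login_failure", "dave",  "203.0.113.7", datetime(2024, 5, 1, 10, 0, 12)),
    log_event("login_failure", "erin",  "203.0.113.7", datetime(2024, 5, 1, 10, 0, 15)),
    log_event("login_success", "frank", "203.0.113.7", datetime(2024, 5, 1, 10, 0, 20)),
    log_event("login_failure", "alice", "198.51.100.2", datetime(2024, 5, 1, 10, 1, 0)),
    log_event("login_failure", "alice", "198.51.100.2", datetime(2024, 5, 1, 10, 30, 0)),
])

def parse_ts(s):
    return datetime.strptime(s, TS_FMT)

def detect_password_spray(lines, threshold=5, window=timedelta(minutes=1)):
    """Return an alert for each source IP that fails logins against at least `threshold`
    distinct users inside a sliding `window`."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user), oldest first
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["event"] != "login_failure":
            continue
        ts = parse_ts(rec["ts"])
        q = recent[rec["src_ip"]]
        q.append((ts, rec["user"]))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(distinct_users) >= threshold:
            alerts.append({"src_ip": rec["src_ip"], "distinct_users": len(distinct_users), "at": rec["ts"]})
            q.clear()   # one alert per burst; start counting afresh
    return alerts

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG.splitlines()):
        print(alert)   # one alert for 203.0.113.7 with 5 distinct users
```

Two details matter for the "monitoring" half: the window is keyed on the source address rather than the account, so an attacker rotating through many users is still visible, and the detector only works because the log line carries both the account and the source address. A log that recorded only "login failed" would satisfy "logging" and still leave this attack invisible.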

8. Insecure Deserialization

Definition: Insecure deserialization vulnerabilities arise when untrusted data is deserialized
by an application, leading to arbitrary code execution or other malicious activities.

9. XML External Entity (XXE) Injection

Definition: XXE injection vulnerabilities occur when an application parses XML input
insecurely, allowing attackers to read sensitive files, execute arbitrary code, or perform other
malicious actions.

10. Broken Function Level Authorization

Definition: Broken function level authorization vulnerabilities arise when applications fail to
properly enforce access controls on individual functions or endpoints, allowing unauthorized
access to restricted functionality.

11. Insecure Direct Object References (IDOR)

Definition: Insecure direct object reference vulnerabilities occur when applications expose
internal objects such as files or database records without proper authorization, allowing
attackers to access sensitive data.

12. Cross-Site Request Forgery (CSRF)

Definition: CSRF vulnerabilities occur when attackers trick authenticated users into
unknowingly submitting malicious requests, leading to unauthorized actions being performed
on behalf of the victim.
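The standard defence for this entry, as an added example (not code from the original document): a synchroniser token bound to the session. The server derives the token from the session identifier with a keyed hash, so a page on another origin, which can make the browser send the session cookie but cannot read the token, cannot produce a request the handler accepts. `SERVER_SECRET`, the handler and the request shape are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret. In a deployment it comes from configuration, never from
# source code; it is generated here only so the example runs offline.
SERVER_SECRET = secrets.token_bytes(32)

def new_session_id():
    """Session identifiers must come from a CSPRNG (`secrets`), never the `random` module."""
    return secrets.token_urlsafe(32)

def csrf_token(session_id, secret=SERVER_SECRET):
    """Per-session CSRF token: HMAC-SHA256 of the session id under the server secret.
    Without the secret, nobody can compute a valid token for someone else's session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id, submitted, secret=SERVER_SECRET):
    """Accept only a token that matches this session. compare_digest runs in time
    independent of where the first mismatching byte is."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)

def handle_transfer(request, session_id):
    """Stand-in for a state-changing handler. `session_id` is what the cookie identified;
    `request` is the submitted form fields. The cookie alone is not sufficient."""
    if not verify_csrf(session_id, request.get("csrf_token")):
        return 403
    return 200

if __name__ == "__main__":
    sid = new_session_id()
    print(handle_transfer({"csrf_token": csrf_token(sid)}, sid))   # 200: same-site form
    print(handle_transfer({}, sid))                                 # 403: forged cross-site request
```

The token must be embedded in the form (or sent in a header) by the legitimate page; a forged request crafted elsewhere arrives with the cookie but without it, which is the 403 case above. Tokens for other sessions are also rejected, so a token an attacker obtains for their own session does not transfer.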

13. Using Components with Known Vulnerabilities

Definition: This vulnerability arises when applications use outdated or vulnerable third-party
components, libraries, or frameworks, making them susceptible to exploitation by attackers.

14. Unvalidated Redirects and Forwards

Definition: Unvalidated redirects and forwards vulnerabilities occur when applications redirect
or forward users to untrusted destinations based on user-supplied input, potentially leading to
phishing attacks or other malicious activities.
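An added example (not part of the original document) of validating a user-supplied redirect target before honouring it. The allowlisted host, the `next` parameter name and the default landing page are assumptions for this illustration. The check goes a little beyond the definition by handling the forms that commonly slip past a naive "starts with /" test: protocol-relative URLs, backslashes that some browsers treat as slashes, `user@host` authority tricks and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Assumed: the only external host this application is willing to send users to.
ALLOWED_HOSTS = {"app.example.com"}

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-application relative path or an https URL to an allowlisted host."""
    if not target:
        return False
    # Backslashes and control characters are normalised by some browsers into something
    # else entirely; refuse rather than guess.
    if any(c in target for c in "\\\r\n\t\x00"):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                     # javascript:, data:, etc.
    if not parts.netloc:
        # Relative target: must be a single-slash path, not protocol-relative ("//host").
        return target.startswith("/") and not target.startswith("//")
    # Absolute target: hostname (not the raw netloc, which may contain "user@") must be
    # allowlisted, and it must be https.
    return parts.hostname in allowed_hosts and parts.scheme == "https"

def redirect_after_login(next_param, default="/home"):
    """Return the location to send the user to; fall back to a fixed page when unsafe."""
    return next_param if is_safe_redirect(next_param) else default

if __name__ == "__main__":
    for t in ["/orders", "https://app.example.com/settings", "//evil.example/phish",
              "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(t, "->", redirect_after_login(t))
```

Note that `parts.hostname` is used rather than `parts.netloc`: for `https://app.example.com@evil.example/` the netloc begins with the trusted name, but the browser will connect to `evil.example`, and `hostname` reports that. Returning a fixed default instead of an error keeps the login flow working while denying the attacker control of the destination.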

15. Remote Code Execution (RCE)

Definition: RCE vulnerabilities allow attackers to execute arbitrary code on a targeted
system, enabling them to take control of the system, steal data, or launch further attacks.

16. Insecure File Upload

Definition: Insecure file upload vulnerabilities occur when applications allow users to upload
files without proper validation, leading to the execution of malicious code or the uploading of
malware-infected files.

17. Server-Side Request Forgery (SSRF)

Definition: SSRF vulnerabilities allow attackers to make unauthorized requests from the
server to internal or external resources, potentially exposing sensitive data or services to
exploitation.

18. Improper Input Validation

Definition: Improper input validation vulnerabilities occur when applications fail to properly
validate and sanitize user input, allowing attackers to inject malicious code or bypass security
controls.

19. Cryptographic Issues

Definition: Cryptographic issues arise when applications use weak or insecure cryptographic
algorithms, improper key management, or other cryptographic flaws, making them
susceptible to attacks such as brute force or encryption bypass.

20. Insecure API

Definition: Insecure API vulnerabilities occur when APIs are not properly secured, allowing
attackers to access sensitive data, execute unauthorized actions, or manipulate the
application's behavior.

21. Command Injection

Definition: Command injection vulnerabilities occur when applications execute system
commands or shell scripts with user-supplied input without proper validation, allowing
attackers to execute arbitrary commands on the underlying system.
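An added example (not code from the original document) contrasting the two ways of invoking a system command from an application: concatenating a shell command line, where the shell re-parses whatever the user supplied, and passing an argument vector with no shell after allowlist validation. The `ping` use case, the hostname pattern and the `dry_run` stand-in are assumptions for this illustration. The allowlist also refuses values beginning with `-`, which closes the related argument-injection problem where a value is read as a command option even when no shell is involved.

```python
import re
import subprocess

# Allowlist for the single value accepted from the user: a hostname that starts with a letter
# or digit, so it can never be mistaken for a command option such as "-f".
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

def is_valid_host(value):
    return bool(HOST_RE.fullmatch(value))

def ping_command_vulnerable(host):
    """String concatenation into a shell command line. When this string reaches
    subprocess.run(..., shell=True) the shell parses it, so metacharacters in `host`
    (; | && $(...)) become additional commands."""
    return "ping -c 1 " + host

def ping_command_safe(host):
    """Validate first, then build an argument vector. With shell=False no shell ever sees
    the input, and the value reaches ping as exactly one argument."""
    if not is_valid_host(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]

def dry_run(argv, **kwargs):
    """Stand-in runner that records what would be executed instead of executing it."""
    return {"argv": argv, "shell": kwargs.get("shell")}

def run_ping(host, runner=subprocess.run):
    """Execute the safe form. `runner` is injectable so the function can be exercised
    without sending any packets (pass `dry_run`)."""
    return runner(ping_command_safe(host), shell=False, capture_output=True, text=True, timeout=5)

if __name__ == "__main__":
    print(run_ping("example.com", runner=dry_run))
    for bad in ["example.com; id", "-f", ""]:
        try:
            ping_command_safe(bad)
        except ValueError as e:
            print(e)
```

Validation and the argument vector are both needed: the vector alone stops shell metacharacters but not option injection, and validation alone is only as good as the pattern. Where a command's interface allows it, terminating options with `--` before the user value is an additional safeguard.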

22. Path Traversal

Definition: Path traversal vulnerabilities occur when applications allow attackers to access
files or directories outside of the intended directory structure, potentially exposing sensitive
information or system files.
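An added example (not code from the original document) of containing file access to one directory. The check resolves the candidate path with `os.path.realpath`, which normalises `..` segments and follows symbolic links, and then requires the result to lie under the base directory. The `demo()` function builds a constructed layout in a temporary directory to exercise the cases a practitioner would want covered: a plain file, a `../` escape, an absolute path, a sibling directory whose name merely starts with the base name, and a symlink pointing outside.

```python
import os
import tempfile

def resolve_under(base_dir, user_path):
    """Resolve user_path relative to base_dir and return the absolute path, or None if the
    result (after ../ normalisation and symlink resolution) lies outside base_dir."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base_dir when user_path is absolute, so strip leading separators
    # and treat the value as relative.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    try:
        # commonpath compares whole path components, so "/srv/public_extra" is correctly
        # seen as outside "/srv/public" (a plain startswith check would accept it).
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:          # different drives on Windows
        inside = False
    return candidate if inside else None

def read_user_file(base_dir, user_path):
    path = resolve_under(base_dir, user_path)
    if path is None:
        raise PermissionError("path escapes the allowed directory")
    with open(path, "rb") as f:
        return f.read()

def demo():
    """Constructed layout: <tmp>/public/hello.txt is served, <tmp>/secret.txt is not."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        os.mkdir(public)
        with open(os.path.join(public, "hello.txt"), "wb") as f:
            f.write(b"hello")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"top secret")
        out = {
            "plain": read_user_file(public, "hello.txt"),
            "dotdot": resolve_under(public, "../secret.txt"),
            "prefix": resolve_under(public, "../public_extra/hello.txt"),
            # An absolute path is demoted to a relative one and so stays inside.
            "absolute_stays_inside": resolve_under(public, "/etc/passwd") is not None,
        }
        try:
            os.symlink(secret, os.path.join(public, "link"))
            out["symlink"] = resolve_under(public, "link")   # realpath follows it: outside
        except (OSError, NotImplementedError):
            out["symlink"] = None   # platform without symlink support
        return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Resolving symlinks is the step most home-grown checks omit: a link created inside the served directory, for instance by an earlier upload, would otherwise pass a purely lexical `..` filter and still read the target outside it.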

23. Insecure Mobile Applications

Definition: Insecure mobile application vulnerabilities arise when mobile apps fail to
implement secure coding practices, leaving them susceptible to various types of attacks such
as data leakage, unauthorized access, or tampering.

24. Insufficient Transport Layer Protection

Definition: Insufficient transport layer protection vulnerabilities occur when applications fail
to adequately encrypt data transmitted over the network, leaving it vulnerable to interception
or tampering.

25. Race Conditions

Definition: Race condition vulnerabilities occur when multiple processes or threads access
shared resources concurrently, leading to unexpected behavior or security vulnerabilities.
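An added example (not code from the original document) of the check-then-act race this entry describes, using a constructed account balance as the shared resource. Five threads each try to withdraw the full balance; in the unsynchronised version every thread passes the balance check before any of them subtracts, so the account is overdrawn five times. A `threading.Barrier` is inserted between the check and the update purely to make the interleaving reproducible for the demonstration (in production the same window exists, just less predictably). The locked version makes the check and the update one atomic step.

```python
import threading

class Account:
    """Shared resource: a balance modified by concurrent withdrawals."""
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount, barrier=None):
        # Time-of-check to time-of-use: the check and the update are separate steps, and
        # other threads can run between them.
        if self.balance >= amount:
            if barrier is not None:
                barrier.wait()        # demo only: hold here until every thread passed the check
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount, barrier=None):
        # The lock serialises check and update, so at most one withdrawal can see the
        # original balance.
        with self.lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False

def run_concurrent(withdraw, balance, n_threads, amount):
    """Start n_threads withdrawals of `amount` and return (final_balance, successful_count)."""
    acct = Account(balance)
    barrier = threading.Barrier(n_threads)
    results = []
    def worker():
        results.append(withdraw(acct, amount, barrier))
    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)

if __name__ == "__main__":
    print("racy:", run_concurrent(Account.withdraw_racy, 10, 5, 10))   # (-40, 5)
    print("safe:", run_concurrent(Account.withdraw_safe, 10, 5, 10))   # (0, 1)
```

The same shape appears wherever a limit is checked and then consumed: coupon redemption, rate limits, file creation after an existence test. The fix is always to make the check and the action a single atomic operation (a lock, a database transaction with the right isolation level, or an atomic `create-if-absent` primitive), not to shorten the gap between them.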

26. Insecure Randomness

Definition: Insecure randomness vulnerabilities occur when applications use weak or
predictable random number generators, making them susceptible to cryptographic attacks or
session hijacking.

27. Clickjacking

Definition: Clickjacking vulnerabilities occur when attackers trick users into clicking on
hidden or disguised elements on a web page, leading to unintended actions or malicious
activities.

28. UI Redressing (Phishing)

Definition: UI redressing vulnerabilities occur when attackers deceive users by overlaying or
modifying the appearance of legitimate user interfaces, leading to phishing attacks or other
malicious activities.

29. Security Through Obscurity

Definition: Security through obscurity vulnerabilities occur when security mechanisms rely
on secrecy or concealment rather than proper security controls, making them susceptible to
exploitation once discovered.

30. DNS Spoofing

Definition: DNS spoofing vulnerabilities occur when attackers manipulate DNS responses to
redirect users to malicious websites or servers, leading to phishing attacks or DNS cache
poisoning.

HANIM EKEN
https://ie.linkedin.com/in/hanimeken
