1 |
Brute Force |
An automated program that tries all possible combinations to guess sensitive information |
Guessing passwords, hashes or API secrets |
Rate limiting, account lockout or progressive delays after failed attempts, multi-factor authentication, strong credential policies
2 |
Privilege Escalation |
An attacker or user obtains higher privileges than they were originally granted, typically by exploiting a flaw or misconfiguration
Becoming admin from a regular user |
Least privilege, proper access control, and employee awareness |
3 |
Impersonation |
An attacker pretends to be a trusted person or system (often via phishing) in order to steal data, gain unauthorized access, or disrupt operations
Sending email as your manager at your employer |
Employee awareness, proper identity and access management |
4 |
Denial of Service |
A malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of Internet traffic such as bogus packets, requests for connections, or malformed messages |
Making countless requests to a web server until its resources are exhausted |
Rate limiting, traffic filtering, a CDN or DDoS mitigation service, capacity planning
5 |
SQL Injection |
Malicious SQL code for backend database manipulation to access information that was not intended to be displayed |
Extracting username and passwords from the database |
Prepared statements with parameterized queries (the primary defence); properly parameterized stored procedures; input validation, escaping and sanitization as defence in depth
6 |
Weak Encryption |
Use of encryption algorithms that are not robust enough to withstand attacks |
Insufficient key length that makes brute forcing feasible, or outdated algorithms with known weaknesses (e.g., DES, RC4)
Modern, vetted algorithms with adequate key lengths (e.g., AES-256, TLS 1.2 or later), used through a well-maintained library
7 |
Weak Hashing |
Use of hashing algorithms that are not robust enough to withstand attacks |
An outdated algorithm such as MD5 or SHA-1, for which practical collisions are known, or a fast unsalted hash used for password storage
Secure hashing algorithms: the SHA-2 family for integrity checks; a salted, deliberately slow hash such as Argon2, bcrypt or PBKDF2 for passwords
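Added example for the Weak Hashing entry (not code from the original list): an unsalted MD5 password hash beside a salted PBKDF2-HMAC-SHA256 one, showing why the first is reversed by a lookup table while the second is not. The password list, the table and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed for this example: a tiny precomputed table of the kind an attacker
# keeps for fast, unsalted hashes. Real tables hold billions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Assumed iteration count for the example; use your framework's current default
# (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000).
ITERATIONS = 200_000


def weak_hash(password):
    """Weak: fast and unsalted. Equal passwords give equal digests, and a
    precomputed table reverses common ones instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(digest):
    """Table lookup against the weak hash; returns the password or None."""
    return MD5_TABLE.get(digest)


def hash_password(password, salt=None):
    """Stronger: a per-user random salt plus a deliberately slow key
    derivation. Stored as salt$key, both hex-encoded."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return salt.hex() + "$" + key.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))
```

The salt makes the precomputed table useless (each user's digest differs even for the same password) and the iteration count makes every guess cost the attacker as much as it costs the server; hmac.compare_digest avoids leaking the digest through timing.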
8 |
Credential Theft |
Credential theft occurs when malicious actors steal login details and use them to access services or applications to steadily elevate their privileges |
Stolen API key is used to perform malicious API calls to withdraw customer account funds |
Secure storage and transport of credentials, multi-factor authentication, short-lived keys and regular rotation
9 |
Cookie Poisoning |
Cookie poisoning is a type of cyber attack in which a bad actor hijacks, forges, alters or manipulates a cookie to gain unauthorized access to a user's account |
Steal session cookie through Cross-Site Scripting |
HTTPS; Secure, HttpOnly and SameSite attributes set on the cookie; cookie expiration; cookie values that are random session identifiers (or signed/encrypted server-side) so they cannot be forged or altered
10 |
Logic Error |
Flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior |
Accepting negative values when a customer is transferring funds |
Testing edge cases (negative, zero and boundary values), enforcing business rules server-side
11 |
Host Header Injection |
The application trusts the client-supplied Host header (for example to build absolute URLs, password-reset links or redirects), so an attacker can send an arbitrary Host value and make the application act on it
A password-reset email contains a link built from the attacker's Host value, so the reset token is delivered to the attacker's site; redirecting users to malicious sites for phishing or malware distribution
Validate the Host header (and X-Forwarded-Host behind a proxy) against an allow-list of expected hostnames; build absolute URLs from a configured canonical base, not from request headers
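Added example for the Host Header Injection entry (not code from the original list): a password-reset link built from the client-supplied Host header, beside a version that validates Host against an allow-list and builds the link from a configured canonical base. The hostnames, tokens and header dictionaries are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hostnames the deployment legitimately serves,
# and the canonical base used for every absolute URL the application emits.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_BASE = "https://www.example.com"


def reset_link_vulnerable(headers, token):
    """Vulnerable: trusts the client-controlled Host header. If an attacker
    requests a reset for the victim's address with Host: evil.example, the
    victim's reset email links to the attacker's site carrying the real token."""
    return f"https://{headers['Host']}/reset?token={token}"


def validated_host(headers):
    """Return the lowercase hostname from Host, or raise if it is not one of ours.
    urlsplit on '//host' separates a port or IPv6 brackets from the name."""
    raw = headers.get("Host", "")
    hostname = urlsplit("//" + raw).hostname
    if hostname is None or hostname.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {raw!r}")
    return hostname.lower()


def reset_link_safe(headers, token):
    """Safe: reject unexpected hosts early, then build the link from
    configuration rather than from anything the client sent."""
    validated_host(headers)
    return f"{CANONICAL_BASE}/reset?token={token}"
```

Web frameworks usually offer this check as a setting (Django's ALLOWED_HOSTS, for instance); the point is that a reset link must never depend on a header the requester controls.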
12 |
Referrer Leakage |
When sensitive information is inadvertently included in the HTTP Referer header and sent to external sites when the user follows a link or the page loads a third-party resource
If session IDs or reset tokens are carried in the URL, they leak through the Referer header and attackers might gain unauthorized access to user accounts
Avoid sensitive data in URLs; set a Referrer-Policy header (e.g., no-referrer or strict-origin-when-cross-origin)
13 |
Insufficient Logging |
Security-relevant events are not recorded or monitored, so attacks proceed without being detected, investigated or stopped
An attacker brute forces passwords without being detected and stopped
Proper logging and monitoring of authentication, access-control and input-validation failures; alerting on anomalies; protecting log integrity
14 |
Information Leakage |
When a website unintentionally reveals sensitive information to its users |
A server reveals database credentials, internal paths or stack traces in error messages shown to users
Employee awareness, sanitize output, enforce least privilege |
15 |
Eavesdropping |
An eavesdropping attack occurs when an attacker intercepts data in transit between two devices and reads it (and, if actively positioned on the path, can also modify or drop it)
An attacker on a shared network captures login credentials sent over unencrypted HTTP and can alter them in transit
HTTPS, HTTP Strict Transport Security |
16 |
Website Defacement |
Website defacement is the unauthorized alteration of the visual appearance or content of a website by a malicious actor |
An attacker publishes profanity, hate speech, politically motivated messages, or links to malicious websites on the site
Patching the web server and CMS, strong authentication and least privilege for publishing accounts, file integrity monitoring, backups for rapid restoration
17 |
Vulnerable Dependency |
Libraries or dependencies used by your application that have known vulnerabilities which can impact your application
An attacker steals funds by exploiting a remote code execution vulnerability in a database library used by an application
Dependency scanning, regular updates, a software bill of materials, and tracking new vulnerability disclosures for the libraries in use
18 |
Injection |
An umbrella term for attacks where an attacker injects malicious input that is interpreted as code or commands by the application or a downstream interpreter (SQL injection, header injection, cross-site scripting, LDAP injection, OS command injection, etc.)
An attacker uses SQL injection to steal password hashes from the database
Input validation, parameterized APIs (prepared statements), and context-appropriate output encoding or escaping
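Added example serving both the SQL Injection and the Injection entries (not code from the original list): a lookup that splices user input into the query text beside a parameterized one, run against a constructed in-memory SQLite table. The user names, placeholder hashes and the tautology payload are constructed for the example.

```python
import sqlite3

# Constructed sample users; the "hashes" are placeholders, not real credentials.
USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]


def make_db():
    """In-memory SQLite database holding the two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the untrusted value is spliced into the SQL text, so the
    database parses attacker-controlled characters as part of the query."""
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Safe: the query text is fixed and the value is bound as a parameter;
    quotes or keywords inside it are just data."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a legitimate name and with a tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"   # closes the string literal; WHERE becomes always true
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, payload),  # dumps every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, payload),              # no user has that name
    }
```

The same separation of code from data is what prevents the other injection classes listed above: shell arguments passed as a list rather than a string, LDAP filters built with escaping, HTML emitted through an encoding template engine.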
19 |
Misconfiguration |
When system or application configuration settings are missing, left at insecure defaults, or erroneously implemented, allowing unauthorized access
An administrative account (for example for a cloud console or admin panel) is left with a default or weak password and no multi-factor authentication
Least privilege, employee awareness, automated scans |
20 |
Path Traversal |
Path traversal is a type of security vulnerability that can occur when a web application or service allows an attacker to access server files or directories that are outside the intended directory structure. This can lead to the unauthorized reading or modification of sensitive data |
A file download endpoint accepts a filename such as ../../etc/passwd and returns a file outside the intended directory
Canonicalize the path and verify it stays inside the intended base directory; allow-list permitted file names; avoid passing user input to file-system APIs
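Added example for the Path Traversal entry (not code from the original list): a file-serving helper that canonicalizes the requested path and refuses anything that resolves outside the base directory, exercised against a constructed temporary sandbox with a public file and a secret one level up. The directory layout and payloads are constructed for the example.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    pass


def resolve_under(base_dir, user_path):
    """Join user_path to base_dir, canonicalize (resolving '..' and symlinks),
    and refuse anything that escapes base_dir. A plain prefix test is not
    enough ('/srv/files-secret' starts with '/srv/files'), so commonpath is used."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"path escapes {base}: {user_path!r}")
    return target


def read_user_file(base_dir, user_path):
    """Read a file only if it resolves inside base_dir."""
    with open(resolve_under(base_dir, user_path), "rb") as f:
        return f.read()


def demo():
    """Constructed sandbox: <root>/public/readme.txt is meant to be served,
    <root>/secret.txt sits one level up and must never be reachable."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "readme.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"top secret")

    results = {"readme.txt": read_user_file(public, "readme.txt")}
    # Three escape attempts: plain '..', '..' behind a bogus subdirectory,
    # and an absolute path (os.path.join discards the base when given one).
    attempts = ["../secret.txt", "sub/../../secret.txt", os.path.join(root, "secret.txt")]
    for p in attempts:
        try:
            read_user_file(public, p)
            results[p] = "ALLOWED"
        except PathTraversalError:
            results[p] = "blocked"
    return results
```

Resolving symlinks with realpath matters as much as normalizing '..': a link inside the public directory that points outside it would otherwise pass a purely lexical check.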
21 |
Location Spoofing |
An attacker manipulates the location data reported by their device or browser to defeat location-based checks
An attacker located across the globe spoofs their location to avoid suspicion
Treat client-reported location as untrusted; cross-check the Browser location API against IP geolocation and other signals such as device and behavioural history
22 |
Insecure Direct Object Reference |
When an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly
An attacker changes the id parameter in the URL (e.g., from id=1001 to id=1002, or to id=admin) to access another user's profile without authorization
Proper access control: check on every request that the authenticated user is authorized for the referenced object; use indirect or unguessable references; input validation and sanitization
23 |
Man in the Middle |
Communications between two parties are intercepted by an attacker positioned between them, and data is either stolen or modified
An attacker on a public Wi-Fi network relays traffic between a user and a website, reading or altering it in transit (for example, changing the contents of webmail before it reaches the user)
HTTPS with proper certificate validation, HTTP Strict Transport Security, certificate pinning for mobile clients
24 |
Roll Your Own Code |
Developers writing their own encryption algorithms or session management mechanisms, instead of using established, thoroughly tested libraries or frameworks |
Writing your own encryption algorithm which is not thoroughly tested |
Use popular well tested frameworks, libraries or algorithms |
25 |
Cross-Site Request Forgery |
An attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated |
If a social media site doesn't properly verify requests, an attacker could create a malicious site that posts unwanted content or spam on the victim's social media profile when they visit the malicious site |
Anti-CSRF tokens bound to the session, SameSite cookie attribute, checking the Origin/Referer header, no state changes on GET requests
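Added example for the Cross-Site Request Forgery entry (not code from the original list): a session-bound anti-CSRF token verified together with an Origin/Referer check, run against constructed requests. SITE_ORIGIN, TOKEN_KEY and the request dictionaries are assumptions for the example, not part of any real framework.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"            # assumed: the application's own origin
TOKEN_KEY = b"constructed-server-side-secret"   # assumed: kept server-side, never sent to clients


def issue_csrf_token(session_id):
    """Token is an HMAC over the session id, so it is bound to one session and
    can be checked without storing it; the server embeds it in its own forms."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_safe(request):
    """request is a constructed dict with keys method, headers, cookies, form."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state, so no token is needed
    session_id = request["cookies"].get("session")
    if not session_id:
        return False
    # Check 1: when the browser sends Origin (or Referer), it must be our own site.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    # Check 2: the form must carry the token for this session. An attacker's page
    # cannot read it (same-origin policy), so a forged cross-site POST fails here.
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, issue_csrf_token(session_id))


def build_request(method, origin, session_id, token):
    """Construct a sample request as a browser would send it."""
    return {
        "method": method,
        "headers": {"Origin": origin} if origin else {},
        "cookies": {"session": session_id} if session_id else {},
        "form": {"csrf_token": token} if token else {},
    }
```

The SameSite cookie attribute listed in the mitigation column is the browser-side complement: with SameSite=Lax the session cookie is not attached to a cross-site POST at all, so the forged request arrives unauthenticated before these checks even run.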
26 |
Session Hijacking |
The malicious act of taking control of a user's web session |
An attacker steals a user's session cookie through XSS (Cross-Site Scripting) attacks, packet sniffing, or other methods. Once the attacker has the cookie, they can use it to impersonate the user on the web application |
Secure, SameSite and HttpOnly cookies; cookie expiration; regenerating the session ID after login; invalidating sessions on logout
27 |
Replay Attack |
It involves an attacker capturing a valid web request and retransmitting it one or more times. This can lead to unauthorized actions or access |
If a Two-Factor Authentication system doesn't properly validate the uniqueness or time sensitivity of the authentication codes, an attacker could intercept and reuse these codes to gain unauthorized access |
Unique nonces or sequence numbers tracked server-side, timestamps with a short validity window, one-time authentication codes invalidated after use, HTTPS to prevent capture
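Added example for the Replay Attack entry (not code from the original list): a client signs each request with a timestamp and a fresh nonce under a shared HMAC key, and the server rejects tampered, stale and repeated requests. The shared key, the validity window and the request format are constructed assumptions for the example; a real deployment would use TLS as well.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-shared-secret"   # assumed: a key both client and server hold
MAX_SKEW = 300                               # seconds a signed request stays valid


def sign_request(body, now=None):
    """Client side: bind a timestamp and a fresh random nonce to the body with an HMAC."""
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)
    mac = hmac.new(SHARED_KEY, f"{ts}.{nonce}.".encode() + body, hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": mac}


class ReplayGuard:
    """Server side: verify the MAC, reject stale requests, and reject any nonce
    already accepted inside the validity window."""

    def __init__(self):
        self.seen = {}  # nonce -> timestamp it was accepted with

    def verify(self, req, now=None):
        now = now if now is not None else time.time()
        signed = f"{req['ts']}.{req['nonce']}.".encode() + req["body"]
        expected = hmac.new(SHARED_KEY, signed, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "bad signature"        # body, timestamp or nonce was tampered with
        if abs(now - int(req["ts"])) > MAX_SKEW:
            return "stale"                # too old (or clock far off) to accept
        # Drop nonces that have aged out; a replay of those fails the timestamp check anyway,
        # so the seen-set stays bounded by MAX_SKEW worth of traffic.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if req["nonce"] in self.seen:
            return "replay"               # identical request already processed
        self.seen[req["nonce"]] = int(req["ts"])
        return "ok"
```

The timestamp alone is not enough (the attacker can replay within the window) and the nonce alone is not enough (the server would have to remember nonces forever); together they bound both the replay window and the server's memory. The same pattern applies to one-time authentication codes: mark each code used the moment it is accepted.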
28 |
Insider Threat |
A cyber security risk that originates from within an organization |
A current or former employee, contractor, vendor, or partner, abuses their legitimate access rights, causing harm to the organization's networks, systems, and data. |
Least privilege, logging and monitoring, separation of duties, prompt removal of access when roles change or employment ends
29 |
Misuse of Privileges |
This involves users who have legitimate access but engage in actions that are outside of their roles or responsibilities, often for malicious purposes |
A user with admin privileges browses through confidential files and extracts or deletes information |
Least privilege, logging and monitoring |
30 |
Intellectual Property Theft |
Theft of proprietary code, applications or systems
A malicious contributor clones your repository and labels it as theirs |
Least privilege, proper access control |
31 |
Data Exfiltration |
An attacker steals information from a software system
An attacker extracts financial data from a compromised server
Least privilege, logging and monitoring, proper access control, egress monitoring and data loss prevention
32 |
Unauthorized Access |
An attacker gains access to an organization's software application without permission |
An attacker gains unauthorized access to a user account through phishing |
Multi-factor authentication, logging and monitoring, proper access control
33 |
Hardcoded Secret |
Including sensitive information such as passwords, API or encryption keys inside the codebase |
Including a PayPal API key inside an open-source project that everyone can see
Secret scanning (pre-commit and in CI), storing secrets in environment variables or a secrets manager, rotating any secret that has ever been committed
34 |
Vulnerable Code |
An umbrella term used for a flaw in your code that creates a potential risk of compromising security |
An attacker injects malicious SQL code to delete an application's database tables
Input validation and sanitization, automated scans, proper access control |
35 |
Zero Day |
A security flaw that is unknown to the vendor or not yet fixed, so no patch is available when it is first exploited
An attacker is able to exploit a zero-day vulnerability in a SaaS product which gives them unauthorized access to an admin account
Keep software up to date, least privilege and defence in depth to limit impact, security audits, a vulnerability disclosure process