Tag: owasp-top10

SQL Injection

Building a SQL query from untrusted input lets an attacker change the query's structure and read, modify, or delete sensitive data in the database.
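An added example, not code from the original page: a login query built by string formatting beside the parameterized form, run against a constructed in-memory SQLite table (the schema, rows and the `' OR '1'='1` payload are assumptions for the demo). The vulnerable version returns every user for the payload; the parameterized version compares the same input literally and matches nothing.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # constructed attacker input for the password field


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows (assumption, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Untrusted values are pasted into the SQL text, so quotes in the input
    # become SQL syntax. With PAYLOAD the WHERE clause reads
    #   name = 'alice' AND password = '' OR '1'='1'
    # which is true for every row.
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Parameterized query: the driver binds the values separately from the
    # statement text, so the same input is compared as data and matches
    # nothing.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", PAYLOAD))  # ['alice', 'bob']
    print(login_safe(db, "alice", PAYLOAD))        # []
```

The fix is the placeholder, not escaping: the database never sees the user's quote characters as part of the statement.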

Sensitive information leak

The phpinfo() function reveals details of the PHP environment (version, loaded modules, configuration directives, environment variables and filesystem paths) that help an attacker plan further attacks.

Log Injection

Writing untrusted input to a log without neutralizing newlines and other control characters lets an attacker forge or corrupt log entries (CWE-117, Improper Output Neutralization for Logs).
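An added example, not from the original page: a username containing a newline is logged once as-is and once after control characters are escaped. The forged input and the log format are constructed for the demo; the escaping function and the logger setup are assumptions, not a particular product's API.

```python
import io
import logging
import re

# Any ASCII control character (NUL, CR, LF, ESC, ...) is escaped as \xNN so
# the untrusted value stays inside its own log record.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed attacker input: a newline followed by a forged success entry.
FORGED_USERNAME = "mallory\nINFO login ok user=admin"


def neutralize(value: str) -> str:
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def _logger_for(stream: io.StringIO) -> logging.Logger:
    # A private Logger instance per call keeps the demo independent of the
    # process-wide logging configuration.
    logger = logging.Logger("auth")
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def record_failed_login(username: str, neutralized: bool) -> list:
    """Log one failed login and return the lines that ended up in the log."""
    buf = io.StringIO()
    logger = _logger_for(buf)
    field = neutralize(username) if neutralized else username
    logger.warning("login failed user=%s", field)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in record_failed_login(FORGED_USERNAME, neutralized=False):
        print(repr(line))   # two records; the second is attacker-authored
    for line in record_failed_login(FORGED_USERNAME, neutralized=True):
        print(repr(line))   # one record containing the literal text \x0a
```

Structured logging (one JSON object per record) achieves the same separation, since the serializer escapes newlines inside string values.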

Origin-verified cross-origin communications

Accepting cross-origin messages without verifying the sender's origin, or sending them without restricting the target origin, lets an untrusted page inject data into or read data from the application.

Cross-site scripting

Placing untrusted user input into web application output without context-appropriate encoding leads to cross-site scripting (XSS).

Path Traversal

Building file paths from untrusted input (for example with `..` segments or absolute paths) can give an attacker access to files outside the intended directory.
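An added example, not from the original page: a prefix-based check that is bypassable beside a resolution-based check, both run over a constructed directory layout (a `files` directory, a sibling `files2`, a secret outside `files`, and a symlink inside `files` pointing at it). The helper names and probe paths are assumptions for the demo; the example also covers the sibling-prefix and symlink cases, not only `..`.

```python
import os
import tempfile


def naive_join(base_dir: str, user_path: str) -> str:
    # Prefix check only: "<root>/files2/x" starts with "<root>/files", so a
    # sibling directory passes, and a symlink inside base is not resolved.
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, user_path))
    if not candidate.startswith(base):
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def safe_join(base_dir: str, user_path: str) -> str:
    base = os.path.realpath(base_dir)
    # Drop leading separators so an absolute user path cannot replace base.
    relative = user_path.lstrip("/\\")
    # realpath normalizes ".." and follows symlinks, so the check is made on
    # the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath compares whole components, so "files2" is not "files".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def build_fixture() -> tuple:
    """Constructed layout (assumption, not from the page):
    <root>/files/report.txt, <root>/files/link -> <root>/secret.txt,
    <root>/files2/, <root>/secret.txt. Requires a POSIX filesystem."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "files")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "files2"))
    with open(os.path.join(base, "report.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
    return root, base


# Constructed probes: benign, normalized, absolute, parent, sibling, symlink.
PROBES = ["report.txt", "sub/../report.txt", "/etc/passwd",
          "../secret.txt", "../files2/x", "link"]


def check_paths(join_fn, root: str, base: str) -> dict:
    """Run every probe through join_fn; report the result relative to root,
    or 'rejected' when the function refused it."""
    results = {}
    for probe in PROBES:
        try:
            results[probe] = os.path.relpath(join_fn(base, probe), root)
        except ValueError:
            results[probe] = "rejected"
    return results


if __name__ == "__main__":
    root, base = build_fixture()
    print(check_paths(naive_join, root, base))
    print(check_paths(safe_join, root, base))
```

Note that the absolute probe `/etc/passwd` is not rejected by `safe_join`; it is re-rooted under the base directory, which is the usual intent for a download handler. Reject it instead if your application treats absolute input as an error.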

OS command injection

Building an operating-system command from untrusted input lets an attacker append or substitute commands that run on the host.

LDAP Bind Without Password

An anonymous (unauthenticated) LDAP bind was found, which risks unauthorized execution of LDAP operations. Enforce authentication for LDAP binds.

Sendfile Injection

Functions that send a file selected by untrusted user data require validation and sanitization of that input; otherwise an attacker controls which file is sent.

Assert Use

Calling assert() with user-provided input is equivalent to dynamic code evaluation: in PHP 7 and earlier a string argument is evaluated as PHP code, so attacker-controlled input can be executed.

Loose file permissions

Weak (overly permissive) file permissions let other users read or modify sensitive files and executables, which can lead to privilege escalation.

Improper Authentication

The wp_ajax_priv_upload and wp_ajax_nopriv_upload hooks let developers register callbacks for authenticated and unauthenticated AJAX requests respectively; registering a privileged action under the nopriv hook, or omitting the capability check inside the callback, exposes it to anonymous users.

Insecure connection

Connections that use insecure protocols (such as HTTP, FTP or Telnet instead of their TLS-protected counterparts) transmit data in cleartext, which can leak credentials and other sensitive information.

Open Redirect

Redirecting to the current request path can send the user to another domain if the path begins with two slashes, because browsers treat `//host/path` as a scheme-relative URL rather than a local path.
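An added example, not from the original page: the usual "starts with a slash" test beside a check that also rejects scheme-relative and backslash variants, run over a constructed list of redirect targets. The function names and the sample targets are assumptions for the demo.

```python
from urllib.parse import urlsplit

# Constructed redirect targets of the kind a login page echoes in "next".
CASES = [
    "/account",
    "/account?next=/home",
    "//evil.example/login",
    "/\\evil.example/login",
    "///evil.example",
    "https://evil.example/login",
    "javascript:alert(1)",
]


def is_local_naive(target: str) -> bool:
    # Common but wrong: "//evil.example/login" also starts with "/".
    return target.startswith("/")


def is_local(target: str) -> bool:
    # A local path starts with exactly one slash. "//host" is a
    # scheme-relative URL, and browsers also treat "/\host" as one.
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the target if it stays on this site, else a fixed fallback."""
    return target if is_local(target) else fallback


def evaluate(check) -> dict:
    return {case: check(case) for case in CASES}


if __name__ == "__main__":
    print(evaluate(is_local_naive))
    print(evaluate(is_local))
```

Where the redirect target must be a full URL, compare the parsed host against an explicit allowlist instead of reasoning about prefixes.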

Insecure cryptography

Use of a cryptographic algorithm that is broken or identified as weak.

Object Input Stream Insecure Deserialization

Passing unsanitized user input directly to a deserialization routine (a Java ObjectInputStream, PHP unserialize()) enables object injection; validate the input or use a format that cannot instantiate arbitrary classes.

Code Injection

Avoid evaluating dynamically constructed code or commands that include untrusted input; doing so leads to code injection and command injection.

Zip bomb attack

Expanding archive files from an untrusted source without limiting the size of the expanded data exposes the system to zip bombs: small archives that decompress to enormous output and exhaust disk or memory.
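An added example, not from the original page: an extraction routine that checks the declared sizes and compression ratio, then streams each entry and counts the bytes actually produced instead of trusting the archive's metadata. The two archives are constructed in memory for the demo (a few kilobytes that expand to 5 MB of zeros, and a harmless one), and the limits are assumed policy values.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 1_000_000   # cap on total decompressed output (assumed)
MAX_RATIO = 100               # cap on decompressed/compressed size per entry


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives for the demo.
BOMB = build_zip({"payload.bin": b"\0" * 5_000_000})
BENIGN = build_zip({"hello.txt": b"hello"})


def extract_bounded(zip_bytes: bytes, max_total: int = MAX_TOTAL_BYTES,
                    max_ratio: int = MAX_RATIO) -> dict:
    """Extract into memory, refusing archives that exceed the limits."""
    total = 0
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Cheap checks on the central-directory metadata first.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ValueError("%s: compression ratio too high" % info.filename)
            if total + info.file_size > max_total:
                raise ValueError("%s: declared size exceeds limit" % info.filename)
            # Metadata can be forged, so also count the bytes actually
            # produced while streaming instead of trusting file_size.
            chunks = []
            with zf.open(info) as f:
                while True:
                    chunk = f.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_total:
                        raise ValueError("%s: expansion limit exceeded" % info.filename)
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def archive_is_safe(zip_bytes: bytes) -> bool:
    try:
        extract_bounded(zip_bytes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(len(BOMB), "bytes on disk, declared", 5_000_000)
    print("bomb accepted:", archive_is_safe(BOMB))      # False
    print("benign:", extract_bounded(BENIGN))           # {'hello.txt': b'hello'}
```

Nested archives (a zip inside a zip) need the same limits applied at every level, and a file-count limit guards against archives with millions of tiny entries.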

Unsafe Reflection

Using externally controlled input to select a class, method, or field through reflection lets an attacker invoke code that was never intended to be reachable.

Deserialization of untrusted data

Deserializing untrusted data can lead to security vulnerabilities such as remote code execution, because the serialized stream can name arbitrary classes and callables that are instantiated or invoked during loading.
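An added example, not from the original page, serving both the object-injection entry above and this one: a constructed pickle payload whose `__reduce__` makes the loader run a command, beside an Unpickler that refuses every global not on an allowlist. `subprocess.check_output` with `echo` is a benign stand-in for what an attacker would reference (needs a POSIX `echo`); the payload, the sample document and the allowlist are assumptions for the demo.

```python
import io
import pickle
import subprocess


class Exploit:
    """Constructed malicious payload. pickle stores the callable and
    arguments returned by __reduce__, and unpickling calls them; here the
    callable is subprocess.check_output, a harmless stand-in for os.system."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


MALICIOUS = pickle.dumps(Exploit())
BENIGN = pickle.dumps({"user": "alice", "roles": ["viewer"]})


class RestrictedUnpickler(pickle.Unpickler):
    # Only these globals may be referenced by the stream; anything else
    # (subprocess.check_output, os.system, builtins.eval, ...) is refused.
    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def loads_unsafe(data: bytes):
    # Executes whatever the stream references: here, the echo command.
    return pickle.loads(data)


def loads_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    try:
        loads_restricted(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    print(loads_unsafe(MALICIOUS))          # b'pwned\n': the command ran
    print(classify(MALICIOUS))              # rejected
    print(loads_restricted(BENIGN))         # {'user': 'alice', 'roles': ['viewer']}
```

The allowlist is a mitigation for streams you must accept; for new designs, prefer a data-only format such as JSON with schema validation, which has no mechanism to name a class or callable.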

Static Initialization Vector (IV)

Using a static (hard-coded or reused) initialization vector (IV) for a cipher defeats the IV's purpose: identical plaintexts produce identical ciphertexts, and in stream-like modes such as CTR or GCM the reused keystream lets an attacker recover one plaintext from another.
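An added example, not from the original page: a keystream cipher with a fixed IV beside the same cipher with a fresh random IV, and the known-plaintext recovery that the fixed IV enables. The keystream here is a toy built from HMAC-SHA256(key, iv || counter), standing in for a real block cipher in CTR mode so the block runs without third-party libraries; the key, messages and function names are assumptions for the demo.

```python
import hashlib
import hmac
import os

IV_LEN = 16
STATIC_IV = bytes(IV_LEN)   # the hard-coded IV anti-pattern


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy keystream (not a real cipher): HMAC-SHA256(key, iv || counter)
    # blocks. The property that matters is that the same key and IV always
    # produce the same keystream, exactly as CTR mode does.
    out = b""
    counter = 0
    while len(out) < length:
        block = iv + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return xor(body, keystream(key, iv, len(body)))


def encrypt_static_iv(key: bytes, plaintext: bytes) -> bytes:
    return encrypt(key, STATIC_IV, plaintext)


def encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    return encrypt(key, os.urandom(IV_LEN), plaintext)


def recover_from_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes):
    """Attacker knows p1 and observes c1 and c2. If both used the same key
    and IV, keystream = c1 XOR p1, so p2 = c2 XOR keystream (up to the
    length of p1). Returns None when the IVs differ."""
    if c1[:IV_LEN] != c2[:IV_LEN]:
        return None
    ks = xor(c1[IV_LEN:], known_p1)
    return xor(c2[IV_LEN:], ks)


# Constructed key and messages of equal length.
KEY = b"\x01" * 32
P1 = b"transfer 100 EUR to account 1111"
P2 = b"transfer 999 EUR to account 2222"

if __name__ == "__main__":
    c1, c2 = encrypt_static_iv(KEY, P1), encrypt_static_iv(KEY, P2)
    print(recover_from_known_plaintext(c1, c2, P1))   # P2 recovered
    r1, r2 = encrypt_random_iv(KEY, P1), encrypt_random_iv(KEY, P2)
    print(recover_from_known_plaintext(r1, r2, P1))   # None
```

In CBC mode a fixed IV does not leak keystream, but it still reveals whether two messages share a prefix, which is enough for chosen-plaintext attacks on low-entropy fields. Generate the IV with a cryptographic RNG per message and transmit it alongside the ciphertext.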

Coral Csrf Rule

Make the input validation check guarantee the expected behavior for all inputs, rather than relying on the assumption that invalid input will simply cause an error.

Insecure cookie

Cookies set without the Secure attribute may be sent over cleartext HTTP, exposing session identifiers and other sensitive data; the HttpOnly and SameSite attributes further limit script access and cross-site sending.

Improper access control

The software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor.