Findings

Security

F001. SQL injection
F002. Asymmetric denial of service
F003. Symmetric denial of service
F004. Remote command execution
F005. Privilege escalation
F006. Authentication mechanism absence or evasion
F007. Cross-site request forgery
F008. Reflected cross-site scripting (XSS)
F009. Source code with sensitive information
F010. Stored cross-site scripting (XSS)
F011. Use of software with known vulnerabilities
F013. Insecure object reference
F014. Insecure functionality
F015. Insecure authentication method
F017. Sensitive information sent insecurely
F018. Improper authentication for shared folders
F019. Administrative credentials stored in cache memory
F020. Non-encrypted confidential information
F021. XPath Injection
F022. Use of an insecure channel
F023. Uncontrolled external site redirect
F024. Unrestricted access between network segments
F025. Call interception
F026. User enumeration
F027. Insecure file upload
F028. Insecure temporary files
F029. Inadequate file size control
F030. Sensitive information sent via URL parameters
F031. Excessive privileges
F032. Spoofing
F033. Password change without identity check
F034. Insecure generation of random numbers
F035. Weak credential policy
F036. ViewState not encrypted
F038. Business information leak
F039. Improper authorization control for web services
F040. Exposed web services
F041. Enabled default credentials
F042. Insecurely generated cookies
F045. HTML code injection
F047. Automatic information enumeration
F048. Lack of root detection
F049. Insecure digital certificates
F050. Guessed weak credentials
F051. Cracked weak credentials
F052. Insecure encryption algorithm
F053. Lack of protection against brute force attacks
F054. Exposed administrative services
F055. Insecure service configuration
F056. Anonymous connection
F059. Sensitive information stored in logs
F063. Lack of data validation
F065. Cached form fields
F067. Improper resource allocation
F069. Weak CAPTCHA
F075. Unauthorized access to files
F076. Insecure session management
F077. ARP spoofing
F078. Insecurely generated token
F081. Lack of multi-factor authentication
F082. Insecurely deleted files
F083. XML Injection (XXE)
F084. MDNS spoofing
F085. Sensitive data stored in client-side storage
F086. Missing subresource integrity check
F087. Account lockout
F090. Code injection (CSV)
F091. Log injection
F093. Hidden fields manipulation
F096. Insecure deserialization
F097. Reverse tabnabbing
F098. External control of file name or path
F100. Server-side request forgery (SSRF)
F101. Lack of protection against deletion
F102. Email uniqueness not properly verified
F103. Insufficient data authenticity validation
F104. USB flash drive attacks
F105. Apache Lucene query injection
F106. NoSQL injection
F107. LDAP injection
F108. Improper control of interaction frequency
F110. HTTP request smuggling
F111. Out-of-bounds read
F114. Phishing
F115. Security controls bypass
F116. XS-Leaks

Hygiene

F037. Technical information leak
F043. Improperly set HTTP headers
F044. Insecure HTTP methods enabled
F046. Missing secure obfuscation
F058. Debugging enabled in production
F060. Insecure exceptions
F061. Errors without traceability
F062. Concurrent sessions
F064. Traceability loss
F068. Insecure session expiration time
F070. Inappropriate coding practices
F072. Duplicate code
F073. Conditional statement without a default option
F074. Commented-out code
F079. Non-upgradable dependencies
F088. Privacy violation
F113. Improper type assignation
F117. Unverifiable files
F118. Regulation infringement
F119. Metadata with sensitive information
F120. Improper dependency pinning